SIP Protocol and Its Security Analysis
Topic: SIP  Entry point: AVISPA  Source: National University of Defense Technology (國防科學技術大學), 2014 master's thesis
[Abstract]: With the rapid development of Internet technology, Internet-based multimedia application services have spread quickly. As an effective basic protocol for managing multimedia applications, the Session Initiation Protocol (SIP) has become the standard signaling control protocol in next-generation networks, and its security has attracted close attention. SIP was designed for simplicity, flexibility and high extensibility and lacks effective security mechanisms; moreover, its messages are text-encoded, so SIP running in the open Internet environment is exposed to many security threats. Common attacks on SIP include registration hijacking, server impersonation, message tampering, session modification and denial of service. The IETF recommends securing SIP with existing network protocol security mechanisms such as HTTP Digest authentication, S/MIME, TLS and IPsec. However, these mechanisms apply only to specific scenarios, are highly limited, and cannot effectively guarantee the secure operation of SIP. How to effectively improve and extend SIP's security mechanisms, so as to ensure the secure operation of SIP-based multimedia application services, is an urgent research topic. Starting from the SIP protocol, this thesis first analyzes the structure, functions and message format of SIP, then analyzes SIP's security problems and examines the security of SIP with formal methods; on this basis it proposes a SIP security enhancement method, implements it in code, and verifies it through analysis, with good results. The main contents are as follows: 1. The security of SIP is analyzed from its design and operating mechanisms, several security threats against SIP and their principles are analyzed, and the applicable scope of several existing security mechanisms proposed by the IETF is summarized; 2. Two formal analysis methods, manual analysis based on BAN logic and automated analysis based on AVISPA, are used to analyze the security of SIP, identifying security flaws in the protocol and feasible attack paths; 3. Based on the results of the security analysis, a security enhancement method is proposed, the improved SIP scheme is described in detail, and its security and exploitability are analyzed formally. The enhancement improves SIP by using bilinear pairings on elliptic curves and identity-based encryption, so that it satisfies both client-to-server and server-to-client authentication and also solves the key escrow problem of the HTTP Digest authentication mechanism; in addition, a whitelist policy is proposed that further authenticates certain header fields of the message, adding another layer of protection for both the client and the server. A coded implementation of the improved scheme verifies the effectiveness of the proposed method: the security of the original SIP protocol is improved and the attack paths are eliminated.
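As an added illustration, not code from the thesis, the following Python shows the HTTP Digest authentication that the abstract names as the IETF's baseline mechanism, as SIP applies it (RFC 3261 reuses RFC 2617 Digest with MD5 as the default algorithm). The realm, user names, passwords and nonces are constructed placeholders. The example makes two of the abstract's points concrete: the server must hold a password-derived secret (HA1) for every user, and the only server-to-client assurance Digest provides is the optional rspauth value of Authentication-Info, which exists only when qop is negotiated; otherwise authentication is one-way, which is the gap the thesis addresses with pairing-based mutual authentication.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demonstration state (not from the thesis): the server keeps
# HA1 = MD5(username:realm:password) per user, never the clear-text password.
REALM = "sip.example.com"        # placeholder realm
CREDENTIALS = {}                 # username -> HA1 hex digest
ISSUED_NONCES = set()            # nonces this server put into 401 challenges


def _md5(data: str) -> str:
    # RFC 3261 reuses HTTP Digest (RFC 2617); MD5 is its default algorithm.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return _md5(f"{username}:{realm}:{password}")


def enroll(username: str, password: str) -> None:
    # Enrolment leaves a password-derived secret with the server: every
    # registrar that verifies Digest must hold it for each user.
    CREDENTIALS[username] = ha1(username, REALM, password)


def make_challenge() -> str:
    # Server side: the 401 Unauthorized response carries a fresh nonce.
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return f'Digest realm="{REALM}", nonce="{nonce}", qop="auth", algorithm=MD5'


def parse_digest(header: str) -> dict:
    # Minimal parser for 'Digest k="v", k2=v2, ...' header values.
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 with qop: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def _rspauth(ha1_hex: str, a: dict) -> str:
    # Server-to-client value (RFC 2617 3.2.3): A2 is ":" uri, i.e. empty method.
    ha2 = _md5(f":{a['uri']}")
    return _md5(f"{ha1_hex}:{a['nonce']}:{a['nc']}:{a['cnonce']}:{a['qop']}:{ha2}")


def client_authorization(username: str, password: str, method: str, uri: str,
                         challenge: str) -> str:
    # Client side: answer the challenge. The client's own cnonce is what later
    # allows it to check the server's rspauth.
    ch = parse_digest(challenge)
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(ha1(username, ch["realm"], password), method, uri,
                           ch["nonce"], nc, cnonce, ch["qop"])
    return (f'Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", qop={ch["qop"]}, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}", algorithm=MD5')


def server_verify(authorization: str, method: str):
    # Returns (accepted, rspauth). Checks realm, that the nonce is one this
    # server issued, and the response in constant time. A production registrar
    # would also track nc per nonce to reject replays; omitted here.
    a = parse_digest(authorization)
    user = a.get("username")
    if user not in CREDENTIALS or a.get("realm") != REALM:
        return False, None
    if a.get("nonce") not in ISSUED_NONCES or a.get("qop") != "auth":
        return False, None
    expected = digest_response(CREDENTIALS[user], method, a["uri"], a["nonce"],
                               a["nc"], a["cnonce"], a["qop"])
    if not hmac.compare_digest(expected, a.get("response", "")):
        return False, None
    return True, _rspauth(CREDENTIALS[user], a)


def client_check_rspauth(username: str, password: str, authorization: str,
                         rspauth: str) -> bool:
    # The client's only way to learn that the responder knew HA1.
    a = parse_digest(authorization)
    return hmac.compare_digest(_rspauth(ha1(username, a["realm"], password), a),
                               rspauth)


if __name__ == "__main__":
    enroll("alice", "constructed-password")
    challenge = make_challenge()
    auth = client_authorization("alice", "constructed-password", "REGISTER",
                                "sip:sip.example.com", challenge)
    ok, rspauth = server_verify(auth, "REGISTER")
    print("server accepted:", ok)
    print("client verified rspauth:", client_check_rspauth(
        "alice", "constructed-password", auth, rspauth))
```

The response binds the method and Request-URI, so a REGISTER credential does not verify as an INVITE, and a nonce the server never issued is rejected before any hashing. Note what it does not give: a client that receives a plain 401 has no way to tell a legitimate registrar from an impersonator unless it later obtains and checks rspauth, and the server's dependence on a stored per-user secret is inherent to the mechanism.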
[Degree-granting institution]: National University of Defense Technology (國防科學技術大學)
[Degree level]: Master
[Year of degree]: 2014
[Classification number]: TN915.04
【參考文獻(xiàn)】
相關(guān)期刊論文 前7條
1 樊自甫;萬曉榆;;基于S/MIME的SIP安全性方案[J];計(jì)算機(jī)工程;2009年05期
2 徐夢茗;肖聰;唐六華;黃金濤;;安全協(xié)議和網(wǎng)絡(luò)攻擊分析[J];信息安全與通信保密;2007年02期
3 俞志春;方濱興;張兆心;;SIP協(xié)議的安全性研究[J];計(jì)算機(jī)應(yīng)用;2006年09期
4 薛銳;馮登國;;安全協(xié)議的形式化分析技術(shù)與方法[J];計(jì)算機(jī)學(xué)報(bào);2006年01期
5 王宇飛;范明鈺;王光衛(wèi);;一種基于HTTP摘要認(rèn)證的SIP安全機(jī)制[J];重慶郵電學(xué)院學(xué)報(bào)(自然科學(xué)版);2005年06期
6 王原麗 ,嚴(yán)劍;基于S/MIME的SIP安全機(jī)制[J];信息安全與通信保密;2005年05期
7 儲泰山,潘雪增;SIP安全模型研究及實(shí)現(xiàn)[J];計(jì)算機(jī)應(yīng)用與軟件;2004年12期
相關(guān)碩士學(xué)位論文 前5條
1 魏鵬娟;橢圓曲線的選取與雙線性對的快速計(jì)算研究[D];西安電子科技大學(xué);2011年
2 宋秀紅;SIP協(xié)議若干安全問題的研究[D];山東大學(xué);2008年
3 喻靚;SIP安全威脅及SIP安全協(xié)議研究[D];上海交通大學(xué);2008年
4 方東輝;一種SIP應(yīng)用層安全機(jī)制的設(shè)計(jì)與實(shí)現(xiàn)[D];哈爾濱工業(yè)大學(xué);2007年
5 張巖;SIP協(xié)議及其安全機(jī)制的研究與實(shí)現(xiàn)[D];東南大學(xué);2006年
Article number: 1664870
Article link: http://sikaile.net/kejilunwen/wltx/1664870.html