期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

IPSec协议的远程证明扩展 被引量:2

Remote Attestation Extension for IPSec
下载PDF
导出
摘要 传统IPSec协议在建立安全通信连接时,没有考虑终端自身安全问题,而可信计算的远程证明机制就是为被接入方提供接入方的自身安全证明,将其引入IPSec协议可以弥补建立IPSec连接时的终端安全漏洞。首先分析了IPSec协议的IKE协商过程和可信计算技术的远程证明机制,然后以基于数字签名的IKE主模式流程为例,提出在IKE协商阶段引入远程证明机制的IPSec远程证明扩展协议流程及安全分析。该协议引入带有SKAE扩展项的身份证书,实现对终端身份和系统完整性的双重认证,确保端到端的安全连接。协议在保证通信信息的机密性、完整性、新鲜性之外,也充分保护终端平台隐私性。 Standard IPSec doesn't provide any guarantees about the integrity of the endpoints when an IPSec linkage is established.And the remote attestation in trusted computing is to provide security evidence of the user for the accessed server.So it can avoid terminal security vulnerability in IPSec to introduce the remote attestation into IPSec.IKE negotiation of IPSec and remote attestation mechanism were analyzed firstly.Then taking IKE main mode based on figure signature for example,an extended IPSec protocol based on remote attestation and its security analysis were presented.In the extended IPSec protocol,remote attestation mechanism was introduced into IKE negotiation.This protocol can complete double authentications including identity and system integrity by using a certificate with a SKAE extension to ensure an end-to-end secure linkage.Besides,the protocol can guarantee not only information's confidentiality,integrity and freshness,but also endpoints' privacy.
作者 王剑 汪海航 杨健
机构地区 同济大学电子与信息工程学院 河南科技大学电子与信息工程学院 大理学院数学与计算机学院
出处 《计算机科学》 CSCD 北大核心 2011年第6期49-53,共5页 Computer Science
基金 国家863计划项目(2006AA01Z438)资助
关键词 IPSEC IKE协商 远程证明 可信计算 完整性度量 IPSec IKE negotiation Remote attestation Trusted computing Integrity measurement
分类号 TP309 [自动化与计算机技术—计算机系统结构]
  • 相关文献

参考文献12

  • 1Trusted Network Connect Work Group. TCG Trusted Network Connect TNC Architecture for Interoperability, Speeification Version 1.2 Revision 4[S]. 2007.
  • 2Jiang S, Smith S, Minami K. Securing Web servers against insider attack[C]//Proceedings of 17th Annual Computer Security Ap- plications Conference. IEEE Press, 2001:265-276.
  • 3Sadeghi A R, Stuble C, Wolf M, et al. Enabling fairer digital rights management with trusted eomputing[C]//Proceedings of ISC'07. LNCS 4779. Springer, 2007 : 53-70.
  • 4Stumpf F,Tafreschi O,Roder P, et al. A robust integrity repor- ting protocol for remote attestation[C]//2nd Workshop on Ad- vances in Trusted Computing, WATC ' 06. 2006 : 1-12.
  • 5Gasmi Y, Ahmad-Reza S, Patrick S, et al. Beyond Secure Chan- nels[C]// Proceedings of the 2nd ACM Workshop on Scalable Trusted Computing, STC 2007. Alexandria, VA, USA, Novem- ber 2007 : 30-40.
  • 6Zhou Lingli, Zhang Zhenfeng. Trusted Channels with Password- based Authentication and TPM-based Attestation[C]//Pro- ceedings of International Conference on Communication and Mo- bile Computing. 2010:223-227.
  • 7Armknecht F,Gasmi Y, Sadeghi A-R, et al. An Efficient Imple- mentation of Trusted Channels based on OpenSSL[C] // Pro- ceedings of STC'08. Fairfax, Virginia, USA, October 2008: 41-50.
  • 8Trusted Computing Group. TCG Specifi_ cation Architecture O- verview Specification' s Revision1. 2 [S]. https://www. trusted- computinggroup. org. Apr. 2004.
  • 9Davis C R.IPSec:VPN的安全实施[M].北京:清华大学出版社,2002.
  • 10范红.互联网密钥交换协议及其安全性分析[J].软件学报,2003,14(3):600-605. 被引量:14

二级参考文献5

  • 1吴以四.CA认证经历成长烦恼[J].信息系统工程,2006,19(7):22-33. 被引量:3
  • 2[1]Meadows C. Analyzing formal methods to the analysis of a key management protocol. Journal of Computer Security-ESORICS 96, Springer-Verlag, 1996. 365~384.
  • 3[2]Borella MS, Grabelsky JLD, Montenegro G. Realm specific IP: framework. Internet Draft draft-ietf-nat-rsip-framework-03.txt, 1999.
  • 4[3]Harkins D, Carrel D. The Internet key exchange (IKE). Internet RFC 2409, 1998.
  • 5[4]Meadows C. Analysis of the Internet key exchange protocol using the NRL protocol analyzer. In: Proceedings of the 1999 Symposium on Security and Privacy. IEEE Computer Society Press, 1999. 287~305.

共引文献13

同被引文献17

  • 1任彦,苏伟,张思东,张宏科.移动网络中IPsec-VPN的构建与性能分析[J].北京交通大学学报,2005,29(5):10-13. 被引量:1
  • 2ZHANG Huanguo WANG Fan.A Behavior-Based Remote Trust Attestation Model[J].Wuhan University Journal of Natural Sciences,2006,11(6):1819-1822. 被引量:10
  • 3Uskov A V. Information security of mobile VPN: Conceptual models and design methodology [C]//Proceedings of the IEEE International Conference on Electro/Information Technology. Liverpool, United Kingdom: IEEEPress, 2012: 1-6.
  • 4Jian Wang, Haihang Wang, Chengxiang Tan. A mobile security access system based on IPSec VPN [J]. Journal of Computational Information Systems, 2009, 5 (1): 467-472.
  • 5Uskov, Alexander V. information security of ipsec-based mobile vpn: Authentication and encryption algorithms performance [C]//Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications. Liverpool, United Kingdom: IEEE press, 2012: 1042-1048.
  • 6Ahmad-Reza Sadeghi, Steffen Schulz. Extending IPsec for efficient remote attestation [G]. Lecture Notes in Computer Science 6054: Financial Cryptography and Data Security, 2010: 150-165.
  • 7Sadeghi A-R, Christian Stuble. Property-based attestation for computing platforms: Caring about properties, not mechanisms [C] //Proceedings on the New Security Paradigms Workshop. Virginia Beach, VA, USA: September, 2004: 67-77.
  • 8Liqun Chen, Rainer Landerfermann, Hans Lohr, et al. A protocol for property-based attestation [C]//Virginia, USA: Proceedings on the first ACM Workshop on Scalable Trusted Computing, Alexandria, 2006: 7-16.
  • 9Jian Wang, Haihang Wang, Chengxiang Tan. RABBIF: Remote attestation based on behavior and information flow [C] //Proceedings of ICTTA, 2010: 18-22.
  • 10Liang Gu, Xuhua Ding, Robert H Deng, et al. Model-driven remote attestatioin: Attesting remote system form behavioral aspect [C]//Zhangiiajie, Hunan, China: Proceedings of the 9th International Conference for Young Computer Scientists, 2008.. 2347-2a5a.

引证文献2

二级引证文献6

计算机科学
2011年 第6期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部