
Research and Implementation of the Internet Key Exchange Protocol

【Author】 Wang Bin

【Supervisor】 Fang Guiming

【Author information】 Graduate University of the Chinese Academy of Sciences (Institute of Software), Computer Application Technology, 2002, Master's degree

【Abstract (translated from Chinese)】 IP packets as defined in IPv4 contain no security features of their own. It is easy to forge an IP packet's source address, modify its contents, replay earlier packets, and intercept and read packet contents in transit. To address this inherent weakness of IPv4, the IPSec protocol provides a standard, robust and comprehensive security mechanism that can be used to protect IP and upper-layer protocols such as UDP and TCP. For IPSec to be widely deployed, however, the problem of automatic key negotiation over the Internet must be solved; that problem is the focus of this thesis. The thesis begins by introducing the IPSec protocol and then concentrates on the IKE protocol, which solves the key negotiation problem. Drawing on specific research work, it describes how the IKE protocol was implemented on the Linux operating system. The thesis has six chapters. Chapter 1 introduces the current state of Internet development, its security risks and typical attacks on the Internet, discusses the advantages and disadvantages of implementing security mechanisms at each layer of the TCP/IP protocol suite, and introduces the concept of the virtual private network together with the two tunneling protocols currently used to implement VPNs. Chapter 2 describes the protocols in the IPSec suite, IPSec's modes of operation, and the methods for establishing security associations. It then concentrates on the IKE protocol within the IPSec suite, covering IKE's two-phase negotiation, the payload formats defined by IKE, and the exchange modes defined by IKE. Chapter 3, based on our research work, explains how IKE was designed and implemented in the Linux operating system, including how the security association database is created and managed in the kernel, how the PF_KEY socket interface and PF_KEY messages are implemented, and how the state machines for IKE main mode and quick mode are designed. Chapter 4 describes the implementation of the security router, its external interfaces, and the implementation of the hardware encryption device, and reports the tests performed on the security router. Chapter 5 gives a brief summary of the thesis and presents some techniques that can improve VPN efficiency.

【Abstract】 Originally, IP packets as defined by IPv4 don't contain any security characteristics. Attackers can easily forge the address of IP packets, revise their content, replay them at a later time, and eavesdrop on data during transmission. In order to make up for the innate deficiency of IPv4, the IPSec protocol provides a standard and robust security mechanism that can be used to provide security protection for IP and higher-layer protocols. But before the IPSec protocol can be used widely, a problem must be resolved: how to negotiate keys automatically over the Internet. That is what this paper mainly deals with. First, this paper introduces the concept of the IPSec protocol and discusses in depth the IKE protocol, which resolves the problem of key negotiation. Then, according to our current research work, I describe in detail how to realize the IKE protocol in Linux. There are five chapters in this paper in total. The first chapter shows the current development status of the Internet, some network security problems and some classic Internet attacks, discusses the advantages and disadvantages of realizing network security at different TCP/IP layers, and gives a brief introduction to Virtual Private Networks and two kinds of VPN tunneling protocols. The second chapter introduces the protocols contained in the IPSec protocol stack, the work modes and the methods to build Security Associations. Then the details of the IKE protocol are described, including the two negotiating phases, the format of all IKE payloads, and the exchange modes defined by IKE. In the third chapter, combined with our current research, I describe how to design and realize IKE in the Linux OS. The realization includes establishing and managing the security association database in the Linux kernel, developing the PF_KEY socket interface and PF_KEY messages, and designing the state machines of IKE main mode and IKE quick mode. In the fourth chapter, I depict the realization of the VPN router, the external interface of the VPN router, and the realization of hardware encryption. In the end, I describe the tests of the VPN router. Chapter 5 draws the conclusion and indicates the future direction of the system.

【Keywords】 IPSec protocol; IKE protocol; Security Association (SA)
【Key words】 IPSec; IKE; Security Association
  • 【Classification number】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 107