(3.215.180.226) 您好!臺灣時間:2021/03/09 03:33
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果

詳目顯示:::

我願授權國圖
: 
twitterline
研究生:張譽鐘
研究生(外文):Yu-Chung Chang
論文名稱:網際網路安全促成工具之設計與實作
論文名稱(外文):Design and Implementation of IP-Based Security Enablers
指導教授:雷欽隆雷欽隆引用關係
指導教授(外文):Chin-Laung Lei
學位類別:碩士
校院名稱:國立臺灣大學
系所名稱:電機工程學研究所
學門:工程學門
學類:電資工程學類
論文種類:學術論文
論文出版年:1999
畢業學年度:87
語文別:英文
論文頁數:98
中文關鍵詞:網路安全網際網路安全協定網際網路密碼學密鑰管理協定
外文關鍵詞:Network SecurityIP SecurityInternetCryptographyKey Management Protocol
相關次數:
  • 被引用被引用:0
  • 點閱點閱:145
  • 評分評分:系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔
  • 下載下載:0
  • 收藏至我的研究室書目清單書目收藏:1
隨著網際網路及電子商務的快速成長,網路安全成為近年來網路及通訊領域中最熱門的研究主題之一。如何在網際網路上提供一個安全的網路通訊環境已成為一迫切的課題。目前架構在TCP/IP通訊協定上的網際網路,其對於個人隱私及通訊安全方面所提供的保護極為缺乏,而網路安全乃是建置電子商務成功與否的關鍵因素。現有的網路安全解決方案,大多將安全機制設計於應用層,因此針對各個不同的應用程式,必須做個別的修改,方能達到保密及認證的功能,十分不便,且需耗費許多額外的人力物力。有鑑於此,本篇論文提出網際網路安全促成工具的概念,作為一有效的網際網路安全解決方案,我們亦提出完整的系統架構設計及實作。
網際網路安全促成工具的概念,在於提供一個可彈性運用,擴充性高的網路安全介面,讓所有網路應用程式,毋須做任何修改,即可使用,並立即享有認證,保密,使用權控制等網路安全服務。
本論文所提出的網際網路安全促成工具之系統架構設計分為三大部分:認證及密鑰管理部分、網路層協定加密部分以及安全策略部分。我們已將此系統實作於FreeBSD 2.2.8作業系統上。
本篇論文並提出一個基於Kerberos認證服務的密鑰管理協定,稱為通行票式密鑰管理協定。本協定為目前唯一採用對稱式密鑰技術之密鑰管理協定,相較於使用公開密鑰之密鑰管理協定,本協定毋須做指數運算,具有較快的計算速度,可適用於低計算能力的行動計算裝置。此外,本協定毋須公開密鑰憑證,因此可使用於沒有公開密鑰基礎建設的環境之下。
本論文所提出之採用通行票式密鑰管理協定的網路安全促成工具架構,提供使用者一個強健的網路安全架構,以及多種的網路安全服務。與其他採用公開密鑰之系統比較,具有毋須公開密鑰憑證,系統設定容易,適用於區域網路及企業內部網路,且可適用於低計算能力的行動計算裝置等優點。此外,本系統可直接接受Kerberos密鑰分配中心所發出之通行證作為認證,因此可相容於目前廣為使用的Kerberos認證服務。

With the fast growth of Internet and electronic commerce, network security has emerged as one of the hottest research and development topics for networking and communication society. How to provide a secure communication environment on the Internet has become an urgent issue. At the moment, the Internet running TCP/IP lacks for the fundamental mechanisms for providing personal privacy and communication security. However, network security is one of the key factors for electronic commerce. Most of the network security solutions place their security mechanisms at the application layer. Therefore, they must modify each application individually to accomplish the purposes of security and authentication. This is very inconvenient and requires much time and work. In this thesis, we propose the concept of IP-based security enablers to be an efficient Internet security solution, and we present a complete design of system architecture and implementation.
The concept of IP-based security enablers is to provide a flexible and extensible network security interface for network programs. Network programs can enjoy network security services such as authentication, confidentiality, access control immediately without any modification.
The system architecture of the proposed IP-based security enablers contains three components: an authentication and key management component, a network protocol encryption component, and a security policy component. The implementation is carried out on FreeBSD 2.2.8 operation system.
In this thesis, we also propose a key management protocol based on Kerberos authentication service, called Ticket-based Key Management Protocol (TKMP). This protocol is the only key management protocol adopting symmetric cryptosystem. Since TKMP does not have to perform any time-consuming exponential operations, it is much faster than the public-key based key management protocols and is suitable for low-computation power mobile computing devices. Moreover, TKMP does not need public-key certificates. Therefore, it can also be utilized in a network environment without PKI support.
The proposed IP-based security enablers architecture with a ticket-based key management protocol provides a robust network security infrastructure and various security services to users. Compared with other public-key based systems, it has advantages such as: does not need PKI, suitable for Local Area Network (LAN) and Intranet of an enterprise, easy to install, and suitable for low-computation power mobile computing devices. In addition, our system can accept tickets issued by Kerberos Key Distribution Center (KDC); therefore, it is compatible with the widely used Kerberos authentication service.

Chapter 1 Introduction
1.1 Motivation
1.2 Design Goals
1.3 Design Approaches
1.4 Organization of this thesis
Chapter 2 IP Security
2.1 Introduction
2.2 IP Security Architecture
2.3 IP Security Services
2.4 Security Association (SA)
2.5 AH and ESP Protocols
2.5.1 Authentication Header
2.5.2 Encapsulating Security Payload
2.6 Transport and Tunnel Modes
2.6.1 Transport Mode
2.6.2 Tunnel Mode
2.7 Key Management
2.7.1 IKE
2.7.2 SKIP
2.7.3 MKMP
2.8 Virtual Private Network
Chapter 3 Kerberos
3.1 Introduction
3.2 Terminology
3.2.1 Kerberos Encryption
3.2.2 Kerberos Tickets
3.2.3 Key Distribution Center (KDC)
3.3 The Kerberos Version 5 Model
3.3.1 The Authentication Dialogue
3.3.2 Ticket Flags
3.3.3 Kerberos Realms
3.3.4 Kerberized Applications
Chapter 4 The Design of IP-Based Security Enablers
4.1 The Concept of IP-Based Security Enablers
4.2 Combine IPSec with Kerberos
4.3 The Design of Basic Security Enablers
4.3.1 The Ticket-Based Key Management Protocol
4.3.2 The Security Policy
4.3.3 The IPSec protocol
4.3.4 Secure Tunnel
4.3.5 Basic IP-Based Security Enablers
4.4 The Tunnel Enabler
4.5 The Public-Key Enabler
Chapter 5 The Implementation of IP-Based Security Enablers
5.1 The Network Architecture
5.2 The System Architecture
5.2.1 The AH and ESP Agents
5.2.2 Manual Keying Object
5.2.3 Key Engine
5.2.4 Ticket Database
5.2.5 SA Database
5.2.6 Policy User Interface
5.2.7 Policy Engine
5.2.8 IP Engine
5.2.9 IPSec Engine
5.2.10 Crypto Engine
5.3 The Flowcharts
5.4 System Functions
5.5 Testing
Chapter 6 Analysis
6.1 Security Analysis
6.2 Performance Analysis
6.3 Comparisons
Chapter 7 Conclusions
Bibliography

[1] A. Aziz and M. Patterson, "Design and Implementation of SKIP," INET'95 Conference, June 1995.
[2] R. Atkinson, "Security Architecture for the Internet Protocol," RFC 1825, August 1995.
[3] R. Atkinson, "IP Authentication Header," RFC 1826, August 1995.
[4] R. Atkinson, "IP Encapsulating Security Payload," RFC 1827, August 1995.
[5] M. Bellare and P. Rogaway, "Entity Authentication and Key Distribution," Advances in Cryptography, Springer-Verlag, New York, pp. 232-249, August 1993.
[6] R. Bird, I. Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Molva, and M. Yung, "Systematic Deesign of a Family of Attack-Resistant Authentication Protocols," IEEE Jounal on Selected Areas in Communications 11, No. 5, 679-693, June, 1993.
[7] B. Schneier, Applied Cryptography, 2nd Edition, John Wiley and Sons, 1996.
[8] P. C. Cheng, J. A. Garay, A. Herzberg, H. Krawczyk, "A Security Architecture for the Internet Protocol," IBM Systems Journal, Vol. 37, No.1, 1998.
[9] D. Kosiur, Building and Managing Virtual Private Networks, pp. 91-120, John Wiley and Sons, 1998.
[10] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. Info. Theory, IT-22, pp. 644-654, 1976.
[11] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)," RFC 2409, Nov. 1998.
[12] P. Karn, P. Metzger, and W. Simpson, "The ESP DES-CBC Transform," RFC 1829, August 1995.
[13] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol," RFC 2401, Nov. 1998.
[14] S. Kent and R. Atkinson, "IP Authentication Header," RFC 2402, Nov. 1998.
[15] S. Kent and R. Atkinson , "IP Encapsulating Security Payload (ESP)," RFC 2406, Nov. 1998.
[16] J. Kohl and C. Neuman, "The Kerberos Network Authentication Service (V5)," RFC 1510, Sep. 1993.
[17] J. Kohl, C. Neuman, and T. Ts'o, "The Evolution of the Kerberos Authentication Service," Distributed Open Systems. Los Alamitos, CA: IEEE Computer Society Press, 1994.
[18] X. Lai and J. Massey, "A Proposal for a New Block Encryption Standard," Advances in Cryptology-EUROCRYPT `90, pp. 389-404, 1990.
[19] X. Lai and J. Massey, "Markov Ciphers and Differential Cryptanalysis," Advances in Cryptology-EUROCRYPT `91, pp. 17-38, 1991.
[20] X. Lai and J. Massey, "On the Design and Security of Block Ciphers," Konstanz, Germany: Hartung-Gorre, 1992.
[21] D. McDonald, C. Metz, and B. Phan, "PF_KEY Key Management API, Version 2," RFC 2367, July 1998.
[22] P. Metzger and W. Simpson, "IP Authentication using Keyed MD5," RFC 1828, August 1995.
[23] S. Miller, C. Neuman, J. Schiller, and J. Saltzer, "Kerberos Authentication and Authorization System," Section E.2.1, Project Athena Technical Plan, M.I.T. Project Athena, Oct. 1988.
[24] R. Needham and M. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of ACM, Vol. 21, No. 1, pp. 993-999, Dec. 1978.
[25] C. Neuman and J. Wray, "Public Key Cryptography for Initial Authentication in Kerberos," draft-ietf-cat-kerberos-pk-init-03.txt, 1997.
[26] J. Steiner, C. Neuman, and J. Schiller, "Kerberos: An Authentication Service for Open Networked Systems," Proceedings of the Winter 1998 USENIX Conference, pp. 191-201, Feb. 1988.
[27] W. Stallings, Cryptography and Network Security, 2nd Edition, Prentice-Hall, 1999.

QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top
無相關期刊
 
系統版面圖檔 系統版面圖檔