Abstract
Version 2 of the Internet Key Exchange protocol (IKEv2) is about to become a standard (an RFC). Analysing the protocol helps in understanding and implementing it correctly, and this paper proposes improvements for the security risks it contains. A security analysis shows that IKEv2 is susceptible to denial of service (DoS) attacks based on IP fragmentation and to man-in-the-middle attacks that use degenerate message types. Against the former, a defence based on an IP address preference list is proposed; against the latter, an improved way of generating keying material based on a shared secret. Analysis indicates that these two measures improve IKEv2's ability to resist DoS attacks and degenerate message attacks. The defence based on the IP address preference list can be used directly when implementing IKEv2, and the improved method of generating keying material can serve as a reference for the next version of the protocol.
Source
Journal of Tsinghua University (Science and Technology) (清华大学学报(自然科学版))
Indexed in: EI, CAS, CSCD, PKU Core Journals
2006, Issue 7, pp. 1274-1277 (4 pages)
Funding
National Natural Science Foundation of China project (60373010)
Keywords
key exchange
security flaw
denial of service attack
degenerate message attack