Identity-Based Secure Inter-Domain Routing Protocol

Cited by: 7


Authors: 王娜 [1,2], 智英建 [2], 张建辉 [2], 程东年 [2], 汪斌强 [2]

Affiliations: [1] School of Electronic Technology, PLA Information Engineering University, Zhengzhou, Henan 450004; [2] School of Information Engineering, PLA Information Engineering University, Zhengzhou, Henan 450002

Source: Journal of Software (软件学报), 2009, No. 12, pp. 3223-3239 (17 pages)

Funding: National Basic Research Program of China (973), No. 2007CB307102; National High-Tech Research and Development Program of China (863), No. 2007AA01Z2A1

Abstract: This paper proposes a secure inter-domain routing protocol built on an identity-based cryptosystem: id²r (identity-based inter-domain routing). id²r consists of a key management mechanism, an origin AS verification mechanism LAP (the longest assignment path), and an AS_PATH authenticity verification mechanism IDAPV (identity-based aggregate path verification). The key management mechanism adopts a distributed and hierarchical key issuing protocol, DHKI, to solve the key escrow problem inherent in identity-based cryptosystems. The basic idea of LAP is that every AS announcing a prefix as reachable must provide the assignment path of that prefix together with attestations for it; for a given prefix, the AS that provides the longest valid assignment path is its legitimate origin AS. Using an identity-based aggregate signature scheme, IDAPV generates a route aggregate attestation that guarantees the authenticity of the AS_PATH attribute.

Performance evaluation on RouteViews data from December 7, 2007 shows that an id²r router consumes only 1.71 Mbytes of additional memory, 38% of that of an S-BGP router; id²r UPDATE messages are noticeably shorter than those of S-BGP; and with a hardware implementation of the cryptographic algorithms, the convergence time of id²r is close to that of BGP.
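The LAP rule above (an AS must present the assignment path of a prefix with attestations, and the longest valid path identifies the legitimate origin) can be illustrated with a small simulation. The code below is an added example and is not from the paper; it does not reproduce the paper's identity-based signature scheme, DHKI or aggregate signatures. Instead, `SimulatedKeyIssuer` stands in for the key issuer by deriving each identity's key from a master secret and signing with HMAC, so that the verifier needs the issuer too (unlike a real identity-based scheme). The registry name `REGISTRY`, the AS names, the prefixes and the rule that the final assignment must cover the announced prefix are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


class SimulatedKeyIssuer:
    """Stand-in for the identity-based key issuer (assumption: not the paper's DHKI).
    Each identity's private key is derived from one master secret and signatures are
    HMACs under that key, so verification here also needs the issuer. This keeps the
    focus on the LAP path rule rather than on identity-based signature mathematics."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret

    def _private_key(self, identity: str) -> bytes:
        return hmac.new(self._master, identity.encode(), hashlib.sha256).digest()

    def sign(self, identity: str, message: bytes) -> bytes:
        return hmac.new(self._private_key(identity), message, hashlib.sha256).digest()

    def verify(self, identity: str, message: bytes, attestation: bytes) -> bool:
        return hmac.compare_digest(self.sign(identity, message), attestation)


@dataclass(frozen=True)
class Assignment:
    assignee: str       # AS (or registry) that receives the prefix
    prefix: str         # prefix being assigned, e.g. "10.1.0.0/16"
    attestation: bytes  # signed by the previous holder in the path


def assignment_message(assignee: str, prefix: str) -> bytes:
    return f"{assignee}|{prefix}".encode()


def make_assignment(issuer: SimulatedKeyIssuer, assigner: str, assignee: str, prefix: str) -> Assignment:
    """Previous holder `assigner` attests that it assigned `prefix` to `assignee`."""
    return Assignment(assignee, prefix, issuer.sign(assigner, assignment_message(assignee, prefix)))


def path_is_valid(issuer: SimulatedKeyIssuer, root: str, origin_as: str,
                  announced_prefix: str, path: List[Assignment]) -> bool:
    """Check one assignment path: it starts at the trusted root, every attestation
    verifies under the previous holder's identity, every prefix nests inside the
    previous one, the last holder is the announcing AS, and the last prefix covers
    the announced prefix (constructed rule)."""
    if not path:
        return False
    announced = ipaddress.ip_network(announced_prefix)
    prev_holder, prev_prefix = root, None
    for step in path:
        msg = assignment_message(step.assignee, step.prefix)
        if not issuer.verify(prev_holder, msg, step.attestation):
            return False
        net = ipaddress.ip_network(step.prefix)
        if prev_prefix is not None and not net.subnet_of(prev_prefix):
            return False
        prev_holder, prev_prefix = step.assignee, net
    return prev_holder == origin_as and announced.subnet_of(prev_prefix)


def legitimate_origin(issuer: SimulatedKeyIssuer, root: str, announced_prefix: str,
                      claims: Dict[str, List[Assignment]]) -> Optional[str]:
    """LAP rule: among ASes claiming to originate `announced_prefix`, the one with the
    longest valid assignment path is the legitimate origin; None if no claim is valid."""
    best, best_len = None, 0
    for origin_as, path in claims.items():
        if path_is_valid(issuer, root, origin_as, announced_prefix, path) and len(path) > best_len:
            best, best_len = origin_as, len(path)
    return best


# Constructed scenario (not from the paper): a registry assigns 10.0.0.0/8 to AS100,
# AS100 sub-assigns 10.1.0.0/16 to AS200, and AS666 tries to claim 10.1.0.0/16.
ROOT = "REGISTRY"
issuer = SimulatedKeyIssuer(b"constructed-master-secret")
to_as100 = make_assignment(issuer, ROOT, "AS100", "10.0.0.0/8")
to_as200 = make_assignment(issuer, "AS100", "AS200", "10.1.0.0/16")
# AS666 holds no registry-issued authority over the prefix, so it can only sign as itself.
forged = make_assignment(issuer, "AS666", "AS666", "10.1.0.0/16")

CLAIMS = {
    "AS200": [to_as100, to_as200],  # valid, length 2
    "AS100": [to_as100],            # valid covering allocation, length 1
    "AS666": [forged],              # attestation not from REGISTRY: invalid
}


def demo() -> Optional[str]:
    return legitimate_origin(issuer, ROOT, "10.1.0.0/16", CLAIMS)


if __name__ == "__main__":
    print("legitimate origin of 10.1.0.0/16:", demo())
```

Running the script selects AS200: its two-step path is valid and longer than AS100's one-step covering allocation, while AS666's self-attested path fails at the first step because the attestation was not produced by the registry. Validation rejects a path on any of three independent checks (attestation, prefix nesting, and final holder/coverage), which is the defensive property the rule relies on: an AS cannot lengthen its path without a genuine attestation from the previous holder.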

Keywords: BGP; security; identity-based; prefix hijacking attack

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
