IPSec协议的远程证明扩展  被引量:2

Remote Attestation Extension for IPSec

在线阅读下载全文

作  者:王剑[1,2] 汪海航[1] 杨健[1,3] 

机构地区:[1]同济大学电子与信息工程学院,上海201804 [2]河南科技大学电子与信息工程学院,洛阳471003 [3]大理学院数学与计算机学院,大理671003

出  处:《计算机科学》2011年第6期49-53,共5页Computer Science

基  金:国家863计划项目(2006AA01Z438)资助

摘  要:传统IPSec协议在建立安全通信连接时,没有考虑终端自身安全问题,而可信计算的远程证明机制就是为被接入方提供接入方的自身安全证明,将其引入IPSec协议可以弥补建立IPSec连接时的终端安全漏洞。首先分析了IPSec协议的IKE协商过程和可信计算技术的远程证明机制,然后以基于数字签名的IKE主模式流程为例,提出在IKE协商阶段引入远程证明机制的IPSec远程证明扩展协议流程及安全分析。该协议引入带有SKAE扩展项的身份证书,实现对终端身份和系统完整性的双重认证,确保端到端的安全连接。协议在保证通信信息的机密性、完整性、新鲜性之外,也充分保护终端平台隐私性。Standard IPSec doesn't provide any guarantees about the integrity of the endpoints when an IPSec linkage is established.And the remote attestation in trusted computing is to provide security evidence of the user for the accessed server.So it can avoid terminal security vulnerability in IPSec to introduce the remote attestation into IPSec.IKE negotiation of IPSec and remote attestation mechanism were analyzed firstly.Then taking IKE main mode based on figure signature for example,an extended IPSec protocol based on remote attestation and its security analysis were presented.In the extended IPSec protocol,remote attestation mechanism was introduced into IKE negotiation.This protocol can complete double authentications including identity and system integrity by using a certificate with a SKAE extension to ensure an end-to-end secure linkage.Besides,the protocol can guarantee not only information's confidentiality,integrity and freshness,but also endpoints' privacy.

关 键 词:IPSEC IKE协商 远程证明 可信计算 完整性度量 

分 类 号:TP309[自动化与计算机技术—计算机系统结构]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象