聚合Nyberg-Rueppel签名数据的一种源自治系统认证方法  

作　　者：杨波[1,2] 

机构地区：[1]江西财经大学信息管理学院,南昌330013 [2]江西省电子商务高水平工程研究中心,南昌330013

出　　处：《小型微型计算机系统》2014年第7期1496-1499,共4页Journal of Chinese Computer Systems

基　　金：国家自然科学基金项目(61163053;61262010)资助;江西省教育厅科技项目(GJJ12735)资助;江西省自然科学基金项目(20132BAB201036);江西省电子商务高水平工程研究中心开放课题资助

摘　　要：IP前缀劫持对互联网安全构成重大威胁.为防范IP前缀劫持,公认的有效手段之一是基于数字签名进行源自治系统认证.由于带宽容量问题,传统的源自治系统认证机制不能支持认证信息的在线发布和验证.为支持认证信息的在线发布和验证,应尽可能降低地址证明创建和验证过程中需要在线传送的数据量.本文充分利用Nyberg-Rueppel签名的特点,将地址证明创建过程中产生的大部分数据进行聚合以降低需要在线传输的数据量,以期克服源自治系统在线验证的带宽障碍,给出了算法完成系统初始化、地址证明的创建、以及地址证明的验证.这种机制所涉及的认证信息字节长度短,约为426 Bytes.由于大幅度降低认证信息的字节长度,本机制能够支持源自治系统认证信息的在线发布和验证.IP prefix hijacking is one of the top known threats on today＇s Internet. The cryptography-based mechanisms are recognized as effective ways for defending against IP prefix hijacking. Most of existing mechanisms of authenticating origin ASes（Autonomous Systems） are not able to support on-line issuing and verifying of these verifying information,mainly because of the problem of bandwidth. For supporting on-line issuing and verifying of these verifying information,the data which need to be transported on-line should be as seldom as possible. In this paper,we make full use of the characteristics of Nyberg-Rueppel signatures,and thus aggregate most of data of signatures which are created in the course of creation and verification of address attestations,so as to reduce the data which need to be transported in on-line mode and thus overcome obstacles brought about by the problem of bandwidth. The algorithms,which are used to complete system initiation,creation of address attestations,and verification of address attestations,are given. In the presented mechanism,the authenticating information,which is about 426 bytes,is short. Because the length of authenticating information is largely reduced,the presented mechanism can support on-line issuing and verifying of authenticating information when authenticating origin ASes.

关 键 词：IP前缀劫持 带宽容量 源自治系统 在线发布和验证 Nyberg-Rueppel签名 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]