Chinese text: 8,169 characters
Undergraduate Graduation Project
Literature Translation

Title: Security Analysis of the IP and IPSec Protocols
Student name:
Major and class: Computer Science and Technology, class 2003-1
Student ID: 56
School (Department): School of Computer and Communication Engineering
Supervisor:
Completion date: 6 June 2007

English original

The Analysis of IP and IPSec Protocol's Security Problem

Overview: the OSI model and the TCP/IP protocol suite

The OSI reference model (Open Systems Interconnection reference model) was proposed by the International Organization for Standardization (ISO) and divides network communication into seven layers. The ISO OSI reference model has drawn a good deal of criticism for being over-large and over-complex. It is shown in the following chart.

Graphic 1.1 OSI model and TCP/IP model

The OSI model is of little direct use in practical deployments, yet it is the best tool for understanding how network protocols work internally, and any discussion of network protocols has to refer to it. In the real world of networking, however, it is the TCP/IP protocol suite that has been widely adopted. In the seven-layer OSI model each layer provides services to the layer above it through a service access point, or interface. Layers at the same level on different hosts are called peer layers: host A's presentation layer and host B's presentation layer are peers, host A's session layer and host B's session layer are peers, and so on. The TCP/IP reference model drops the session and presentation layers of the OSI model; their functions are merged into the application layer.

Weaknesses of TCP/IP

The main defect of the IP layer is that it lacks any effective authentication or confidentiality mechanism, and the most important factor in this is the IP address problem. TCP/IP uses the IP address as the sole identifier of a network node, and many TCP/IP services, including the Berkeley r-commands, NFS and the X Window System, authenticate and authorize users on the basis of the source IP address alone. The authenticity and security of the source IP address cu

Because TCP segments and UDP datagrams are encapsulated in IP packets for transmission across the network, they are exposed to the same security threats as the IP layer. Although people have kept devising countermeasures, attacks that exploit the "three-way handshake" used to establish a TCP connection remain hard to avoid. These attacks can be summarized as:

1. source address spoofing, or IP spoofing;
2. source routing spoofing;
3. RIP attacks;
4. authentication attacks;
5. TCP sequence number spoofing;
6. TCP/IP protocol data streams being transmitted in plaintext;
7. TCP SYN flooding attacks, or SYN attacks for short;
8. ease of spoofing.

Network Security

Network security is an indispensable and important factor throughout a data network, for end users and their access as much as for the enterprise network itself, which is no longer closed off from the outside: it is at once a resource and a path into the host computer systems. Originally a network contained only the computers themselves and their applications, and protecting those was the only concern. Confidential data was kept in a single glass-walled computer room and, in the past, guarded by cryptographic means in

These resources are now completely exposed to attack by hackers, fraudsters and vandals, among whom may be some immoral individuals with still uglier motives who set out to destroy; the revolution in Internet and computer technology has changed all of this. Today's computers are fast, cheap and widely available, and they are commonly used to store private and confidential information. In

At the same time, private enterprise networks also need to use the Internet and to interact with it. The Internet holds huge business opportunities in advertising and e-commerce, and for users it has become a must. Fast, cheap, widely available and commonly used to store private and confidential information, it lets people all over the world communicate smoothly, yet its unreliability is no longer conceivable to i

Security can be built on the IP layer, or more precisely into each IP packet in the data stream. In fact we have many means of protecting a network. One can erect a firewall at the perimeter and filter unwanted traffic out of the private network. Application and transport protocols have their own security mechanisms. Other kinds of technology, considering the following several c

1. Both the Internet and enterprise intranets are built on IP. Most proprietary traffic must pass through the IP layer, and proprietary data is carried in IP packets.
2. It can shield and isolate higher-layer applications from security attacks.
3. It serves as a foundation for higher-level security mechanisms.
4. It can be used to build an extensible, secure VPN over the Internet.

To meet the need for security at the IP layer, the IETF formed the IP Security (IPSec) working group. Through its efforts, the working group has already produced network-layer security protocols, mechanisms and services for IPv4 and IPv6.

The services provided by the IPSec framework include:

access control;
data origin authentication (verifying every IP packet);
replay protection (preventing an attacker from capturing a packet and replaying it some time later);
data integrity (verifying that an IP packet was not tampered with in transit);
data confidentiality and encryption (hiding part of the packet by encrypting it);
limited traffic flow confidentiality (concealing the IP address of the original sender);
key management.

The protocols initially defined in the IPSec framework are the Authentication Header (AH), the Encapsulating Security Payload (ESP) and key management.

IPSec: IP-layer security protocol

Why IPSec is needed

IPSec provides security services at the IP layer. It allows a system to select the security protocols it requires, the algorithms used to provide those services, and the keys those services need. IPSec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The set of security services IPSec can provide includes access control, c

When correctly implemented and used, these mechanisms should not adversely affect users, hosts or other parts of the network that do not use them. The mechanisms are also designed to be algorithm-independent. This modularity allows different sets of algorithms to be selected without affecting the other parts of the implementation. For example, different user communications may use different sets of algorithms.

Because the IP packet itself offers no security protection, an attacker can use packet sniffing, IP spoofing, connection hijacking, replay attacks, and methods such as sending packets with identical sequence numbers to crash a system. Data packets are therefore exposed to the following hazards: they may not come from the legitimate sender; the data may be modified in transit; the data content may afterwards be read by others (for instance milit

Analysis of the basic structure of IPSec

The basic structure of IPSec uses the Authentication Header (AH) and the Encapsulating Security Payload (ESP) to provide authentication and encryption: the former implements data integrity, the latter data confidentiality. At the same time, two modes of transmission are defined: transport mode and tunnel mode. In transport mode, the IP header and the upper-layer protocol header of

The IPSec structure includes a large number of protocols and algorithms; the relationships between these protocols are shown below.

Graph 1: Structural Drawing of IPSec protocols

Encapsulating Security Payload (ESP)

ESP provides integrity checking, authentication and encryption, and can be regarded as a "super AH" for IP packets. When encryption is invoked, integrity checking and authentication should be selected along with it, because confidentiality alone does not prevent tampering. If encryption is used by itself, an intruder may forge packets in order to mount cryptanalytic attacks.

The ESP header fields are:
Security Parameters Index
Sequence Number
Padding Length
Next Header

Authentication Header (AH)

The AH protocol provides data origin authentication, data integrity and anti-replay protection. It protects communication against tampering but cannot prevent eavesdropping, so it suits IP communication that carries non-confidential data.

The AH header fields are:
Next Header
Length
Security Parameters Index
Sequence Number
Authentication Data

The future of the IPSec protocol

Today the information superhighway carries more than ever before, but it also faces ever-larger security threats, so the demand for hardware security at every node of the network keeps growing. Yet in the design of many network devices security has been an afterthought. We need to reconsider where, when and on what occasions security properties should be built in. For th

The successor to IP: IPv6

Changes in IPv6

The changes in IPv6 are embodied in five major aspects:
expanded addressing
simplified header format
improved support for extensions and options
flow labeling
authentication and privacy

1. Expanded addressing

IPv6 enlarges the address space from 32 bits to 128 bits. Besides unicast addresses and multicast addresses (which designate a set of one or more hosts that receive a packet), the address structure also adjusts the kinds of address an IP host may obtain. IPv6 drops the broadcast address and replaces it with the anycast address.

2. Simplified header format

The IPv6 header has a fixed length of 40 bytes and contains eight fields, two of which are the source and destination addresses; fragmentation can be performed only by the source node. By contrast the IPv4 header contains at least 12 different fields and is 20 bytes long without options, growing to as much as 60 bytes when options are present. IPv6

3. Improved support for extensions and options

Some packets require special handling, since not every link can carry long transmission units, and routers want as far as possible to avoid forwarding packets to networks that would mishandle them; hop-by-hop options deal with this. In IPv4, options could be appended to the end of the IP header; IPv6 instead places options in separate extension headers. In this way, option headers need only be examined in cas

4. Flow labeling

Some packets may need handling different from others, so that routers can process them without examining every packet's headers in the same depth. In IPv4 all packets are treated roughly alike, which means that each packet is handled by the intermediate routers in their own way. Routers keep no track of the packets sent between any two hosts and therefore cannot "remember" how to versu

5. Authentication and privacy

IPv6 uses security extension headers. The IP Authentication Header (AH) was first described in RFC 1826 (IP Authentication Header). It is the foundation of the virtual private network (VPN), which allows an organization to use the Internet as though it were its own private network for exchanging sensitive information, with all details hidden. The remaining part (the header) is transmitted in the clear, so that if it has been tampered with in transit, or

IPv6 authentication and security

Adding security to IP

IPv4 was intended only as a simple network interconnection protocol and therefore contains no security features. As its importance has grown steadily, the potential damage an attack can cause has become unprecedentedly destructive. If IPv4 had been used only as a research tool, or within relatively closed research, military, educational and government networks rather than as a production network protocol, the lack of security would not have been one s

First we must define the security objectives: authentication, integrity and confidentiality.

Authentication: reliably determining that the data received is the data that was sent, and that the sending entity is what it claims to be.

Integrity: reliably ensuring that the data was not modified on its way from source to destination.

Confidentiality: ensuring that the data can be used or understood only by the intended receiver, and not by any other entity.

Integrity and authentication are often closely related, while confidentiality is sometimes achieved with public-key encryption, which also helps to authenticate the source.

The IPSec security protocol based on IPv6

IPSec's goal is to provide security mechanisms usable with both IPv4 and IPv6, with the services provided by the IP layer. A system uses IPSec to communicate with other systems in a secure manner by negotiating specific security algorithms with them. IPSec provides the necessary tools for a system and its peer to negotiate a mutually acceptable level of security. This means that one system

IPSec may take the following security services into consideration:

Access control: security exchange and user authentication can be used for access control, so that without the correct key a service or system cannot be accessed. Security protocols can be invoked to control the keys.

Connectionless integrity: with IPSec, integrity can be verified on each IP packet individually, without reference to other packets. Each packet is independent and can be verified on its own. This function is accomplished with secure hash technology; it is analogous to a checksum, but far more reliable and far less open to tampering by unauthorized entities.

Data origin authentication: IPSec provides a further security service, identification of the source of an IP packet. This function is accomplished with a digital signature algorithm.

Protection against packet replay attacks: in a replay attack the attacker sends a destination host a packet that it has already received, consuming the receiving system's resources; such attacks harm system availability. Because IP is a connectionless protocol, it is very easy to replay. To counter this, IPSec provides a packet counter mechanism.

Encryption: provided through encryption, it means that only correctly authenticated parties may access the data and everyone else is denied.

Limited traffic flow confidentiality: sometimes it is not enough to protect a system merely by encrypting the data. Once the endpoints of an encrypted exchange are known, the frequency and volume of that exchange can still leak other information, and a determined attacker can gather enough information to disrupt or confuse the system. Through IP tunneling, especially between security gateways, IPSec provides limite

IPv6 security headers

At present, under two RFCs, the full set of IPSec security services is provided by the mechanisms attached to the AH and Encapsulating Security Payload (ESP) headers, together of course with the related key management protocols. AH is described in RFC 1826 (IP Authentication Header), and the ESP header in RFC 1827 (IP Encapsulating Security Payload). These RFCs and the IP security architecture RFC

IPv6 security headers fall into two broad categories: the authentication header and the encapsulating security payload header.

Authentication header

The functions of AH are as follows:

(1) It provides a strong integrity service, meaning that AH can be used to carry authentication data for the contents of an IP datagram.
(2) It provides strong authentication, meaning that AH can be used to bind the contents of an IP datagram to the entity that sent it.
(3) If a public-key digital signature algorithm is used in the integrity service, AH can provide non-repudiation for the IP datagram.
(4) Its sequence number field prevents replay attacks.

AH can be used in tunnel mode or in transport mode. It can therefore be used between two nodes to directly authenticate and protect the datagrams they carry, and also by a security gateway to encapsulate entire datagrams sent to or emitted from the gateway.

Encapsulating security payload header

ESP exists to provide a somewhat different set of services, some of which overlap with those of AH, that both be ES