Xi QIN, Guodong TANG, Chaowen CHANG, Ruiyun WANG
Information Engineering University, Zhengzhou 450001, China
Funds: The National Natural Science Foundation of China (61572517)
Author biographies:
Xi QIN: female, born 1978, associate professor and master's supervisor; research interests: SDN security, trusted computing
Guodong TANG: male, born 1992, master's student; research interest: SDN security
Chaowen CHANG: male, born 1965, professor and doctoral supervisor; research interests: network security, situational awareness
Ruiyun WANG: female, born 1992, master's student; research interest: formal verification of protocols
Corresponding author: Guodong TANG, tgdhooping@163.com
CLC number: TP393
Publication history
Received: 2017-12-26
Revised: 2018-06-01
Published online: 2018-07-12
Published in issue: 2018-09-01
Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network
Abstract
Abstract: Software-Defined Networking (SDN) lacks a secure and efficient mechanism for verifying the source of data packets. To address this, a packet forwarding authentication mechanism based on cipher identification is proposed. First, a packet forwarding authentication model based on cipher identification is established, in which the cipher identification serves as a passport for IP packets entering and leaving the network. Second, an SDN batch anonymous authentication protocol is designed that delegates the controller's verification function to the SDN switches: each switch performs user authentication and cipher identification verification and quickly filters forged, tampered and other illegal packets, which improves the efficiency of unified authentication and management at the SDN controller while providing users with conditional privacy protection. Third, a cipher-identification-based packet sampling verification scheme for arbitrary nodes is proposed, in which an attacker cannot bypass packet inspection by inferring which packets will be sampled; this preserves packet authenticity while reducing processing delay. Finally, a security analysis and a performance evaluation are carried out. The results show that the mechanism quickly detects packet forgery and tampering and resists ID analysis attacks, at the cost of roughly 9.6% additional forwarding delay and less than 10% communication overhead.
Key words: Software-Defined Network (SDN)/
Cipher identification/
Data source authentication/
Conditional privacy
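The abstract describes four moving parts: a per-packet cipher identification that acts as the packet's passport, verification delegated from the controller to the switches, a pseudonymous identity that the controller alone can re-identify (conditional privacy), and sampling at intermediate nodes that a sender cannot predict. The following toy model, added here as an illustration and not the paper's own protocol (the page does not give its message formats or key management), instantiates each part with standard primitives: the cipher identification is assumed to be a truncated HMAC-SHA256 over the packet's binding fields under a per-user key, the pseudonym an HMAC of the user identity under a controller-only key, and the sampling decision a keyed PRF over the packet. All names, key sizes and the 8-byte tag length are assumptions for the example.

```python
"""Toy model of cipher-identification forwarding verification (added illustration).

NOT the paper's protocol; assumed design: truncated HMAC-SHA256 tags under per-user
keys, HMAC-derived pseudonyms under a controller-only master key, and keyed-PRF
sampling so a sender cannot predict which packets a node will check.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

TAG_LEN = 8     # assumed truncated tag length in bytes
PSEUDO_LEN = 8  # assumed pseudonym length in bytes


@dataclass
class Packet:
    pseudonym: bytes  # carried instead of the real user identity
    src: str
    dst: str
    payload: bytes
    tag: bytes = b""  # cipher identification, filled in by stamp()


def cipher_id(user_key: bytes, pkt: Packet) -> bytes:
    """Cipher identification: keyed MAC over the fields that bind the packet to its source."""
    mac = hmac.new(user_key, digestmod=hashlib.sha256)
    for part in (pkt.pseudonym, pkt.src.encode(), pkt.dst.encode(), pkt.payload):
        mac.update(len(part).to_bytes(4, "big"))  # length prefix: no field-boundary ambiguity
        mac.update(part)
    return mac.digest()[:TAG_LEN]


def stamp(user_key: bytes, pkt: Packet) -> Packet:
    """Host side: attach the cipher identification before the packet enters the network."""
    pkt.tag = cipher_id(user_key, pkt)
    return pkt


class Controller:
    """Holds the master key and the pseudonym-to-identity index (conditional privacy).
    Only (pseudonym, user_key) pairs are pushed down to switches, never identities."""

    def __init__(self) -> None:
        self.master = os.urandom(32)
        self.index: dict[bytes, str] = {}

    def register(self, user_id: str) -> tuple[bytes, bytes]:
        uid = user_id.encode()
        pseudonym = hmac.new(self.master, b"pid|" + uid, hashlib.sha256).digest()[:PSEUDO_LEN]
        user_key = hmac.new(self.master, b"key|" + uid, hashlib.sha256).digest()
        self.index[pseudonym] = user_id
        return pseudonym, user_key

    def trace(self, pseudonym: bytes) -> str | None:
        """Re-identify a misbehaving pseudonym; switches cannot do this."""
        return self.index.get(pseudonym)


class Switch:
    """Switch side: verification delegated by the controller, plus unpredictable sampling."""

    def __init__(self, sample_key: bytes, sample_rate: float) -> None:
        self.keys: dict[bytes, bytes] = {}
        self.sample_key = sample_key
        self.threshold = int(sample_rate * 2**32)

    def install(self, pseudonym: bytes, user_key: bytes) -> None:
        self.keys[pseudonym] = user_key

    def should_sample(self, pkt: Packet) -> bool:
        """Keyed PRF over the packet: the same packet always gets the same decision at
        this node, but a sender without sample_key cannot tell which packets are checked."""
        h = hmac.new(self.sample_key, pkt.tag + pkt.payload, hashlib.sha256).digest()
        return int.from_bytes(h[:4], "big") < self.threshold

    def verify(self, pkt: Packet) -> bool:
        user_key = self.keys.get(pkt.pseudonym)
        if user_key is None:  # unknown pseudonym: treat as forged
            return False
        return hmac.compare_digest(cipher_id(user_key, pkt), pkt.tag)

    def forward(self, pkt: Packet) -> str:
        """Return 'forward', 'drop', or 'forward-unchecked' (not sampled at this node)."""
        if not self.should_sample(pkt):
            return "forward-unchecked"
        return "forward" if self.verify(pkt) else "drop"


if __name__ == "__main__":
    ctrl = Controller()
    pid, key = ctrl.register("alice")
    ingress = Switch(sample_key=os.urandom(32), sample_rate=1.0)  # ingress checks every packet
    ingress.install(pid, key)
    good = stamp(key, Packet(pid, "10.0.0.1", "10.0.0.2", b"hello"))
    tampered = Packet(pid, "10.0.0.1", "10.0.0.2", b"hellp", good.tag)
    print(ingress.forward(good), ingress.forward(tampered), ctrl.trace(pid))
```

In this model the ingress switch runs with `sample_rate=1.0` and rejects every packet whose tag does not verify, while core nodes would run with a lower rate and their own `sample_key`; because the decision is a keyed function of the packet rather than a counter or a clock, an attacker cannot learn a pattern of unchecked slots to slip forged packets through. Two caveats a deployment would have to settle that this toy ignores: an 8-byte tag bounds a blind forgery at 2^-64 per attempt but gives no replay protection (the real scheme needs a freshness field in the MAC input), and the pseudonym is fixed per user here, so linkability across flows is exactly what the paper's batch anonymous protocol is meant to limit.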
Full-text PDF download:
https://jeit.ac.cn/article/exportPdf?id=b5365ca0-78a5-4e89-932b-8373031da3a0