Project title: Research on a Network Layer Trusted Identity Authentication Mechanism for Network Virtualization
Project number: No.61772384
Project type: General Program
Approval year: 2018
Discipline: Automation technology, computer technology
Principal investigator: 余发江
Affiliation: Wuhan University
Funding amount: 160,000 CNY
Chinese abstract: Under the current Internet architecture, intermediate network devices cannot authenticate the source host and user of a packet at the network layer, which leads to a large number of network security incidents and makes tracing and locating the source extremely difficult. Existing mechanisms focus on authentication at the destination host, in the application layer, or at network access time. This project proposes a network layer trusted identity authentication mechanism in which intermediate nodes can check whether a packet was sent by a trusted host and user. In this mechanism, the host identity is denoted by a Trusted Platform Module (TPM) identity key and the user identity by an eID; the source host only needs to perform signature-based authentication and MAC key agreement with the destination host at the application layer, and from that key derives a broadcast homomorphic MAC that serves as the identity proof, so it neither negotiates a key with every intermediate node nor generates a separate MAC value for each one. The mechanism supports IP fragmentation: an intermediate node combines the partial proof information it obtains and, using the authorization code granted by the source host, completes the identity authentication. The project plans to implement intermediate-node network layer authentication on SDN controllers and OpenFlow switches; these network virtualization technologies separate the data plane from the control plane, can readily evolve on top of the existing Internet architecture, and bring new ideas to network security.
Chinese keywords: Trusted computing platform; Trusted Platform Module; network layer authentication; network virtualization; homomorphic MAC
English abstract: With the current Internet architecture, intermediate devices cannot authenticate the identities of the source host and user, so many network security issues arise and source tracing is very difficult. Existing mechanisms pay more attention to identity authentication at the destination endpoint, in the application layer, or during network access. This proposal plans to develop a network layer trusted identity authentication mechanism in which an intermediate node can check whether a network packet was sent by a trusted source host and user. In this mechanism, the host is identified by the TPM (Trusted Platform Module) identity key and the user by the eID; the source host only needs to carry out a signature-based identity authentication and a MAC (Message Authentication Code) key negotiation in the application layer, then generate one broadcast homomorphic MAC as identity proof information, and does not need to negotiate a key with every intermediate node or generate a MAC for every intermediate node. The mechanism supports IP fragmentation: an intermediate node can combine the partial identity proof information carried by the fragments and complete the identity authentication based on the authorization code provided by the source host. This proposal plans to deploy this network layer trusted identity authentication mechanism on the SDN (Software-Defined Networking) controller and OpenFlow switch, which are network virtualization devices that separate the control plane from the data plane. Network virtualization technology can evolve on top of the current Internet architecture and devices, offering new approaches to network security.
English keywords: Trusted Computing Platform; Trusted Platform Module (TPM); Network Layer Identity; Network Virtualization; Homomorphic MAC