Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network

Xi QIN, Guodong TANG, Chaowen CHANG, Ruiyun WANG

Citation: Xi QIN, Guodong TANG, Chaowen CHANG, Ruiyun WANG. Packet Forwarding Authentication Mechanism Based on Cipher Identification in Software-defined Network[J]. Journal of Electronics & Information Technology, 2018, 40(9): 2042-2049. doi: 10.11999/JEIT171226
Funds: The National Natural Science Foundation of China (61572517)
Details
    About the authors:

    Xi QIN: female, born in 1978, associate professor and master's supervisor; research interests: SDN security, trusted computing

    Guodong TANG: male, born in 1992, master's student; research interest: SDN security

    Chaowen CHANG: male, born in 1965, professor and doctoral supervisor; research interests: network security, situational awareness

    Ruiyun WANG: female, born in 1992, master's student; research interest: formal verification of protocols

    Corresponding author:

    Guodong TANG  tgdhooping@163.com

  • CLC number: TP393

  • Abstract: To address the lack of a secure and efficient data-origin verification mechanism in software-defined networking (SDN), this paper proposes a packet forwarding verification mechanism based on cipher identification. First, a packet forwarding verification model based on cipher identification is established, in which the cipher identification serves as the pass that an IP packet needs to enter and leave the network. Second, an SDN batch anonymous authentication protocol is designed that delegates the verification function of the SDN controller to the SDN switches: the switches perform user identity verification and cipher identification verification, quickly filter illegal packets such as forged or tampered ones, improve the efficiency of unified authentication and management at the SDN controller, and at the same time provide users with conditional privacy protection. A packet sampling verification scheme at an arbitrary node, also based on cipher identification, is then proposed, so that no attacker can bypass packet inspection by inferring where sampling takes place; this guarantees packet authenticity while reducing processing delay. Finally, a security analysis and a performance evaluation are carried out. The results show that the mechanism quickly detects packet forgery and tampering and resists ID analysis attacks, while introducing about 9.6% forwarding delay and less than 10% communication overhead.
  • Figure 1  Packet forwarding verification model based on cipher identification

    Figure 2  Generating the identity base

    Figure 3  SDN batch anonymous authentication

    Figure 4  Network throughput under different detection factors h

    Figure 5  Detection accuracy

    Figure 6  CDF of forwarding delay

    Table 1  Flow-entry generation algorithm for packet sampling verification at an arbitrary node

     Algorithm 1  Flow-entry generation for packet sampling verification at an arbitrary node
     Input: unmatched packet ${P_i}$; detection factor $h$
     Output: flow entries; group entries; shared key ${k_i}$
     (1)  ${\rm{PID}}_i \leftarrow {\rm{getPID}}\left( {{P_i}} \right)$;
     (2)  ${\rm{SwitchID}} \leftarrow {\rm{getSwitchID}}\left( {{P_i}} \right)$;
     (3)  ${\rm{SrcIP}}_i \leftarrow {\rm{getSrcIP}}\left( {{P_i}} \right)$;
     (4)  ${\rm{RID}}_i \leftarrow {\rm{PID}}_i \oplus {H_0}\left( {b{W_i}} \right)$;
     (5)  get ${\rm{Lifetime}}_i, {k_i}$ by querying ${L_c}$ according to ${\rm{RID}}_i$;
     (6)  $\alpha = {\rm{ValidityCheck}}\left( {{\rm{Lifetime}}_i} \right)$;
     (7)  if $\alpha == 0$ /* ${\rm{RID}}_i$ has expired */
     (8)    setFlowEntry(SwitchID; ${\rm{SrcIP}}_i$; drop);
     (9)  else /* ${\rm{RID}}_i$ is valid */
     (10)   select an optimized ${\rm{Path}}_i$ for unmatched packet ${P_i}$;
     (11)   ${L_i} \leftarrow {\rm{getLength}}\left( {{\rm{Path}}_i} \right)$;
     (12)   randomly select $x \in Z_q^*$;
     (13)   $k \leftarrow x \bmod {L_i}$;
     (14)   for $j = 1;\; j \le {L_i};\; j{+}{+}$
     (15)     SwitchID $\leftarrow {\rm{getSwitchID}}\left( {{\rm{Path}}\left( j \right)} \right)$;
     (16)     if $j \ne k$
     (17)       setFlowEntry(SwitchID; ${C_i}$; Forward); /* ${C_i}$ is the match field */
     (18)     else
     (19)       SwitchID $\leftarrow {\rm{getSwitchID}}\left( {{\rm{Path}}\left( k \right)} \right)$;
     (20)       setFlowEntry(SwitchID; ${C_i}$; Group); /* ${C_i}$ is the match field */
     (21)       setGroupTable(SwitchID; select; h; Forward, Verify-MAC);
     (22)       send ${k_i}$ to SwitchID by TLS;
     (23)     end if
     (24)   end if
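To make the controller side of Algorithm 1 concrete, the following Python is an added example and not code from the paper: it derives ${\rm{RID}}_i$ as in step (4), checks the lifetime against the controller table, picks the sampling hop along the path, emits the flow and group entries, and includes the Verify-MAC check that the sampling switch runs under ${k_i}$. Assumptions, none of which the paper fixes: $H_0$ is instantiated as SHA-256 truncated to 32 bits, the MAC as HMAC-SHA256, the match field ${C_i}$ as (source IP, PID), the lifetime as an expiry timestamp, and $k$ is taken in $1..L_i$ because the table's $x \bmod L_i$ can be 0, which would match no hop of the loop in step (14).

```python
import hashlib
import hmac
import secrets

Q = (1 << 256) - 189  # constructed stand-in for the group order q of Z_q^*


def h0(data: bytes) -> int:
    """H0 from step (4); instantiated here as SHA-256 truncated to 32 bits (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def derive_rid(pid: int, bw: bytes) -> int:
    """Step (4): RID_i = PID_i XOR H0(bW_i)."""
    return pid ^ h0(bw)


def generate_entries(packet, lc, path, h, now, rng=lambda: secrets.randbelow(Q - 1) + 1):
    """Algorithm 1 on the controller. packet: {pid, bw, src_ip, switch}; lc: the
    controller table RID -> {lifetime, key}; path: ordered switch IDs of Path_i.
    Returns (flow_entries, group_entries, (sampling_switch, k_i) to deliver over TLS)."""
    rid = derive_rid(packet["pid"], packet["bw"])                  # step (4)
    rec = lc.get(rid)                                              # step (5)
    if rec is None or rec["lifetime"] <= now:                      # steps (6)-(8): expired/unknown
        return [(packet["switch"], packet["src_ip"], "drop")], [], None
    match = ("ip_src", packet["src_ip"], "pid", packet["pid"])     # C_i (assumed match fields)
    num_hops = len(path)                                           # step (11): L_i
    k = rng() % num_hops + 1      # steps (12)-(13), shifted to 1..L_i so one hop is always chosen
    flows, groups = [], []
    for j, sw in enumerate(path, start=1):                         # steps (14)-(23)
        if j != k:
            flows.append((sw, match, "forward"))
        else:                                                      # the sampling hop
            flows.append((sw, match, "group"))
            groups.append((sw, "select", h, ("forward", "verify_mac")))
    return flows, groups, (path[k - 1], rec["key"])                # step (22): k_i to that switch


def make_mac(key: bytes, payload: bytes) -> bytes:
    """Tag a packet under the shared key k_i (HMAC-SHA256 is an assumed instantiation)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Verify-MAC bucket of the select group on the sampling switch; constant-time compare."""
    return hmac.compare_digest(make_mac(key, payload), tag)
```

With the detection factor h, the select group forwards a fraction 1-h of matching packets untouched and sends a fraction h through verify_mac; an attacker who cannot tell which hop holds the group entry cannot target the unsampled ones.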

    Table 2  Numbers of switches and hosts

    Network parameter            Value
    Network topology             Fattree
    Number of core switches      64
    Number of aggregation switches  128
    Number of edge switches      128
    Number of hosts              512

    Table 3  Authentication overhead

    Scheme | Number of parties | Communication overhead | User computation cost | SDN controller (server) computation cost | SDN switch computation cost
    Ref. [18] | 2 | 3|G|+4|ID|+2 $|Z_q^*|$ | 7 ${T_{\rm em}}$+2 ${T_{\rm ea}}$ | 5 ${T_{\rm em}}$+2 ${T_{\rm ea}}$ | $\left( {3n + 1} \right){T_{\rm em}}$+ $\left( {4n - 1} \right){T_{\rm ea}}$
    Ref. [19] | 2 | 2|G|+4|ID|+4 $|Z_q^*|$ | 7 ${T_{\rm em}}$+ ${T_{\rm ea}}$ | 7 ${T_{\rm em}}$+ ${T_{\rm ea}}$
    This paper | 3 | 5|G|+3|ID|+2 $|Z_q^*|$ | 5 ${T_{\rm em}}$+ ${T_{\rm ea}}$ | 2 ${T_{\rm em}}$
    Note: "–" indicates that the item does not exist; n is the number of users received by an SDN switch per unit time.
References
  • [1] MCKEOWN N. Software-defined networking[C]. IEEE International Conference on Computer Communications, Rio de Janeiro, Brazil, 2009: 30–32.
    [2] NUNES B, MENDONCA M, NGUYEN X, et al. A survey of software-defined networking: Past, present, and future of programmable networks[J]. IEEE Communications Surveys & Tutorials, 2014, 16(3): 1617–1634. doi: 10.1109/SURV.2014.012214.00180
    [3] WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software defined networking: Security model, threats and mechanism[J]. Journal of Software, 2016, 27(4): 969–992. doi: 10.13328/j.cnki.jos.005020
    [4] LIU Hongqiang, WU Xin, ZHANG Ming, et al. zUpdate: Updating data center networks with zero loss[J]. Computer Communication Review, 2013, 43(4): 411–422. doi: 10.1145/2486001.2486005
    [5] LI Dan, SHANG Yunfei, and CHEN Congjie. Software defined green data center network with exclusive routing[C]. IEEE International Conference on Computer Communications, Toronto, Canada, 2014: 1743–1751.
    [6] DHAWAN M, PODDAR R, MAHAJAN K, et al. SPHINX: Detecting security attacks in software-defined networks[C]. Network and Distributed System Security Symposium, San Diego, USA, 2015: 1–15.
    [7] LI Jie, WU Jianping, XU Ke, et al. An hierarchical inter-domain authenticated source address validation solution[J]. Chinese Journal of Computers, 2012, 35(1): 85–100. doi: 10.3724/SP.J.1016.2012.00085
    [8] YAO Guang, BI Jun, and XIAO Peiyao. Source address validation solution with OpenFlow/NOX architecture[C]. IEEE International Conference on Network Protocols, Vancouver, Canada, 2011: 7–12.
    [9] SUN Peng. Source address validation methods based on SDN[J]. Electronics Optics & Control, 2016, 23(3): 49–53. doi: 10.3969/j.issn.1671-637X.2016.03.012
    [10] LIU Bingyang, BI Jun, and ZHOU Yu. Source address validation in software defined networks[C]. ACM Conference on SIGCOMM, Florianópolis, Brazil, 2016: 595–596.
    [11] KIM H, BASESCU C, JIA L, et al. Lightweight source authentication and path validation[C]. ACM Conference on SIGCOMM, Chicago, USA, 2014: 271–282.
    [12] TAKAYUKI S, CHRISTOS P, TAEHO L, et al. SDNsec: Forwarding accountability for the SDN data plane[C]. International Conference on Computer Communication and Networks, Hawaii, USA, 2016: 1–10.
    [13] CHEN Yue, JIA Hongyong, TAN Pengxu, et al. Host's source address verification based on stream authentication in the IPv6 access subnet[J]. Journal of Communications, 2013, 34(1): 171–178. doi: 10.3969/j.issn.1000-436x.2013.01.019
    [14] DONG Ping, QIN Yajuan, and ZHANG Hongke. Research on universal network supporting pervasive services[J]. Acta Electronica Sinica, 2007, 35(4): 599–606.
    [15] FARINACCI D, MEYER D, ZWIEBEL J, et al. The locator/id separation protocol (LISP) for multicast environments[S]. Internet Draft, draft-farinacci-lisp-15.txt, 2011.
    [16] XU Zhiyan, WU Libing, LI Li, et al. Provably secure certificateless aggregate signature scheme in wireless roaming authentication[J]. Journal of Communications, 2017, 38(7): 123–130. doi: 10.11959/j.issn.1000-436x.2017152
    [17] HORNG S, TZENG S, PAN Y, et al. b-SPECS+: Batch verification for secure pseudonymous authentication in VANET[J]. IEEE Transactions on Information Forensics & Security, 2013, 8(11): 1860–1875. doi: 10.1109/TIFS.2013.2277471
    [18] XIE Yong, WU Libing, ZHANG Yubo, et al. Anonymous mutual authentication and key agreement protocol in multi-server architecture for VANETs[J]. Journal of Computer Research and Development, 2016, 53(10): 2323–2333. doi: 10.7544/issn1000-1239.2016.20160428
    [19] ZHOU Yanwei, YANG Bo, and ZHANG Wenzheng. An improved two-party authenticated certificateless key agreement protocol[J]. Chinese Journal of Computers, 2017, 40(5): 1181–1191. doi: 10.11897/SP.J.1016.2017.01181
Publication history
  • Received: 2017-12-26
  • Revised: 2018-06-01
  • Published online: 2018-07-12
  • Issue date: 2018-09-01