ZHANG Ling-ling,PAN Xue-zeng,CUI Yu-zeng

2005-01-01

Abstract:Comparing the difference between IKEv2 and IKE,the advantages of IKEv2 on the complex of the implementation and the low delay were analyzed.The message exchange and the generation of various keys of IKEv2 was introduced, an implementation approach of IKEv2 using the security coprocessor were proposed.This implementation can accelerate the process of key generation,message encryption and integrity verify check.

Jianqing Fu,Xiaoning Jiang,Lingdi Ping,Rong Fan

DOI: https://doi.org/10.1109/icime.2009.14

2009-01-01

Abstract:In this paper, we identify a vulnerability of IEEE 802.11 wireless Mesh LANs in which a compromised mesh point can still receive data from other mesh points. Then we propose a new protocol that can counter this attack by considering the effective period of both the mesh points (MPs) when decide the lifetime of the key shared between them. We also amend 802.11s draft in order not to bring about a fundamental change to the whole key hierarchy, and propose a protocol to refresh the shared key when it expired. Then we prove the security of the protocol using protocol composition logic (PCL).

杜全文,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.039

2002-01-01

Abstract:It is necessary to implement IKE protocol when using IPSec protocol to ensure IP security.This paper describes how to implement a typical IKE message exchange by multithread in detail.

Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

GAO Xiang,MA Hong-tu

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.24.012

2007-01-01

Abstract:IETF issuing IKEv2 protocol has made IKEv2 a RFC standard document. IKEv2 has been a new generation standard of Internet key exchange. IKEv2 has roundly optimized and improved IKEv1. To compare the key exchange character of IKEv2 to IKEv1, an implementation scheme of IKEv2 protocol based on Linux is put forward. And then a simulation experiment is done for these two key exchange versions. The negotiation efficiency of DCEv1 and IKEv2 according to the simulation results is analyzed and compared.

Ya Hang Zhang,BoWen Cheng,Sihan Qing,Guang N. Zou,Weiping Wen

DOI: https://doi.org/10.1117/12.855391

2010-01-01

Abstract:To solve the conflict between TCP accelerating technology based on PEP middle node and IPSec protocol used in the Satellite Network, NASA and the Hughes Research Laboratory (HRL) each independently proposed a solution named Multilayer IPsec protocol which can integrate IPSec with TCP PEPs. The problem is: Traditional IKE protocol can't work with Multilayer IPSec protocol. In this study, the traditional IKE main mode and quick mode are enhanced for layered IPSec protocol, and an improved layered key distribution protocol: ML-IKE is proposed. This key distribution protocol is used for key exchange between peers and middle node, so that different nodes have different security associations (SA), and different security associations correspond to different IP packet fields, so different SA nodes have different authorization to different IP packet fields. ML-IKE protocol is suitable for layered IPSec, thus layered IPSec can be used for automatic key distribution and update.

邢新景,张朝阳,王匡

DOI: https://doi.org/10.3969/j.issn.1003-8329.2003.04.009

2003-01-01

Wireless Communication Technology

Abstract:The WEP security algorithm used in IEEE 802.11 wireless LAN is introduced. Under the basis of a systematical analysis, flaws embedded in WEP are pointed out, and correspondingly, several attacking methods are provided to prove the weakness of WEP. The upgraded version of WEP algorithm-TKIP was also introduced and analyzed. At last, some potential solutions to the security problems are also proposed in using existing IEEE 802.11 equipments.

Liu Xiang-jiang

2009-01-01

Abstract:Since the Point-to-Point protocol (PPP) provides no protection for the negotiations of algorithms, the Internet key exchange (IKE) protocol is introduced into PPP for the negotiations of shared keys and authentication, compression and encryption algorithms. Through the integrity protection of the control messages, this method effectively solves the security problem of negotiations in PPP. The analysis of the method shows that it is much more secure and more effective than the original PPP.

Jun Lei,Xiaoming Fu,Dieter Hogrefe,Jianrong Tan

DOI: https://doi.org/10.1016/j.cose.2007.01.001

IF: 5.105

2007-01-01

Computers & Security

Abstract:IEEE 802.11 wireless LAN has become one of the hot topics on the design and development of network access technologies. In particular, its authentication and key exchange (AKE) aspects, which form a vital building block for modern security mechanisms, deserve further investigation. In this paper we first identify the general requirements used for WLAN authentication and key exchange (AKE) methods, and then classify them into three levels (mandatory, recommended, and additional operational requirements). We present a review of issues and proposed solutions for AKE in 802.11 WLANs. Three types of existing methods for addressing AKE issues are identified, namely, the legacy, layered and access control-based AKE methods. Then, we compare these methods against the identified requirements. Based on the analysis, a multi-layer AKE framework is proposed, together with a set of design guidelines, which aims at a flexible, extensible and efficient security as well as easy deployment.

Yunxiao Sun,Bailing Wang,Hongri Liu,Yuliang Wei,Di Wu,Jing Wang

DOI: https://doi.org/10.1155/2022/2605684

2022-01-01

Wireless Communications and Mobile Computing

Abstract:The IPSec has been a widely used VPN (virtual private network) protocol due to its security and convenience. The security of IPsec itself plays a fundamental role in the overall security of the application system. However, it can be found from the existing research that because of some insecurity issues in the application process, the IPsec protocol will suffer from the man-in-the-middle attack. In this paper, we constructed the first experiment environment of IKE (Internet Key Exchange) man-in-the-middle detecting, use normal distribution to detect the RTT (round-trip time), and get 90% of accuracy.

SUN Wei-ping,YIN Xia,SHI Xin-gang

2006-01-01

Journal of Computer Applications

Abstract:A black box testing method aiming at IKE(Internet Key Exchange) protocol performance was proposed,which was based on the self-developed platform of protocol integrated test system. Flexible test suite was designed according to characteristics of IKE,and the IKE performance testing was done on one actual host,all kinds of parameters' impact on IKE performance was analyzed. This test method is applicable to IKE tests in different devices.

Geoff Twardokus,William Joslin,Benjamin Carini,Hanif Rahbari,William Layton

2024-11-25

Abstract:Within 1-2 decades, quantum computers are expected to obsolesce current public-key cryptography, driving authorities such as IETF and NIST to push for adopting quantum-resistant cryptography (QRC) in ecosystems like Internet Protocol Security (IPsec). However, IPsec struggles to adopt QRC, primarily due to the limited ability of Internet Key Exchange Protocol Version 2 (IKEv2), which establishes IPsec connections, to tolerate the large public keys and digital signatures of QRC. Many solutions (e.g., IETF RFCs) are proposed to integrate QRC into IKEv2, but remain largely untested in practice. In this paper, we measure the performance of these proposals over the Internet by designing and implementing a novel, scalable, and flexible testbed for quantum-resistant IPsec, and we expose the serious shortcomings of existing proposals for quantum-resistant IKEv2 when deployed in constrained (e.g., lossy, rate-limited) networks. Through experimental deployments ranging from cloud-based virtual networks to hardware-in-the-loop wireless links between software-defined radios, as well as deployment on the international FABRIC testbed for next-generation networks, we show that today's solutions for quantum-resistant IPsec are insufficient, necessitating development of better approaches.

Networking and Internet Architecture

Wang Changji,Yang Bo,Wu Jianping

DOI: https://doi.org/10.1007/s11767-005-0007-z

2005-01-01

Abstract:In 1999, Seo and Sweeney proposed a simple authenticated key agreement protocol that was designed to act as a Diffie-Hellman key agreement protocol with user authentication. Various attacks on this protocol are described and enhanced in the literature. Recently, Ku and Wang proposed an improved authenticated key agreement protocol, where they asserted the protocol could withstand the existing attacks. This paper shows that Ku and Wang’s protocol is still vulnerable to the modification attack and presents an improved authenticated key agreement protocol to enhance the security of Ku and Wang’s protocol. The protocol has more efficient performance by replacing exponentiation operations with message authentication code operations.

Weiping Sun,Xia Yin,Xingang Shi

2006-01-01

Abstract:The performance of the IKE protocol will much affect the performance of IPSec. In this paper, a test system for performance of IKE protocol was designed and verified. After having analyzed the test requirements of IKE's performance, this paper designed a black box test system which satisfies the performance test requirements. This test system is formed by the self-developed platform of protocol integrated test system, the extensible test suite and the IKE reference implementation. By using this test system, the IKE protocol performance was tested and the impacts of different parameters on the IKE protocol performance are analyzed. The feasibility of test system was verified.

Wei Yang,Pla Information

2003-01-01

Abstract:The exploitation of security gateway or security router is based on the deep understanding of IPSec protocols.In fact, IKE protocol can realize th e automated management of IPSec security parameters, and has high superiority i n technique.From the point of view of realizing IKE protocol, this paper explai ns how IKE daemon thread works,and analyzes emphatically message negotiations o f IK E protocol.

Zhen Cao,Zhi Guan,Zhong Chen,Jian-Bin Hu,Li-Yong Tang

DOI: https://doi.org/10.1007/s11390-010-9330-4

2010-01-01

Abstract:Denial-of-Service (DoS) attacks are virulent to both computer and networked systems. Modeling and evaluating DoS attacks are very important issues to networked systems; they provide both mathematical foundations and theoretic guidelines to security system design. As defense against DoS has been built more and more into security protocols, this paper studies how to evaluate the risk of DoS in security protocols. First, we build a formal framework to model protocol operations and attacker capabilities. Then we propose an economic model for the risk evaluation. By characterizing the intruder capability with a probability model, our risk evaluation model specifies the “Value-at-Risk” (VaR) for the security protocols. The “Value-at-Risk” represents how much computing resources are expected to lose with a given level of confidence. The proposed model can help users to have a better understanding of the protocols they are using, and in the meantime help designers to examine their designs and get clues of improvement. Finally we apply the proposed model to analyze a key agreement protocol used in sensor networks and identify a DoS flaw there, and we also validate the applicability and effectiveness of our risk evaluation model by applying it to analyze and compare two public key authentication protocols.

Patrick Wachter,Stephan Kleber

DOI: https://doi.org/10.1145/3568160.3570229

2022-11-22

Abstract:DoIP, which is defined in ISO 13400, is a transport protocol stack for diagnostic data. Diagnostic data is a potential attack vector at vehicles, so secure transmission must be guaranteed to protect sensitive data and the vehicle. Previous work analyzed a draft version and earlier versions of the DoIP protocol without Transport Layer Security (TLS). No formal analysis exists for the DoIP protocol. The goal of this work is to investigate the DoIP protocol for design flaws that may lead to security vulnerabilities and possible attacks to exploit them. For this purpose, we deductively analyze the DoIP protocol in a first step and subsequently confirm our conclusions formally. For the formal analysis, we use the prover Tamarin. Based on the results, we propose countermeasures to improve the DoIP's <a class="link-external link-http" href="http://security.We" rel="external noopener nofollow">this http URL</a> showthat the DoIP protocol cannot be considered secure mainly because the security mechanisms TLS and client authentication in the DoIP protocol are not mandatory. We propose measures to mitigate the vulnerabilities thatwe confirm to remain after activating TLS. These require only a minor redesign of the protocol.

Cryptography and Security,Networking and Internet Architecture

Ke Xu,Minpeng Qi,Haitao Li,Peng Yang,Hui Deng

DOI: https://doi.org/10.1109/ICCW.2008.91

2008-01-01

Abstract:In IETF, Mobile IPv6 signaling and data must be protected by IP security association, while IKEv2 is recommended to make dynamical IPSec security association maintenance. But when mobile node bootstrapped in foreign net work or handover to a new network, IKEv2 cannot get information about MIPv6 to negotiate right IP security associations, which will incur bootstrap failure and long handover delay. In this paper, a novel solution is proposed to interface IKEv2 and MIPv6 for information sharing and mobility detection. In according with our evaluation result, this solution could solve bootstrap problem and reduce the handover delay greatly. ©2008 IEEE.

Jian-fan WEI,Zhong CHEN,Yun-suo DUAN,Li-fu WANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2005.02.023

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Denial of service has become a major security threat in open communications networks. Authentication and key establishment protocols usually are vulnerable to network DoS attacks. This paper presents a new countermeasure to make authentication protocols without trusted third party resistant against DoS attack. By using this method, the strength of resistance can be adjusted dynamically and most parallel session attacks can be prevented.