CAJ | 학술논문

提出了一个采用基于身份密码体制的安全域间路由协议--基于身份域间路由协议(identity-based inter-domain routing,简称id~2r).id~2r协议包括密钥管理机制、源AS验证机制LAP(the longest assignment path)和AS_PATH真实性验证机制IDAPV(identity-based aggregate path verification).密钥管理机制采用一个分布式层次密钥分发协议(distributed and hierarchical key issuing,简称DHKI),以解决基于身份密码系统固有的密钥托管问题.LAP的基本思想是,任一发出前缀可达路由通告的自治系统都必须提供该前缀的分配路径及证明,只有提供前缀最长有效分配路径的自治系统才是该前缀的合法源AS.IDAPV采用基于身份的聚合签名体制,生成保证AS_PATH路径属性真实性的路由聚合证明.性能评估结果显示,基于2007年12月7日的RouteViews数据,id~2r路由器仅额外消耗1.71Mbytes内存,是S-BGP的38%;更新报文长度明显短于S-BGP;当硬件实现密码算法时,收敛时间几乎接近于BGP.
제출료일개채용기우신빈밀마체제적안전역간로유협의--기우신빈역간로유협의(identity-based inter-domain routing,간칭id~2r).id~2r협의포괄밀약관리궤제、원AS험증궤제LAP(the longest assignment path)화AS_PATH진실성험증궤제IDAPV(identity-based aggregate path verification).밀약관리궤제채용일개분포식층차밀약분발협의(distributed and hierarchical key issuing,간칭DHKI),이해결기우신빈밀마계통고유적밀약탁관문제.LAP적기본사상시,임일발출전철가체로유통고적자치계통도필수제공해전철적분배로경급증명,지유제공전철최장유효분배로경적자치계통재시해전철적합법원AS.IDAPV채용기우신빈적취합첨명체제,생성보증AS_PATH로경속성진실성적로유취합증명.성능평고결과현시,기우2007년12월7일적RouteViews수거,id~2r로유기부액외소모1.71Mbytes내존,시S-BGP적38%;경신보문장도명현단우S-BGP;당경건실현밀마산법시,수렴시간궤호접근우BGP.
The paper proposes a secure inter-domain routing protocol which adopts identity-based cryptographic system-id~2r (identity-based inter-domain routing). id~2r consists of a key management mechanism, an origin AS verification mechanism LAP (the longest assignment path), and an AS_PATH authenticity verification mechanism IDAPV (Identity-based Aggregate Path Verification). The key management mechanism adopts a distributed and hierarchical key issuing protocol DHKI (distributed and hierarchical key issuing) to solve the inherent key escrow problem in the identity-based cryptographic system. The basic idea of LAP is that all ASes must provide the assignment path and attestations of their announced prefixes, and for a prefix, the AS which provides the longest valid assignment path is its legitimate origin AS. With identity-based aggregate signature scheme, IDAPV generates a route aggregate attestation to guarantee the authenticity of AS_PATH. Performance evaluation results indicate that based on RouteViews data on December 7, 2007, an id~2r router only consumes 1.71Mbytes additional memory, which is 38% of S-BGP router; id~2r has shorter UPDATE message than S-BGP; convergence time of id~2r with hardware implementation of cryptographic algorithm approximately equals BGP.