Design and Implementation of IP-Based Security Enablers

Master's === National Taiwan University === Graduate Institute of Electrical Engineering === 87 === With the fast growth of the Internet and electronic commerce, network security has emerged as one of the hottest research and development topics for the networking and communication community. How to provide a secure communication environment on the Internet ha...

Bibliographic Details
Main Authors: Yu-Chung Chang, 張譽鐘
Other Authors: Chin-Laung Lei
Format: Others
Language: en_US
Published: 1999
Online Access: http://ndltd.ncl.edu.tw/handle/56451387894670707869
id ndltd-TW-087NTU00442033
record_format oai_dc
spelling ndltd-TW-087NTU00442033 2016-02-01T04:12:41Z http://ndltd.ncl.edu.tw/handle/56451387894670707869 Design and Implementation of IP-Based Security Enablers 網際網路安全促成工具之設計與實作 Yu-Chung Chang 張譽鐘 Master's National Taiwan University Graduate Institute of Electrical Engineering 87 Chin-Laung Lei 雷欽隆 1999 Degree thesis ; thesis 98 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === National Taiwan University === Graduate Institute of Electrical Engineering === 87 === With the fast growth of the Internet and electronic commerce, network security has emerged as one of the hottest research and development topics for the networking and communication community. How to provide a secure communication environment on the Internet has become an urgent issue. At the moment, the Internet running TCP/IP lacks the fundamental mechanisms for providing personal privacy and communication security. However, network security is one of the key factors for electronic commerce. Most network security solutions place their security mechanisms at the application layer. Therefore, each application must be modified individually to achieve security and authentication. This is very inconvenient and requires much time and work. In this thesis, we propose the concept of IP-based security enablers as an efficient Internet security solution, and we present a complete design of the system architecture and its implementation. The concept of IP-based security enablers is to provide a flexible and extensible network security interface for network programs. Network programs can use network security services such as authentication, confidentiality, and access control immediately, without any modification. The system architecture of the proposed IP-based security enablers contains three components: an authentication and key management component, a network protocol encryption component, and a security policy component. The implementation is carried out on the FreeBSD 2.2.8 operating system. In this thesis, we also propose a key management protocol based on the Kerberos authentication service, called the Ticket-based Key Management Protocol (TKMP). This protocol is the only key management protocol adopting a symmetric cryptosystem.
Since TKMP does not have to perform any time-consuming exponentiation operations, it is much faster than public-key based key management protocols and is suitable for mobile computing devices with low computational power. Moreover, TKMP does not need public-key certificates. Therefore, it can also be used in a network environment without PKI support. The proposed IP-based security enablers architecture with a ticket-based key management protocol provides a robust network security infrastructure and various security services to users. Compared with other public-key based systems, it has several advantages: it does not need a PKI, it is suitable for the Local Area Network (LAN) and intranet of an enterprise, it is easy to install, and it is suitable for mobile computing devices with low computational power. In addition, our system can accept tickets issued by a Kerberos Key Distribution Center (KDC); therefore, it is compatible with the widely used Kerberos authentication service.