Network layer security protection system and method based on IKE protocol

A network-layer security and protocol technology, applied in the field of network security, that addresses problems such as hidden security risks, insecurity and the inability to meet security requirements, and achieves improved security, a reduced risk of successful brute-force attacks, and stronger confidentiality.

Active Publication Date: 2021-09-07
上海辉禹科技有限公司

AI Technical Summary

Problems solved by technology

[0005] The IKE protocol has a set of self-protection mechanisms that can securely authenticate identities, distribute keys and establish IPsec SAs over insecure networks; however, some weaknesses remain.
For example, after intercepting the initial policy negotiation between the two parties to the protocol, an attacker can exchange its own key messages with the initiator and the responder under a disguised identity, complete the key exchange and obtain the shared key, thereby creating security risks for both parties.
In addition, because the IP address can be configured at the application layer and current authentication mechanisms are often based on the source IP address, the IP layer is exposed to attacks such as monitoring, theft and interception of network packets, IP address spoofing, information leakage, and theft and tampering of data items. An authentication mechanism that relies on the IP address alone will inevitably fail to meet security requirements, resulting in multiple and complex network security threats.



Examples


Embodiment Construction

[0081] Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for exemplary purposes only, and are not intended to limit the protection scope of the present disclosure.

[0082] To solve the security problems existing in IPv4, the IETF has designed a set of end-to-end mechanisms for ensuring IP communication security, namely IPsec (IP Security). IPsec provides three functions: authentication, encryption and key management, and supports IPv4 and IPv6. The basis of IPsec operation is the security policy applied to every ...



Abstract

The invention provides a network layer security protection method based on the IKE protocol. The method comprises the following steps: generating the basic parameters needed to complete security association negotiation for all edge network endpoints administered by an internal gateway of a router, uploading the basic parameters of each edge network endpoint to a first blockchain, and updating the basic parameters in real time through new blocks; and completing the IKE SA and IPsec SA negotiation between the initiator and the responder using the basic parameters stored on the chain, with the data exchanged during the IKE SA and IPsec SA negotiations recorded on a second blockchain through the local router. A security protection system built with this method has relatively strong confidentiality, the PFS property, and resistance to disguise attacks and replay attacks.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a network layer security protection system and method based on the IKE protocol.

Background technique

[0002] Network security is an important part of information security. Because the Internet was originally designed only to achieve connectivity, without considering security factors, it has become an open network system that seriously lacks the ability to verify the real identities of the two communicating parties and lacks protection for the confidentiality, integrity and reliability of data in network transmission.

[0003] Network security protocol technology is an effective way to solve the problem of cyberspace security. Virtual private network (VPN) technology uses special network encryption and communication protocols and can establish a virtual "encrypted channel" on the public network, build a safe "...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L9/08, H04L29/08
CPC: H04L63/0428, H04L63/061, H04L63/1441, H04L63/20, H04L9/0841, H04L67/10
Inventor: 王军力, 肖晋, 吴小平
Owner: 上海辉禹科技有限公司