
Research And Design On New Internet Key Exchange Against DDoS Attacks

Posted on: 2010-05-24
Degree: Master
Type: Thesis
Country: China
Candidate: H L Jiang
Full Text: PDF
GTID: 2178360275952086
Subject: Computer application technology
Abstract/Summary:
The Internet is applied in many domains, such as military affairs, scientific research, entertainment and commerce. With the commercialization of the Internet, many companies' local area networks have joined it. But the lack of security services in the Internet protocol has limited the wider deployment of many applications such as e-commerce, so there is an important security issue. VPN technology can be used to solve this issue. A VPN (Virtual Private Network) is a technique in which a private network is built on top of the public network, so that data can be transmitted across the public network through a secure encrypted channel. IPSec (IP Security) is currently one of the main protocols used to construct VPNs. Before two IPSec VPN computers can exchange data, an SA (Security Association) must be established and an agreement reached on how information is to be protected and exchanged, along with other public security settings. The IKE (Internet Key Exchange) protocol is the major part of IPSec, responsible for the dynamic negotiation, authentication and management of SAs. The reliability of the shared key negotiated by the two communicating sides, and the security of the communication, are decided by the security of the IKE protocol. However, because IKE is a hybrid protocol, its complexity brings some unavoidable limitations which cause many problems in its security, efficiency and implementation. Recently, analysis and improvement of the IKE protocol has become a hotspot in the network security area. Thus the IKEv2 protocol and the JFK (Just Fast Keying) protocol have been put forward as substitutes for IKE, to simplify the protocol and resolve IKE's problems. From a practical, simple and convenient point of view, the JFK protocol is safer, more efficient and simpler than the IKE protocol. Nevertheless, until now, both the basic protocol edition IKEv1 and the revised editions, e.g. IKEv2 and JFK, still have some shortcomings and security problems.

This paper's contributions are as follows. First, the thesis begins with DoS attacks and then introduces their distributed form, DDoS (Distributed Denial of Service). DDoS attacks have emerged in recent years as a special kind of Denial of Service (DoS) attack: a distributed and cooperative large-scale attack. A DDoS attack has the same attack principles as a traditional DoS attack, but where a DoS attack originates from a single attacker, a DDoS attack is carried out by hundreds or even thousands of PCs on which a daemon has been installed; it is a group-based attack behaviour. The targets of DDoS are usually large websites, such as those of business companies, search engines or government departments. In these contests of hundreds or thousands against one, the Internet Service Provider (ISP) faces unprecedented damage. Compared with traditional DoS attacks, DDoS attacks possess more attack resources and greater destructive power, and are therefore more difficult to detect and defend against. DDoS attacks have brought a tremendous threat to the security of the Internet, and have gained much research attention in the field of network security.

Next, the structure and principles of the IKE protocol are discussed and the mechanisms of the Internet key exchange protocols IKEv1, IKEv2 and JFK are described. Thirdly, the authentication and negotiation mechanism of the IKEv1 main mode protocol with pre-shared-key authentication is emphasized, and the revised solutions of IKEv2 aimed at the security problems of IKEv1 are expounded. Then the SVO logic method is introduced briefly, and the significance of logic for the security analysis of key exchange is explained. In view of the insufficiency of SVO logic for formalizing and proving complex Internet key exchange protocols, a new logic, SVO+ logic, is proposed for analyzing key exchange protocols. Based on some revised axioms and symbols, SVO+ logic captures more desirable features than SVO logic.

Moreover, the security problems of the IKEv1, IKEv2 and JFK protocols are analyzed with the revised SVO+ logic. The instance analysis and verification show that SVO+ logic is practical and effective. Finally, to address the weakness of existing Internet key exchange protocols in the protection of identities and against DDoS attacks, TKE (Trusted Key Exchange) is presented as a new key exchange protocol based on assistant verification by a third trusted principal, and the feasibility and security of the TKE protocol are demonstrated. With the SVO+ logic method we prove that the TKE protocol prevents attackers from obtaining the identity of the Initiator or Responder and provides a notable ability to resist DDoS.
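The DDoS weakness the abstract refers to is, for a key-exchange responder, state exhaustion: every unanswered first message costs the responder memory. The following illustration is added here and is not code from the thesis, nor an implementation of its TKE protocol. It models the stateless cookie defense that IKEv2 uses for this problem (RFC 7296, section 2.6): when the responder is under load it answers the first message with an HMAC-bound cookie instead of storing state, and only allocates state once the initiator echoes the cookie. The message fields, the load threshold, the simulated flood and the `Responder` class are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class InitRequest:
    """Constructed stand-in for the first message of a key exchange."""
    spi_i: bytes          # initiator's SPI
    nonce_i: bytes        # initiator's nonce
    src_ip: str           # apparent source address of the message
    cookie: bytes = b""   # empty on the first attempt


class Responder:
    """Key-exchange responder with an IKEv2-style stateless cookie.

    Under load it replies with a cookie computed over the initiator's nonce,
    address and SPI, without keeping any state. Only a retry carrying a
    valid cookie is admitted to the half-open table. The threshold value and
    single-secret rotation scheme are assumptions for this demo.
    """

    def __init__(self, threshold: int = 8):
        self.threshold = threshold
        self.half_open: dict = {}        # spi_i -> InitRequest
        self.secret = os.urandom(32)     # assumed: rotated via rotate()
        self.version = 1

    def rotate(self) -> None:
        """Replace the cookie secret; cookies from the old secret stop verifying."""
        self.secret = os.urandom(32)
        self.version = (self.version + 1) % 256

    def _cookie(self, req: InitRequest) -> bytes:
        mac = hmac.new(self.secret, digestmod=hashlib.sha256)
        mac.update(bytes([self.version]))
        mac.update(req.nonce_i)
        mac.update(req.src_ip.encode())
        mac.update(req.spi_i)
        return bytes([self.version]) + mac.digest()

    def handle(self, req: InitRequest):
        """Return (reply_kind, payload). State is stored only on admission."""
        if len(self.half_open) >= self.threshold:
            if not req.cookie:
                # Under load: answer statelessly and ask the sender to retry.
                return ("COOKIE", self._cookie(req))
            if not hmac.compare_digest(req.cookie, self._cookie(req)):
                return ("REJECT", b"")
        # Either not under load, or the cookie proves the sender saw our reply.
        self.half_open[req.spi_i] = req
        return ("SA_INIT_RESPONSE", os.urandom(8))


def spoofed_flood(responder: Responder, count: int) -> int:
    """Constructed flood: many first messages from spoofed addresses.

    A spoofing sender never receives the cookie reply, so it cannot retry
    with a valid cookie. Returns the number of half-open entries afterwards.
    """
    for i in range(count):
        req = InitRequest(i.to_bytes(8, "big"), os.urandom(16),
                          f"198.51.100.{i % 250}")
        responder.handle(req)   # reply goes to the spoofed address, unseen
    return len(responder.half_open)


def legitimate_exchange(responder: Responder, spi: bytes, src_ip: str) -> str:
    """A real initiator receives the cookie and retries with it."""
    req = InitRequest(spi, os.urandom(16), src_ip)
    kind, payload = responder.handle(req)
    if kind == "COOKIE":
        req.cookie = payload
        kind, _ = responder.handle(req)
    return kind


def run_demo() -> dict:
    """Compare a responder with cookies to one that never uses them."""
    with_cookies = Responder(threshold=8)
    without_cookies = Responder(threshold=10**9)   # never under load
    results = {
        "half_open_with_cookies": spoofed_flood(with_cookies, 1000),
        "half_open_without_cookies": spoofed_flood(without_cookies, 1000),
        "legit_after_flood": legitimate_exchange(with_cookies, b"\x01" * 8, "192.0.2.10"),
    }
    # A forged or stale cookie must not buy a slot in the table.
    stale = InitRequest(b"\x02" * 8, os.urandom(16), "192.0.2.11")
    _, cookie = with_cookies.handle(stale)
    stale.cookie = cookie
    with_cookies.rotate()
    results["stale_cookie"] = with_cookies.handle(stale)[0]
    results["table_size"] = len(with_cookies.half_open)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The cookie stops only floods whose senders cannot see the responder's replies; an attacker that controls many real hosts can still complete the cookie round trip, which is why the cookie is a first line of defense rather than a complete one.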
Keywords/Search Tags: Key Exchange, Denial of Service Attack, SVO+ logic, the Third Trusted Principal, Trusted Key Exchange