
The Analysis Of IKE And Its Improvement Based On CPK

Posted on: 2008-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: L M Wang
GTID: 2178360242472374
Subject: Cryptography

Abstract/Summary:
Among security protocols, the IPSec protocols are the basic protocols for the Internet. They ensure data security during communication in IPv6. IKE is an important part of IPSec and is responsible for session key agreement and management, so analyzing IKE makes sense both in theory and in practice. In light of the importance of IKE, the main tasks of this paper are to analyze and improve IKE.

Firstly, we compare some protocol analysis methods and choose the logic method as our main tool. Then we improve the logic system by adding some new axioms and remedying some old ones. At the same time we prove the new theorems.

Secondly, we analyze the security of IKEv1 and IKEv2 in detail with the logic method. In total we analyze the following protocols: the three authentication modes (namely shared key mode, digital signature mode and public key encryption mode) of the main mode in the first stage, the second stage aggressive mode, and the IKEv2 protocols. We conclude that the above protocols are secure, but we infer that their efficiency is low, so it is necessary to improve them.

Finally, we give an improved scheme based on CPK. In CPK (Combinative Public Key), the public key of a user is determined by the user's name, and there is a one-to-one relationship between the certification and the user's name. Because the secret key is distributed face to face, or distributed uniformly by the company, it is a direct trust relationship and the secret key is trustworthy. Therefore the authentication of a user's public key needs only one lookup in the local host table and one visit to the center. Compared with IPSec, our protocol is more efficient. Besides, by logic analysis, we prove that our scheme is of high security.

Of course, the IPSec protocol has its own advantages, such as better openness and more flexibility, so our scheme is not meant to completely replace the IPSec protocol. Generally speaking, in boundless open networks the IPSec protocol is more suitable, but in bounded closed networks, such as military networks and electronic government affairs networks, our protocol is obviously more applicable.
Keywords/Search Tags:Security Protocol, Logic Analysis Method, IPSec, IKEv1, IKEv2, CPK