Study Of The Techniques Of Attacking And Protecting Several Internet Security Protocols

Posted on: 2008-09-21
Degree: Master
Type: Thesis
Country: China
Candidate: D X Luo
Full Text: PDF
GTID: 2178360242976727
Subject: Computer system architecture

Abstract/Summary:
With the development of information technology and the spread of the Internet, the Internet has become the infrastructure of the information age; services such as the WWW, email, Internet telephony and Internet TV have become part of people's daily lives. The Internet is global, open and shared, which makes information exchange very convenient. At the same time, network protocols have weaknesses, and the growing number of security incidents has made the importance of network security clear, especially for rapidly developing e-commerce, which has high security requirements. How to secure communication has therefore become a focus and priority of research. In this thesis we study several popular kinds of attack, namely protocol attacks, vulnerability attacks and attacks on encryption algorithms. We select several protocols that are widely used now or will be popular in the near future as targets of simulated attacks, analyze whether each attack can succeed, and derive the required conditions, environment and computing power; we then present the corresponding defence schemes. We also try to improve those schemes and present new ones.

SSL is the most popular security protocol at present; it provides integrity and privacy for application-layer data, as well as server authentication and (optionally) client authentication. OpenSSL is the most typical implementation of SSL. In this thesis we apply a version rollback attack to the OpenSSL implementation and then attack the vulnerabilities of the lower protocol version; the experiment shows that in 32 days with an ordinary computer we can obtain the session key and decrypt the communication content. Another effective attack on SSL is the certificate substitution attack, a man-in-the-middle attack that substitutes the certificate exchanged between client and server; the pre-master key passed from client to server is then obtained by the "middle man", so the master key and session keys can also be calculated, and the experiment shows that the attack works. The same problem exists in IPSec: in the IKE stage, because the Diffie-Hellman algorithm cannot prevent a man-in-the-middle attack, digital certificates are needed to verify identity, so the certificate substitution attack applies there too. We also present methods to prevent such attacks.

The basic authentication principle of DNSSEC is that the public key at each level of the domain name system is signed by the private key of the level above; the parent domain vouches for the security of the sub-domain, forming an authentication chain from the top down. Based on the principle of IBE we present an authentication method that secures DNS in a different way. In addition, drawing on the similarity between key agreement in DNSSEC and in SSL, we present a method that lets the SSL protocol share DNSSEC's security parameters, which improves SSL's security and efficiency. Finally, we point out the importance of raising people's security awareness and legal awareness.

Keywords/Search Tags:SSL, IPSec, DNSSEC, Man in The Middle Attack, Certificate Substitution Attack, Protocol Attack, Algorithm Attack