Study And Implementation Of Authentic IPv6 Address Based Cross-domain Identity Authentication

Posted on: 2009-08-28
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
GTID: 2178360272474294
Subject: Computer system architecture

Abstract/Summary:
Currently, the openness and inherent weaknesses of the Internet make it easy for attackers to attack the network. In the current network architecture, the authenticity of IP addresses is not strictly verified, and the abundance of fake addresses and NATs makes tracing attackers relatively difficult. In 2005, the concept of authentic IPv6 addresses, based on the network addressing architecture, was first proposed in CNGI-CERNET2 to solve the embedded security problems of NGN at the network architecture level.

As an important part of network security technology, identity authentication is needed to guarantee users' login and legal use of resources. After authentic addresses are introduced, how to use the authentic IPv6 address to assist in identifying users is a challenging problem. At the same time, the identity authentication system needs to provide uniform security services for upper-layer applications. These upper-layer applications may belong to different realms that use different authentication protocols, which poses a big challenge for the identity authentication system. Therefore, a solution for universal cross-domain authentication needs to be designed. The concerns of this thesis are:

① Following a study of a typical one-time password authentication scheme, S/Key, and its improvement, SAS, a dynamic password authentication scheme supporting authentic IPv6 addresses is proposed to meet the need for authentic IPv6 addresses in authentication. In the proposed scheme, the authentic IPv6 address can be checked during the user authentication process.

② Based on the next-generation authentication protocol Diameter, a Diameter NAS model that supports authentic IPv6 addresses is designed. This model aims to guarantee end users' legal access to CERNET2.

③ Because other authentication protocols are not fully supported in Diameter's cross-domain protocol, a cross-domain authentication framework for Diameter is presented. Based on SAML and web services, this framework can be used to achieve intra-realm and cross-realm authentication. This framework also meets the needs of other network applications for authentication on IPv6 addresses.

④ Based on the proposed dynamic password authentication scheme, NAS model and cross-domain framework, a prototype system is implemented and thoroughly tested.

Research in this thesis comes from a sub-project named "Authentic IPv6 address based identity authentication system", undertaken by Chongqing University, which is a component of the CNGI demonstration project "Internet Security Architecture Framework and Key Technique Research based on authentic IPv6 Address" led by the National Development and Reform Commission. The test results indicate that the proposed authentic IPv6 address based cross-domain identity authentication system can meet the demands of identity authentication, and that it can be applied to authenticate IPv6 addresses in CERNET2.
Keywords/Search Tags: Authentic IPv6 Address, Diameter Protocol, Cross-Domain Authentication, NAS, Dynamic Password Authentication