
Analysis And Implement Of IPv6 Address Certification System

Posted on: 2011-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: C S Zhang
GTID: 2178360305950887
Subject: Systems analysis and integration

Abstract/Summary:
The IETF released IPv6 (Internet Protocol Version 6) as the next generation of the Internet Protocol in RFC 2460 in December 1998. IPv6 fundamentally resolves the crisis of the IPv4 network. However, some principles and characteristics of security issues have not fundamentally changed between IPv4 and IPv6, and source address spoofing remains one of the current network threats.

This dissertation proposes an IPv6 address authentication system based on RFC 3971 SEND. In the CGA protocol, the CGA generation algorithm generates an IPv6 address that can solve the address spoofing problem, but the algorithm still has limitations in its hash algorithm, its signature algorithm, and the address authentication methods it supports. The related problems are as follows:

1) The CGA generation algorithm supports only the SHA-1 hash algorithm and the RSA public key algorithm. Potential future applications of the CGA technology may therefore be susceptible to attacks against the collision-free property of SHA-1. In addition, supporting only a single public key algorithm and a single hash algorithm limits how CGA technology can be used, and optional hash algorithms and optional public key algorithms may be needed someday.

2) Because CGAs themselves are not certified, an attacker can create a new CGA from any subnet prefix and its own (or anyone else's) public key, so it is difficult to defend against man-in-the-middle attacks. In addition, to verify the association between the address and the public key, the verifier needs to know the address itself, the public key, and the values of the auxiliary parameters. The verifier can then go on to verify messages signed by the owner of the public key (i.e., the address owner). No additional security infrastructure, such as a public key infrastructure (PKI), certification authorities, or other trusted servers, is needed. This authentication method has some limitations when used in systems with demanding security requirements.

The main content and contributions of this dissertation are as follows:

1) Improved the CGA generation algorithm to resist man-in-the-middle attacks. Before the CGA is generated, the communicating network nodes generate a shared key K. During CGA generation, the HMAC hash algorithm then uses the shared key K to generate the CGA. A CGA that incorporates the shared key K can resist man-in-the-middle attacks.

2) Improved the CGA protocol to support multiple hash algorithms, multiple public key algorithms, and multiple authentication methods. The hash in use is encoded in the Sec bits to support multiple hash algorithms in CGA, and extension fields carrying additional data items support multiple signature algorithms and different address authentication methods.

3) Proposed and implemented a new IPv6 extension header, designed a CGA option and a CGA module, and implemented the IPv6 address authentication system.
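
The address-to-key check described in the abstract (address, public key and auxiliary parameters, no PKI), written out as an added example that is not code from the thesis. It follows RFC 3972 for Sec=0 only; the key bytes are constructed placeholders for a DER-encoded public key, and the HMAC-SHA-1 variant under a shared key K is an assumed reading of the abstract's improvement, not the thesis's actual construction.

```python
import hashlib, hmac, ipaddress, os

MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec bits (0-2) and u/g bits (6-7) when comparing

def cga_params(modifier, prefix, collision_count, public_key):
    """CGA Parameters: modifier(16) | subnet prefix(8) | collision count(1) | key."""
    if len(modifier) != 16 or len(prefix) != 8 or collision_count not in (0, 1, 2):
        raise ValueError("malformed CGA parameters")
    return modifier + prefix + bytes([collision_count]) + public_key

def hash1(params, shared_key=None):
    """Leftmost 64 bits of SHA-1, or of HMAC-SHA-1 under K (assumed keyed variant)."""
    if shared_key is None:
        return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    return int.from_bytes(hmac.new(shared_key, params, hashlib.sha1).digest()[:8], "big")

def generate(prefix, public_key, shared_key=None):
    """Generate a Sec=0 CGA (no Hash2 search); returns (address, params)."""
    params = cga_params(os.urandom(16), prefix, 0, public_key)
    iid = hash1(params, shared_key) & MASK  # Sec=0 and u=g=0
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), params

def verify(address, params, shared_key=None):
    """True if the address was derived from these parameters (Sec=0 only)."""
    raw = address.packed
    # Collision count must be 0..2 and the subnet prefix must match the address.
    if len(params) < 25 or params[24] > 2 or params[16:24] != raw[:8]:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if iid >> 61 != 0:  # Sec > 0 would also need the Hash2 check, omitted here
        return False
    return (hash1(params, shared_key) & MASK) == (iid & MASK)

PREFIX = bytes.fromhex("20010db800000000")   # 2001:db8::/64 documentation prefix
OWNER_KEY = b"constructed-owner-public-key"  # constructed; stands in for a DER key
OTHER_KEY = b"constructed-other-public-key"  # constructed second key
K = b"constructed-shared-key"                # constructed shared key K

def demo():
    addr, params = generate(PREFIX, OWNER_KEY)
    other_addr, other_params = generate(PREFIX, OTHER_KEY)
    k_addr, k_params = generate(PREFIX, OWNER_KEY, K)
    return {
        "owner": verify(addr, params),                      # binding holds
        "swapped_key": verify(addr, params[:25] + OTHER_KEY),   # other key, same address
        "uncertified": verify(other_addr, other_params),    # any key yields a valid CGA
        "keyed_with_K": verify(k_addr, k_params, K),
        "keyed_without_K": verify(k_addr, k_params, b"constructed-wrong-key"),
    }
```

The `uncertified` result is the limitation the abstract names: verification proves only that an address matches a key, not whose key it is.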
Keywords/Search Tags:Internet Protocol version 6, address authentication, Cryptographically Generated Address, packet filtering