| As one of the fundamental protocols in network, ARP is responsible for the mapping of IP address to hardware address of network interface. However, a subtle weakness, which means the protocol cannot validate the authenticity of the source of incoming ARP packets, has been existing in ARP since it was drafted. Therefore, any host in LAN can forge an ARP packet with malicious codes to attack the ARP caches of target hosts. The lack of authentication mechanisms has made ARP vulnerable to a raft of IP-based impersonation, and the hosts can be attacked by Man-in-the-Middle (MiM) and DoS attacks.By introducing the ARP protocol and its working mechanism, the thesis analyses the existing methods of defending against ARP spoofing attacks, and understands their features. The the principles and complexity of these methods are also studied in this thesis, which sums up their advantages and disadvantages.This thesis mainly includes the following four aspects:①Basing on the analysis of the principles of ARP and the current related technologies, an enhanced ARP -- Autharp is proposed in this thesis, which adds the cryptographic authentication mechanism. Autharp with backward compatibility and security keeps the flexibility of ARP as well as identity authentication②In order to achieve the cryptographic authentication mechanism, the fingerprint sequence is embedded in the Autharp packets for the safety and effectiveness in the transmission of data packets.③The flexibility is ensured in Autharp protocol. It's not necessary to inform all the hosts that have been authenticated in each node to update their list when the LAN adds new hosts. In addition, for networks that run the DHCP to assign IP addresses, it is possible to assign several IP addresses as valid to a single MAC and new hosts still can be authenticated.④A lot of work has been done in order to ensure the effectiveness and safety of Autharp protocol. Firstly, the protocol is constructed by using strong authentication and encryption algorithms. Secondly, the protocol is designed from the bases which provide a high level of security. Thirdly, a management solution which is much more complex than ARP is proposed. Furthermore, considering the issues of the network bandwidth, the thesis proposes a solution of maintaining the key cache to avoid exchanging the key in each transmission of information.Finally, by introducing the process of information transfer and validation by Autharp among hosts, the thesis details all the potential attacks in every steps of information transfer of Autharp packets and studies how the protocol defends against these attacks in the solution proposed. Tests basing on the modules of detection system constructed in this thesis show that the expected security, flexibility and effectiveness are achieved in the protocol. |
PDF Full Text Request