Under the current Internet architecture, intermediate network devices cannot authenticate the source host and user of a packet at the network layer. This is behind many network security incidents and makes tracing a packet back to its origin very difficult. Existing mechanisms concentrate identity authentication at the destination host, in the application layer, or at network access time. This proposal sets out to build a network-layer trusted identity authentication mechanism in which an intermediate node can check whether a packet was sent by a trusted host and user. In this mechanism the host is identified by the identity key of its TPM (Trusted Platform Module) and the user by an eID. The source host only needs to perform a signature-based identity authentication and a MAC (Message Authentication Code) key negotiation with the destination host in the application layer; from that key it generates a single broadcast homomorphic MAC that serves as the identity proof, so it does not have to negotiate a key with, or compute a separate MAC for, every intermediate node. The mechanism supports IP fragmentation: an intermediate node combines the partial proof information it obtains from the fragments and completes the authentication using the authorization code issued by the source host. The proposal plans to implement this network-layer authentication at intermediate nodes on an SDN (Software-Defined Network) controller and OpenFlow switches. These network virtualization technologies separate the control plane from the data plane, can evolve on top of the existing Internet architecture and devices, and open up new approaches to network security.
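As an added illustration (not code from the proposal or its authors), the toy below models a homomorphic identity proof being verified fragment by fragment at an intermediate node, without the node buffering or reassembling the IP payload. It assumes a polynomial-evaluation MAC over a prime field that is linear in the payload and masked by a per-packet PRF pad; a shared verification key standing in for the proposal's authorization code (the abstract does not give that construction); and that the proof travels on the first fragment. The host names, packet ids and sample payload are constructed for the example.

```python
"""Toy, fragment-aware verification of one homomorphic identity proof at a middlebox.

Assumed construction (not the proposal's): a polynomial-evaluation MAC over a prime
field, linear in the payload, masked by a per-packet PRF pad.  The verification key
stands in for the proposal's authorization code and is assumed to be shared out of band.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

P = (1 << 127) - 1   # prime modulus of the polynomial hash
BLOCK = 8            # IPv4 fragment offsets are counted in 8-octet units, so 8-byte
                     # blocks never straddle a fragment boundary


def _derive(key: bytes, label: bytes) -> int:
    """Derive a field element from the shared key (HMAC-SHA256 as a stand-in KDF)."""
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest(), "big") % P


def partial_tag(key: bytes, data: bytes, offset: int) -> int:
    """Polynomial hash of `data` positioned at absolute byte offset `offset`.

    Block i of the whole payload is weighted by x**(i+1), so the partial tags of
    disjoint, block-aligned fragments add up (mod P) to the tag of the reassembled
    payload.  That additive homomorphism is what lets a node verify fragment by
    fragment without buffering the payload.
    """
    if offset % BLOCK:
        raise ValueError("fragment offset must be a multiple of %d" % BLOCK)
    x = _derive(key, b"poly-point")
    acc = 0
    for i in range(0, len(data), BLOCK):
        block_index = (offset + i) // BLOCK
        value = int.from_bytes(data[i:i + BLOCK].ljust(BLOCK, b"\0"), "big")
        acc = (acc + value * pow(x, block_index + 1, P)) % P
    return acc


def _pad(key: bytes, src_id: bytes, pkt_id: int, length: int) -> int:
    """Per-packet mask binding the tag to sender, packet id and total length.

    Binding the length also removes the ambiguity of the zero-padded last block.
    """
    label = b"pad|" + src_id + pkt_id.to_bytes(4, "big") + length.to_bytes(4, "big")
    return _derive(key, label)


def identity_proof(key: bytes, src_id: bytes, pkt_id: int, payload: bytes) -> int:
    """Source side: the single proof computed once for the whole datagram."""
    return (partial_tag(key, payload, 0) + _pad(key, src_id, pkt_id, len(payload))) % P


@dataclass
class Fragment:
    src_id: bytes
    pkt_id: int
    offset: int                  # byte offset of `data` inside the original payload
    data: bytes
    more: bool                   # IP "More Fragments" flag
    proof: Optional[int] = None  # carried on the first fragment only (assumption)


def fragment(key: bytes, src_id: bytes, pkt_id: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram; every fragment but the last is a multiple of BLOCK, as IP requires."""
    if mtu % BLOCK:
        raise ValueError("fragment size must be a multiple of %d" % BLOCK)
    proof = identity_proof(key, src_id, pkt_id, payload)
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        frags.append(Fragment(src_id, pkt_id, off, chunk, off + mtu < len(payload),
                              proof if off == 0 else None))
    return frags


@dataclass
class _Pending:
    acc: int = 0                 # running sum of partial tags
    seen: int = 0                # payload bytes observed so far
    end: Optional[int] = None    # total length, known once the last fragment passes
    proof: Optional[int] = None


class Middlebox:
    """Intermediate node holding only the verification key and O(1) state per datagram."""

    def __init__(self, auth_key: bytes):
        self.key = auth_key
        self.pending: Dict[Tuple[bytes, int], _Pending] = {}

    def observe(self, f: Fragment) -> Optional[bool]:
        """Fold one fragment in; None while fragments are outstanding, else the verdict."""
        k = (f.src_id, f.pkt_id)
        st = self.pending.setdefault(k, _Pending())
        st.acc = (st.acc + partial_tag(self.key, f.data, f.offset)) % P
        st.seen += len(f.data)
        if f.proof is not None:
            st.proof = f.proof
        if not f.more:
            st.end = f.offset + len(f.data)
        if st.end is None or st.proof is None or st.seen < st.end:
            return None          # still waiting; fragments may arrive in any order
        del self.pending[k]
        if st.seen != st.end:    # overlapping or duplicated fragments
            return False
        expected = (st.acc + _pad(self.key, f.src_id, f.pkt_id, st.end)) % P
        return expected == st.proof
```

Because any verifier holding this toy's key can also forge proofs, handing it to every intermediate node would re-create exactly the per-node trust problem that the proposal's broadcast construction and source-issued authorization code are meant to avoid; the example shows only the combination property and the small per-datagram state a fragment-aware check needs.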
Under the current Internet architecture, intermediate network devices cannot authenticate the source host and user of a packet at the network layer, which is behind many network security incidents and makes tracing and locating an attacker very difficult. Existing mechanisms concentrate identity authentication at the destination host, in the application layer, or at network access time. This project sought to build a network-layer trusted identity authentication mechanism in which an intermediate node can check whether a packet was sent by a trusted host and user. The project targeted virtual networks and carried out its work on OpenVSwitch. Since virtualized networks are built mainly on servers and data centres, the project proposed a BMC (Baseboard Management Controller) based scheme for trusted server boot and trust propagation, and a BMC-based method for protecting the trustworthiness of server hardware. On top of a trusted physical server and system, it proposed a dynamic trust-extension method for virtual TPMs to cope with the frequent virtual-machine migration found in cloud computing and network virtualization: each virtual machine gets its own dedicated TPM, and trust in the physical TPM is extended to the virtual TPM. With virtual TPM support in place, the project used the virtual TPM's identity key to identify virtual-network hosts and proposed a mechanism for constructing a virtual trusted LAN on a cloud platform, in which a MAC key is negotiated on the basis of the virtual TPM and then used for integrity protection and identity authentication in subsequent communication, so that the VLAN environment cannot be attacked by malicious hosts. The mechanism proposed by the project can combine virtualized and physical networks, can evolve on top of the existing Internet architecture, and opens up new approaches to network security.
Data updated: 2023-05-31
A Survey of User Alignment Techniques Across Social Networks
A Review of Research on the Operating Performance of Tesla Turbines
Task Scheduling Methods for Cloud Workflow Security
Evaluation of Passenger Evacuation Capacity in Urban Rail Transit Stations under Fire Conditions
Failure Probability Analysis of Shale Gas Wellhead Equipment Based on an FTA-BN Model
Research on Network Function Virtualization for Ultra-Wide-Granularity Heterogeneous Networks
Research on Resource Management and Control Mechanisms for Network Function Virtualization in Elastic Optical Networks
Research on Agile and Trustworthy Virtual Network Embedding Techniques
Research on Transmission Control Mechanisms for Virtualized Environments in Data Center Networks