Owing to the lack of built-in authentication capabilities in its core architecture, the Internet has suffered from security threats that have long gone without an effective remedy, such as prefix hijacking, IP address spoofing and distributed denial of service attacks. The Internet currently relies on external public key infrastructure (PKI) to provide authentication, such as the domain name system security extension (DNSSEC) for domain name services, the transport layer security (TLS) protocol for authentication of Web servers, and resource public key infrastructure (RPKI) for authentication of IP prefixes and autonomous domain numbers. However, the current PKI-based certification architecture still faces many issues in terms of security, scalability, deployability, and certification efficiency: 1) the centralized trust structure of PKI makes authorities too powerful and insufficiently supervised, resulting in the risk of abuse of authority; 2) PKI certificate management is complex, limiting its scalability and deployability; 3) certificate storage, transmission and complex certificate verification in certificate-based authentication bring great overhead and performance loss. Starting from the security requirements of different levels of the Internet architecture, this paper studies the above problems faced by the current authentication infrastructure. The main research work and contributions of this paper are as follows:

1. We propose a blockchain-based decentralized Internet number resource authentication mechanism. RPKI is used to authenticate the ownership of Internet numbering resources to protect the inter-domain routing system. However, RPKI grants excessive power to its authorities, which can arbitrarily revoke the IP prefixes under their control. In view of the abuse and lack of supervision of the central authority of RPKI, this paper proposes DARPKI, a blockchain-based decentralized Internet number resource authentication mechanism. DARPKI records the allocation and authorization of Internet number resources through a distributed blockchain, effectively preventing the malicious manipulation of resources by authorities in RPKI. We also design a monitor that periodically reviews DARPKI to effectively detect misbehavior by resource owners and incorrect resource authorization operations. In addition, the compatibility design of DARPKI allows it to provide effective route source authentication and path verification without changing the existing BGP protocol and routers.

2. We propose a decentralized IP address authentication mechanism based on identity-based cryptography. PKI-based certificate management is complicated, with low scalability and deployability, and it is difficult for it to provide support for network-layer security. In response to this problem, this paper proposes a decentralized IP address authentication mechanism, DISA, which provides a cryptographically verifiable IP address for hosts on the Internet. Combined with identity-based cryptography, this paper proposes the self-trustworthy IP address. Without changing the IP address structure, self-trustworthy addresses bind the IP address to the public key naturally, which greatly reduces the complexity and cost of the certificate and key management required by PKI-based authentication. Besides, DISA adopts a decentralized trust model, in which each network independently manages the distribution of address keys, thereby supporting high scalability. DISA employs blockchain to maintain the global verifiability of all IP addresses. In addition, DISA also supports flexible and efficient key update and revocation. We propose a lightweight key revocation mechanism that can revoke self-trustworthy addresses and verify the revocation status at trivial cost.

3. We propose a lightweight end-to-end mutual authentication protocol with minimal latency. TLS is the most widely used end-to-end authentication protocol at the transport layer. However, the transmission and verification of certificates bring greater bandwidth and computational overhead, and increase the connection establishment delay. This makes TLS difficult to apply to new types of networks such as mobile networks and the Internet of Things. In response to this problem, this paper proposes a lightweight end-to-end mutual authentication protocol, called iTLS. iTLS uses identity-based cryptography for key negotiation, which can authenticate the communicating parties while establishing the shared key. This eliminates the transmission and verification of certificates during the connection establishment process. In addition, we propose an identity-based handshake protocol, which allows the client to dynamically generate an authenticated encryption key based on the identities of both parties before receiving a reply from the server. This can establish the encrypted connection with no additional round trips, minimizing the connection establishment delay. We also propose the ephemeral secret ticket mechanism to provide forward security and replay protection for all encrypted data.