Research On Preventing BGP Man-in-the-middle Attack Method

Man-in-the-middle attack is an attack in which a malicious third party secretly controls the communication between two or more endpoints.The third party can choose to monitor,intercept,modify or replace the data of both sides of the communication.In this process,the victim does not know the existence of the attacker and always believes that both sides are still communicating normally.Border gateway protocol is the only protocol used to deal with autonomous system communication on the Internet,and its security is particularly important.In recent years,man-in-the-middle attacks against the border gateway protocol are becoming more and more common,and the harm caused is becoming more and more serious.How to ensure that the legitimate autonomous system communication in the Internet is not attacked by intermediaries is the key of protocol research.Therefore,in view of the above problems,the main work of this paper is as follows:(1)In order to deal with computing overhead caused by the issuance and revocation of certificates in the certificate based BGP security extension scheme,a BGP security scheme based on certificateless ordered multi-signature is designed.Compared with the traditional scheme,this scheme does not need complex operations such as certificate generation and revocation.By introducing a trusted third party and the user to jointly generate the private key,it can avoid the forgery attack by dishonest third parties.After security analysis,the proposed scheme can resist the forgery signature attack of two kinds of attackers at the same time;After performance analysis,on the premise of ensuring the same security,the proposed scheme is greatly improved compared with the existing schemes in the signature stage and verification stage.(2)In order to solve the problem of identity legitimacy of prefix publishers in BGP and the collusion attack of multiple malicious intermediaries,a security scheme to improve the authentication of S-BGP routing source and intermediate nodes is proposed.The identity of the routing source is verified through the certificateless signature scheme and the routing prefix authentication is provided for it.The node receiving the notification must verify whether the source autonomous system in the message has the authority to publish the routing prefix;The real neighbor relationship is verified by adding neighbor authentication chain to intermediate nodes to prevent collusive attacks.After security analysis,the proposed scheme can resist the forgery attack,collusion attack and path attack of malicious intermediaries against the routing prefix at the same time.After performance analysis,the scheme based on certificateless signature scheme and bilateral neighbor authentication mechanism has greatly improved the communication overhead and computing overhead.