基植於MACsec的網路存取控制架構

Abstract

在傳統的網路，資料在區域網路MAC層中傳遞時沒有任何安全協定保護，容易遭受竊聽、修改、偽造等攻擊。為了解決問題MAC上安全的漏洞，IEEE組織近期提出仍在制定當中的802.1 MACsec標準，達到區域網路中設備的身分認證、網路資源的存取控制、以及資料的機密性。然而，MACsec在點與點之間訊息傳送時造成中間裝置上過多的加密計算量以及資料訊框傳送的延遲時間，和群組金鑰分送協定中沒有達到forward/backward secrecy。在此篇論文中，我們將提出一個新的架構，包含一個點對點的金鑰交換協定及群組金鑰分送協定。其中，點對點金鑰交換協定可減輕訊息經過中間裝置運算加解密的次數，而群組金鑰分送協定則可減少金鑰伺服器傳送金鑰訊息並減少運算複雜度，用這兩個協定來改進MACsec標準中目前不足的地方。在論文的最後，我們會分析提出的方法與先前其他研究在訊息數量、加密運算花費、資料訊框延遲的比較，並且分析提出協定的安全性。

In conventional networks, such as Ethernet, network access at data link layer is not authenticated and controlled. Any network device connecting a network can send and receive network frames. Consequently, data frames can be eavesdropped, modified and forged by an adversary who plugs in the network port. To cope with the problem, IEEE 802.1 MACsec has been proposed recently to authenticate a network device and its access to the local area network. However, MACsec requires high computation overhead, and does not provide forward and backward secrecy for group key distribution. Further enhancement is desirable. In this paper, we will propose a secure network access control framework (NAC) for MACsec, including the network access control architecture along with two key distribution protocols. The station-to-station key handshake protocol is for pairwise communication, while the group key distribution protocol allows a group of hosts in a local area network to communicate with each other in a secure and efficient way. A Group handshake protocol is also proposed to handle group joining and leaving. The design and implementation of NAC will be illustrated; the overhead of the proposed group key distribution protocol will be evaluated and compared with related work. The result shows that our protocols incur the lowest computation cost as well as communication overhead.