基于无证书签名的抗DNS中间人攻击方案

doi:10.11959/j.issn.2096-109x.2021093

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (6): 167-177.doi: 10.11959/j.issn.2096-109x.2021093

• 学术论文 • 上一篇

基于无证书签名的抗DNS中间人攻击方案

胡杨¹^,², 韩增杰¹^,², 叶帼华¹^,², 姚志强¹^,²^,³

¹ 福建师范大学计算机与网络空间安全学院，福建福州 350117
² 福建省公共服务大数据挖掘与应用工程技术研究中心，福建福州 350108
³ 非遗数字化与多源信息融合福建省高校工程研究中心，福建福清 350300

修回日期:2021-10-12 出版日期:2021-12-15 发布日期:2021-12-01
作者简介:胡杨（1996− ），男，河南鹤壁人，福建师范大学硕士生，主要研究方向为大数据安全与隐私保护
韩增杰（1997− ），男，山西洪洞人，福建师范大学硕士生，主要研究方向为大数据安全与隐私保护
叶帼华（1976− ），女，福建霞浦人，福建师范大学副教授，主要研究方向为大数据安全与隐私保护、信息安全
姚志强（1967− ），男，福建莆田人，博士，福建师范大学教授、博士生导师，主要研究方向为大数据安全与隐私保护、多媒体安全、应用安全
基金资助:
国家自然科学基金(61872090);国家自然科学基金(61972096);福建省引导性科技项目计划(2019H0010);非遗数字化与多源信息融合福建省高校工程研究中心开放课题(FJ-ICH201901)

Preventing man-in-the-middle attacks in DNS through certificate less signature

Yang HU¹^,², Zengjie HAN¹^,², Guohua YE¹^,², Zhiqiang YAO¹^,²^,³

¹ College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China
² Fujian Engineering Research Center of Public Service Big Data Mining and Application, Fuzhou 350108, China
³ Engineering Research Center for ICH Digitalization and Multi-Source Information Fusion, Fuqing 350300, China

Revised:2021-10-12 Online:2021-12-15 Published:2021-12-01
Supported by:
The National Natural Science Foundation of China(61872090);The National Natural Science Foundation of China(61972096);The Guiding Science and Technology Planning Project of Fujian(2019H0010);The Foundation of Engineering Research Center for ICH Digitalization and Multi-Source Information Fusion(FJ-ICH201901)

摘要/Abstract

摘要：

为应对域名系统协议中存在的中间人攻击问题，提出一种轻量化的解决方案。该方案在 DNSSEC的基础上引入无证书签名技术构建新的签名算法，去除难以部署的信任链以提高消息认证的效率和安全性；同时通过使用对称加密技术确保消息的机密性，加大敌手的攻击难度。理论分析证明了所提方案能够抵抗常见的中间人攻击类型，实验对比结果显示所提方案较同类方案具有更好的性能表现。

关键词: 域名系统, 中间人攻击, 无证书签名

Abstract:

Aiming at resisting the man-in-the-middle attacks in the domain name system protocol, a lightweight solution was proposed.The scheme introduced certificate less signature algorithm, removed the difficult-to-deploy trust chain to improve the efficiency and security of authentication.By using symmetric encryption technology, the proposed solution ensured the confidentiality of the message and increase the attack difficulty.The theoretical analysis proved the proposed scheme can resist common man-in-the-middle attacks.Experimental comparison results show the scheme has better performance than similar schemes.

Key words: domain name system, man-in-the-middle attacks, certificate less signature

中图分类号:

TP393

胡杨, 韩增杰, 叶帼华, 姚志强. 基于无证书签名的抗DNS中间人攻击方案[J]. 网络与信息安全学报, 2021, 7(6): 167-177.

Yang HU, Zengjie HAN, Guohua YE, Zhiqiang YAO. Preventing man-in-the-middle attacks in DNS through certificate less signature[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 167-177.

图/表 5

图1

图2

表1

符号说明Table 1 Notions and their meanings"

符号	含义
G	q阶椭圆曲线的循环群
P	群G生成元
s	主密钥
P_pub	系统公钥
IP_i	实体i的IP地址
t_i	时间戳
H₀	${0, 1}^{} \to Z_{q}^{}$
H₁	$G \times G \to Z_{q}^{*}$
H₂	$G \times {0, 1}^{} \to Z_{q}^{}$
H₃	${0, 1}^{} \times G \times G \times {0, 1}^{} \to Z_{q}^{*}$
K_i	会话密钥
σ_i	实体i的签名
⊕	异或运算

表1

表2

表3

参考文献 32

[1]	王文通, 胡宁, 刘波 ,等. DNS 安全防护技术研究综述[J]. 软件学报, 2020,31(7): 2205-2220.
	WANG W T , HU N , LIU B ,et al. Survey on technology of security enhancement for DNS[J]. Journal of Software, 2020,31(7): 2205-2220.
[2]	CONTI M , DRAGONI N , LESYK V . A survey of man in the middle attacks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(3): 2027-2051.
[3]	HERZBERG A , SHULMAN H . Antidotes for DNS poisoning by off-path adversaries[C]// Proceedings of 2012 Seventh International Conference on Availability,Reliability and Security. Piscataway:IEEE Press, 2012: 262-267.
[4]	THOMAS M , MOHAISEN A . Kindred domains:detecting and clustering botnet domains using DNS traffic[C]// Proceedings of the 23rd International Conference on World Wide Web. 2014: 707-712.
[5]	ZHAO Y , HU N , ZHANG C ,et al. DCG:aclient-side protection method for DNS cache[J]. Journal of Internet Services and Information Security, 2020,10(2): 103-121.
[6]	EASTLAKE D , ANDREWS M . Domain name system (DNS) cookies[R]. RFC Editor, 2016.
[7]	EASTLAKE D , KAUFMAN C . Domain name system security extensions[R]. RFC Editor, 1997.
[8]	HERRMANN D , FUCHS K P , LINDEMANN J ,et al. EncDNS:A lightweight privacy-preserving name resolution service[M]. Computer Security-ESORICS 2014, 2014: 37-55.
[9]	BERNSTEIN D J . DNSCurve:usable security for DNS[EB]. 2009.
[10]	ZHU L , HU Z , HEIDEMANN J ,et al. Connection-oriented DNS to improve privacy and security[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 171-186.
[11]	ALI M , NELSON J , SHEA R ,et al. Blockstack:a global naming and storage system secured by blockchains[C]// Proceedings of 25th Usenix Security Symposium. 2016: 181-194.
[12]	CHETIOUI K , ORHANOU G , HAJJI S E . New protocol E-DNSSEC to enhance DNSSEC security[J]. International Journal of Network Security, 2018,20(1): 19-24.
[13]	DIFFIE W , HELLMAN M . New directions in cryptography[J]. IEEE Transactions on Information Theory, 1976,22(6): 644-654.
[14]	宋潇潇 . PKI技术在电子政务中的研究与应用[J]. 电子元器件与信息技术, 2019,3(3): 19-21,25.
	SONG X X . Research and application of PKI technology in E-government[J]. Electronic Component and Information Technology, 2019,3(3): 19-21,25.
[15]	SHAMIR A . Identity-based cryptosystems and signature schemes[M]// Advances in Cryptology. Berlin,Heidelberg: Springer Berlin Heidelberg, 1984: 47-53.
[16]	Al-RIYAMI S S , PATERSON K G . Certificateless public key cryptography[C]// Proceedings of 1st International Conference on Applied Cryptography and Network Security. 2003: 452-473.
[17]	LIU J K , AU M H , SUSILO W . Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model:extended abstract[C]// Proceedings of the 2nd ACM Symposium on Information,Computer and Communications Security. 2007: 273-283.
[18]	CHOI K Y , PARK J H , HWANG J Y ,et al. Efficient certificateless signature schemes[M]// Applied Cryptography and Network Security. Berlin,Heidelberg: Springer, 2007: 443-458.
[19]	XIONG H , QIN Z , LI F . An improved certificateless signature scheme secure in the standard model[J]. Fundamental Informaticae, 2008,88(1): 193-206.
[20]	HE D , CHEN J , ZHANG R . An efficient and provably-secure certificateless signature scheme without bilinear pairings[J]. International Journal of Communication Systems, 2012,25(11): 1432-1442.
[21]	TSAI J L , LO N W , WU T C . Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings[J]. International Journal of Communication Systems, 2014,27(7): 1083-1090.
[22]	ISLAM S H , BISWAS G P . Provably secure and pairing-free certificateless digital signature scheme using elliptic curve cryptography[J]. International Journal of Computer Mathematics, 2013,90(11): 2244-2258.
[23]	TIWARI N . On the security of pairing-free certificateless digital signature schemes using ECC[J]. ICT Express, 2015,1(2): 94-95.
[24]	YEH K H , SU C H , CHOO K K Raymond ,et al. A novel certificateless signature scheme for smart objects in the Internet of things[J]. Sensors (Basel,Switzerland), 2017,17(5): 1001.
[25]	WU F , XU L L , KUMARI S ,et al. A new and secure authentication scheme for wireless sensor networks with formal proof[J]. Peer-to-Peer Networking and Applications, 2017,10(1): 16-30.
[26]	WANG D , LI W T , WANG P . Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks[J]. IEEE Transactions on Industrial Informatics, 2018,14(9): 4081-4092.
[27]	SAEED M E S , LIU Q Y , TIAN G Y ,et al. Remote authentication schemes for wireless body area networks based on the internet of things[J]. IEEE Internet of Things Journal, 2018,5(6): 4926-4944.
[28]	汪定, 李文婷, 王平 . 对三个多服务器环境下匿名认证协议的分析[J]. 软件学报, 2018,29(7): 1937-1952.
	WANG D , LI W T , WANG P . Crytanalysis of three anonymous authentication schemes for multi-server environment[J]. Journal of Software, 2018,29(7): 1937-1952.
[29]	HUANG X Y , MU Y , SUSILO W ,et al. Certificateless signatures:new schemes and security models[J]. The Computer Journal, 2011,55(4): 457-474.
[30]	KARATI A , HAFIZUL ISLAM S , BISWAS G P . A pairing-free and provably secure certificateless signature scheme[J]. Information Sciences, 2018,450: 378-391.
[31]	PAKNIAT N , VANDA B A . Cryptanalysis and improvement of a pairing-free certificateless signature scheme[C]// Proceedings of 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC). Piscataway:IEEE Press, 2018: 1-5.
[32]	DENG L Z , YANG Y X , GAO R H ,et al. Certificateless short signature scheme from pairing in the standard model[J]. International Journal of Communication Systems, 2018,31(17): e3796.

方案	签名算法	验证算法	总开销（T_m）	第一类攻击者	第二类攻击者
文献[30]	T _sm+T _inv	6T_sm	≈214.60	不安全	不安全
文献[31]	T _sm+T _inv	6T_sm	≈214.60	不安全	不安全
文献[32]	T _sm+T _inv	2T_sm+T_par	≈185.60	安全	不安全
本文方案	T_sm+T_h	2 T _sm+T_h	≈203.00	安全	安全

方案	源身份认证	保密性	恶意KGC攻击
DNSSEC^[7]	是	否	不安全
DNSCurve^[9]	是	是	不安全
E-DNSSEC^[12]	是	是	不安全
本文方案	是	是	安全

基于无证书签名的抗DNS中间人攻击方案

Preventing man-in-the-middle attacks in DNS through certificate less signature

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 32

相关文章 6

Metrics

推荐阅读 0

[1]	唐飞, 甘宁, 阳祥贵, 王金洋. 基于区块链与国密SM9的抗恶意KGC无证书签名方案[J]. 网络与信息安全学报, 2022, 8(6): 9-19.
[2]	罗玙榕, 曹进, 李晖, 赵兴文, 尚超. 基于SM2联合签名的电子发票公开验证方案[J]. 网络与信息安全学报, 2022, 8(2): 122-131.
[3]	王菁,李祖猛. 几个无证书签名方案的伪造攻击[J]. 网络与信息安全学报, 2020, 6(3): 108-112.
[4]	王勇,王相,贺文婷,周宇昊,蔡雨帆. 馈线终端单元FTU的101规约安全性测试[J]. 网络与信息安全学报, 2018, 4(10): 22-30.
[5]	王翠翠,延志伟,耿光刚. 互联网名址体系安全保障技术及其应用分析[J]. 网络与信息安全学报, 2017, 3(3): 34-42.
[6]	郭川,冷峰. DNSSEC自动化部署相关问题分析[J]. 网络与信息安全学报, 2017, 3(3): 58-63.