Computer Science ›› 2021, Vol. 48 ›› Issue (11A): 678-681. doi: 10.11896/jsjkx.210100030

• Interdiscipline & Application •

Application of Chinese Cryptographic Algorithm in RPKI

LENG Feng1,2,3, ZHANG Ming-kai2, YAN Zhi-wei2, ZHANG Cui-ling2, ZENG Yu1,2

  1. 1 Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
    2 China Internet Network Information Center, Beijing 100190, China
    3 University of Chinese Academy of Science, Beijing 100049, China
  • Online: 2021-11-10 Published: 2021-11-12
  • Corresponding author: ZENG Yu (zengyu@cnnic.cn)
  • About author: lengfeng@cnnic.cn
    LENG Feng, born in 1982, Ph.D, is a member of China Computer Federation. His main research interests include internet infrastructure resources and network security.
    ZENG Yu, born in 1973, Ph.D, researcher, Ph.D supervisor, is a member of China Computer Federation. His main research interests include computer architecture, network security and digital economy.
  • Supported by:
    Beijing Nova Program of Science and Technology (Z191100001119113).

Abstract: Inter-domain routing hijacking incidents have become frequent in recent years, and the security of routing systems has attracted extensive attention. As a routing security verification system, the RPKI system can greatly reduce the risk of routing hijacking by working with existing routing broadcast strategies. The current design and implementation of RPKI place specific constraints on the choice of cryptographic algorithms: the signature algorithm is limited to the RSA asymmetric encryption algorithm, and the hash algorithm is limited to SHA-256. As cryptographic algorithms are upgraded and new ones are introduced, it is reasonable to expect that future versions of the RPKI system will gradually accept more algorithms to meet security, performance and customized-deployment requirements. This article introduces the SM2 and SM3 algorithms, also known as Chinese commercial cryptographic algorithms, into the RPKI system and establishes a complete cryptographic algorithm testing environment to compare, along multiple dimensions, the performance of the Chinese commercial cryptographic algorithms with that of the algorithms defined in the standard RFCs. Based on this performance evaluation and comparison, we discuss the feasibility of the algorithms in RPKI, optimization and improvement methods for large-scale deployment environments, and the prospects for the future development of the existing cryptographic system in RPKI.

Key words: Asymmetric encryption, Hash algorithm, Performance test, Routing security, RPKI

CLC Number:

  • TP393