Discussion on newcommunication rule which can realize Trusting Connection and Trusting router
Prepared for ISO/IEC JTC1 SC6 meetings, Sep.. 2010
1．The creation of new communication rule
IP-based communications such as IPv4, IPv6 have been developed rapidly and take more and more important role in cyber society. Internet has became the mainstream of telecommunication over the world. However, we have to see the increasing security problems of Internet. The main reason is the lack of security mechanism. It is said that at the beginning of IPv4 and IPv6 protocol design, the security problem was not taken into account absolutly. Now, the security problem is getting more serious, and threats the life-time of Internet.
The communication network majored by Internet has been changed greatly and developed from the pure information system to a new cyber space which integrated with the Internet of things. Therefore to construct a trusting system in the broad cyberspace has become the main target.
For this purpose, the research for new generation of Internet has begun in many coutries and achieved some progress. The common view point is that the future Internet must be constructed by international join efforts and must be a green network in which once a malicious activity occurs it may be detected and deterred immediately. This projects will be a complicated task and need to solve many rekated problems in deed. But our opinion is we can begin with the urgent problem that is to solve the existing demerits of Internet:
l The Internet's shortage of security originates from the begining trusting design scheme which is no verifying scheme. No matter the user whether is willing to want, the mail shall deliver certainly and inspect by receiving party himself;
l The Endless Patching and "Identifing bad hacker system" is not the answer.
l To solve the network information security problem must change communication scheme from trusting to mutual suspicion.
Therefore, We have defined and redesigned the communication's rule which is changed from existing rule of communicating first and verifing after to verifing first and communicating. We start with from the following two aspects:
1）Addressing: The address should not be defined by random number. The experience tell us that rundom number is not easily known to others and can only be explained by the designated DNS. If the address is real-name decimal system then it will be easily known to others and there will be no need to have the support of DNS. Some one suggested that the new addressing system might be integrated with geographic location. It is interesting sujestion for it may solve the locating problem at the same time.
2）Address proof:The sender sends an evidence that proves the authenticity of address. The evidence can be verified by any reciever. Any party can verify the authenticity of original address or routing addresses to realize trusting connection and prevent illegal access.
In the base of IPv9, we have realized the trusting connection router using real-name address. Our works mainly include the following three projects:
The address proving and verifying are the same as identity authentication. The core of contemporary information security is identity authentication which is the “silver bullet” of trusting system. Silver bullet must be implemented by new type of public key crypto-system, so it has long been the dreamed that visionaries imagined for public key system.
Public key cryptosystem has undergone three phases of development: the first phase began in 1976, Diffie et al. proposed the asymmetric key system; The second phase began in 1984, Shamir et al. proposed identity-based public key system; The third phase began in 2003, Nan Xianghao et al. proposed seed-based combination public key system. CPK can resolve the horizontal key management and mutual authentication for ultra large scale of addresses. The appearance of CPK promoted Public key cryptosystem technical progress.
CPK can provide original address with evidence to prove its authenticity (by address signing), any other router can verify the address true or false (by verifying signature).
Because the sender's address is arrived at recipient before data so the recipient can verify the authenticity of address before the data. It is called "pre-proof". Only "pre-proof" can prevent illegal access.
2）Composition of new routing protocol
The protocol is different between real-name address system and random number address. The modification of protocol is necessary and inevitable. Due to the address verifying system is new add protocol and has a significant impact for transmission format. Therefore we have studied with emphasis the head form which is involved to router schema.
The new design header structure of trusting connection is following:
Original address （16-2048 bit)
Destination Address （16-2048 bit)
3） Trusting computing environment
The router execution code should be signed by manufacturer. The system only allows the execution of the software which is signed. All software which is not signed should not be executed. It is obivious that any malicious software cannot work, thereby the trusting computing environment is ensured.
3.Functions of new prototype router
The functional prototype router implements four objectives proving that the new generation of router has a good feasibility.
、The original address can provide address evidence and its lifetime evidence and can be verified by any other routers.
、All pathway router can verify the original address and can decide wether to accept or not.
、It can provide trusted connection proventing illegal access
、It can provide trusted computing environment inside router.
4．Some our sujjestionsCurrently, as the key technology of address authentication CPK cryptosystem is authorized by Chinese government and now applying for IEEE International standard. The process is going well. But the new router header protocol, also as one of the key technology, the standardization has not begun yet. It is a pity. Now it is better to start the standardization work at once.
If we have a standard format, we can greatly speed up the construction of the future network.
Cyber Security Technical Framework—Trusting system based on identity