An Implementation of Security Key Management System by LDAP

Implementation of a Security Key Management System Using LDAP

  • Published : 2006.03.01

Abstract

The security key management function is a key element of a secure network environment, and many protocols, including IPSec and HIP, demand this function. There are two solutions for providing the key management function in the network layer: one stores security key material in a directory, the other stores it in DNS. In this paper we present an implementation of a key management system using LDAP. We deployed open-source solutions for the directory service (OpenLDAP), the cryptographic algorithm (FLINT/C) and IPSec (FreeS/WAN), and verified the key management system through encrypted message exchange and an interoperability test with the IKE daemon.

The security key management function is one of the essential elements of network security, and various protocols such as IPSec and HIP require this function. There are two approaches to providing a security key management function at the network layer: using a directory service and using the DNS service. This paper presents an example implementation of a security key management system using a directory service. The directory service (OpenLDAP), public-key algorithm (FLINT/C) and IPSec (FreeS/WAN) functions were built from open-source software, and the functionality of the implemented management system was verified through encrypted message exchange using the security key management system and through interoperation with an IKE daemon.
