Abstract
Owing to the advent and rapid development of Internet communication technology, network security protocols with cryptography as their core have gradually become an important means of ensuring secure communications. Among numerous security protocols, certificate authentication is a common method of identity authentication, and hostname verification is a critical but easily neglected process in certificate authentication. Hostname verification validates the identity of a remote target by checking whether the hostname of the communication partner matches any name in the X.509 certificate. Notably, errors in hostname verification may cause security problems with regard to identity authentication. In this study, we use a model-learning method to conduct security testing for hostname verification in internet protocol security (IPsec). This method can analyze the problems entailed in implementing hostname verification in IPsec by effectively inferring the deterministic finite automaton model that can describe the matching situation between the certificate subject name and the hostname for different rules. We analyze two popular IPsec implementations, Strongswan and Libreswan, and find five violations. We use some of these violations to conduct actual attack tests on the IPsec implementation. The results show that under certain conditions, attackers can use these flaws to carry out identity impersonation attacks and man-in-the-middle attacks.
Highlights
Owing to the rapid development of network communication technology and the continuous upgrading of the Internet industry, Internet products and services have gradually become an important part of people’s daily lives
A common method to verify user identity is through digital certificates entailing the application of the public-key cryptographic algorithm
We summarize the identification types of internet protocol security (IPsec) according to the relevant RFCs
Summary
Owing to the rapid development of network communication technology and the continuous upgrading of the Internet industry, Internet products and services have gradually become an important part of people’s daily lives. As society’s dependence on networks continues to increase, ensuring communication security has become an important problem that must be solved urgently. A common method to verify user identity is through digital certificates entailing the application of the public-key cryptographic algorithm. One party in the communication uses its own private key to sign the message, and the other party uses the corresponding public key to verify the message. The subject name corresponding to the certificate is compared with the user identity to ensure that the identity of the certificate provider is legal
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
