提出了一种基于线索平衡二叉排序哈希树认证委分字典的安全高效的源认证(origin authentication,简称OA)方案,用于防范BGP地址前缀劫持攻击.基于Aiello和McDaniel等人提出的OA服务,通过数值区间对AS号和IP地址前缀这两种BGP前缀宣告资源进行了统一的形式化定义,采用一种方案同时解决了两种前缀宣告资源的源可信问题.该方案不仅解决了原OA服务中存在的“无效分配关系的证据量是有效分配关系证据量的两倍”的问题,而且与原OA服务相比,该方案建树所需要的总节点数降低约一半,同时,委分证据集合的平均长度更小.因此,该源认证方案效率更高.%A new origin authentication scheme based on a threaded balanced binary stored hash tree for authenticated delegation/assignment dictionaries is proposed to solve the problems of BGP (border gateway protocol) address prefix hijacking. BGP address prefix announcement is made up of AS number and IP address prefix, and this paper makes use of the number value range to uniformly define two kinds of BGP address prefix announcement resources, so the two kinds of BGP address prefix announcement resources' origin trustworthy problems are issued by one efficient origin authentication scheme in this paper. This scheme inherits the merit of a threaded binary stored hash tree to correct the shortcomings existing in the William Aiello and Patrick McDaniel's origin authentication scheme that the amount of the evidence for invalid delegation/assignment is double that of the valid. Meanwhile, in contrast with original OA scheme, this scheme reduces the number of tree nodes to half the amount of the delegation/assignment attestation set, which is smaller, so this scheme is more efficient.
展开▼
