Abstract:
Because Internet Key Exchange (IKE) authentication with signatures is vulnerable to man-in-the-middle attacks, the user ID may be exposed to outside parties in the IKE protocol. To address this issue, this paper proposes a solution that hides the user ID. The solution maintains the ISAKMP framework and effectively resists man-in-the-middle and brute-force attacks at low system cost. It has already been adopted in the design of an IPSec coprocessor.
Key words:
Internet key exchange (IKE),
Man-in-the-middle attack,
IP security (IPSec),
Information security
LIU Xudong; LI Zhancai; WANG Qin. An Enhanced Internet Key Exchange Authentication with Signatures[J]. Computer Engineering, 2006, 32(19): 154-156.
刘旭东; 李占才; 王沁. An Enhanced Internet Key Exchange Authentication with Signatures[J]. 计算机工程 (Computer Engineering), 2006, 32(19): 154-156.