Xu Ke et al.: Research Progress on Blockchain-Based Network Security Architecture and Key Technologies, 2020

Abstract With the continuous evolution of Internet technology and the explosive growth in the number of users, the network has penetrated all aspects of people's lives, and its security has gradually become the focus of people's attention. Researchers have done much research on network security. However, with the expansion of network scale and the diversification of attackers' misbehaviors, some drawbacks of the traditional network security architecture and its key technologies have been exposed. For example, most of today's network security infrastructure, such as PKI and RPKI, is realized as a centralized architecture, and the effectiveness of cybersecurity measures is based on trust in these centralized architectures, which exposes serious single-point-of-trust issues. The incidents in which the Dutch CA certificate provider DigiNotar was hacked to issue malicious certificates for more than 500 websites, and Symantec's mis-issuance of more than 30,000 certificate extension vouchers, indicate that once these trust centers have problems, the impact on the entire Internet is severe. Secondly, since the early design of the network architecture did not take security much into account, deploying many of the security mechanisms proposed later not only requires modifications to existing network protocols but also affects the efficiency of network operation, which makes these mechanisms difficult to deploy in practice. Besides, with the advent of the IoT era, the complexity of the network will continue to grow, and building network security should involve many organizations and even the general public. However, there is no trustworthy incentive mechanism to coordinate cooperation between different organizations and to motivate users to participate in building network security.

At present there is no good solution to these drawbacks, but the emerging technology of blockchain offers new ones. Blockchain is a trustworthy distributed database that integrates P2P technology, cryptography, consensus mechanisms, and distributed storage technology. Its characteristics, such as decentralization, immutability, and auditability, have led researchers to apply it to network security, producing a large body of work. This paper summarizes that work and divides it into three areas from the perspective of the TCP/IP network architecture: network-layer security, application-layer security, and PKI security. It also categorizes the role of blockchain in network security applications into three situations: true storage, true computing, and true incentives. Specific application areas include collaborative intrusion detection, inter-domain routing security, vulnerability detection crowdsourcing, access control, and PKI security. For each specific application field of blockchain, this paper first introduces the security status of the field, then introduces the blockchain research in the field, and finally analyzes the advantages of applying blockchain technology there. At the end of the paper, we analyze four aspects that deserve attention in blockchain applications: privacy issues, scalability issues, security issues, and the direction of structural evolution. We also look ahead to future network security architecture and key technologies based on blockchain.

Key words blockchain; network security architecture; network-layer security; application-layer security; PKI security

1 Introduction

Since ARPANET formally went into operation in 1969, the Internet has been developing for more than 50 years. From only 4 nodes at the outset to nearly 4.4 billion network users worldwide today, and from serving only military research purposes at the outset to today's "Internet Plus" covering every field, the Internet has become an infrastructure that permeates every aspect of people's existence and daily life. However, while Internet technology brings people many conveniences, its security risks also pose severe challenges to people's lives and property. From the hacker attack on the Winter Olympics in South Korea in February 2018, which knocked out the venue network①, to the WannaCry malware attack on TSMC, the world's largest semiconductor manufacturer, in August 2018②, and on to the leak at the end of 2018 of the private data of 500 million customers of the Marriott hotel group

① Hackers Targeted the Winter Olympics Opening Ceremony to 'Embarrass' South Korea. http://time.com/5155234/hackers-targeted-pyeongchang-opening-ceremony 2018,2,13
② TSMC Chip Maker Blames WannaCry Malware for Production Halt. https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html 2018,8,7