| This thesis has focused on the research of the IKE protocol in IPsec protocol suite, and proposed to combine the techniques of ECC, PKI, and RBAC for access control with the IKE protocol, so as to design an enhanced IKE protocol based on authentication and access control with PKI. The thesis has designed and implemented an IPsec VPN security gateway prototype. Its specific research and implementation includes: Examine current IKE-related techniques; analyze their pro and cons, so as to find the starting point of the research. Research PKI and ECC techniques and analyze their advantages. Employ ECC technique to get higher efficiency and better security. Apply PKI-based authentication technique to improve the security level of IKE and system's extensibility. Apply RBAC access control technique based on the attribute certificate to gain finer granularity, all with support to DER and PEM format of digital certificate. Study DPD protocol, design and implement it Resolve the problems of how to discover the dead distant peers efficiently when they're offline, then to re-negotiate to improve system's robustness and efficiency. Analyze prototype for security. Against the fact that MD5, SHA1 message digest algorithms have been cracked recently, analyze the possible potential security threat to the project and propose appropriate measures. Test the prototype system and analyze with the results that the prototype system could work with IPsec modules in Linux kernel v2.6 smoothly, and has got its initial design targets.The research of this thesis has sponsored by the natural science foundation of Jiangsu Province for the project "Research on the High Intensity VPN Security Gateway Techniques and Core System Based on PKI and ECC" (Project Number: BK2004039). |
PDF Full Text Request