Design And Implementation Of Security Architecture For IPv6 Under The Environment Of Pre-boot

Posted on: 2011-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: X X Sun
GTID: 2178360302480126
Subject: Systems Engineering

Abstract/Summary:
With the development of computers, the traditional BIOS suffers from aging and poor control, which holds back the pace of computer development. To improve computer performance, Intel introduced the next-generation BIOS, UEFI BIOS, which fundamentally solves the disadvantages of the original BIOS. However, the new BIOS faces security challenges, so applying IPSec in the next-generation BIOS meets an urgent need. This thesis designs and implements the IPSec security architecture in the Pre-boot environment of UEFI BIOS, providing an effective guarantee for communication security at the IP layer. It applies the ECC encryption algorithm to IPSec, and carries out system optimization and performance testing. The detailed work of this thesis is as follows:

First, the network security flaws of UEFI BIOS are analyzed. Based on security considerations for UEFI BIOS, this thesis analyzes the main function modules and the main tasks of each boot phase of UEFI BIOS. It then summarizes the structure of the TCP/IP protocol of the BIOS and analyzes its security at the code level. It explains the need to introduce IPSec because of the security flaws of TCP/IP. A comparison between ECC and other encryption algorithms is given to show the superiority of the ECC algorithm.

Second, the IPSec framework under UEFI BIOS is designed and implemented. Because the layers of TCP/IP do not take security into account, safety hazards exist from the beginning of the design. Introducing TCP/IP to the Pre-boot environment is a new attempt; it can bring performance well beyond the reach of the traditional BIOS. Taking these factors into account, this thesis designs and implements IPSec to ensure network security for the Pre-boot environment. The thesis focuses on the design of the IPSec architecture in the Pre-boot environment and, by giving the details of the IPSec design process, demonstrates the good performance of IPSec for security protection under Pre-boot. The concrete realization of the ECC encryption methods is also given.

Third, this thesis designs and implements the IKE module and applies the ECC encryption algorithm. The two phases of IKE are implemented. The first phase covers the design of the data packet format, the definition of data fragments, and the way IKE works for traffic under Pre-boot. The second phase is the building of the Child-SA in active mode. In addition, this thesis shows how the ECC algorithm is added to the Pre-boot environment.

Finally, this thesis tests the IPSec security solution in the Pre-boot environment from the perspectives of function and performance. The experiment proves that the designed security framework meets the protocol standard of the Pre-boot environment and that the architecture runs well with the TCP/IP protocol. The performance test further verifies that the ECC encryption algorithm in IPSec runs properly in the Pre-boot environment, and demonstrates that the introduction of IPSec has little impact on the total time.
Keywords/Search Tags: ECC, Pre-Boot, IPSec, BIOS