
IPsec-based VPN Security Analysis

Posted on: 2004-09-27
Degree: Master
Type: Thesis
Country: China
Candidate: R X Yang
Full Text: PDF
GTID: 2208360122955163
Subject: Management Science and Engineering

Abstract/Summary:
In the modern information age, networks are used more and more widely, even in the home environment, and have become an important means for people to exchange information. Network information security is therefore critical to the wide application of networks.

A VPN (Virtual Private Network) is a virtual private network that achieves security and reduces cost by establishing secure channels over existing public communication channels such as the Internet. The VPN discussed here implements network security at the IP (Internet Protocol) layer. The advantage of this is that the VPN is transparent to the protocol layers above IP, so no special security mechanism is needed in the applications. A secure channel is established between two VPN devices, each of which protects a subnet behind it. Hosts in the same subnet communicate without any change; when a host communicates with a host outside the subnet, the VPN protection is applied to ensure confidentiality and integrity.

Among VPN architectures, IPsec is the most widely used protocol; it comprises security protocols and key negotiation. The IPsec protocol provides the ESP and AH mechanisms: ESP provides confidentiality and integrity protection, while AH provides only integrity (data origin authentication) protection and no encryption. Both mechanisms can defend against replay attacks. In IPsec, automatic negotiation of the security parameters used by the security protocols is performed by IKE. The parameters negotiated by IKE include the encryption and authentication algorithms, the keys used for encryption and authentication, the protection mode of the communication (transport or tunnel mode) and the lifetime of the keys. The set of these parameters, which IKE refreshes, is called an SA (Security Association).

This thesis discusses the security architecture of an IPsec-based VPN, its theory and its security. The design and implementation of a public-key mechanism based on a cipher card is also a focus of this thesis.
One solution for source authentication and secure key management in the multiple-sender ("multi-transfer source") condition is presented in this thesis. The main research work is summarised as follows:

1. Multicast security cannot be ensured by IPsec alone, because IPsec is a point-to-point protocol. The principles and features of the existing solutions for source authentication with multiple senders are surveyed, and a new solution is presented.

2. With multiple senders, secure key management is difficult to implement. Several popular key management architectures are discussed and an improved solution is provided.

3. A public-key mechanism based on a cipher card is designed. The card provides three algorithms: a 128-bit symmetric algorithm, a 128-bit message digest (hash) and RSA with a modulus length of 1024/2048 bits. A four-level key management mechanism, comprising KP (Protect Key), KD&KE (Decrypt & Encrypt Key), KW (Working Key) and KM (Message Key), protects keys "end-to-end" and ensures that each message key is used only once.
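The abstract states that both ESP and AH defend against replay. In IPsec this is done by the receiver: every packet carries a monotonically increasing sequence number, and the receiver keeps a sliding window over the sequence numbers it has already authenticated (RFC 4303, Appendix A). The following is an added example, not code from the thesis, showing that receiver-side logic together with the order of operations that matters for security: the cheap window check runs before the integrity check so forged floods cost no cryptography, and the window is advanced only after the ICV verifies so a forged packet cannot push a genuine one out of the window. It assumes HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, a 64-bit window, and a constructed key and SPI standing in for the IKE-negotiated SA.

```python
import hashlib
import hmac
import struct


# HMAC-SHA-256-128 as used for ESP/AH integrity (RFC 4868): 32-byte key, tag truncated to 16 bytes.
def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!II", spi, seq)  # SPI and sequence number as they appear on the wire
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:16]


class AntiReplayWindow:
    """Receiver-side sliding window from RFC 4303 Appendix A.

    `top` is the highest sequence number whose ICV has verified; bit i of `bitmap`
    records whether sequence number `top - i` has been received.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Preliminary check, done before the (costly) ICV verification."""
        if seq == 0:
            return False  # the first packet on an SA uses 1; 0 is never valid
        if seq > self.top:
            return True  # to the right of the window: new
        offset = self.top - seq
        if offset >= self.size:
            return False  # to the left of the window: too old, drop
        return not (self.bitmap >> offset) & 1  # inside the window: new only if unseen

    def update(self, seq: int) -> None:
        """Advance the window; call only after the ICV verified, so forgeries cannot move it."""
        if seq > self.top:
            shift = seq - self.top
            # Slide left so bit 0 is the new top; a jump past the window clears all history.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    """One inbound SA: integrity key, SPI and anti-replay state."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi = key, spi
        self.window = AntiReplayWindow(window)

    def receive(self, spi: int, seq: int, payload: bytes, tag: bytes) -> str:
        if spi != self.spi:
            return "no such SA"
        if not self.window.check(seq):
            return "replay/stale"  # dropped before any crypto is spent on it
        if not hmac.compare_digest(compute_icv(self.key, spi, seq, payload), tag):
            return "bad icv"  # window untouched, so the genuine packet can still arrive later
        self.window.update(seq)
        return "accepted"


def demo() -> list:
    """Constructed traffic on one SA: in-order packets, a replay, a jump, a late packet, a forgery."""
    key, spi = bytes(range(32)), 0x1001  # constructed SA parameters, not from the thesis
    rx = Receiver(key, spi)

    def pkt(seq, payload=b"data", tamper=False):
        tag = compute_icv(key, spi, seq, payload)
        if tamper:
            tag = bytes(b ^ 0xFF for b in tag)  # attacker cannot compute a valid ICV
        return rx.receive(spi, seq, payload, tag)

    return [
        pkt(1), pkt(2), pkt(3),   # in order: accepted three times
        pkt(2),                   # replay of an accepted packet: dropped
        pkt(100),                 # jump forward: accepted, window now covers 37..100
        pkt(3),                   # now too old: dropped
        pkt(50),                  # late but inside the window and unseen: accepted
        pkt(50),                  # second copy: dropped
        pkt(101, tamper=True),    # forged ICV: dropped and the window does not advance
        pkt(101),                 # the genuine 101 is still accepted afterwards
    ]


if __name__ == "__main__":
    for seq, verdict in zip([1, 2, 3, 2, 100, 3, 50, 50, 101, 101], demo()):
        print(seq, verdict)
```

The same state machine applies to AH, which differs from ESP only in what the ICV covers (AH also authenticates the immutable fields of the outer IP header). When an SA is rekeyed by IKE, a new SA with its own SPI starts from sequence number 1 and a fresh window, which is why the window must be per-SA rather than per-peer.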
Keywords/Search Tags:VPN, IPSec, Cipher Card, Multicast Security