
VPN Gateway Based On IP Technology, Design And Implementation

Posted on: 2006-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: J G Lu
Full Text: PDF
GTID: 2208360182466743
Subject: Computer applications
Abstract/Summary:
With the development of computer networking and its increasingly wide application, the reliability and security of network communication are becoming more and more important. IPsec is a set of protocols for secure communication at the IP layer; it provides confidentiality, integrity and authentication. The goal of this dissertation is to design and implement an enterprise virtual private network in which distributed subnets are joined into one through security gateways, using ESP and AH in tunnel mode.

First, RSA-based encryption algorithms are investigated. RSA is one of the most popular methods for implementing public-key encryption, and its theory is based on complex mathematical transformations. An RSA key is divided into two parts, a public key and a private key. Exponentiation is commonly used to implement encryption, decryption and digital signatures. The generation of deterministic primes, probable primes and strong primes is described. Exponentiation and Montgomery modular multiplication are analyzed, and on this basis some new methods of modular multiplication, multiplication and squaring for large integers are proposed to improve the efficiency of RSA encryption arithmetic.

Second, DES and MD5 are studied. DES is a block cipher that mainly uses algebraic operations such as permutation and substitution, and it can encrypt and decrypt data efficiently. It is commonly used to encrypt data stored on disk or sent over a communication channel. To enhance data security, 3DES, a DES-based method, is often used. The MD5 function produces a unique identifier (a 128-bit message digest) for the message being sent, and it is used to check the integrity of messages or files.

Third, we study IPsec tunneling techniques. Through two mechanisms, the IP Encapsulating Security Payload (ESP) and the IP Authentication Header (AH), IPsec provides interoperable, high-quality, cryptography-based security. The thesis investigates the structure of IPsec and the encapsulation formats of ESP and AH, and designs and implements the tunnel mode of ESP and AH. AH performs source authentication and integrity checking using MD5. ESP employs 3DES and MD5 to provide data encryption, source authentication and integrity checking.

Last, we implement a gateway. In the gateway program, we use the RSA public key to negotiate and update security parameters. When the gateway receives a message from the protected subnet, it encapsulates and transmits the message using IPsec; when the gateway receives data encapsulated in ESP or AH format from the public network, it unpacks the data and then forwards it. IPsec, encryption and message digest techniques are integrated into the program to guarantee the security and integrity of the data.
Keywords/Search Tags:Prime, RSA Encryption, Virtual Private Network, IP Security, Encapsulation Security Payload, Authentication Header, Tunneling