
The Research And Implement Of National Standard IPSec VPN Security Mechanism

Posted on: 2019-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
Full Text: PDF
GTID: 2428330572455610
Subject: Computer application technology
Abstract/Summary:
As a kind of secure communication network on the Internet, the VPN plays an increasingly important role in daily communications, especially in commercial communications. There are some security holes in the encryption algorithms and the IKE main mode of the RFC standard. In order to further improve the security of IPSec VPN technology, the State Cryptography Administration proposed the "IPsec VPN Gateway Product Specification". This specification has strong guiding significance for the development of IPSec VPN technology in line with China's national conditions. Based on the "IPsec VPN Gateway Product Specification", this thesis researched and implemented the content of the national standard IPSec VPN security mechanism, such as the main mode, the encryption algorithm and the network filter mechanism, and mainly completed the following work.

1. For the security holes of man-in-the-middle attack and information repudiation attack, this thesis researched and analyzed the IKE main mode in the RFC standard. Then, based on the open source software OpenSwan, this thesis designed and implemented a digital certificate authentication method in the main mode, which improves the security and authority of the authentication process.

2. This thesis researches and further compares the encryption algorithms used in the RFC standard and the national standard. The RFC standard uses open source algorithms, which increases the risk of being compromised. This thesis took advantage of the closed nature of the national standard encryption algorithms. Based on the Crypto framework of the Linux kernel, and taking two custom hardware encryption cards as the encryption and decryption computing platform, this thesis designed and implemented a kernel module that uses the national standard algorithms to perform encryption and decryption operations in the Linux operating system. This module not only improves the security of the algorithm used in the system, but also releases CPU computing resources, improving encryption and decryption efficiency.

3. Based on in-depth research of the Xfrm and Netfilter frameworks of the Linux kernel, and through the preparation of an Xfrm interaction module and a Netfilter kernel module, this thesis designed and implemented a network filter mechanism that handles network packets in three ways, IPSec encryption, plain text transmission and dropping, based on the network packet triplet <IP (or subnet, address range), port, protocol>. The filtering mechanism provides differentiated services for different network packets, improves the flexibility of IPSec VPN in processing network packets, and realizes the packet filtering function of the security mechanism.

Based on the above research, this thesis implemented a server prototype system that complies with the national standard IPSec VPN security mechanism. The system was tested from both functional and performance perspectives. Experiments have proved that the IPSec VPN server prototype system developed in this thesis conforms to the "IPSec VPN Gateway Product Specification" in all aspects, and the project successfully passed the acceptance of a Nanjing institute under the Ministry of National Security. The performance of this system also meets the requirements for application.
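A userspace model of the triplet-based filter decision described in point 3, added here as an example; it is not code from the thesis or from the Xfrm/Netfilter modules it describes. The rule builders, the sample policy with its addresses, and the default-deny fallback are constructed assumptions; the three actions mirror the abstract's IPSec encryption, plain text transmission and dropping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Actions for a matching packet: protect with IPsec, forward in plaintext, or drop. */
typedef enum { ACT_IPSEC, ACT_PLAIN, ACT_DROP } action_t;

/* One rule keyed by the triplet <address selector, port, protocol>. The selector is
 * an inclusive range, so host, subnet and address-range forms share one comparison. */
typedef struct {
    uint32_t lo, hi;              /* inclusive IPv4 range, host byte order */
    uint16_t port; uint8_t proto; /* 0 = any; proto 6 = TCP, 17 = UDP */
    action_t action;
} rule_t;

static uint32_t ip4(const char *s) {  /* dotted quad -> host-order integer */
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}
/* Builders for the three selector forms the triplet allows (assumed helpers). */
static rule_t host_rule(const char *ip, uint16_t port, uint8_t proto, action_t act) {
    rule_t r = { ip4(ip), ip4(ip), port, proto, act }; return r;
}
static rule_t subnet_rule(const char *ip, int prefix, uint16_t port, uint8_t proto, action_t act) {
    uint32_t mask = prefix > 0 ? 0xffffffffu << (32 - prefix) : 0, net = ip4(ip) & mask;
    rule_t r = { net, net | ~mask, port, proto, act }; return r;
}
static rule_t range_rule(const char *lo, const char *hi, uint16_t port, uint8_t proto, action_t act) {
    rule_t r = { ip4(lo), ip4(hi), port, proto, act }; return r;
}

/* First matching rule wins. Unmatched packets are dropped: default deny is this
 * example's assumption, not a detail the thesis states. */
action_t classify(const rule_t *rules, size_t n, uint32_t dst, uint16_t port, uint8_t proto) {
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        if (dst >= r->lo && dst <= r->hi && (r->port == 0 || r->port == port) &&
            (r->proto == 0 || r->proto == proto))
            return r->action;
    }
    return ACT_DROP;
}

/* Constructed sample policy: refuse telnet into a management range, carry the rest of
 * 10.0/16 over IPsec, reach a public web server in plaintext, drop everything else. */
action_t demo_classify(const char *dst, uint16_t port, uint8_t proto) {
    const rule_t policy[] = { range_rule("10.0.9.1", "10.0.9.50", 23, 6, ACT_DROP),
                              subnet_rule("10.0.0.0", 16, 0, 0, ACT_IPSEC),
                              host_rule("203.0.113.10", 80, 6, ACT_PLAIN) };
    return classify(policy, sizeof policy / sizeof policy[0], ip4(dst), port, proto);
}
```

Rule order matters: the narrow telnet rule must precede the broad subnet rule, or the management range would be tunnelled instead of refused.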
Keywords/Search Tags:OpenSwan, national standard IPSec VPN security mechanism, IPsec VPN Gateway Product Specification, Xfrm, Netfilter