Design And Implementation Of Security Authentication Gateway Based On Chinese Cipher

Posted on: 2020-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
Full Text: PDF
GTID: 2428330602452288
Subject: Engineering

Abstract/Summary:
With the development of e-government and e-commerce applications, more and more important information is transmitted over the network. SSL/TLS is therefore widely used as a secure communication protocol, but the current international standard specification of the SSL/TLS protocol does not support Chinese cryptographic algorithms. To accelerate the industrialization of Chinese cryptographic algorithms, the State Encryption Administration has issued standard specifications such as the "SSL VPN technical specification based on Chinese cipher" and the "Security authentication gateway product specification". A security authentication gateway that supports the Chinese cipher SSL protocol can provide high-strength identity authentication and high-strength encrypted transmission based on digital certificates.

This thesis designs and implements a complete security authentication gateway system based on Chinese cipher. It consists of two components: a gateway device that integrates software and hardware, and a client-side Chinese Cipher Browser Agent. The gateway provides Web-based configuration management and the application portal; the Chinese Cipher Browser Agent allows popular browsers to communicate over Chinese cipher SSL. The system's design and implementation meet the requirements of the "SSL VPN technical specification based on Chinese cipher" and the "Security authentication gateway product specification".

The gateway system is based on a security-enhanced Linux platform. Configuration management of the gateway is Web-based, and identity authentication and encrypted communication for management are implemented with Chinese cipher SSL. The configuration functions include Network Settings, User Management, Application Management, SSL Settings, Log Management and System Settings. The user application Portal gives users a unified entry point to applications, provides high-strength identity services based on digital certificates, and supports single sign-on and host security detection.

Because popular browsers do not support the Chinese cipher SSL protocol, this thesis designs and implements the Chinese Cipher Browser Agent, which comprises a configuration GUI and an agent communication engine. The GUI supports Port Settings, Protocol Settings, Certificate Management, Log Management and Proxy Settings. The engine provides an HTTPS proxy service to the browser, acts as the client in Chinese cipher SSL communication with the gateway device, and uses multi-threading for concurrent processing.

To address the key management requirements in the "Security authentication gateway product specification", the gateway device and the client use the Chinese Cipher Encryption Card and the Chinese Cipher Key, respectively, to implement secure key management. The Engine mechanism of OpenSSL is used to develop an Engine module on Linux and on Windows that encapsulates the cryptographic operations of the encryption card and the cipher key, so that all cryptographic operations in Chinese cipher SSL communication are performed inside the cryptographic device and the private key is protected.

Finally, a test environment is set up according to the typical application scenario of the security authentication gateway, and the gateway's functions are tested. The test results show that: (1) the administrator can use the Web-based Gateway Management to adjust the configuration according to the actual application environment of the gateway; (2) the user is able to use mainstream browsers to access the Portal through the Chinese Cipher Browser Agent, and the protocol complies with the Chinese cipher SSL protocol specification and supports two-way identity authentication based on digital certificates; (3) the gateway device and the client use the Chinese cipher encryption card and the Chinese cipher key, respectively, to assure the security of key management.
Keywords/Search Tags: Chinese Cipher SSL, Security Authentication Gateway, Agent Software, Engine Mechanism of OpenSSL