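Design and Implementation of a National Cryptographic Standard (Guomi) IPsec VPN Server Based on Openswan
Published: 2018-03-06 02:22
Topic: IPsec; Focus: VPN; Source: Xidian University, 2014 master's thesis; Document type: degree thesis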
[Abstract]: In recent years the Internet has become ever more deeply embedded in daily life and has brought great convenience, but the network security problems that accompany it have also grown increasingly serious. As one of the most important means of safeguarding network security, IPsec VPN technology is widely deployed at the key nodes of network security. In the IPsec VPN technology in wide use today, both the security protocols and the cryptographic algorithms come entirely from standards set by foreign organizations or institutions. To meet China's own security needs, the State Cryptography Administration of China approved a series of cryptographic algorithms under the national cryptographic (Guomi) standards, and on that basis a VPN technical specification built on those algorithms was drawn up. Based on the "IPsec VPN Technical Specification (2010 Edition)" and building on the open-source IPsec VPN server Openswan, this thesis studies and implements IPsec VPN technology based on the national cryptographic standards. The main results are:
1. A systematic study of the overall system architecture, the cryptographic algorithm subsystem and the IKE negotiation flow of the open-source IPsec VPN server Openswan.
2. An improved Openswan that adds support for the national-standard cryptographic algorithms, with Openswan's IKEv1 negotiation flow modified to meet the IKE negotiation requirements of the national-standard IPsec VPN technical specification.
3. A study of NETKEY, the IPsec implementation module of the Linux 2.6 kernel, and an extension of the set of cryptographic algorithms that the Linux 2.6 kernel's IPsec implementation supports, so that it can use the national-standard cryptographic algorithms.
4. An in-depth study of the Linux kernel crypto framework and of how to add custom cryptographic algorithms to it. The national-standard cryptographic algorithms are registered in the Linux kernel crypto framework so that other kernel modules can call them when needed to perform the required cryptographic operations. A symmetric encryption algorithm can be registered with the Linux kernel crypto framework in three ways: as a cipher, as a synchronous block cipher, or as an asynchronous block cipher. The thesis tries each of the three registration methods and examines its effect on the system's encryption performance; the asynchronous block registration method was ultimately used to implement the whole system.
5. On the basis of the results above, a national-standard IPsec VPN server conforming to the "IPsec VPN Technical Specification (2010 Edition)" was implemented. The server was tested comprehensively and good test results were obtained.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1572927
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1572927.html