Research and Implementation of the SM (国密, National Commercial Cryptography) SSL Secure Communication Protocol
Published: 2018-07-16 19:59
【Abstract】: Network communication security has been elevated to a matter of national strategy, and it has remained a focus of attention in both the Internet era and the era of big data and cloud computing. The Secure Sockets Layer (SSL) protocol is currently the most widely used transport-layer secure communication protocol; it protects application data in transit and plays an extremely important role in fields such as e-government and e-commerce. However, SSL built on conventional cryptographic algorithms cannot meet the requirements of commercial cryptography applications in China. Facing an increasingly severe security situation, the State Cryptography Administration published the SM series of national commercial cryptographic algorithms and also issued the "SM SSL VPN Technical Specification" (《国密SSL VPN技术规范》) to guide the development of SM-based SSL VPNs. This thesis implements the SM series algorithms on top of OpenSSL and then analyzes and implements the SM SSL VPN protocol according to that specification. Specifically, the work covers three aspects: 1. Using OpenSSL's Engine mechanism to add the SM2, SM3 and SM4 algorithms, so that the OpenSSL Crypto library supports the SM series; on that basis, OpenSSL's built-in PKI tools are used to build a lightweight CA for issuing and managing SM2 certificates. 2. Analyzing the standard SSL communication protocol and extending it into the v1.0 SM SSL protocol specified in the SM SSL VPN specification; the focus is the cipher-suite negotiation between the two communicating parties, and SM cipher suites that call the SM algorithms at the lower layer are added. 3. Building a typical secure Web application test environment on the extended OpenSSL: by configuring the Web server and a local port proxy on the client, the two parties negotiate the SM SSL protocol and use an SM cipher suite, and packet capture is used to verify the correctness of the SM SSL implementation. The results of this work can provide transport-layer secure communication support for various security applications, including HTTPS secure Web communication and SM SSL VPNs. Currently only the ECC-SM1-SM3 cipher suite is implemented; all suites required by the SM SSL VPN specification can be implemented later to provide more complete support.
【Degree-granting institution】: Xidian University (西安电子科技大学)
【Degree level】: Master's
【Year degree granted】: 2014
【Classification number】: TP393.08
Article number: 2127515
Link: https://www.wllwen.com/guanlilunwen/ydhl/2127515.html