With the rapid popularization of the Internet, IP-based information exchange is expanding into many fields. People enjoy the convenience of the information superhighway, but they also face all kinds of security threats: information theft, information tampering, and even crippling attacks on information servers happen often. This calls for a secure communication standard for transmitting data safely over public networks, and so Virtual Private Network (VPN) technology emerged.

By creating safe and efficient tunnels, a Virtual Private Network can be built on top of a public network. Most present applications are based on IP, so applying the IPSec protocol at the IP layer greatly simplifies the communication process. IPSec establishes its set of Security Associations through the IKE protocol. This is the most basic and crucial part of information security, and it is what makes secure information exchange possible.

IPSec is a network-layer security mechanism made up of the Encapsulating Security Payload, the Authentication Header and the Internet Key Exchange protocol. Compared with other VPN schemes, IPSec has the following advantages: it is transparent, flexible, and provides powerful security. IPSec is a security protocol that uses strong cryptography to provide both authentication and encryption services. Authentication services ensure that the correct information travels from the sender to the receiver without being tampered with; encryption services prevent unauthorized users from reading the encrypted information. These services allow users to establish trustworthy secure tunnels over a public network. Every message sent must be encrypted by the IPSec gateway and, similarly, must first be decrypted by the IPSec gateway on the receiving side. Only VPN users holding the corresponding SA can send and receive the information, which ensures its safety.

The paper begins by describing the structure of the IPSec system, including the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA), the Security Policy Database (SPD), the Security Association Database (SAD), IPSec packet processing, and the encryption and authentication algorithms. We also introduce the cryptography involved, including symmetric-key algorithms, RSA, digital signatures and hash functions. These form the foundation for what follows.

The main thread of this paper is IKE, which is a hybrid protocol with two phases. In the first phase, the communicating parties establish an ISAKMP SA, under whose protection the other protocols (AH or ESP) can then establish IPSec SAs. In the second phase, once the protections of the first phase are active, the participants establish the IPSec SA and the keys that will be used to protect user data flows. In the first negotiation phase, IKE offers an identity-protection exchange and an aggressive exchange, which we call "main mode" and "aggressive mode". For the second phase, we give the definition of the IKE quick mode exchange.

We then give a security analysis of the main mode exchange, covering non-repudiation, confidentiality and integrity. In most cases it is safe, but it has loopholes and can easily be attacked in four ways: denial-of-service attacks, man-in-the-middle attacks, replay attacks and transform-payload attacks, which reveal the inadequacy of the protocol itself. This paper therefore aims to raise more concern for the security of IKE negotiation and gives three amendments to IKE negotiation with digital signatures: in message (3), add HASH_ID and SIG_ID payloads; in messages (5) and (6), change the content of the ID payloads to (IDi)psk_d and (IDr)psk_d; and reuse the message ID in the first phase. We also analyse the four attacks and compare the advantages over the original method.

In another part, we focus on the elliptic curve encryption algorithm and on the analysis of elliptic curves over binary fields. First, we introduce the basics, including the definition of elliptic curves over the fields that are currently active research topics, the computation on their elements, and the domain parameters. Second, comparing RSA with elliptic curve cryptography, ECC has many technical advantages: better security, modest processing and storage requirements, and low bandwidth. ECC is therefore a good alternative. Finally, we study the computational efficiency of elliptic curves. The key to efficiency is the speed of elliptic curve computation, and its core is scalar multiplication: given E and an integer n > 0, compute nP ∈ E. The computation can be divided into two levels: (1) arithmetic on elements of the binary field; (2) operations on elliptic curve elements, that is, scalar multiplication. The paper works on both levels, analysing ECC computation and accelerating scalar multiplication. Since this paper is aimed at IKE, ECC is applied to the D-H exchange and to digital signatures, and we also give an implementation of the algorithm.

The system is based on Linux 2.4. It implements the basic functions and use of the ECC algorithm, including a fast implementation of ECC, verification and validation of the D-H exchange, and digital signatures. The system is written in C++ and implements many low-level classes, including elliptic curve classes and domain parameter classes, as well as higher-level public key, private key and digital signature classes. Because it is well encapsulated in C++, the code can be called from outside the system. The system uses the curve recommended by NIST, y^2 + xy = x^3 + x^2 + b, over the degree-163 binary field recommended by the FIPS 186-2 standard. In this system we test the efficiency of the improved ECC algorithm; with the new methods introduced, the encryption speed is significantly improved.

This paper is helpful for implementing existing VPNs, especially for improving the IKE RFC documents, and we look forward to the use of ECC in existing mainstream VPNs.
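
The two levels of computation named in the abstract (binary-field arithmetic, then scalar multiplication), followed by a validated D-H step, as an added Python example rather than the thesis's C++ code. It assumes the curve is NIST B-163 and takes b, the base point G and its order N from FIPS 186-2, since the abstract gives none of them; all function names are illustrative.

```python
# Added example, not the thesis's C++ code. Teaching code: not constant-time.
M, A, POLY = 163, 1, (1 << 163) | 0xC9  # GF(2^163) mod x^163+x^7+x^6+x^3+1; a = 1
B = 0x02_0A601907_B8C953CA_1481EB10_512F7874_4A3205FD    # B-163 b (assumed curve)
G = (0x03_F0EBA162_86A2D57E_A0991168_D4994637_E8343E36,  # B-163 base point
     0x00_D51FBC6C_71A0094F_A2CDD545_B11C5C0C_797324F1)
N = 0x04_00000000_00000000_000292FE_77E70C12_A4234C33    # prime order of G

def fmul(a, b):  # level 1: field product; bit i of an int = coefficient of x^i
    r = 0
    while b:
        r ^= a * (b & 1)          # add a when the current bit of b is set
        a, b = a << 1, b >> 1
        a ^= POLY * (a >> M)      # reduce as soon as the degree reaches 163
    return r

def finv(a):  # level 1: inverse by extended Euclid on polynomials (a != 0)
    u, v, g1, g2 = a, POLY, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u, g1 = u ^ (v << j), g1 ^ (g2 << j)
    return g1

def on_curve(P):  # y^2 + xy == x^3 + a*x^2 + b
    return fmul(P[1], P[1] ^ P[0]) == fmul(fmul(P[0], P[0]), P[0] ^ A) ^ B

def add(P, Q):  # level 2: affine group law; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return None               # Q = -P, or P has order 2
    if x1 == x2:                  # doubling slope
        lam, s = x1 ^ fmul(y1, finv(x1)), A
    else:                         # chord slope
        lam, s = fmul(y1 ^ y2, finv(x1 ^ x2)), x1 ^ x2 ^ A
    x3 = fmul(lam, lam) ^ lam ^ s
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):  # level 2: scalar multiplication kP, left-to-right double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = add(add(R, R), P) if bit == "1" else add(R, R)
    return R

def ecdh_shared(priv, peer_pub):  # D-H step: validate the peer point, then multiply
    if max(peer_pub) >> M or not on_curve(peer_pub) or mul(N, peer_pub) is not None:
        raise ValueError("peer public key is not a valid point of order N")
    return mul(priv, peer_pub)[0]
```

The order check in `ecdh_shared` is what rejects the curve's point of order 2, which passes the on-curve test on its own.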