
IPSec-VPN-based Research And Implementation For Digital Certificate Authentication Technology

Posted on: 2014-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: W C Luo
GTID: 2268330425976000
Subject: Electronics and Communications Engineering

Abstract/Summary:
IPSec-VPN is currently the most widely used embodiment of VPN technology. The Femto security gateway uses IPSec-VPN to implement data security, providing security services for data communications between the Femto HNB and the core network. However, IPSec's own authentication function is weak and cannot handle authenticated access for a large number of Femto HNBs. PKI (Public Key Infrastructure) is a standardized, common security infrastructure platform that can compensate for the shortcomings of IPSec's authentication function. Digital certificates can be used to solve the trust problem. The EAP-TLS protocol provides certificate-based mutual authentication that balances security against performance overhead.

Based on the principles of IPSec-VPN and the architecture and technical characteristics of the Femto security gateway, the research topic of this paper is the design of a digital certificate authentication scheme for the security gateway. The scheme introduces PKI as the implementation of the authentication system and follows the PKIX standard processes and the X.509v3 digital certificate format, with EAP-TLS used as the process for handling certificate authentication. In the scheme, authentication messages between the Femto HNB and the security gateway are encapsulated in the IKEv2 protocol, and those between the security gateway and the AAA are encapsulated in the RADIUS protocol. The security gateway and the AAA jointly process the HNB's authentication messages. Building on the structure and characteristics of the open source software strongSwan, the scheme implements the certificate authentication process and the dynamic configuration of related parameters.

The paper first introduces the concepts and key technologies of VPN and IPSec and analyzes the embodiment of IPSec-VPN. It then points out the weakness of IPSec's authentication function, introduces the concept of digital certificate authentication, and analyzes the basic principles and standards of PKI and certificate authentication technology, digital certificate format standards, and the EAP-TLS process. Next, the hardware architecture and software architecture of the security gateway are analyzed. The paper then describes the design and implementation of the security gateway's digital certificate authentication scheme, which carries out the authentication message exchange with EAP-TLS, generates the master key for encryption through the TLS handshake, uses "HNB to the security gateway and then to AAA" as the general framework, and achieves dynamic configuration of related parameters by reading and writing the strongSwan profile. Finally, the correctness and practical value of the scheme are verified through certificate authentication function tests and analysis of the test data.
Keywords/Search Tags: IPSec-VPN, Digital Certificate, EAP-TLS, Security Gateway