Implementation of the IPSec Protocol for the Secure Transmission of Materials-Research Information
Abstract

Network information security is not only receiving ever more attention from the individuals and companies living in the networked information society, it now touches every aspect of social life. To build secure and reliable information networks, research on security technology and its design and application is both necessary and urgent.

People want to access the information they need over the Internet securely and at low cost, which drives a growing demand for virtual private networks (VPNs). VPN technology allows confidential information to be transmitted securely over the open, insecure Internet. Common VPN protocols include L2TP, IPSec and SOCKS 5.

IPSec is in fact a suite of protocols: the Authentication Header (AH), which provides authentication for IP traffic; the Encapsulating Security Payload (ESP), which encrypts IP data; and the Internet Key Exchange (IKE), which is used to establish security associations. AH ensures that a packet has not been modified in transit. ESP encrypts the payload with a symmetric algorithm such as DES or triple DES. Together, AH and ESP provide confidentiality, integrity and data-origin authentication for IP packets.

This thesis focuses on IPSec VPN technology and develops a VPN client for Windows that gives inbound and outbound traffic transparent IPSec protection. The client is implemented as an intermediate-layer driver under Windows, the approach commonly called a "bump-in-the-stack" implementation. To the upper layers of the operating system it appears as an ordinary network driver, so the whole Windows IP stack and all upper-layer applications need no knowledge of the underlying details. Based on the IPSec standards, the software protects the integrity and confidentiality of transmitted data through encryption, compression and authentication.
Network information security is not only receiving increasing attention from the individuals and companies of the network information society, but also touches every aspect of social life. To build reliable and secure information networks, research on security technology is both necessary and urgent.

The availability of inexpensive Internet access has resulted in an increasing demand for Virtual Private Network (VPN) solutions. VPNs provide the means to communicate private information securely over the open and rather insecure Internet. Currently a handful of VPN protocols are rising to the surface in the industry, namely L2TP, IPsec and SOCKS 5.

IPSec is actually a suite of protocols. The suite includes the Authentication Header (AH), which addresses authentication for IP traffic; the Encapsulating Security Payload (ESP), which defines encryption for IP data; and the Internet Key Exchange (IKE), which negotiates IPSec security associations (SAs). The Authentication Header ensures that the packet has not been altered or tampered with during transmission. ESP handles encryption of IP data at the packet level, using symmetric cryptographic algorithms such as the Data Encryption Standard (DES) and triple DES to encrypt the payload. Together, the IPSec ESP and AH protocols provide privacy, integrity, and authentication of IP packets.

The thesis focuses on IPSec VPN technology. We developed VPN Client software that provides completely transparent IPSec protection for traffic to and from a PC running a familiar Microsoft Windows environment. The client is implemented as an NDIS intermediate driver running under Windows, an implementation commonly referred to as a "bump-in-the-stack" approach. It appears as a network driver to the upper layers of the operating system, which allows the entire Windows IP stack and all applications to function without any knowledge of the IPSec software. Using standards-based IPSec technology, the VPN Client extends the integrity and confidentiality of data travelling outside enterprise networks by providing encryption, compression, and authentication.
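The ESP mechanics that both abstracts above summarise (per-packet integrity, data-origin authentication and a sequence number against replay), as an added example that is not code from the thesis: ESP encapsulation and inbound processing after RFC 2406, using the NULL cipher (RFC 2410) so that only the Python standard library is needed, and HMAC-SHA-1-96 (RFC 2404) for the ICV. The thesis's DES-CBC encryption is left out; the key, SPI and payloads are constructed values.

```python
# Added example, not the thesis's code: ESP encapsulation and inbound processing per RFC 2406
# with the NULL cipher (RFC 2410) and HMAC-SHA-1-96 (RFC 2404); DES-CBC encryption is omitted.
import hashlib, hmac, struct
ICV_LEN = 12   # HMAC-SHA-1-96: the 20-byte SHA-1 MAC truncated to 96 bits
WINDOW = 32    # minimum anti-replay window size required by RFC 2406

def esp_encapsulate(auth_key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 6) -> bytes:
    """SPI | Seq | payload | padding | pad_len | next_header | ICV (next_header 6 = TCP)."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number space exhausted; a new SA is required")
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4           # payload + trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default padding pattern 1, 2, 3, ...
    body = payload + padding + bytes([pad_len, next_header])   # NULL cipher: transmitted as-is
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv

class EspInboundSA:
    def __init__(self, auth_key: bytes, spi: int):
        # Receiver-side SA state: key, SPI, highest sequence number seen and a replay bitmap
        self.key, self.spi, self.highest, self.bitmap = auth_key, spi, 0, 0
    def _replay_check(self, seq: int) -> None:     # cheap rejection before the MAC is computed
        if seq > self.highest:
            return                                 # new high-water mark; window moves after ICV passes
        diff = self.highest - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:
            raise ValueError("stale or replayed sequence number")

    def _replay_update(self, seq: int) -> None:    # only called once the ICV has verified
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet: bytes):
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("packet too short for an ESP header and trailer")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("no SA for this SPI")
        self._replay_check(seq)
        expected = hmac.new(self.key, packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(packet[-ICV_LEN:], expected):
            raise ValueError("ICV mismatch: packet altered in transit or wrong key")
        body = packet[8:-ICV_LEN]
        pad_len, next_header = body[-2], body[-1]
        if pad_len + 2 > len(body):
            raise ValueError("pad length exceeds the payload")
        self._replay_update(seq)
        return next_header, body[:len(body) - 2 - pad_len]
```

A packet that fails the ICV is dropped without moving the replay window, so a later genuine packet with the same sequence number is still accepted.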
