Abstract
This thesis presents a comprehensive and detailed design and implementation of an IP encryption device (the IP Encryption System). It first gives a brief introduction to the IPSec protocol architecture, then describes the system's functional and performance requirements, and on that basis proposes the overall architecture and the system configuration. This is followed by the detailed design of each part of the system, the technical difficulties encountered and the corresponding solutions. During implementation, particular attention was paid to the performance of the IP encryption device, the security of the device itself and of its communications, and the convenience of user management. A number of advanced techniques were employed, including a hardware encryption card, IC cards, inter-process communication, kernel-mode programming and socket programming. Finally, the thesis presents a performance analysis of the system, examples of using the IP Encryption System to build a VPN, and directions for future improvement.