Current location - Quotes Website - Personality signature - Design and Analysis of Network Security Platform Based on PKI Technology
Design and Analysis of Network Security Platform Based on PKI Technology
Design and Analysis of Network Security Platform Based on PKI Technology

Abstract: Using USB encryption machine and PKI technology, a network security platform is designed and implemented. The security platform realizes authentication, secure transmission and access rights management. The workflow of the protocol used in the platform is studied, and the working principles of client, access control server and certificate management system are introduced in detail.

[Keywords:] information security PKI security protocol USB encryption machine network security platform

I. Overview

This paper aims to develop a network security authentication and connection platform based on PKI technology. The platform uses USB cipher machine and uses the related technology of PKI system to build a secure platform for legal users with cipher machine to access the resource server of internal network through intranet or Internet. The platform needs two-way authentication between users and servers, key negotiation and management of users' access rights to ensure confidentiality, integrity and non-repudiation of information transmission.

The server side of the network security platform is divided into two parts, access control server and certificate management server. The access control server is a server that directly exchanges data with the client, and is responsible for completing key negotiation with the client, realizing encrypted transmission and controlling the access rights of the client. The certificate management server is responsible for certificate generation and certificate issuance for all users, including the access control server. The certificate is in X.509v3 format, which is responsible for the authentication of users when connecting.

Second, the introduction of USB cipher machine

The SJW-2 1C USB cipher machine used in this paper is a cipher device with USB interface.

The symmetric encryption algorithm of SJW-2 1C cipher machine adopts a special cryptographic algorithm chip certified by the National Cryptography Bureau. The encryption block is 64 bits, and the key length is 128 bits. What is the symmetric encryption speed of cipher machine? SMbps, what RSA 1024 does the public key algorithm support, and the signature speed? 4 times per second, the summary algorithm supports SHA? Me and MDS. The cipher machine also has a built-in random number generator certified by relevant state departments, which supports random number screening, that is, it will automatically check the quality of random numbers, and those that do not meet the requirements will be automatically discarded. In addition, the ciphertext itself also supports the generation of RSA key pairs.

Thirdly, the principle of PKI security platform is introduced.

The security authentication process of network security platform based on PKI is divided into two parts, one is the initialization process of authentication information, and the other is the authentication process of users.

(1) initialization of authentication information

Authentication information initialization means that after the network umbrella platform is built, the certificate management system will generate certificates and private keys of all users, including the access control server, and then distribute them to their respective cryptographic machines. The specific process is as follows.

1, the certificate management system will be initialized after installation.

2. The certificate system will start to generate certificates of other certification entities as needed.

3. Each user brings his own password machine to the securities management system to initialize and write the certificate and private key.

4. After the password machine is initialized, as long as you install the password machine on any computer that can connect to the access control server, run the client and enter the correct PIN code, you can start using the content on the resource server according to your own authority. The above is the initialization process of the whole security platform system.

(2) Authentication process of security platform authentication protocol

The design idea of security platform authentication protocol comes from SSL/TLS protocol, but it is not a simple combination of the two, because it will not only give full play to the real advantages of USB cipher machine, but also affect the security of SSL/TLS protocol because of its own characteristics, so this protocol is designed according to the security function and actual situation of cipher machine after understanding the design idea of SSL/TLS protocol. In the following introduction, the 128-bit domestic symmetric encryption algorithm that comes with the cipher machine will be called SAl28.

1, the client ciphertext generates one 12 8-bit random numbers R 1, and then uses SHA- 1 algorithm to get the information summary H 1 of this random number and ciphertext TD, uses SAl28 algorithm to encrypt h 1 with Rl as the key, and then uses the private key of ciphertext to encrypt R.

2. The access control server directly forwards the data sent by the user to the certificate management server.

3. After receiving the package, the certificate server first looks up the certificate corresponding to this ID in the certificate database, then decrypts the Rl encrypted by the client's private key with the public key contained in the certificate electricity, and then decrypts it with this R 1 through SAl28 algorithm to get H 1. After the verification is passed. The certificate server will generate a new random number R2, then RSA will encrypt R2 with the public key of the client, add Rl to the encrypted data, then take the abstract SAl28 H2, then encrypt Rl and encrypted R2 and H2 with the key of R2, then RSA will encrypt R2 with the public key of the access control server, and then send the above data to the access control server.

4. After receiving the above data, the server first solves R2 with its own public key, and then obtains RsC(R2)+RI+H2 with R2 through SAl28 algorithm. After verification, it extracts the abstract H3 from R2, and then encrypts RsC(R2)+H3 with R 1 and sends it to the client.

5. After receiving the data, the client first uses Rl to solve Rsl(R2) and H3, then uses its own private key to solve R2 after confirmation, and then uses R2 as the key of SA 128 algorithm to start communication with the server. At this point, the authentication process ends and a secure connection is established between the client and the access control server.

Fourth, the main span block of the safety platform

The secure connection part of this network umbrella authentication platform is mainly divided into three parts: client, access control server and certificate management server. This system is an application of network security, so network communication and security are very important. Communication on Internet public network adopts TCP/IP protocol, and network connection is established by using one-step socket class CasyncSocket encapsulated by MFC. As for the secure connection, the cipher machine is used, and the programming is to access the USB driver application interface. What is used here is the software development package of this cipher machine.

(A) the implementation of the client

The implementation of client is divided into two parts, one is the control of cipher machine, and the other is the support of network security protocol. After the client sets the verification PIN code, it starts self-checking the public and private keys. After the self-checking is successful, it starts to submit the verification application to the connection control server.

(2) Implementation of Access Control Server

The main function of the access control server is to exchange data between the external network and the internal network, and judge the attributes of the data for different processing. On the access server, an access rights database is maintained, which contains all resources on the resource server and indicates the rights of each user ID. After the client establishes a secure connection with the access control server, the server will turn the thread that contacts the client into a forwarding thread, and the client will encrypt its own request and send it. After decryption, the forwarding thread will decide whether to send a request to the resource server according to the permission range of the client. If the client permission is required, the forwarding thread will encrypt the obtained resources and send them to the client.

(3) Implementation of certificate management server

In this security platform, the role of certificate management server is to generate and issue certificates, verify the identities of clients and servers, and generate symmetric encryption keys. The certificate management server has a certificate repository, which stores the certificates of all cipher machines in the security platform system.