【摘要】：網(wǎng)絡通信安全已上升至我們國家的戰(zhàn)略高度,不論是互聯(lián)網(wǎng)還是大數(shù)據(jù)云計算時代,一直都是被關注的熱點。安全套接字層SSL協(xié)議是目前使用最廣泛的傳輸層安全通信協(xié)議,為應用數(shù)據(jù)安全傳輸提供保障,在電子政務與電子商務等領域發(fā)揮極其重要的作用,但采用傳統(tǒng)密碼算法的SSL協(xié)議滿足不了我國商業(yè)密碼應用的需求,面對日益嚴峻的安全形勢,國家密碼管理局發(fā)布了國密商用SM系列算法,并且還制定了《國密SSL VPN技術規(guī)范》來指導國密SSL VPN的研發(fā)。本文主要基于OpenSSL實現(xiàn)國密SM系列算法,再根據(jù)《國密SSL VPN技術規(guī)范》分析與實現(xiàn)國密SSL VPN協(xié)議。具體地講,主要包括以下三方面:1、借助OpenSSL的Engine密碼引擎機制擴展國密SM2、SM3、SM4算法,使OpenSSL Crypto密碼庫能夠支持國密SM系列算法。在實現(xiàn)國密算法基礎上,使用OpenSSL自帶的PKI工具搭建用于頒發(fā)與管理SM2證書的輕量級CA。2、通過分析SSL標準通信協(xié)議部分,擴展國密SSL VPN規(guī)范中規(guī)定的v1.0版本國密SSL協(xié)議。重點研究通信雙方密碼套件的協(xié)商過程,并加入在底層調用國密SM系列算法的國密密碼套件。3、基于擴展的OpenSSL搭建典型的安全Web應用測試環(huán)境,通過配置Web服務器與客戶端本地端口代理,使通信雙方采用國密SSL協(xié)議協(xié)商并使用國密密碼套件,并抓包驗證國密SSL協(xié)議實現(xiàn)的正確性。本文的研究成果可以為各類安全應用開發(fā)提供傳輸層安全通信支持,包括HTTPS安全Web通信與國密SSL VPN等。目前僅實現(xiàn)了ECC-SM1-SM3密碼套件,后續(xù)可以將其《國密SSL VPN技術規(guī)范》要求的所有套件均實現(xiàn),提供更完善的支持。
[Abstract]:The security of network communication has risen to the strategic height of our country. It has always been the focus of attention both in the Internet and in the age of large data cloud computing. The secure socket layer SSL protocol is the most widely used transport layer security communication protocol, providing security for the application of data security, and in the fields of e-government and e-commerce. It plays an extremely important role, but the traditional cryptographic algorithm SSL protocol can not meet the needs of Chinese commercial cipher application. Facing the increasingly severe security situation, the national cryptographic authority has issued the national secret commercial SM series algorithm, and also formulated the "national secret SSL VPN technical specification >" to guide the research and development of the national dense SSL VPN. This paper is mainly based on the research. OpenSSL implements the national dense SM series algorithm, and then analyzes and implements the national dense SSL VPN protocol according to the national secret SSL VPN specification. Specifically, it mainly includes the following three aspects: 1, with the aid of the Engine cryptographic engine mechanism of OpenSSL to expand the country dense SM2, SM3, SM4 algorithm, so that the OpenSSL cryptographic library can support the national dense algorithm. On the basis of the PKI tool brought by OpenSSL to build a lightweight CA.2 for issuing and managing SM2 certificates, by analyzing the SSL standard communication protocol part, extending the v1.0 version of the national dense SSL Protocol stipulated in the national dense SSL VPN specification. The negotiation process of the cipher suites of the communication parties is focused on, and the country is added to the country of the dense SM series algorithm in the underlying country. The secret cipher suite.3 builds a typical security Web application test environment based on the extended OpenSSL. By configuring the Web server and the client local port agent, the communication parties negotiate with the national secret SSL protocol and use the national secret cipher suite, and verify the correctness of the implementation of the national secret SSL protocol. The research results of this paper can be used for all kinds of security. Application development provides transport layer security communication support, including HTTPS secure Web communications and national secret SSL VPN. At present, only the ECC-SM1-SM3 cipher suite is implemented, followed by all the packages required by the national secret SSL VPN specification, providing more complete support.
【學位授予單位】：西安電子科技大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.08

【參考文獻】

相關期刊論文 前1條

1 閆永昭;鄭金州;;基于國密SM1算法的CPU卡應用[J];現(xiàn)代電子技術;2013年15期

相關碩士學位論文 前1條

1 魏云飛;基于OpenSSL的SSL協(xié)議設計與改進[D];云南大學;2011年

，

本文編號：2127515