Một giải pháp quản lý kết nối mật cho IPSec trên FPGA

Tóm tắt—IPSec (Internet Protocol Security) là bộ giao thức an toàn nhằm bảo vệlưu lượng dữ liệu qua mạng Internet. Mỗi kết nối mật trong mô hình triển khai IPSec có một bộ thuật toán, tham số bảo mật riêng. Để đảm bảo các kết nối mật hoạt động ổn định trong môi trường truyền tin với băng thông lớn, việc quản lý nhiều kết nối mật đồng thời trên thiết bị IPSec đóng vai trò vô cùng quan trọng. Do tính phức tạp của quá trình quản lý, thông thường vấn đề này được thực hiện bằng phần mềm trên hệđiều hành. Giải pháp này bị hạn chế do quá trình trao đổi dữ liệu giữavi mạch Field Programmable Gate Array (FPGA) và bộ vi xử lý. Trong bài viết này, nhóm tác giả đưa ra một giải pháp tổ chức, quản lý kết nối mật sau khi sử dụng giao thức Internet Key Exchange (IKE) để trao đổi khóa cho IPSec trên FPGA sử dụng ngôn ngữ mô tả phần cứng, nhằm đáp ứng yêu cầu tốc độ cao với nhiều kết nối.Abstract—IPSec (Internet Protocol Security) is a secure protocol aiming to protect data traffic via the Internet. There is a separate set of algorithms and security parameters in each secure connection in the IPSec deployment model. In order to ensure stable connections in high-bandwidth environments, managing multiple secure connections simultaneously on IPSec devices holds a significant role. Due to the complexity of the management process, this is commonly done by software on the operating system. This solution is restricted due to data exchange between field-programmable gate array (FPGA) and microprocessor. In this article, a solution was proposed to organize and manage a confidential connection after using Internet Key Exchange (IKE) to exchange keys for IPSec directly using hardware description language on FPGA, aiming to meet high-speed requirements with many connections.

Automated State-Machine-Based Analysis of Hostname Verification in IPsec Implementations

Owing to the advent and rapid development of Internet communication technology, network security protocols with cryptography as their core have gradually become an important means of ensuring secure communications. Among numerous security protocols, certificate authentication is a common method of identity authentication, and hostname verification is a critical but easily neglected process in certificate authentication. Hostname verification validates the identity of a remote target by checking whether the hostname of the communication partner matches any name in the X.509 certificate. Notably, errors in hostname verification may cause security problems with regard to identity authentication. In this study, we use a model-learning method to conduct security testing for hostname verification in internet protocol security (IPsec). This method can analyze the problems entailed in implementing hostname verification in IPsec by effectively inferring the deterministic finite automaton model that can describe the matching situation between the certificate subject name and the hostname for different rules. We analyze two popular IPsec implementations, Strongswan and Libreswan, and find five violations. We use some of these violations to conduct actual attack tests on the IPsec implementation. The results show that under certain conditions, attackers can use these flaws to carry out identity impersonation attacks and man-in-the-middle attacks.

Metode Internet Protocol Security (IPSec) Dengan Virtual Private Network (VPN) Untuk Komunikasi Data

Virtual Private Network (VPN) is a local communication network that is connected through a public network, with private network data security, data transfer closure from illegal access and network scalability to become the main standard in Virtual Private Network (VPN). In building a VPN at PT. Penas (Persero) conducted by the method of Internet Protocol Security (IP Sec). IP Sec works on the network layer, protects and authenticates communications on IP between hosts and functions both on IPv6 and IPv4 traffic. IP Sec is actually a feature that is owned by IPv6 but by some developers it was applied to IPv4. PT. Penas (Persero) is a subsidiary of PT. PPA (Persero), which in PT. Penas, the local network system and the internet and also data communication with PT. PPA (Persero) that are used are still very simple and vulnerable to the security of its data. The results of this study are implementing VPN with IP Sec method at PT. Penas, where with the concept of IP security, internet access in conducting data communication between PT. PPA (Persero) and PT. Penas can be done quickly, realtime, and confidential. Because basically VPN is a relatively safe way of networking because it uses encryption and special protocols to provide data security. Keywords: Networking, Secur, Virtual Private Network. Abstrak Virtual Private Network (VPN) merupakan suatu jaringan komunikasi lokal yang terhubung melalui jaringan publik, dengan private network keamanan data, ketertutupan transfer data dari akses ilegal serta skalabilitas jaringan menjadi standar utama dalam Virtual Private Network (VPN). Dalam membangun VPN pada PT.Penas (Persero) dilakukan dengan metode Internet Protocol Security (IP Sec). IP Sec bekerja pada lapisan network, memproteksi dan mengotentikasi komunikasi pada IP antara host dan berfungsi baik pada lalulintas IPv6 maupun IPv4. IP Sec sebenarnya adalah fitur yang dimiliki oleh IPv6 namun oleh beberapa developer diaplikasikan ke dalam IPv4. PT. Penas (Persero) merupakan anak perusahaan dari PT. PPA (Persero), yang mana pada PT.Penas ini, sistem jaringan lokal dan internet dan juga komunikasi data dengan PT.PPA (Persero) yang digunakan masih sangat sederhana dan rentan terhadap keamanan datanya. Hasil penelitian ini adalah mengimplementasikan VPN dengan metode IP Sec pada PT.Penas, dimana dengan konsep IP security ini akses internet dalam melakukan komunikasi data antara kantor Pusat PT.PPA (Persero) dengan PT.Penas dapat dilakukan secara cepat, realtime, dan rahasia. Karena pada dasarnya VPN itu cara jaringan yang relatif aman karena menggunakan enkripsi dan protokol khusus untuk memberikan keamanan data. Kata kunci: Jaringan, Keamanan, Virtual Private Network (VPN).

Internet Protocol Security as the Network Cryptography System

Internet Protocol Security (IP Security) is a security protocol that serves to secure information in the event of an exchange on the internet. It happens if there is a connection between private IP and public IP. This protocol will exchange packets on the IP layer safely. It provides two types of encryption options, transport, and tunnel. Transport mode will encrypt the data section without changing the packet header. The algorithm used to encrypt data is a symmetric cryptography algorithm. This protocol authenticates and encrypts every packet from a data transmission session. Also, it can generate keys between the sender and the recipient at the first time it is activated and can negotiate the cryptographic keys that will be used during the session. IP Security is an end-to-end cryptosystem that works at the internet layer of the Internet Protocol Suite. The protocol serves to protect the data flow in host-to-host, network-to-network, and network-to-host as well.