CN106506147B - Method for realizing IPsec-VPN based on cryptographic algorithm - Google Patents


Info

Publication number
CN106506147B
Authority
CN
China
Prior art keywords
algorithm
kernel
encryption
library
encryption engine
Legal status
Active
Application number
CN201610951107.3A
Other languages
Chinese (zh)
Other versions
CN106506147A (en)
Inventor
朱红
韦小刚
李维
娄征
陆忞
严东
屠正伟
纪元
许洪华
Current Assignee
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date and filing date: 2016-10-27
Application filed by Nanjing NARI Group Corp and Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Published as CN106506147A (2017-03-15); patent granted as CN106506147B (2022-04-12)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Abstract

The invention provides a method for realizing IPsec-VPN based on a cryptographic algorithm. The method comprises a user layer algorithm expansion and a kernel layer algorithm expansion. The user layer algorithm expansion comprises establishing an encryption library and an encryption engine library and dynamically loading the encryption engine library; the kernel layer algorithm expansion comprises constructing a cryptographic algorithm driver module, loading it, applying it and unloading it. On the user layer the invention adopts an encryption engine mechanism: no system kernel code needs to be changed, only an encryption library and an encryption engine library need to be defined, the cryptographic algorithm interface that needs to be expanded is realized in the encryption engine library, and the library is dynamically loaded before use. On the kernel layer the expanded algorithm functions are implemented as a module that the system loads dynamically when needed; only a small amount of code needs to be added to the system kernel, and because the module is not compiled into the kernel, the size of the kernel is kept under control.

Description

Method for realizing IPsec-VPN based on cryptographic algorithm
Technical Field
The invention provides a method for realizing IPsec-VPN, in particular a method for realizing IPsec-VPN based on a cryptographic algorithm.
Background
With the development of cryptographic and computing technology, the 1024-bit RSA public key algorithm faces increasingly serious security threats. Compared with RSA, the national cryptographic algorithm SM2 has the following advantages: its signing speed and key pair generation speed are far faster than those of RSA, and its security strength per unit of key length is higher than that of RSA. To ensure the security of cryptographic applications in key economic systems, and to prevent the leakage of their sensitive data and the harm to national security that an attack on a non-autonomous cryptographic algorithm could cause, the State Cryptography Administration recommends the use of domestic cryptographic algorithms, which comprise the asymmetric encryption algorithm SM2, the hash algorithm SM3 and the symmetric encryption algorithm SM4.
Using a cryptographic algorithm raises the problem of algorithm expansion, which falls into two cases: expansion at the user layer and expansion at the kernel layer. The common method of user-layer expansion is to first implement the algorithm to be expanded and then replace every place in the software code that calls the original algorithm with a call to the expanded algorithm. This works for a software algorithm, but when a hardware algorithm is used, the application program interfaces of the various manufacturers are not uniform and the differences between hardware devices cannot be shielded, so the interface function names have to be modified at every place in the software code that calls the hardware algorithm interface; this undoubtedly increases the developers' workload and is not favourable to maintaining the software code. The general method of kernel-layer expansion is to first implement the algorithm to be expanded in the kernel code, then replace the places in the kernel that call the original algorithm with calls to the expanded algorithm, and finally compile the kernel. The generated kernel is very large, the whole kernel must be recompiled whenever even a few functions are added to it, and the kernel must then be updated in the system; updating the kernel inevitably suspends the functioning of the whole system, which is not favourable to the continuous operation of field services.
Disclosure of Invention
The technical problem to be solved by the invention is that the existing expansion of national cryptographic algorithms suffers from non-uniform application program interfaces on the user layer, and from occupying kernel space and requiring recompilation of the system kernel on the kernel layer.
In order to solve the above technical problem, the present invention provides a method for implementing IPsec-VPN based on a cryptographic algorithm, characterized in that it comprises a user layer algorithm extension and a kernel layer algorithm extension, wherein
the user layer algorithm extension comprises the following steps:
step 1.1, establishing an encryption library and an encryption engine library, storing an SM2 encryption engine in the encryption engine library, and storing an SM2 algorithm interface in the encryption library;
step 1.2, dynamically loading the encryption engine library, selecting the SM2 encryption engine in the encryption engine library according to encryption requirements, and calling the SM2 algorithm interface in the encryption library through the SM2 encryption engine;
the kernel layer algorithm extension comprises the following steps:
step 2.1, constructing a national cryptographic algorithm driver module, and declaring the licence of the constructed driver module according to the GPL-compatible licence of a system kernel module;
step 2.2, loading the national cryptographic algorithm driver module: when the system kernel dynamically loads the module according to encryption requirements, the module executes and registers a national cryptographic SM3 algorithm structure and a national cryptographic SM4 algorithm structure; the SM3 algorithm structure performs the load-time initialization of the SM3 algorithm interface, and the SM4 algorithm structure performs the load-time initialization of the SM4 algorithm interface;
step 2.3, applying the national cryptographic algorithm driver module, which the IPsec-VPN uses in the system kernel to realize the function of protecting the packet stream;
step 2.4, unloading the national cryptographic algorithm driver module: after the encryption has been applied, the SM4 algorithm structure and the SM3 algorithm structure are deregistered, so that the SM3 algorithm interface and the SM4 algorithm interface are unloaded.
On the user layer an encryption engine mechanism is adopted: the system kernel code does not need to be changed; only one encryption library and one encryption engine library need to be defined; the cryptographic algorithm interface that needs to be expanded is realized in the encryption engine library and dynamically loaded before use; a third-party software encryption library or hardware encryption device can thus be used transparently for encryption, which is very convenient. On the kernel layer the expanded algorithm functions are implemented as a module that is dynamically loaded into the system when needed. The advantages are that only a small amount of code needs to be added to the system kernel; the module is not compiled into the kernel, so the size of the kernel is kept under control; once loaded, the module is exactly like any other part of the system kernel and the kernel can directly call the functions it implements; and the system kernel only needs to be upgraded once, because the module is separate from it, so when a function of the module has problems the kernel does not need to be recompiled to upgrade it.
As a further limitation of the invention, the cryptographic algorithm driver module is part of the system kernel's encryption framework and is loaded and called by the IPsec module carried by the system kernel. Because the national cryptographic algorithm driver module is part of the kernel encryption framework, the kernel's own IPsec module can load and call it directly, which is convenient and flexible.
The beneficial effects of the invention are: (1) on the user layer, the encryption engine mechanism means that no system kernel code is changed, only an encryption library and an encryption engine library are defined, the cryptographic algorithm interface to be expanded is realized in the encryption engine library and dynamically loaded before use, and a third-party software encryption library or hardware encryption device is used transparently for encryption, which is very convenient; (2) on the kernel layer, implementing the expanded algorithm functions as a dynamically loaded module means that only a small amount of code is added to the system kernel, the module is not compiled into the kernel so the kernel size is controlled, the loaded module is identical to the rest of the kernel and its functions are called directly by the kernel, and the kernel is upgraded only once and need not be recompiled when the module's functions have problems, since the module is separate from the kernel.
Drawings
FIG. 1 is a schematic diagram of the workflow of the OpenSSL engine of the present invention;
FIG. 2 is a schematic diagram of the IPsec-VPN implementation framework of the present invention.
Detailed Description
The invention discloses a method for realizing IPsec-VPN based on a cryptographic algorithm, which comprises a user layer algorithm expansion and a kernel layer algorithm expansion, wherein
the user layer algorithm expansion comprises the following steps:
step 1.1, establishing an encryption library and an encryption engine library, storing an SM2 encryption engine in the encryption engine library, and storing an SM2 algorithm interface in the encryption library;
step 1.2, dynamically loading the encryption engine library, selecting the SM2 encryption engine in the encryption engine library according to encryption requirements, and calling the SM2 algorithm interface in the encryption library through the SM2 encryption engine;
the kernel layer algorithm extension comprises the following steps:
step 2.1, constructing a national cryptographic algorithm driver module, and declaring the licence of the constructed driver module according to the GPL-compatible licence of a system kernel module;
step 2.2, loading the national cryptographic algorithm driver module: when the system kernel dynamically loads the module according to encryption requirements, the module executes and registers a national cryptographic SM3 algorithm structure and a national cryptographic SM4 algorithm structure; the SM3 algorithm structure performs the load-time initialization of the SM3 algorithm interface, and the SM4 algorithm structure performs the load-time initialization of the SM4 algorithm interface;
step 2.3, applying the national cryptographic algorithm driver module, which the IPsec-VPN uses in the system kernel to realize the function of protecting the packet flow; the driver module is part of the system kernel's encryption framework and can be directly loaded and called by the IPsec module carried by the system kernel;
step 2.4, unloading the national cryptographic algorithm driver module: after the encryption has been applied, the SM4 algorithm structure and the SM3 algorithm structure are deregistered, so that the SM3 algorithm interface and the SM4 algorithm interface are unloaded.
The invention relates to an IPsec-VPN realized on open source software. IPsec (Internet Protocol Security) is a protocol family established to provide high-quality, interoperable, cryptography-based communication security at the IP layer, and IPsec-VPN refers to a VPN (Virtual Private Network) technology that realizes remote access with the IPsec protocol. The IPsec-VPN supports Linux kernels from version 2.6 upwards; starting with Linux 2.6, the kernel itself carries an IPsec module. The IPsec-VPN function consists of the key exchange that establishes the secure packet flow and the protection of the packet flow, which is realized in the Linux kernel. An asymmetric encryption algorithm is used in the key exchange that establishes the secure packet flow, and a hash algorithm and a symmetric encryption algorithm are used in protecting the packet flow.
Using a cryptographic algorithm raises the problem of algorithm expansion, which falls into two cases: expansion at the user layer and expansion at the kernel layer.
For the user layer problem, the invention uses the encryption engine mechanism of OpenSSL: the core code does not need to be changed, only an encryption engine needs to be defined, the cryptographic algorithm interface to be expanded is called within the encryption engine, and the engine is dynamically loaded before use. OpenSSL can then transparently use a third-party software encryption library or hardware encryption device for encryption, which is very convenient and shields the differences between hardware devices: when the hardware encryption device is changed, only the hardware algorithm call interface in the externally expanded encryption engine needs to be modified, not the application program. The specific steps are as follows:
step 1.1, establishing an encryption engine library and first storing in it each encryption engine that needs to be expanded, among them the SM2 encryption engine; an encryption engine calls an algorithm interface in a third-party software encryption library or hardware encryption device, and the SM2 encryption engine calls the SM2 algorithm interface in the encryption library;
step 1.2, first dynamically loading the encryption engines, i.e. calling each encryption engine in the encryption engine library, then specifying the required encryption engine (an application program may use more than one encryption engine), and finally calling the SM2 algorithm interface through the SM2 encryption engine.
As shown in FIG. 1, the generic encryption interface of OpenSSL gives an application two ways to call a security module: it can directly call an encryption engine library supported inside OpenSSL, or it can call an expanded hardware encryption library through an encryption engine. For hardware that OpenSSL does not support, an externally expanded encryption engine is first realized (step 1), the encryption engine library realized in step 1 is loaded through the internal Dynamic Engine, and the algorithm interface of the specific hardware is then accessed through the external encryption engine (step 2).
For the kernel layer problem, the invention compiles the implementation code of the expanded algorithm functions into modules and dynamically loads them into the Linux system when needed. Thus only a small amount of code needs to be added to the kernel; the module is not compiled into the kernel, so the kernel size is controlled; once loaded, the module is exactly like any other part of the kernel, and the kernel can directly call the functions it implements. The system kernel only needs to be upgraded once, since the module is separate from the kernel, and the kernel does not need to be recompiled when a function of the module has problems. The Linux kernel supports a number of encryption algorithms, including symmetric encryption algorithms (such as AES) and digest algorithms (such as MD5); these algorithms form the lowest layer of the kernel's crypto framework and perform the actual encryption and decryption, and the kernel provides a unified framework for managing them. An encryption algorithm is registered with crypto_register_alg() and deregistered with crypto_unregister_alg(); a digest algorithm is registered with crypto_register_shash() and deregistered with crypto_unregister_shash(). The specific steps are as follows:
step 2.1, constructing a national cryptographic algorithm driver module and declaring its licence according to the GPL-compatible licences of system kernel modules. A module licence declaration (MODULE_LICENSE) is mandatory for a Linux kernel driver module. In the Linux 2.6 kernel the acceptable licence strings are "GPL", "GPL v2", "GPL and additional rights", "Dual BSD/GPL", "Dual MPL/GPL" and "Proprietary"; in most cases a kernel module should follow a GPL-compatible licence. The invention completes the module licence declaration with MODULE_LICENSE("GPL"). If the module makes no declaration, a kernel tainted warning is raised when the module is loaded, which affects normal use of the module;
step 2.2, loading the national cryptographic algorithm driver module: when the system kernel dynamically loads the module according to encryption requirements (a kernel module is dynamically loaded with the insmod command), the module executes and registers a national cryptographic SM3 algorithm structure and a national cryptographic SM4 algorithm structure; specifically, the SM4 algorithm structure is registered with crypto_register_alg() and the SM3 algorithm structure with crypto_register_shash(); the SM3 algorithm structure performs the load-time initialization of the SM3 algorithm interface, and the SM4 algorithm structure performs the load-time initialization of the SM4 algorithm interface;
step 2.3, applying the national cryptographic algorithm driver module, which the IPsec-VPN uses in the system kernel to realize the function of protecting the packet flow; the driver module is part of the system kernel's encryption framework and can be directly loaded and called by the IPsec module carried by the system kernel;
step 2.4, unloading the national cryptographic algorithm driver module: after the encryption has been applied, the SM4 algorithm structure and the SM3 algorithm structure are deregistered, so that the SM3 algorithm interface and the SM4 algorithm interface are unloaded; specifically, the SM4 algorithm structure is deregistered with crypto_unregister_alg() and the SM3 algorithm structure with crypto_unregister_shash().
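The kernel-layer steps 2.1 to 2.4 leave traces an operator can check after insmod and again after the step 2.4 unload: each crypto_register_alg()/crypto_register_shash() call produces a record in /proc/crypto, and a module without a GPL-compatible MODULE_LICENSE sets the proprietary-module bit of the kernel taint mask. The script below is an added example, not code from the patent or from the inventors' module; the module name guomi_sm_driver and the /proc/crypto excerpt it carries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the patent or the inventors' module): post-load checks for
# the kernel-layer steps. SM4 registered with crypto_register_alg() shows up in
# /proc/crypto with type "cipher"; SM3 registered with crypto_register_shash() shows
# up with type "shash". A non-GPL-compatible MODULE_LICENSE taints the kernel.

# Constructed /proc/crypto excerpt in the real file's layout. The module name
# "guomi_sm_driver" is a placeholder; the patent does not name its module.
write_sample_proc_crypto() {
    cat > "$1" <<'EOF'
name         : sm4
driver       : sm4-guomi
module       : guomi_sm_driver
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 16

name         : sm3
driver       : sm3-guomi
module       : guomi_sm_driver
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32
EOF
}

# crypto_has_alg FILE NAME TYPE: succeed when some record in FILE has "name : NAME"
# and "type : TYPE". Records are blank-line separated and "name" precedes "type",
# so the last name seen is the record the current "type" line belongs to.
crypto_has_alg() {
    awk -v want_name="$2" -v want_type="$3" '
        $1 == "name" { cur = $3 }
        $1 == "type" { if (cur == want_name && $3 == want_type) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# license_is_gpl_compatible STRING: the GPL-compatible MODULE_LICENSE values the
# description lists for the 2.6 kernel; "Proprietary" loads but taints the kernel.
license_is_gpl_compatible() {
    case "$1" in
        GPL|"GPL v2"|"GPL and additional rights"|"Dual BSD/GPL"|"Dual MPL/GPL") return 0 ;;
        *) return 1 ;;
    esac
}

# taint_has_proprietary_module MASK: bit 0 ('P') of /proc/sys/kernel/tainted is set
# once a module without a GPL-compatible licence has been loaded.
taint_has_proprietary_module() {
    [ $(( $1 & 1 )) -ne 0 ]
}

# verify_sm_module PROC_CRYPTO_FILE TAINT_MASK: return 0 only when both SM algorithms
# are registered under the expected types and the kernel is not tainted. Run after
# the step 2.4 unload, it should report both algorithms as MISSING.
verify_sm_module() {
    proc_file=$1; taint=$2; rc=0
    for spec in "sm4 cipher" "sm3 shash"; do
        set -- $spec
        if crypto_has_alg "$proc_file" "$1" "$2"; then
            echo "ok:      $1 registered as $2"
        else
            echo "MISSING: $1 not registered as $2"; rc=1
        fi
    done
    if taint_has_proprietary_module "$taint"; then
        echo "WARNING: proprietary-module taint set; check MODULE_LICENSE"; rc=1
    fi
    return $rc
}

# Stand-alone run: use the live kernel files when readable, else the constructed sample.
if [ -r /proc/crypto ] && [ -r /proc/sys/kernel/tainted ]; then
    verify_sm_module /proc/crypto "$(cat /proc/sys/kernel/tainted)"
else
    sample=$(mktemp); write_sample_proc_crypto "$sample"
    verify_sm_module "$sample" 0; rm -f "$sample"
fi
```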
As shown in FIG. 2, the IKE key negotiation module and the configuration management module of the IPsec-VPN are located in the Linux user layer and are implemented respectively by a key management daemon and a configuration management process, which perform the key negotiation function and the management of the security policy database (SPD) and the security association database (SAD); both modules interact with the kernel through a PF_KEY socket. The processing of ESP-encrypted packets takes place in the Linux kernel layer: the IPsec processing module carried by the Linux kernel calls the SM3 and SM4 algorithms in the encryption algorithm library, and these SM3 and SM4 algorithms are realized by dynamically loading the kernel modules that support them.
The related technical terms are explained as follows:
IPsec-VPN
IPsec-VPN is a VPN (Virtual Private Network) technology that realizes remote access using the IPsec protocol. IPsec (Internet Protocol Security) is a suite of protocols established to provide high-quality, interoperable, cryptography-based communication security at the IP layer.
IKE
The Internet Key Exchange protocol can be used to negotiate a Virtual Private Network (VPN), and can also be used by a remote user (whose IP address need not be known in advance) to access a secure host or network, supporting client negotiation.
openssl
OpenSSL is a feature-rich and self-contained open source security toolkit. Its main functions are: SSL protocol implementations (including SSLv2, SSLv3 and TLSv1), a number of software algorithms (symmetric/asymmetric/digest), large-number arithmetic, asymmetric algorithm key generation, an ASN.1 codec library, certificate request (PKCS#10) codecs, digital certificate codecs, CRL codecs, the OCSP protocol, digital certificate verification, a PKCS#7 standard implementation and a PKCS#12 personal digital certificate format implementation. OpenSSL uses C as its development language, which gives it excellent cross-platform portability; it supports platforms such as Linux, UNIX, Windows and Mac.
Encryption engine
The OpenSSL hardware engine (Engine) lets users easily add their own hardware to OpenSSL, replacing the software algorithms it provides. An Engine provides a set of methods for the various cryptographic computations, which are used to control the corresponding cryptographic computations in OpenSSL.

Claims (2)

1. A method for realizing IPsec-VPN based on a cryptographic algorithm, characterized in that the method comprises a user layer algorithm expansion and a kernel layer algorithm expansion, wherein
the user layer algorithm expansion comprises the following steps:
step 1.1, establishing an encryption library and an encryption engine library, storing an SM2 encryption engine in the encryption engine library, and storing an SM2 algorithm interface in the encryption library;
step 1.2, dynamically loading the encryption engine library, selecting the SM2 encryption engine in the encryption engine library according to encryption requirements, and calling the SM2 algorithm interface in the encryption library through the SM2 encryption engine;
the kernel layer algorithm extension comprises the following steps:
step 2.1, constructing a national cryptographic algorithm driver module, and declaring the licence of the constructed driver module according to the GPL-compatible licence of a system kernel module;
step 2.2, loading the national cryptographic algorithm driver module: when the system kernel dynamically loads the module according to encryption requirements, the module executes and registers a national cryptographic SM3 algorithm structure and a national cryptographic SM4 algorithm structure; the SM3 algorithm structure performs the load-time initialization of the SM3 algorithm interface, and the SM4 algorithm structure performs the load-time initialization of the SM4 algorithm interface;
step 2.3, applying the national cryptographic algorithm driver module, which the IPsec-VPN uses in the system kernel to realize the function of protecting the packet stream;
step 2.4, unloading the national cryptographic algorithm driver module: after the encryption has been applied, the SM4 algorithm structure and the SM3 algorithm structure are deregistered, so that the SM3 algorithm interface and the SM4 algorithm interface are unloaded;
step 1, an encryption engine mechanism is adopted on the user layer, the system kernel code is not changed, an encryption library and an encryption engine library are defined, the expanded cryptographic algorithm interface is realized in the encryption engine library, and dynamic loading is carried out before use; step 2, the kernel layer implements the expanded algorithm functions as a module, dynamically loads it into the system and adds the corresponding code to the system kernel, and the module is not compiled into the kernel, thereby controlling the size of the kernel.
2. The method for implementing IPsec-VPN based on a cryptographic algorithm as claimed in claim 1, characterized in that the cryptographic algorithm driver module is part of a system kernel encryption framework and is loaded and called by the IPsec module carried by the system kernel.
Application CN201610951107.3A: priority date 2016-10-27, filing date 2016-10-27, title "Method for realizing IPsec-VPN based on cryptographic algorithm", status Active, granted as CN106506147B (en).

Publications (2)

Publication Number | Publication Date
CN106506147A (en) | 2017-03-15
CN106506147B (en), granted | 2022-04-12


Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067803A (en) * 2018-10-10 2018-12-21 深信服科技股份有限公司 A kind of SSL/TLS encryption and decryption communication means, device and equipment
CN111786872A (en) * 2020-06-29 2020-10-16 北京天融信网络安全技术有限公司 Data processing method and device for VPN (virtual private network) equipment
CN113032488A (en) * 2021-03-23 2021-06-25 无锡井通网络科技有限公司 Distributed system based on pluggable encryption subsystem and encryption method
CN113935018B (en) * 2021-12-16 2022-03-11 飞腾信息技术有限公司 Password operation method, system on chip and computer equipment
CN114996724B (en) * 2022-04-25 2024-05-03 麒麟软件有限公司 Safe operating system based on cryptographic algorithm module
CN116915387A (en) * 2023-09-14 2023-10-20 山东三未信安信息科技有限公司 Extensible database transparent encryption device and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2154834A1 (en) * 2008-08-14 2010-02-17 Juniper Networks, Inc. Routing device having integrated MPLS-Aware firewall
CN101651597A (en) * 2009-09-23 2010-02-17 北京交通大学 Deployment method of IPSec-VPN in address discrete mapping network
CN104468519A (en) * 2014-11-12 2015-03-25 成都卫士通信息产业股份有限公司 Embedded electric power safety protection terminal encryption device
CN104519055A (en) * 2014-12-11 2015-04-15 曙光信息产业(北京)有限公司 VPN (virtual private network) service implementation method, VPN service implementation device and VPN server


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
4 Cryptographic algorithms and key types; 国家密码管理局 (State Cryptography Administration); 《IPSec VPN技术规范》 (IPSec VPN Technical Specification); 2014-02-13; p. 4 *
Design and implementation of the Linux crypto framework (part 1); 独孤九*; 《Chinaunix论坛》 (Chinaunix forum); 2011-12-07; pp. 1-32 *
Design and implementation of a VPN gateway; 刘剑波; 《计算机工程》 (Computer Engineering); 2004-02-28; vol. 30, no. 3; full text *



Legal Events

Code | Title
C06 | Publication
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant