IPsec_SSL VPN identity authentication process in brief

Language 2023-09-30 17:09:31 views: null

1. IPsec VPN identity authentication (refer to the national secret standard "GMT 0022-2014 IPsec VPN Technical Specification")

IKE Phase 1 (Main Mode)

  • "Message 2" is sent by the responder. The message specifically contains an SA payload (confirming the accepted SA proposal), the responder's signature certificate and encryption certificate. This message is transmitted in clear text, so the message content can be seen in detail through protocol analysis tools such as wireshark, and both the signature certificate and the encryption certificate can be exported.

  • "Message 3" is sent by the initiator. At this time, the initiator already has the responder's encryption certificate and begins to use digital envelope encryption to transmit key exchange parameters ( use the public key in the responder's encryption certificate to encrypt the temporary symmetric key Ski, and then use Ski Encrypt Ni and IDi ), and send the signature certificate and encryption certificate of the party in plain text at the same time, and the signature for identity authentication .

  • "Message 4" is sent by the responder. What should be noted here is that after receiving "Message 3", the responder must use the private key corresponding to the encryption certificate to unlock the digital envelope and obtain the key parameters. This process can also be considered It is the identity authentication of the initiator to the responder. In addition, "Message 3" also contains the signature of the initiator. The responder uses the signature certificate sent along with the message to verify the signature . This process is the responder's identity authentication of the initiator. "Message 4" has a similar structure to "Message 3". It also uses a digital envelope to transmit key exchange parameters ( use the public key in the initiator's encryption certificate to encrypt the temporary symmetric key Skr, and then use Skr to encrypt Nr and IDr ). It is also appended later. Signed by myself . At this point, the identity authentication of both parties is basically completed. In "Message 5" and "Message 6", both parties will confirm the consistency of the key exchange information respectively.

To sum up, during the establishment of IPsec VPN tunnel, identity authentication mainly uses signature certificates, and encryption certificates are also involved .

2. SSL VPN identity authentication (refer to the national encryption standard "GMT 0024-2014 SSL VPN Technical Specifications")

SSL handshake protocol (identity authentication, security parameter negotiation) (note that the following * identification message only appears during two-way identity authentication)

  1. The server sends a "Certificate message", which contains the server signing certificate and encryption certificate.
  2. The server then sends a "Server Key Exchange message", where the server's signature private key is used to sign the random numbers of both parties and the server's encryption certificate . (The client verifies this signature through the server's signature certificate to complete the identity authentication of the server)
  3. The server sends a "*Certificate Request message", which contains a list of certificate types that the client is required to provide.
  4. The server sends "Server Hello Done" to indicate the end of the Hello phase of the handshake process.
  5. After receiving the above message, the client needs to verify whether the server certificate is valid and verify the signature to complete the server identity authentication .
  6. The client sends the "*Certificate message" (including the plaintext signing certificate and encryption certificate) according to the requirements of the "*Certificate Request message".
  7. The client sends a "Client Key Exchange message". This message mainly contains the pre-master key, which is generated by the client, encrypted using the server's encryption certificate and sent to the server .
  8. The client sends a "*Certificate Verify message", which is used by the server to identify whether the client is the legal holder of the signing certificate. The specific method is: the client uses sm3_hash to calculate the contents of all handshake-related messages starting from the client hello message until this message (excluding this message), and then uses the client's signature private key to sign, and the server uses it after receiving this message . Client signature certificate verification.

To sum up, during the establishment of SSL VPN tunnel, identity authentication mainly uses signature certificates, and encryption certificates are also involved.

Guess you like

Origin blog.csdn.net/ryanzzzzz/article/details/133379589
Recommended
Ranking
A quick primer on numpy basics
Two sister tease python project
Java | Multiple keywords in the replacement content are returned to the front end in red style
C ++: references
The string leetcood 1018 is a binary prefix divisible by 5
Flutter 布局组件
Java combat spingboot-redis
PMP pre-exam sprint and wrong questions sorting
ActiveMq C# Message Features: Delayed and Timed Message Delivery
DSP28377S_ copy a program from the RAM to FLASH portion DETAILS
Daily
More
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)

Code World

© 2018 codetd.com