Construction of Computer Encrypted Secure Communication Environment Based on Private Virtual Network Technology

Transcription

1 Construction of Computer Encrypted Secure Communication Environment Based on Private Virtual Network Technology Peng Lu Bright Oceans Inter-Telecom Co.,Ltd Beijing, China Abstract The establishment of mobile secure network transmission platform has provided a new though and important guarantee for network communication security in the field of information security. In order to improve the reliability of data and aiming at the potential security risk in social behavior, a secure transmission strategy with the masking and hidden effect has been proposed to realize data transmission system based on this strategy. This transmission strategy proposes a communication mechanism with the purpose of hiding communication to ensure the security and reliability of communication by combining special communication agreement with private virtual network technology and data encryption technology. Meanwhile, associated guardian mechanism is used in the service system to ensure the stable operation of the entire system. Finally, application environment is deployed for the mobile secure network transmission platform, and functions and stability of the subcontracting steganography transmission system are tested. The experimental s show that the system has reached the design requirement in terms of feasibility and effectiveness. This system contributes a lot to computer encrypted secure communication environment and improves supports for the security of communication. Keywords - private virtual network; computer encryption; secure communication environment I. INTRODUCTION With the continuous development of the Internet, it plays an increasingly important role in people's daily life, and people increasingly use the Internet as an information exchange platform. However, the Internet is a completely open network space, and the Internet has become an important way for many criminals to steal information. Secure information directly affects the application and development of the Internet, is an important research direction of information technology at home and abroad []. At present, in the field of network communication, network security has received much attention, and the most concerned issue of network security is how to ensure the establishment of a safe remote connection. For enterprises, it is how to guarantee that their sensitive core secrets are not stolen. This promotes more enterprises resources planning (ERP) and customer relationship management to use the web to realize network security [2]. Concerns about the network layer on the traditional IPsec VPN cannot reach the requirement of safe access to the Internet and identification verification. However, through the SSL agreement on the application level, SSL VPN is more suitable for guaranteeing the security of surfing the Internet [3]. Network packet camouflage communication system is composed of network package random transit camouflage communication terminal, special security server and file directory server, so it provides users with a comprehensive, all-round and consistent network data security solution [4]. It not only provides traditional end-to-end protection and a series other security functions like encrypting, verifying users network transmission data and checking the consistence of data, but also protect users data in camouflage, transfers between various nodes in the Internet so as to prevent leakage of information due to relevant analysis of social behavior. This paper studies the subcontracting security strategy in network subcontracting camouflage communication mechanism and designs special safety agreement, and realizes the file server, special server and customer end based on this camouflage communication strategy and safety agreement. II. STATE OF THE ART The core issue of information security in modern information system is the theory and application of cryptography and its basis is the establishment and evaluation of reliable information system [5]. In the field of secure data transmission, the focus of people s attention mainly includes cryptography theory and technology, secure transmission protocol, reliable network system and protection means based on these three regards and developing corresponding safe products, etc. Research onto password theory and technology concludes two parts: password theory and technology based on mathematics and password theory and technology not based on mathematics. Password theory and technology based on mathematics guarantees the security of data through mathematical operation, such as block cipher, public key encryption, authentication code, identification recognition, serial cipher, Hash function, digital signature, and key management, etc. Password theory and technology not based on mathematics guarantees the security of data through physical and biological means, such as information hiding, quantum cryptography, and recognition theory and technology based on biological features. The research into security agreement mainly focuses on constantly improving DOI 0.503/IJSSST.a.6.4B ISSN: x online, print

2 the security of security agreement and analyzing and designing security agreement according to practical application. The research focus of security protocol is the continuous improvement of security protocol and the analysis and design of security protocol for practical application. The main research content is divided into the monitoring and prevention of attacks and the analysis of the reliability of the protocol itself. The latter is the key to the research. Research on security architecture mainly includes the following aspects: Security Architecture Modeling and analysis, the establishment of inspection and system safety assessment methods and rules. Based on these models, strategies and principles of system development. Research on the theory and technology of information countermeasure mainly includes: information hiding theory and technology, hacker prevention system, information analysis and monitoring, counters, principle and technique of intrusion detection and computer viruses, emergency response system, artificial immune system, in anti-virus and anti-intrusion system application. Embedded mobile terminal is more and more popular with its special features and portable features. At present, embedded terminal also gradually comes into the field of information security [6]. At present, embedded mobile terminal is used both in China and abroad to ensure the safety of the products, which are mainly divided into three categories: one category is small, portable products, the product mainly only identity certification, such as the banking system widely used the U-Key, network game using secret security token ring, etc., the characteristics of this kind of product is small and portable, the manufacturing cost is very low, its uniqueness is to ensure the safe and reliable; the second category is special encryption products, the product is designed for special needs or the application environment of dedicated encryption terminal, which can provide a more professional, to protect. The third is based on mobile phone safety protection, due to the popularity of smart phones, mobile phones have become one of mobile terminal products on behalf of, the mobile phone also in people's life and work play more and more important role, and based on the protection system of the mobile phone is related to the field of the focus of the study. III. METHODOLOGY A. Establishment of IPSEC VPN Network IPSEC VPN technology creates an encrypted tunnel and provides a special line for data transmission on the public network so as to guarantee the security of data transmitted to the end [7]. Its basic structure is after the application level conducts safety configuration and parameter consultation, packaging and splitting are conducted on the IP level, and these two levels are connected and interact with each other through the interface level. Openswan is a mature open-source project providing a feasible, effective and stable solution for the establishment of the IPSECVPN network (see Fig.). However, as the encrypted terminal machine uses the special agreement to deal with the encryption of data, and a special real random to produce the exchange key needed by the chip, it is necessary to transform and transplant Openswan. Figure Openswan B. Camouflage Hiding Transmission Protocol Camouflage hiding transmission protocol is a transmission protocol on the application level, especially designed for camouflage hiding transmission strategy, and it is the theoretical support and basis for the entire secure network transmission platform [8]. All data transmission network security platform application layer must comply with camouflage hiding the transport protocol package, otherwise it will be seen as meaningless data receiving program is the client, the server dropped. The basic format of the package includes an all packets identification mark and data segments. Data segment identifier used to explain the role of the transmission target packet data section also contains header and data, the different roles of the packet header and the specific content of the project will be different. C. Client End The client end is the key to completing the entire camouflage encryption of each encrypted terminal. According to different functions, the backstage logic of the client end can be divided into initialization module, heartbeat message module, sending module, monitoring module, HTTP module, basic service module and the daemon. D. Special Server Special server is responsible for the administration and maintenance terminal encryption, and it will be for every encryption terminal with encryption terminal network conditions, and other basic information in order to establish the basic information of VPN network. In addition, HTTP server will take charge of packet processing target query and other functions. Its function can be divided for encryption terminal legitimate verification, the global list of maintenance, encryption information management of the terminal, encryption terminal HTTP query and other four parts. DOI 0.503/IJSSST.a.6.4B ISSN: x online, print

3 E. File Sever A file server is used to save offline file and the target for the offline or NAT environment of the terminal and design. It can not only save the file, also provides a simple file operation for encryption terminal [9]. The file server will establish a file directory for each encrypted terminal that has been registered at the special server with the machine code as the directory name [0]. The work flow and management server file server processes are basically the same, only different in the concerns about the identification. F. Resume Module When some files failed to be successfully transmitted due to various reasons, users can choose to retransmit the files. When users determine to retransmit the filed, they will obtain relevant information about the send according to file sending record and send an IP data inquiry package to the special sever []. Specialize server will query the encryption terminal state at this time, if it is the online and non-nat environment, its IP address to send it to the applicant, applicant will according to the IP address to the Party issued a HTTP request datagram packet, the sender receives the packet, it will prompt the user, after confirmation, according to their own send records to find the file, if the file cannot be found, the user is prompted to select the file, and from the application package in a read start position, re package start file transfer. If the document is not available, the application will be sent to the applicant. Here special attention, because HTTP is designed for the convenience of short time break, when unable to connect or the sender to exchange packets, the user will file by sending the offline sent to the file server (see Figure 2). It is not within a group, for the sake of safety, resume will not start. Figure 2 Linux Http G. Basic Service Module and the Guardian Process Basic service module includes the name of the application, the offline files to delete, download, file list query and other functions of the background logic. The guard process will check the status of all listening classes. [2]. Linux will terminate the hang up process (see Figure 3). Daemon to monitor all of the associated process, when they abnormally exit, restart the process, and a monitor each process will also see daemon, when daemon quit unexpectedly will be restarted. IV. Figure 3 Linux Guardian process RESULT ANALYSIS AND DISCUSSION A. Hardware Environment In actual testing process, choose the 0 sets of encryption terminal and a server PC machine network composition, respectively, in the local area network and telecom 4MADSL network test, in the telecom ADSL test, each terminal and the server have direct access to the individual a ADSL broadband, completely simulated real environment. B. Software Environment Encryption terminal operating system to use Linux tailoring, and add the FPGA, keyboard, mouse, touch screen, random generation chip, USB2.0, cards and other related hardware driver. Firewall uses the open source Iptable, and the establishment of IPSECVPN network uses open source Openswan The sever is a Windows XP operation system, on which two FedoraLinux operation systems are run through the virtual machine, which respectively simulate the special sever and the file sever. C. Test Procedure In order to effectively test the actual effects of camouflage hiding communication and make it convenient to check the test s, during testing for the server and client programs added output test, when the client sends a packet, the sending process will send the target, transmission mode, the actual transmission destination IP address and packet role is displayed in the client interface. Source receiving process will receive any data after the received packet IP, packet role in forwarding the object displayed in the client interface. TcpDump will run test tool DOI 0.503/IJSSST.a.6.4B ISSN: x online, print

4 for network monitoring. TcpDump can be intercepted network packet interaction, it supports filtering for network layer protocol, host, or port, and to provide and, or, not and so logical statement to remove useless information. Here to capture all packets flowing through the network card through TcpDump, packets with the user interface displays are compared to determine the actual effect of camouflage to hide communications [3]. Initialization Test System: first of all, start relevant procedures of the sever, and then power on the terminal encryption, encrypted communication in a LAN environment functions directly connected to the server, and automatically initialized. ADSL in telecommunications networks, dial-up after the initialization process will begin. Following the consultations first global list is returned, it is ready in the state list can see the status of the terminal with the other terminal of the same group. Table I shows the test s of the initialization process. TABLE I SYSTEM INITIALIZATION TEST CASES Expected Establishment of All data communication is encrypted VPN IPSEC in VPN after initialization 2 Global list After the connection with the server acquisition to obtain a global list of the group At this time, use the Ping order for test and use the TcpDump to het the database on the target terminal, and it can be found that the seized data package is encrypted with ESP, indicating that the initialization process is completely right and VPN network is also established. Transmission test: Test for the of online terminals within the same group reached more than 5 sets, using steganography transmission mode to transfer files. At the same time, open the command line to run the TcpDump monitoring data packets, and observe the terminal file to send and receive information tips. When in a terminal sent data packets, each terminal is successively displayed received transit packets tips and by tcpdump intercepted data package can find these data are encrypted data packet. Then use the direct transmission mode for the same test, then found that only a side and the target data have received the report. In parallel transmission test, using steganography transmission mode of multi terminal also to a terminal transmission, a plurality of terminal cross transmission and the s were analyzed. Table II shows the transmission process of test cases. TABLE II TRANSFER PROCESS TEST CASES Expected Transmission interface The transport process to receive the proper parameters, and establish the parameters transmission record file 2 Transfer mode The target terminal received packet transfer non transmission process 3 Direct transmission mode The transmission process of non-target terminal will not receive packet transfer 4 Http Cut off the network test http 5 Files recording Interrupt transmission in the process of sending and receiving file check to send files / records 6 Camouflage protocol System for the contents of the agreement can be correctly identified, not in the scope of the data package is ignored 7 Send and receive progress Send and receive progress correctly display 8 Line transfer Parallel transfer does not occur when the file is received by chaos or non - Human File sever test: restart the terminal after sending files to the terminal by the off-line mode, and the sent file can be seen on the distant file information page. Table III shows the test case of file sever. TABLE III FILE SERVER TEST CASES Offline file sending 2 Offline file list Expected The client automatically sends the target to the file server for the NAT environment and the offline state. It can display the application terminal offline file information 3 Offline file operation It is able to complete the change of the name of the offline files, delete, download operation D. Performance Test The system s performance is tested mainly in three aspects: system stability, system transmission speed and system security. System stability test: according to the of the system, it is possible for the terminal to be online for a long time. Therefore, continue to work time is an important standard to measure the stability of the system. In the testing process, terminal, and server continued two weeks of continuous online and simulation files are sent to observe DOI 0.503/IJSSST.a.6.4B ISSN: x online, print

5 the working condition of the system, and through forced the end of the service process test system to deal with the processing, to test the stability of the system is consistent with the expected. Table IV is the stability test cases. TABLE IV SYSTEM STABILITY CASES Expected Long term online work The system works normally for 4 days 2 Emergency treatment Service process termination will not affect the normal operation of the entire system. System transmission speed testing: transmission system efficiency depends on the transmission speed and useful data in the transmission of data packets for the proportion of, in this project, due to transmission strategy design free user control of sub packet size, so that the user can according to the actual transmission of data security level to set the packet size, the system will according to user set subcontracting to analyze cutting data packets and are therefore useful data rate is determined completely by the user. According to the, the transfer mode is a kind of transmission mode, which can improve the security of the transmission mode, and the actual transmission efficiency is different [4]. Transmission speed in this mode is not a concern index of system performance, but its basic requirement is not because of the design of the protocol itself, which leads to the failure of transmission. And direct transmission mode with ordinary transmission as, its efficiency is directly decided by the bandwidth, under extreme worst case is when a packet is less than K, transmission efficiency for 97% of the standard TCP, and this situation in practical application rarely appear. Table V test cases for transmission speed. 2 TABLE V TRANSMISSION SPEED TEST CASES Direct transmission mode Transfer mode Expected Speed close to TCP direct transmission The waiting time of the dynamic calculation is not due to the failure of non-human causes. System security test: the whole system security is the most important indicator of the performance of the system, the security strategy of the project design, the main focus on the security of encryption and transmission target analysis of the potential risks. Through long-term observation TcpDump capture all data entry. Test cases and s are shown in Table VI. 2 Data encryption transmission path TABLE VI SECURITY TEST CASES Expected All the data access was grabbed by TcpDump is encrypted data Data packet transmission target clutter, cannot be analyzed E. Analysis of Test Results Through various tests, the expected functions in have been realized, but in theadsl environment, due to the characteristics of ADSL downlink transmission bandwidth of different, ing in steganography transmission process under actual uplink bandwidth limitations, especially for sending and receiving of pressure test in all the terminal at the same time, with direct transmission than, transmission speed decreased significantly, but still in the range of acceptable. In addition, the test found that the use of a single packet received a reply to the next packet serial packet transmission strategy in the actual network environment is particularly good performance. There is no normal transmission but because the transmission speed is too slow to cause the receiver to think that the transmission failed. [5]. Test s show that the camouflage transmission strategy has achieved the expected goal. V. CONCLUSION Through research onto the special security network, this paper proposes the subcontract camouflage hiding communication strategy, which combines the mainstream network information security means at present both in Chins and abroad, equipped with the special subcontracted camouflage hiding transmission protocol and takes the LUNUX terminal as the platform to realize a set of safe data transmission system, providing a new and more flexible safe protective measures for the security information in the risky information fields, and through using it in reality, various functions of the system are analyzed and tested. Through establishing special network realization and safety channel, the camouflage hiding transmission strategy changes the traditional direct transmission model of sending from the sender to the receiver. Through the system test and function test, various functions of the system have reached the expectation. Compared with some traditional security transmission strategies, its subcontract hidden mechanism hides the real sender and receiver, effectively preventing some behaviors of obtaining implementation information by guessing the sending intension and targeted implementing information according to the transmission target. In this paper, the confusing data package is processed subsequently, and the current strategy is relatively simple and can be further improved to reduce the possibility of impact from the main process. DOI 0.503/IJSSST.a.6.4B ISSN: x online, print

6 REFERENCES [] Anthes G. Security in the cloud. Communications of the ACM, vol. 53, no., pp. 6-8, 200. [2] Shabtai A, Fledel Y, Kanonov U, et al. Google android: A comprehensive security assessment. IEEE Security & Privacy, vol. 2, no. 9,pp , 200. [3] Liu A X, Chen F. Privacy preserving collaborative enforcement of firewall policies in virtual private networks. Parallel and Distributed Systems, IEEE Transactions on, vol. 22, no. 5, pp , 20. [4] Chowdhury N M M K, Boutaba R. A survey of network virtualization. Computer Networks, vol. 54, no. 5, pp , 200. [5] Micciancio D. A first glimpse of cryptography's Holy Grail. Communications of the ACM, vol. 53, no. 3, pp , 200. [6] Juste P S, Wolinsky D, Boykin P O, et al. SocialVPN: Enabling wide-area collaboration with integrated social and overlay networks. Computer Networks, vol. 54, no. 2, pp , 200. [7] Zissis D, Lekkas D. Addressing cloud computing security issues. Future Generation computer systems, vol. 28, no. 3, pp , 202. [8] Gokulakrishnan. PERFORMANCE OF TOPOLOGY AWARE RELIABLE ROUTING PROTOCOL FOR LARGE SCALE VIRTUAL PRIVATE NETWORK. Journal of Computer Science, vol. 0, no. 9, pp , 204. [9] Liyanage M, Gurtov A. Securing virtual private LAN service by efficient key management. Security & Communication Networks, vol. 7, no., pp. 3, 204. [0] Shao Z Z, Qiao J F, Li H, et al. Improved Elliptic Encryption Algorithm. Applied Mechanics & Materials, vol. 0, no. 60, pp , 204. [] Simion D, Ursuleanu M F, Graur A, et al. Efficiency Consideration for Data Packets Encryption within Wireless VPN Tunneling for Video Streaming. International Journal of Computers Communications & Control, vol. 8, no., pp , 202. [2] Swire P. From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud. Social Science Electronic Publishing, vol. 2, no. 4, pp , 202. [3] Liu M, Liu Y X, Wang Q S, et al. Multimedia Field Network Construction Based on Movement of VPN. Journal of Jilin University, 20, 29(4): [4] Jeong H C, Kim H K, Lee S, et al. Detection of zombie PCs based on spam analysis. Ksii Transactions on Internet & Information Systems, vol. 6, no. 5, pp , 202. [5] Abdellatif K M, Chotin-Avot R, Mehrez H. Authenticated encryption on FPGAs from the static part to the reconfigurable part. Microprocessors & Microsystems, vol. 38, no. 6, pp , 204. DOI 0.503/IJSSST.a.6.4B ISSN: x online, print