
Design and implementation of a transparent cryptographic security layer into the transport layer

: Leyer, T.
: Nagel, U.; Wolthusen, S.

Paderborn, 2001
Paderborn, Univ., Dipl.-Arb., 2001
Fraunhofer IGD
computer communication network; computer security; data encryption (standard); authentication; cryptographic control; public key cryptosystem

The realization of a cryptographically secured Virtual Private Network (VPN) layer was the topic of this thesis. Although the
implementation was done for UNIX hosts, interoperability with other platforms was required. The prototype had to provide transparency for users and applications as well as state-of-the-art cryptographic security. It was integrated into the CIPRESS system developed at the Fraunhofer Institute for Computer Graphics.
First, an analysis of possible solutions for the cryptographic processing as well as for the network integration was carried out.
Among the alternatives, e.g. the design of a custom cryptographic protocol, the use of the well-tested Secure Socket Layer (SSL) protocol was found to be the best choice. It is reliable, proven by wide deployment, and provides a flexible framework for the integration of new cryptographic methods.
The most suitable solution for the network integration turned out to be a UNIX kernel module based on the STREAMS mechanism, which provides a well-defined interface for implementing extensions to the UNIX network interface. This avoids re-implementing networked applications, since the interface they commonly use remains unchanged. A STREAMS module was therefore the right choice for a general solution.
The implemented prototype consists of two components. The STREAMS module, operating at kernel level, processes transferred data in two layers. The first layer, called the VPN layer, checks whether a connection to another host should be allowed and whether the transferred data should be encrypted. For already established connections the VPN layer encrypts the data payload using the symmetric encryption provided by SSL. The second layer is invoked when a new connection to a host designated for encryption is requested; it establishes an SSL-secured connection to the destination host. Configuration and certificate handling are done by a daemon running at user level.
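The following is an added illustration of the two-layer decision logic described in the abstract, written for this record and not taken from the thesis or the CIPRESS code. It models the per-host policy (deny, pass through, or require SSL), the connection states, and the invariant that no payload leaves in plaintext for a host designated for encryption before the SSL session is established; the host names, the `Policy`/`State` enums and the `_seal` stand-in for the SSL record layer are all assumptions.

```python
from enum import Enum

class Policy(Enum):
    DENY = "deny"        # connection is refused by the VPN layer
    PASS = "pass"        # plaintext allowed, no SSL session
    ENCRYPT = "encrypt"  # SSL session required before any payload leaves

class State(Enum):
    HANDSHAKE = 1        # second layer is still negotiating SSL
    ESTABLISHED = 2      # data may flow (sealed if policy is ENCRYPT)

def _seal(host, payload):
    """Stand-in for SSL record protection; NOT encryption, just a tagged wrapper."""
    return b"[ssl:" + host.encode() + b"]" + payload

class VpnLayer:
    def __init__(self, policy, default=Policy.DENY):
        self.policy = dict(policy)     # host -> Policy, as the user-level daemon would supply it
        self.default = default         # unknown hosts are denied unless configured otherwise
        self.sessions = {}             # host -> State
        self.pending = {}              # host -> payloads queued while the handshake runs

    def lookup(self, host):
        return self.policy.get(host, self.default)

    def on_connect(self, host):
        """First layer: decide whether to allow the connection and whether to encrypt."""
        p = self.lookup(host)
        if p is Policy.DENY:
            return "refused"
        if p is Policy.ENCRYPT:
            self.sessions[host] = State.HANDSHAKE   # hand over to the second layer
            self.pending[host] = []
            return "handshake"
        self.sessions[host] = State.ESTABLISHED
        return "plain"

    def on_handshake_done(self, host):
        """Second layer finished SSL setup: flush queued payloads, now sealed."""
        self.sessions[host] = State.ESTABLISHED
        queued = self.pending.pop(host, [])
        return [("sealed", _seal(host, data)) for data in queued]

    def on_send(self, host, payload):
        """Data path: return (action, bytes); plaintext never goes to an ENCRYPT host."""
        p, state = self.lookup(host), self.sessions.get(host)
        if p is Policy.DENY or state is None:
            return ("drop", None)                    # no allowed connection exists
        if p is Policy.PASS:
            return ("plain", payload)
        if state is State.HANDSHAKE:
            self.pending[host].append(payload)       # hold until SSL is up
            return ("queued", None)
        return ("sealed", _seal(host, payload))
```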