Research on ssl vpn Security Technology in Embedded Networks

Source: Internet
Author: User
Tags ssl connection

Internet has become an important channel for people to  and communicate with each other. Combining embedded systems with the Internet, connecting embedded devices to the Internet is the development trend of embedded applications today. Both Internet and Web Services and embedded systems have low cost and high efficiency. integrating them into one has many potential advantages, such as the use of TCP/IP and HTTP protocols, it can be seamlessly connected to Ethernet. It can be remotely monitored, diagnosed, and controlled using a standard Web browser. The embedded Web technology can be used to implement Internet-based Remote Data Collection, remote control, automatic alarm, and other functions, which greatly expands the application scope of embedded systems and makes full use of network resources, achieve wider information sharing and more information services.

The embedded Internet solves the network problem of terminal devices. However, the network environment provided by the Internet does not guarantee the security of the access system. The security of the embedded Internet is directly related to the development of the embedded Internet and its application prospects, therefore, when designing an embedded Internet system, you must consider the security of embedded Internet communication. In the embedded network system, you need to solve the following problems:

1) Many Web servers not only need to access data, but also provide control over devices, machines, and even factories. This means that if an embedded system encounters a problem, it will endanger devices or factories, the result is not only the loss of information, but also the loss of control. This requires a high level of security based on the low cost of the embedded environment.

2) data is transmitted over the public Internet and may be attacked at any time.

3) Many embedded systems require continuous operation for several months, years, or even 10 years, which imposes extremely strict requirements on system stability, therefore, it must ensure stable operation in any situation for a long time.

4) Most embedded systems are subject to strict resource restrictions. However, as the performance of embedded processors and other hardware continues to improve, it is possible to apply complex network security protocols.

Currently, SSLVPN and IPSecVPN are two popular Internet remote secure access technologies. They have similar features, but there are also some differences. IPSecVPN provides a complete network layer connection function, which is the best option to achieve secure connection to the private network. IPSecVPN must be supported by a software client. It does not support public Internet site access, but can be accessed by Web or non-Web enterprise applications. The "Zero client" architecture of SSLVPN is particularly suitable for remote user connection. Users can access Enterprise Network Web applications through any Web browser. However, SSLVPN only encrypts an application channel of both parties, rather than the entire channel of both parties, so that SSLVPN also has certain security risks. Compared with the implementation feasibility and running overhead, SSLVPN is obviously more suitable for embedded systems that use Internet and Web services.


2.1VPN Introduction

VPN (VirtualPrivateNetwork) refers to the technology for establishing a private network on a public network. The connection between any two nodes of the VPN network is not a point-to-point physical link required by the traditional private network, but a logical network built on the network platform provided by the public network service provider ISP. User data is transmitted through a logical tunnel (point-to-point virtual line) established by the ISP in the public network, the corresponding encryption and authentication technologies are used to ensure secure transmission of internal network data on the public network, so as to realize the uniqueness of network data transmission and ensure security.

2.2SSL Protocol

SSL is a security protocol based on Web applications. It specifies the security mechanism for data exchange between application protocols (such as HTTP, Telnet, FTP, etc.) and TCP/IP protocols, provides data encryption, server authentication, and optional client authentication for TCP/IP connections. SSL can seamlessly implement Internet protocol stack processing between TCP/IP and the application layer without any impact on other protocol layers.

As an application layer protocol, SSL uses public key system And X.509 digital certificate technology to protect the confidentiality and integrity of information transmission. The SSL protocol consists of two layers: the SSL handshake layer and the record layer. The upper layer is the handshake layer, including the SSL handshake protocol, the SSL modified ciphertext protocol, the SSL alarm protocol, and the application data protocol; the lower layer is the SSL record protocol, as shown in figure 1. They provide authentication, encryption, and tamper-proofing for application access connections. The SSL handshake protocol is mainly used for mutual authentication between servers and customers. It negotiates encryption algorithms and MAC algorithms and generates encryption keys sent in SSL records. The SSL warning protocol is used to send SSL-related alarms to peer entities. The SSL record protocol provides basic security services for various high-level protocols.

Figure 1 SSL protocol stack

The handshake protocol plays an important role in SSL data transmission. Through the handshake protocol, data encryption and authentication can be implemented to ensure end-to-end secure transmission and effectively prevent external attacks on the Web.

2.3 sslvpns

SSLVPN uses the PKI certificate system through the SSL protocol, various cryptographic algorithms such as DES, 3DES, AES, RSA, MD5, and SHA1 are used during transmission to ensure data confidentiality, integrity, and non-repudiation, implements secure information exchange on the Internet. Nowadays, almost all browsers have SSL functions, which are becoming a key protocol for enterprise applications, wireless access devices, Web Services, and secure access management.

SSL-based VPN provides many favorable conditions for embedded systems, including:

1) You can use standard software such as Web browsers to access embedded systems.

2) SSL allows customer identification without storing passwords in embedded systems. This is especially beneficial to embedded systems that require remote operations.

3) SSL provides multiple encryption standards, allowing system designers to balance security risks and encryption strength.

4) SSL provides client and server authentication.

The core of SSLVPN is the SSL protocol. Currently, there are multiple toolboxes based on the standard SSL protocol, however, it cannot run well in an embedded environment due to its large data structure and comprehensive system management. Another major defect is that the generation of symmetric keys requires a large amount of computing and cannot be implemented by simple and effective hardware. In addition, when designing a system, you must fully consider client authentication, therefore, we must make targeted cutting and Optimization on conventional SSL protocols to meet the needs of embedded applications.

3 SSL embedded Optimization Design

To ensure the use of SSL technology in a limited embedded resource environment, standard SSL protocols must be cropped and optimized. The main optimization aspects are: re-design the SSL internal module, introduce the session reuse module, adopt only one-way Server Authentication RSA mode, and select the encryption algorithm to adapt to the characteristics of embedded computing.

3.1 session Reuse

The core of the SSL protocol is the handshake protocol. The connection process is as follows:

Figure 2SSL handshake

From the above SSL connection process, it is not difficult to see that the SSL handshake process requires a lot of system time (CPU processing) and Space (memory ), therefore, session reuse is necessary for Embedded browsers to achieve the next SSL connection between servers and browsers.

The process of session reuse is: the customer and the server establish the first session through the complete handshake process, and then both parties save the session. When the customer uses session reconnection, The session_id is used as the session_id of the current session, otherwise it is left empty. After the server receives the client's client_hello message, it will view the session_id. If it is null, it will not re-use the session. The server will generate a new session_id and send it to the client in server_hello; otherwise, the server will find the session_id Session from session, the session parameter is restored as the current parameter. After receiving the server_hello message, the customer checks whether the session_id sent from the server is consistent with the reused session_id. If the same, the session is reused. Otherwise, both parties negotiate the session parameters again. Through session reuse, the server and browser can omit the public key and authentication operations, and can reuse the previous private key.

3.2 One-way authentication

One-way SSL server authentication. An application running as an SSL client can verify the identity of the application running as an SSL server without providing reverse authentication. In this way, the client authentication steps can be removed, the number of handshakes can be reduced to reduce system overhead, and certificates can be distributed to authorized users using PKI, which can also meet the security requirements of most practical applications.

3.3 algorithm selection

In the SSL handshake process, the server CPU time is mostly used to decrypt private keys and compute master keys. At the same time, the SSL connection performance is also largely dependent on the algorithm used, therefore, algorithms have an important impact on SSL in embedded systems. In an embedded browser, you can select the 512-bit RSA public key algorithm. The RSA mode only authenticates the server, reducing the number of handshakes; the symmetric encryption algorithm RC4-128 which is suitable for embedded environment is used to encrypt the transmitted data, the fastest running hash function MD5128 can be used to calculate the message Verification Code MAC.

4SSLVPN application solution and implementation

We have designed an application scheme based on SSLVPN technology and constructed the implementation body of the SSL protocol. The implementation principle is: through negotiation between the client and the server, the RSA algorithm is used for encryption to establish a secure channel. The information transmitted in this channel is encrypted through RC4 to ensure data confidentiality; the MD5 function is used to extract the message verification code for the transmitted information to ensure the integrity of the information. The certificate exchange technology is used to identify and authenticate the client and server, and the identity is verifiable.

This scheme can be divided into two parts: the client and the server to implement the SSL protocol. The program framework is as follows:


Certificates and key files required during transmission:

1) generate the private key of the server (key file): opensslgenrsa-des3-outserver.key512;

2) generate Certificate Signing Request CSR: opensslreq-new-keyserver.key-outserver.csr;

3) generate the key file of CA: openssl-des3-outca.key1024;

4) generate CA self-signed certificate: opensslreq-new-x509-keyca.key-outca.crt;

5) use the generated CA certificate to sign the generated server. csr and client. csr file:./sigh. shserver. csr.

In the program we choose RC4 for encryption, MD5 for Message Digest (first MD5 calculation, after RC4 encryption), by SSL_CTX_set_cipher_list (ctx, "RC4-MD5.

We have implemented the above SSL optimization scheme in the embedded LinuxWeb browser application on the S3C2410 hardware platform. The actual application test results meet our design goals. Using streamlined and optimized SSL in embedded products is a practical solution. by simplifying the handshake process, reducing the number of new connections, session reuse, and selecting encryption algorithms, this makes it more suitable for the practical application of embedded systems. The disadvantage is that SSLVPN can only access Web-based applications at present, and remote users cannot perform non-Web-based applications. In addition, because SSLVPN does not encrypt the entire channel of both parties, it can only provide limited security protection for resources to access, it cannot be ensured that only simple files such as uploaded files and email attachments are displayed, which makes it difficult to ensure that other files are not exposed to the outside and has certain security risks. This is a challenge facing SSLVPN and a key issue that we will focus on in the future.

5 conclusion

The performance improvement of the embedded system processor and other hardware makes the VPN based on SSL and TLS possible. SSL adopts security technologies such as communication data encryption and identity authentication, it ensures the confidentiality, identity authentication, non-repudiation and integrity of the data transmission process, and prevents various Web attacks, such as eavesdropping, spoofing, tampering, and session hijacking. With the increasing importance of embedded network security, we believe that SSLVPN will be more widely used.

Edit recommendations]

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.