
A new standard in secure networking.


Abstract

The growth of networks, both wired and wireless, has brought with it a tremendous increase in flexibility and ease of use of computing. Typical wired networks transmit frames unencrypted. This has often been adequate, since intercepting packets requires physical possession of the wires. Conversely, wireless networks have had encryption designed in from the beginning to protect against unauthorized use and reception of network data. The current encryption standard for wireless networks is wireless equivalent privacy (WEP). It has serious security weaknesses, and it has been effectively compromised. Newer options are currently available that are believed not to contain the same problems. Unfortunately, any system that shares a common key with many users is fundamentally insecure, since it is impossible to trust every user in the system.

This paper presents the author's own attempt at a solution to this problem. The design is based on a cryptographic layer that processes all network packets before sending them to the physical device for transmission. The design presented herein has several major goals. First, it must minimize the ability of anyone, including insiders, to analyze the network traffic. Second, it must prevent any client from being able to decrypt packets not intended for that client. It must be as simple as possible since, "You can't secure what you don't understand." Lastly, given the other considerations, it should be as fast as possible.

Each possible communications path is encrypted under a unique key, with those keys negotiated through elliptic curve based public key cryptography. Digital signatures are used to verify the origin and integrity of negotiation packets. Key changing is handled automatically. The use of public key cryptography ensures that it is impossible for one station to impersonate another. Traffic analysis is made extremely difficult for everyone, including insiders, through the use of randomly generated path variables and common packet design. Access control is possible on a per-station basis, with each station able to control the nodes it will accept communications from. The design is coded in C and implemented as Linux kernel modules.