Journal: 《计算机工程与设计》 (Computer Engineering and Design)

Design of a Mobile IPSec VPN System Supporting Trusted Authentication

Abstract

Mobile VPNs based on IPSec are a practical way for mobile terminals to access remote information systems. However, the ordinary identity authentication of IPSec does not consider the integrity and trustworthiness of the mobile terminal. This leaves security holes at the terminal and puts the accessed system and the information it holds at risk. To address this problem, a mobile IPSec VPN system supporting trusted authentication is presented, together with its system architecture and key technologies. Beyond the security functions of an ordinary IPSec VPN, the system adds composite authentication that combines multi-factor authentication with trusted attestation, and dynamic access control based on trust value. A prototype implementation and its performance testing and analysis are then presented, showing that, with the time cost kept within reasonable bounds, the system effectively ensures trusted terminal access, secure and reliable data transmission over the communication channel, and the security of the accessed network's resources together with the availability and manageability of its application services.
