A method for implementing national secret negotiation authentication based on an IKEv2 protocol
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- KOAL SOFTWARE CO LTD
- Filing Date
- 2026-03-24
- Publication Date
- 2026-06-19
Description
Technical Field
[0001] This invention belongs to the field of network security technology, and specifically relates to a method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol. This method aims to improve the security and compliance of network communications and ensure the secure use of sensitive national information.
Background Technology
[0002] In the field of network security, the IKE (Internet Key Exchange) protocol is one of the important protocols for identity authentication and key negotiation. IKEv1 is the first version of this protocol, and the "GB/T 36968-2018 IPSec VPN Technical Specification" is based on that version. Although this specification supports identity authentication and key negotiation using Chinese national cryptographic dual certificates and algorithms, because it is based on IKEv1 it has some obvious shortcomings in practical applications, mainly the following:
1) Complexity: The message exchange process of the IKEv1 protocol is relatively complex, involving multiple stages, which increases the difficulty of implementation, debugging, and troubleshooting. This complexity makes configuration errors easy to make in actual deployment, which in turn causes security issues.
[0003] 2) Low efficiency: The IKEv1 protocol requires multiple round trips during key negotiation, which significantly reduces efficiency in high-latency network environments such as mobile devices and wireless networks. Frequent message exchanges also lead to long negotiation times and low concurrency performance.
[0004] 3) Security vulnerabilities: The IKEv1 protocol is not adequately protected against replay attacks and denial-of-service attacks, and has security vulnerabilities under certain conditions. Moreover, due to its limited support for encryption algorithms, it is increasingly unable to meet the growing security needs.
[0005] With the rapid development of information technology, cybersecurity issues have become increasingly prominent. Compared to IKEv1, the IKEv2 protocol has made significant improvements in security, efficiency, and adaptability, and is clearly better able to meet current cybersecurity needs.
[0006] Currently, the IKEv2 protocol primarily uses international algorithms and certificates such as RSA for identity authentication and key negotiation, lacking support for Chinese national cryptographic certificates and algorithms. However, Chinese national cryptographic certificates and algorithms offer significant advantages in national security and the protection of sensitive information due to their inherent security characteristics and controllability. Furthermore, in recent years, the State Cryptography Administration has successively issued a series of related standards requiring various industries to use Chinese national cryptographic algorithms for data encryption and identity authentication.
[0007] With the further promotion and application of Chinese cryptographic algorithms and the increasing prominence of network security issues, there is an urgent need for an IKEv2 negotiation authentication method based on Chinese cryptographic certificates and algorithms to meet the needs of domestic network security.
[0008] Therefore, how to effectively integrate Chinese cryptographic algorithms and certificates into the IKEv2 protocol, so as to provide a more secure and compliant method for identity authentication and key negotiation, has become an urgent problem to be solved.
Summary of the Invention
[0009] The purpose of this invention is to address the problem that the existing IKEv2 protocol does not support Chinese national cryptographic algorithms and dual national cryptographic certificates, and to provide a method for implementing Chinese national cryptographic negotiation authentication based on the IKEv2 protocol. By combining Chinese national cryptographic algorithms and dual national cryptographic certificates with the IKEv2 protocol, the security of network communication is enhanced.
[0010] To achieve the above objectives, the present invention provides the following technical solution: a method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol, comprising the following steps:
Step 1, IKEv2 Initial Exchange Phase: The client and server exchange IKE_SA_INIT messages. Through this exchange, both parties negotiate the algorithms and keys and confirm the algorithm to be used for subsequent authentication.
a. The original message format [HDR,SA,KE,Nonce] is expanded to [HDR,SA,KE,CERT,Nonce]:
a) Include the national cryptographic algorithms SM4_CBC / PRF_HMAC_SM3 / AUTH_HMAC_SM3 / curveSM2 in the SA payload, so that the national cryptographic algorithms are negotiated for subsequent identity authentication and key negotiation;
b) Send the local SM2 encryption certificate to the peer in the CERT payload. When the shared key is derived with the national cryptographic algorithm, the encryption public key (EncPub) in the SM2 encryption certificate is used as one of the inputs;
c) The local end generates a national cryptographic temporary public key (EphemeralPubkey, abbreviated EphPub) and temporary private key (EphPri) based on the curveSM2 algorithm, and sends EphPub to the peer in the KE payload. When the shared key is derived with the national cryptographic algorithm, EphPub is used as one of the inputs;
d) Send the locally generated random number to the peer in the Nonce payload; it is one of the inputs for generating SKEYSEED.
b. After the exchange is completed, both parties have negotiated the national cryptographic algorithms, confirmed that subsequent identity authentication will be based on the national cryptographic algorithm and national cryptographic certificates, and derive the shared key, SKEYSEED and IKE_SA based on the curveSM2 algorithm:
a) Derive the shared key based on the curveSM2 algorithm: share_secret = curveSM2(PeerEncPub, PeerEphPub, LocalEncPri, LocalEphPri), where PeerEncPub is the public key of the peer's SM2 encryption certificate received in the CERT payload, PeerEphPub is the peer's national cryptographic temporary public key received in the KE payload, LocalEncPri is the private key of the local SM2 encryption certificate, and LocalEphPri is the local national cryptographic temporary private key;
b) Derive SKEYSEED = PRF(Ni | Nr, share_secret), where Ni is the random number generated by the local end, Nr is the random number received from the peer in the Nonce payload, share_secret is the shared key derived above, and the PRF algorithm is PRF_HMAC_SM3;
c) Derive IKE_SA = PRF+(SKEYSEED, Ni | Nr | SPIi | SPIr), where Ni and Nr are as above, SPIi is the cookie identifier value of the local end and SPIr the cookie identifier value of the peer end (both taken from the HDR of the IKE_SA_INIT message), and the PRF algorithm is PRF_HMAC_SM3.
Step 2, IKEv2 Authentication Phase: The client and server exchange IKE_AUTH messages, through which both parties authenticate each other and verify the legitimacy of their identities. The message format is [HDR,SK{IDi,[CERT,][CERTREQ,][IDr,]AUTH,SAi2,TSi,TSr}]. The message is protected by the SK key, with SM4_CBC as the encryption algorithm and AUTH_HMAC_SM3 as the authentication algorithm; the SK key comes from the previously derived IKE_SA. Both parties sign with their respective SM2 signature private keys and send the signature result to the other party in the AUTH payload; both parties send their own SM2 signature certificate in the CERT payload and a certificate request in the CERTREQ payload; each party uses the SM2 signature certificate received from the other to verify the other's signature, and uses the certificate chain to verify the legitimacy of that SM2 signature certificate. If both the signature and the certificate chain verify, identity authentication is complete; otherwise the negotiation is terminated.
Step 3, Secure Communication Phase: Both parties use the IPsec_SA derived from IKE_SA as the session key, combined with the encryption algorithm SM4_CBC and the authentication algorithm AUTH_HMAC_SM3, to ensure secure data transmission.
[0011] Compared with the prior art, the technical effects and advantages of the present invention are as follows: the IKEv2 protocol uses Chinese cryptographic algorithms and dual Chinese cryptographic certificates to complete the identity authentication and key negotiation process, which effectively solves the problem that the existing IKEv2 protocol cannot use Chinese cryptographic algorithms and dual Chinese cryptographic certificates, and has a huge advantage in terms of national security and protection of sensitive information.
Attached Figure Description
[0012] Figure 1 is a flowchart of the present invention.
Detailed Implementation
[0013] To make the technical means, creative features, objectives, and effects of this invention easier to understand, the specific embodiments of this invention are further described below. Referring to Figure 1, a method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol includes the following steps:
Step 1, IKEv2 Initial Exchange Phase: The client and server exchange IKE_SA_INIT messages. Through this exchange, both parties negotiate the algorithms and keys and confirm the algorithm to be used for subsequent authentication.
a. The original message format [HDR,SA,KE,Nonce] is expanded to [HDR,SA,KE,CERT,Nonce]:
a) Include the national cryptographic algorithms SM4_CBC / PRF_HMAC_SM3 / AUTH_HMAC_SM3 / curveSM2 in the SA payload, so that the national cryptographic algorithms are negotiated for subsequent identity authentication and key negotiation;
b) Send the local SM2 encryption certificate to the peer in the CERT payload. When the shared key is derived with the national cryptographic algorithm, the encryption public key (EncPub) in the SM2 encryption certificate is used as one of the inputs;
c) The local end generates a national cryptographic temporary public key (EphemeralPubkey, abbreviated EphPub) and temporary private key (EphPri) based on the curveSM2 algorithm, and sends EphPub to the peer in the KE payload. When the shared key is derived with the national cryptographic algorithm, EphPub is used as one of the inputs;
d) Send the locally generated random number to the peer in the Nonce payload; it is one of the inputs for generating SKEYSEED.
b. After the exchange is completed, both parties have negotiated the national cryptographic algorithms, confirmed that subsequent identity authentication will be based on the national cryptographic algorithm and national cryptographic certificates, and derive the shared key, SKEYSEED and IKE_SA based on the curveSM2 algorithm:
a) Derive the shared key based on the curveSM2 algorithm: share_secret = curveSM2(PeerEncPub, PeerEphPub, LocalEncPri, LocalEphPri), where PeerEncPub is the public key of the peer's SM2 encryption certificate received in the CERT payload, PeerEphPub is the peer's national cryptographic temporary public key received in the KE payload, LocalEncPri is the private key of the local SM2 encryption certificate, and LocalEphPri is the local national cryptographic temporary private key;
b) Derive SKEYSEED = PRF(Ni | Nr, share_secret), where Ni is the random number generated by the local end, Nr is the random number received from the peer in the Nonce payload, share_secret is the shared key derived above, and the PRF algorithm is PRF_HMAC_SM3;
c) Derive IKE_SA = PRF+(SKEYSEED, Ni | Nr | SPIi | SPIr), where Ni and Nr are as above, SPIi is the cookie identifier value of the local end and SPIr the cookie identifier value of the peer end (both taken from the HDR of the IKE_SA_INIT message), and the PRF algorithm is PRF_HMAC_SM3.
Step 2, IKEv2 Authentication Phase: The client and server exchange IKE_AUTH messages, through which both parties authenticate each other and verify the legitimacy of their identities. The message format is [HDR,SK{IDi,[CERT,][CERTREQ,][IDr,]AUTH,SAi2,TSi,TSr}]. The message is protected by the SK key, with SM4_CBC as the encryption algorithm and AUTH_HMAC_SM3 as the authentication algorithm; the SK key comes from the previously derived IKE_SA. Following the IKEv2 standard, each message is assigned a unique sequence number, a sliding replay window is configured, and messages with duplicate sequence numbers or outside the replay window are discarded, which effectively protects against replay attacks. Both parties sign with their respective SM2 signature private keys and send the signature result to the other party in the AUTH payload; both parties send their own SM2 signature certificate in the CERT payload and a certificate request in the CERTREQ payload; each party uses the SM2 signature certificate received from the other to verify the other's signature, and uses the certificate chain to verify the legitimacy of that SM2 signature certificate. If both the signature and the certificate chain verify, identity authentication is complete; otherwise the negotiation is terminated.
Dedicated error codes and error payloads are defined for national cryptographic negotiation, and standardized error information is returned after a verification failure. An exception log module records events such as negotiation failure, invalid certificate, and replay attack, and supports attack tracing. A threshold is set for the number of client authentication failures; if it is exceeded, the corresponding client IP is locked and re-negotiation is prohibited for a short period.
[0014] By performing SM3 hashing on the IDi and IDr identifiers before transmission, or by additionally encrypting them with the SK key, the true identity characteristics are hidden, improving the protection of identity privacy.
[0015] The certificate revocation status verification module has been added, supporting both local CRL caching and OCSP online verification, with priority given to the lightweight OCSP verification method. Verification of certificate validity period, certificate subject, certificate purpose, and issuing authority has also been added; only when all verifications pass is the certificate recognized as valid. It locally caches valid certificates and certificate chains, sets a cache expiration period, and allows repeated negotiation within the expiration period to reuse cached results without retransmitting or verifying certificates, thus significantly reducing negotiation time. After the cache expires, it automatically retrieves and verifies the certificate, balancing efficiency and security.
[0016] Step 3, Secure Communication Phase: Both parties use IPsec_SA derived from IKE_SA as the session key, combined with the encryption algorithm SM4_CBC and the authentication algorithm AUTH_HMAC_SM3 to ensure secure data transmission.
[0017] The server verifies whether the client's TSi / TSr conforms to the preset access permission policy, rejects unauthorized traffic selector requests, and only IPsec_SA that matches the authorization policy will be established to prevent unauthorized traffic access.
[0018] Time-based and traffic-based lifetimes are configured for the IPsec_SA. When the soft expiration threshold is reached, a smooth renegotiation is triggered automatically, and once it completes, traffic is switched to the new SA. After hard expiration the SA is forcibly destroyed, balancing security and business continuity.
[0019] The method supports national cryptographic cards, physical cryptographic machines, and cloud cryptographic services, and moves SM2 private key operations, key storage, and encryption / decryption operations into hardware cryptographic modules, eliminating the risk of keys leaking from software and achieving hardware-level cryptographic protection.
[0020] Supports adaptive algorithm negotiation: The SA payload is compatible with both traditional IKEv2 algorithms and national cryptographic algorithms. It adaptively selects the algorithm suite based on the capabilities of the peer device, enabling the mixed deployment of old and national cryptographic devices and reducing the difficulty of upgrading existing networks.
[0021] It should be noted that in this article, relational terms such as one and two are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations.
[0022] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.
Claims
1. A method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol, characterized in that it includes the following steps:
Step 1, Initial Exchange Phase: The client and server exchange an extended IKE_SA_INIT message, which includes an SA Payload, a KE Payload, a Nonce Payload, and a CERT Payload. The client negotiates and determines the national cryptographic algorithm suite using the SA Payload, exchanges national cryptographic encryption certificates using the CERT Payload, and exchanges the generated national cryptographic temporary public key using the KE Payload. Subsequently, based on the encryption public key and temporary public key sent by the other end, combined with the client's own information, the shared key is derived and the security association IKE_SA is established;
Step 2, Identity Authentication Phase: Both parties exchange IKE_AUTH messages and use the national cryptographic signature certificate and the corresponding signature private key to complete two-way identity authentication and verify the legitimacy of the identities of both communicating parties;
Step 3, Secure Communication Phase: After identity authentication and key negotiation are completed, the IPsec_SA security association is derived from the IKE_SA, and the transmitted data is encrypted and authenticated using the national cryptographic algorithm.
2. The method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol according to claim 1, characterized in that: The national cryptographic algorithm suite includes the SM4_CBC symmetric encryption algorithm, the PRF_HMAC_SM3 pseudo-random function, the AUTH_HMAC_SM3 authentication algorithm, and the curveSM2 key exchange algorithm.
3. The method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol according to claim 1, characterized in that the formula for deriving the shared key share_secret during the initial exchange phase is: share_secret = curveSM2(PeerEncPub, PeerEphPub, LocalEncPri, LocalEphPri); where PeerEncPub is the national cryptographic public key obtained from the peer's CERT Payload, PeerEphPub is the national cryptographic temporary public key obtained from the peer's KE Payload, LocalEncPri is the local national cryptographic private key, and LocalEphPri is the local national cryptographic temporary private key.
4. The method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol according to claim 3, characterized in that the initial exchange phase also includes: using the PRF_HMAC_SM3 algorithm, SKEYSEED is calculated from the random numbers generated by both parties and the derived share_secret; and, further combined with the cookie identifier values, the IKE_SA key for subsequent message protection is derived.
5. The method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol according to claim 1, characterized in that the identity authentication phase specifically includes: both parties include their respective SM2 national cryptographic signature certificates in the CERT Payload; both parties carry, in the AUTH Payload, the digital signature generated over the message content with the national cryptographic signature private key; and both parties use the other party's SM2 national cryptographic signature certificate to verify the signature, combined with the certificate chain, to complete the verification of the legitimacy of the other party's identity.
6. The method for implementing national cryptographic negotiation authentication based on the IKEv2 protocol according to claim 1, characterized in that the national cryptographic algorithms include, but are not limited to, the SM2, SM3, SM4_CBC, SM4_GCM, and SM4_CCM algorithms, which ensure the security and compliance of data transmission.