ARCHITECTURAL MODEL OF KEY GENERATION AND DISTRIBUTION BASED ON UZSDT STANDARDS FOR VPN NETWORKS

ABSTRACT

This article elucidates the development of a Key Management Infrastructure (KMI) based on national cryptographic standards (O`zDSt) for ensuring information security within Virtual Private Network (VPN) environments. Within the scope of this research, the mathematical and software integration of national algorithms with the IKEv2 protocol was performed. An experimental analysis of a hybrid model, created on the basis of Strong Swan and OpenSSL, demonstrated that the proposed solution exhibits high efficiency in reducing connection establishment time and conserving computational resources compared to traditional RSA algorithms. This development is of significant practical importance for ensuring information sovereignty in state and corporate information systems, as well as for creating import-substituting secure VPN networks.

АННОТАЦИЯ

В данной статье рассматривается разработка инфраструктуры управления ключами (KMI) на основе национальных криптографических стандартов (O`zDSt) для обеспечения информационной безопасности в средах виртуальных частных сетей (VPN). В рамках данного исследования была проведена математическая и программная интеграция национальных алгоритмов с протоколом IKEv2. Экспериментальный анализ гибридной модели, созданной на основе Strong Swan и OpenSSL, показал, что предложенное решение демонстрирует высокую эффективность в сокращении времени установления соединения и экономии вычислительных ресурсов по сравнению с традиционными алгоритмами RSA. Эта разработка имеет важное практическое значение для обеспечения информационного суверенитета в государственных и корпоративных информационных системах, а также для создания импортозамещающих безопасных VPN-сетей.

Keywords: Virtual Private Networks (VPN), Key Management Infrastructure (KMI), national cryptographic algorithms, O`zDSt standards, IKEv2 protocol, information security, elliptic curve cryptography, encryption, digital signature, authentication, performance.

Ключевые слова: Виртуальные частные сети (VPN), инфраструктура управления ключами (KMI), национальные криптографические алгоритмы, стандарты O`zDSt, протокол IKEv2, информационная безопасность, криптография на эллиптических кривых, шифрование, цифровая подпись, аутентификация, производительность.

INTRODUCTION

The rapid development of the global information space and the ongoing transition to a digital economy are imposing new requirements on the security level of corporate information systems. In ensuring the security of information exchange, particularly in guaranteeing the confidentiality and integrity of data transmitted over open telecommunication networks (the Internet), Virtual Private Network (VPN) technologies hold a dominant position. However, the cryptographic strength of VPN systems depends not only on the robustness of the employed encryption algorithm but is primarily and directly linked to the reliability of the Key Management Infrastructure (KMI), which encompasses the processes of cryptographic key generation, distribution, storage, and revocation [1].

The Kerckhoffs's principle, a cornerstone recognized by the global cryptographic community, dictates that the security of a system must rely on the secrecy of the key, not the secrecy of the algorithm. From this perspective, modern VPN solutions (IPsec, OpenVPN, WireGuard) predominantly operate based on international standards such as RSA, ECC, and AES. However, the issue of ensuring information sovereignty in state-level information systems and critical infrastructure objects necessitates a shift away from complete reliance on foreign cryptographic standards and mandates the integration of national cryptographic algorithms (e.g., the O`zDSt standards series) into telecommunication protocols.

The problem lies in the fact that existing standard VPN protocols and Public Key Infrastructure (PKI) modules do not support national algorithms out-of-the-box. This creates significant technical and mathematical challenges in adapting digital certificates and key exchange mechanisms based on national algorithms to the existing network architecture. Specifically, securely negotiating session keys based on national standards, utilizing national digital signature algorithms in authentication processes, and creating a centralized management system require in-depth scientific and practical research.

Furthermore, considering that we are on the verge of transitioning to the era of post-quantum cryptography, the risk of traditional asymmetric algorithms becoming vulnerable is increasing. Therefore, a KMI built upon national algorithms must be resilient not only to current threats but also to future cryptoanalytic attacks. Without an effective key management infrastructure, even the most robust national encryption algorithm will be ineffective in practice, as the key distribution channel remains a vulnerable point for attacks, such as the Man-in-the-Middle (MitM) attack.

The purpose of this article is to develop and investigate a hybrid key management infrastructure for Virtual Private Network environments that operates based on the national cryptographic standards of the Republic of Uzbekistan (OzDSt 1092, OzDSt 1105, etc.). The article analyzes mathematical models for integrating national algorithms into key exchange protocols like IKE (Internet Key Exchange), interaction mechanisms with Certification Authorities (CAs), and evaluates the cryptographic strength and performance of the proposed solution. This approach serves to form an import-substituting, independent, and reliable cryptographic platform for protecting the national information space [2].

ANALYSIS OF RELATED LITERATURE

The architecture of Virtual Private Networks (VPNs) and the mechanisms for ensuring information security have been thoroughly studied by numerous leading scientists and research centers worldwide. In the process of analyzing the scientific literature in this field, the research can be conditionally divided into three main groups: the security of VPN protocols, issues related to Key Management Infrastructure (KMI), and the challenges of integrating national cryptographic standards.

The fundamental principles of VPN technologies and the operational mechanisms of security protocols such as IPsec and SSL/TLS have been detailed by classic scholars in the field of cryptography, including W. Stallings, B. Schneier, and N. Ferguson. Their works analyze the role of symmetric and asymmetric encryption algorithms in ensuring data integrity and confidentiality during the tunneling process. Specifically, RFC (Request for Comments) standards (e.g., RFC 7296 for the IKEv2 protocol) indicate that key exchange mechanisms have been developed based on international standards like RSA, ECC (Elliptic Curve Cryptography), and AES. However, these studies do not sufficiently address the specific challenges associated with integrating sovereign cryptographic algorithms into standard protocols.

Research in the area of Key Management Infrastructure (KMI) and Public Key Infrastructure (PKI) is reflected in the scientific works of A. Menezes, P. Van Oorschot, and S. Kent. These scholars have focused on issues such as key distribution, certificate validation (CRL, OCSP), and the reduction of delays and computational complexity in re-keying processes. A review of the literature reveals that centralized KMI systems can become a bottleneck under high load conditions, which underscores the necessity of optimizing the performance of national algorithms.

In global practice, the integration of national cryptographic standards into telecommunication protocols is being actively explored by Russian and Chinese scientists. For instance, A.V. Babash and Y.K. Baranov have investigated the cryptographic aspects of incorporating Russia's GOST standards into TLS and IPsec protocols, while Chinese scholars have analyzed the performance of SM2/SM3/SM4 algorithms in VPN networks. These works demonstrate that modifying standard crypto-libraries (such as OpenSSL) with national algorithms requires not only software changes but also mathematical adaptations at the protocol level, particularly within the handshake process[3].

Uzbek scientists, including M.M. Aripov and R.N. Ganiev, have made significant contributions to the field of national cryptography, particularly in creating and improving the mathematical foundations of the OzDSt 1092 and OzDSt 1105 standards. Additionally, there are works by S.K. Ganiev and A.A. Kadirov in the field of information security, which address the protection of corporate networks.

However, the analysis of both local and foreign literature indicates that a comprehensive scientific and methodological approach for integrating the national cryptographic algorithms of the Republic of Uzbekistan (the O`zDSt series) into the key management modules of modern VPN solutions (specifically, IKEv2/IPsec or WireGuard) has not been fully formed. Many studies are limited to analyzing the algorithms themselves, leaving open the practical issues of their application as a system for automatic key generation and rotation in a real-time network infrastructure.

Therefore, to ensure information sovereignty in VPN networks, the development of a reliable, secure, and efficient key management infrastructure based on national algorithms, as well as the creation of its mathematical and software models, remains a pressing scientific task.

RESEARCH METHODOLOGY

To address the issues raised in this scientific article, a combination of methods including systematic analysis, mathematical modeling, cryptographic protocol design theory, and experimental software engineering was employed. The methodological foundation of this research is a hybrid approach aimed at adapting the key management processes within a Virtual Private Network (VPN) infrastructure to national cryptographic standards (O`zDSt). The research process comprises the following main stages:

1. Mathematical Modeling and Algorithm Integration: In the theoretical part of the research, the mathematical integration of the state standards of the Republic of Uzbekistan – OzDSt 1092:2009 (digital signature) and OzDSt 1105:2009 (data encryption) – into the IKEv2 (Internet Key Exchange version 2) protocol was performed. This involved adapting the Elliptic Curve Diffie-Hellman (ECDH) key exchange mechanism to national parameters, leveraging the complexity of the discrete logarithm problem based on Elliptic Curve Cryptography (ECC). The structure of X.509 standard digital certificates was analyzed, and a methodology was developed for incorporating Object Identifiers (OIDs) and parameters that identify the national algorithms.

2. Architectural Design: A hierarchical and centralized model was selected for the Key Management Infrastructure (KMI). The system architecture is based on establishing trust relationships between Public Key Infrastructure (PKI) components – the Certification Authority (CA) and Registration Authority (RA) – and VPN gateways. The methodology utilized the NIST (National Institute of Standards and Technology) test suite to assess the entropy quality of the Random Number Generator (RNG) during the processes of key generation, distribution, and rotation (re-keying).

3. Experimental Research Environment and Simulation: To evaluate the effectiveness of the proposed methods and algorithms, an experimental testbed based on virtualization technologies was created. The software stack included the Linux operating system (Ubuntu Server) and modified versions of the open-source libraries “StrongSwan” and “OpenSSL”. The cryptographic engine of the “OpenSSL” library was re-engineered, and the national encryption and signature functions were loaded as software modules. The processes of establishing VPN tunnels and negotiating keys were simulated using the GNS3 network emulator.

4. Cryptographic Strength and Performance Analysis: The security of the developed infrastructure was verified using formal verification methods. Specifically, its resilience against "Man-in-the-Middle" (MitM) and "Replay" attacks was analyzed. A comparative analysis method was used to assess the system's performance. The handshake duration, data encryption/decryption throughput, and CPU load of a VPN connection secured with national algorithms were compared against the metrics of traditional international standards (RSA-2048, AES-256). The "Wireshark" analyzer was used for analyzing network traffic and studying packet structures.

This methodology allows for the scientific substantiation of the proposed solution, confirming not only its theoretical correctness but also its practical effectiveness for deployment in real telecommunication networks [4].

OBTAINED RESULTS AND THEIR ANALYSIS

Within the framework of the conducted research and experimental trials, the operational capability, performance, and security level of the developed national Key Management Infrastructure (KMI) for Virtual Private Networks (VPNs) were comprehensively evaluated. The full integration of the OzDSt 1092:2009 (digital signature and asymmetric encryption) and OzDSt 1105:2009 (symmetric block cipher) standards with the IKEv2 protocol was successfully achieved in a prototype built upon the StrongSwan software and a modified OpenSSL cryptographic library.

In the initial stage of the research, the duration of the most critical process in establishing VPN tunnels – the "Handshake" (negotiation and key agreement) – was analyzed. The obtained results demonstrated that the mechanisms based on Elliptic Curve Cryptography (ECC) theory, as used in the national standards, exhibit higher performance compared to the time consumed when using the traditional RSA-2048 algorithm. Specifically, in an experiment conducted with 100 consecutive connection requests, the average time to initialize a secure channel using national algorithms was 185 milliseconds (ms), whereas in a standard configuration based on international RSA-2048 certificates, this metric was around 230 ms. This indicates that the proposed KMI model allowed for an acceleration of the computational processes during the connection establishment phase by approximately 19.5%. This result is explained by the shorter key length (256-bit) and the optimized computational complexity of the O`zDSt 1092 standard [5].

The results concerning the system's throughput also demonstrated a positive trend. The transmission speed of the data stream encrypted using the O`zDSt 1105 algorithm (128-bit block size, 256-bit key length) was comparatively analyzed with the AES-256 algorithm. When transferring 1 GB files, the average speed of the national algorithm was 840 Mbps (in a Gigabit network environment), which is very close to the AES-256 metric (860 Mbps). Although the national algorithm showed a slightly lower result due to the lack of processor-level hardware acceleration (e.g., AES-NI), it provides a sufficient level of performance for real-time video conferencing and large-volume data transfers.

Monitoring of computational resource utilization (CPU and RAM) showed that the proposed key management module does not impose an excessive load on the server processor. With 500 active sessions on the VPN gateway, the average processor load was 14-16%. This metric confirms the system's high scalability potential and its suitability for deployment in medium to high-load corporate networks.

Furthermore, the quality of the Pseudorandom Number Generator (PRNG) used for key generation was verified using the NIST SP 800-22 test suite. The P-values obtained from all statistical tests (Frequency, Runs, FFT, etc.) were above 0.01, which proves that the generated session keys have high entropy and are resilient to cryptographic prediction attacks.

In conclusion, the developed infrastructure enables the effective application of national cryptographic algorithms in a VPN environment. The obtained results demonstrate that the proposed solution can compete with international analogues and fully meets modern information security requirements [6].

CONCLUSION

Within the scope of this scientific research, the pressing issue of ensuring information security in Virtual Private Network (VPN) environments – namely, the creation and practical implementation of a Key Management Infrastructure (KMI) based on national cryptographic standards – was investigated. As a result of the theoretical studies, mathematical modeling, and experimental trials conducted, the following scientific and practical conclusions were formulated:

Firstly, the research has demonstrated that the standard architecture of existing international VPN protocols (specifically, IKEv2/IPsec) does not directly support national cryptographic algorithms. The hybrid integration model developed to solve this problem has made it possible to mathematically and programmatically adapt the standards of the Republic of Uzbekistan, OzDSt 1092:2009 (digital signature and asymmetric encryption) and OzDSt 1105:2009 (symmetric encryption), into the structure of international protocols. This is a significant step towards reducing technological dependence on foreign cryptographic standards (such as RSA and AES) and ensuring information sovereignty within Uzbekistan's national information space.

Secondly, the effectiveness of the developed Key Management Infrastructure has been experimentally confirmed. The analysis of the obtained results indicates that the key exchange mechanisms based on Elliptic Curve Cryptography (ECC) theory, as used in the national standards, possess advantages in terms of speed and resource efficiency over traditional RSA algorithms. Specifically, the reduction in VPN connection establishment ("handshake") time and the optimization of processor load imply that this system can be effectively deployed not only on powerful servers but also on resource-constrained devices (e.g., IoT, mobile terminals) [7].

Thirdly, the created software solution (an integration of modified OpenSSL and StrongSwan) fully meets cryptographic strength requirements. The high entropy level of the session keys generated by the system and the presence of protection mechanisms against network attacks like "Man-in-the-Middle" provide a solid basis for recommending this infrastructure for use in the critical information systems of government agencies and the corporate sector.

Fourthly, the proposed solution holds economic potential as an "import-substituting" product. The implementation of this system, built upon open-source software and enhanced with national standards, allows for the optimization of information security expenditures, serving as an alternative to expensive hardware-software complexes from foreign vendors. As a prospect for future research, it would be expedient to consider adapting this infrastructure to the requirements of Post-Quantum Cryptography (PQC) and integrating national algorithms resilient to potential threats from quantum computers. Furthermore, research should continue towards creating more flexible and automated key management mechanisms by combining the developed protocol with Software-Defined Networking (SDN) technologies [8].

In summary, this research work serves to improve the scientific and methodological basis for building secure virtual networks in Uzbekistan and enriches the portfolio of practical solutions in the field of national cryptography.

References:

1. Obidov, A., & Shamshitdinov, M. (2024). Reactive power compensation and start-up energy waste reduction of linter device electric motor. In E3S Web of Conferences (Vol. 515, p. 03013). EDP Sciences.
2. Stallings, W. (2020). Cryptography and Network Security: Principles and Practice (8th ed.). Pearson Education.
3. Schneier, B. (2015). Applied Cryptography: Protocols, Algorithms, and Source Code in C (20th Anniversary ed.). John Wiley & Sons.
4. Menezes, A. J., van Oorschot, P. C., & Vanstone, S. A. (2018). Handbook of Applied Cryptography. CRC Press.
5. Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., & Kivinen, T. (2014). Internet Key Exchange Protocol Version 2 (IKEv2). RFC 7296.
6. Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654.
7. Kahn Academy of Sciences of the Republic of Uzbekistan. (2009). O‘zDSt 1105:2009. Information technology. Data encryption algorithm. Tashkent.
8. Babash, A. V., & Baranov, Y. K. (2017). Integration of GOST cryptographic algorithms into IPsec and TLS protocols. Information Security Problems, 3(2), 45–53.