SWM: An Implementation Model for Secure Web Sites
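Abstract
To ensure the security and authority of government websites, the state spends large sums from its budget every year on building dedicated networks, but with little effect: incidents of government websites being broken into by hackers occur repeatedly. The facts show that traditional network security techniques (such as firewalls and private-network technology) cannot truly guarantee the security of information systems.
    Building on SSL and public-key cryptography, this paper proposes SWM, a general model for secure Web sites. SWM can not only provide non-confidential services to the general public but also provide secure, confidential services to special groups (such as state officials). Its specific components are:
    1. Storage encryption system
    Encrypts confidential information stored on the server, using different encryption algorithms and encryption strengths according to its level of secrecy; even if a hacker breaks in, all that is obtained is encrypted content, from which no useful information can be derived;
    2. Transmission encryption system
    Implemented with the SSL protocol; all content sent over the SSL channel is SSL-encrypted and carries a message authentication code, which prevents eavesdropping or tampering by third parties;
    3. Client-side secure proxy system
    Provides high-strength encrypted transmission (key length of 128 bits or more) between the proxy and the server, resolving the awkward situation in which existing browsers such as IE and Netscape Navigator can offer only low-strength encryption (56 bits or less);
    4. Dynamic authentication system
    Authenticates the identities of both communicating parties in real time, preventing impersonation by third parties;
    5. Secure Web services
    SWM can provide secure Web services such as Web pages, secure e-mail, secure file download, a worry-free forum and trusted chat, and the paper gives detailed design ideas.
    The significance of this paper is that it provides a practical network security solution for building Party and government networks; with it, a highly reliable and highly secure website can be built on a public network. The core technology of the solution was developed independently, contains no backdoors and is cost-effective, making it a good reference for the construction of Party and government networks.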
To assure the security and authority of government websites, the Finance Department spends much money on constructing an Intranet, but with little result. Reports of hackers damaging political party websites appear now and then. The facts indicate that traditional security technology cannot really assure the security of an information system.
    Based on SSL and public key encryption, the paper proposes SWM, a common model for secure websites. The model can not only provide the general public with non-secret services but also provide special users (such as leaders) with secure, secret services. SWM comprises the following:
    1. Storage encryption system
    It can encrypt the information on the server side with different algorithms and strengths. Even if a hacker intrudes into the server, he can obtain only the ciphertext and cannot recover the plaintext from it;
    2. Transmission encryption system
    It is implemented on the basis of the SSL protocol. It can encrypt everything that passes through the SSL channel and append a message authentication code (MAC), preventing eavesdropping and tampering by a third party;
    3. Secure proxy on the client side
    The proxy can provide high-strength (keys of 128 bits and upwards) encrypted transmission between the secure web server and the proxy, solving the problem that current browsers such as IE and Netscape Navigator can provide only low-strength (maximum key length of 56 bits) encryption;
    4. Dynamic authentication
    It can authenticate the other side of the communication, preventing impersonation by a third party;
    5. Secure Web services provided by SWM
    SWM can provide secure web services such as Web pages, secure email, secure file download, a forum with no inconvenience and chatting with no security worries, and the paper presents a detailed method for constructing them.
    The contribution of the paper is a feasible secure network solution for constructing political party websites. With the solution, one can construct a website with high reliability and high security over the Internet. The solution has autonomous intellectual property, great economic benefit and good reference value.
