Research on the Information Security of MES Systems in a Web Environment
Abstract
Drawing on the development experience of the Tian Gong MES system built by the Informatization Studio of the School of Mechanical and Electronic Engineering, Wuhan University of Technology, this thesis systematically analyzes the information security risks of that MES system and other possible external threats from two angles: intrusion prevention and intrusion detection.
     The thesis sets out the security objectives for operating an MES system in a Web environment and decomposes them into several measurable sub-objectives. It designs a security architecture for the MES software and focuses on how, while keeping the MES system secure and efficient, access control, firewall and intrusion detection mechanisms can be used to encrypt important data and protect against intrusion, thereby improving the security and attack resistance of the MES software and the availability and reliability of the MES system. Based on the description of the international information security standard framework and the strategies of information security systems in China and abroad, it proposes the security policy that should govern the operation and maintenance of MES software in a Web environment.
     The thesis systematically introduces the key technologies used by the security architecture: VPN technology, Web services, and currently popular encryption algorithms for software security. It selects and implements efficient, secure data encryption algorithms suited to the MES system, and summarizes the various encryption and decryption algorithms.
     To demonstrate the usability and security of the security architecture, part of its functionality is implemented in simulation. The thesis discusses the actual implementation of overall security for the MES system in a Web environment, presents result figures for the data encryption and decryption algorithms, and implements the function points of the intrusion detection system and the Web-service-based authentication in the MES system.
     Finally, the thesis summarizes the work and gives an outlook on future research directions.