Design and Implementation of a Security Scheme for City Electronic Services in a Public Client Environment
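Abstract
With the development of Internet technology, human society has entered a new information age. As the informatization of society continues to advance, people enjoy the convenience that electronic information brings, and the rapid progress of information technology has accelerated the pace at which they enjoy it. Citizens, the main participants in and ultimate beneficiaries of all kinds of social activity, are often constrained by objective factors such as cultural background, economic conditions and technical bottlenecks, and cannot make full use of information services through suitable channels. Public terminals break this constraint and can provide round-the-clock, autonomous, self-service access anytime and anywhere. These services include information queries such as social security card information, public transport card queries and public information queries, as well as e-commerce and online government services. The essence of electronic services is to integrate them on public clients to serve citizens, sparing people the trouble of running around and standing in long queues.
    Compared with a home PC, a public client sits in a completely open environment: it is open to the general public, it openly offers a variety of services, and those services run over the open Internet. Because the services are integrated, the servers of the electronic service system are also fully open to service providers. This thesis discusses the security problems of integrating electronic services on a fully open front-end server, in such an open public client environment and over the open Internet. The purpose of electronic services is to serve the public; all service provision must rest on security, and only when citizens' interests are protected is the service truly convenient.
    This thesis first describes in detail the background, characteristics, system structure and mode of operation of city electronic services in a public client environment. Then, based on the system's structure and characteristics, it analyzes in detail the security of the public client, the front-end server and the electronic services, mainly in terms of physical security, operational security and information security. After studying existing security solutions, it proposes a complete security scheme tailored to the system's defining feature, the public client environment.
    This thesis introduces a novel three-level key architecture and establishes the system's own PKI (Public Key Infrastructure) center. It solves the problem of securely transmitting data based on XML, a cross-platform language, in a distributed environment, and proposes a secure Socket transmission scheme built on SSL. The system is modeled with UML, the object-oriented modeling language; the system framework is built with J2EE technology; and a set of security components for the system platform has been developed. Finally, the thesis reviews and summarizes the project and looks ahead to its future development.
    This project provides a security reference model for application systems deployed in a distributed, public client environment. Because security is implemented as components that can be reused in the security functions of other application systems, the project has some practical value for other application systems.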
With the development of Internet technology, human society is marching toward a brand-new information age. As the informatization of society is constantly promoted, people enjoy the convenience that electronic informatization brings, and the rapid change of information technology quickens the speed at which they enjoy it. Citizens, as the main participants in and final beneficiaries of all kinds of social activities, are often restricted by objective matters such as cultural background, economic conditions and technological bottlenecks, and are unable to fully enjoy information services through a suitable channel. Public clients break that kind of restriction and make information services available anytime and anywhere.
    A citizen who uses a public terminal in a public place served by city electronic services can enjoy various kinds of services that cannot be obtained at home, such as the social security card information service, public transport card inquiry and public information inquiry. The essence of electronic services is to provide citizens with convenient service by integrating services on public clients.
    Compared with a home PC, public clients are in a totally open environment: they are open to the masses of citizens, they offer various kinds of services openly, and the services run in an open Internet environment too. The server of the electronic service system, which integrates the services, is open to service providers. What this paper discusses is therefore the security issue in the process of service integration in an environment of open public clients, an open Internet and an open Front End Server. To be convenient for people, service provision should rest on a foundation of security. Only on the premise of ensuring citizens' interests is the service offered truly convenient for people.
    Firstly, this paper introduces in detail the background, features, structure and running principle of city electronic services in a public client environment. By analyzing the security requirements of public clients, the Front End Server and the electronic services from the viewpoints of physical security, running security and information security, this paper sets forth a complete security scheme.
    This paper puts forward a three-level key system structure and builds the system's own PKI (Public Key Infrastructure). It also proposes a secure Socket transmission scheme built on SSL. The proposed system security scheme solves the problem of transmitting data safely in the form of XML in a distributed environment. The system is modeled with the UML object-oriented modeling language, and its framework is built with J2EE technology. Finally, this paper reviews and summarizes the subject and looks ahead to its future development.
    The research topic of this paper offers a very good security reference model for the application of distributed systems in a public client environment. The security components of the system can be used in other security systems, so the work also has practical value for other application systems.
