Research on Network Identity Authentication Technology and the Implementation of the VIKEY Identity Authentication System
Abstract
With the development of computer networks and the rapid spread of network applications, network security is receiving increasing attention. Identity authentication in a network environment is an important topic in network security and plays a critical role in the security of network applications. Identity authentication addresses the problem of verifying the true identities of the two parties in a network communication, with the goal of establishing a relationship of mutual trust between them. Research on the theoretical analysis and system design of identity authentication technology can strengthen the security, usability and manageability of existing authentication systems, improve system efficiency, and provide efficient and practical solutions for network security applications. This thesis focuses on identity authentication mechanisms and authentication protocols, studying the characteristics and application environments of network identity authentication systems as well as the VIKEY online dynamic-password two-factor identity authentication system that the author helped develop. The main work of the thesis covers the following aspects:
    1) Analysis of the cryptographic foundations of identity authentication. Cryptography is the basis of identity authentication technology; cryptographic mechanisms provide secure transmission, integrity and non-repudiation of authentication information. The thesis introduces the working principles, typical algorithms, and advantages and disadvantages of symmetric and asymmetric encryption, the principle of one-way hash functions, and the principle of non-repudiation mechanisms; it analyzes message authentication as it relates to identity authentication, and discusses digital signatures and digital certificates, which are closely tied to public-key authentication mechanisms.
    2) Analysis of identity authentication protocols and mechanisms. Secure and reliable authentication protocols and mechanisms are the core of identity authentication technology. Starting from the main forms of identity authentication in use today, the thesis introduces the design, analysis methods and security of authentication protocols, explains several typical authentication protocols, and then describes the main authentication mechanisms of existing identity authentication systems. It also discusses the procedures and principles of several typical application-level authentication protocols that use these mechanisms in current network environments.
    3) Analysis and improvement of the Kerberos system. Kerberos is an authentication system for distributed network environments developed at MIT. The thesis analyzes the components of the Kerberos authentication system, the protocol flow of intra-realm authentication and the multi-realm authentication scheme, and studies the functional characteristics and limitations of the Kerberos protocol model. It proposes an improvement to the original protocol in which the session key is encrypted under a public-key scheme, the session key between the client and the authentication server is generated by the client from a random number, and nonces replace timestamps, further strengthening the security of the whole protocol.
    4) Analysis of the PKI authentication architecture. Public key infrastructure (PKI) is a standards-based security platform that uses public-key cryptography to support online communication and is widely used both in China and abroad. The thesis analyzes the composition, functions, standards and protocols of existing PKI and its core component, the certification authority (CA) system; it discusses the X.509 authentication service, including the contents of X.509 digital certificates and the certificate authentication process, and also analyzes the deployment and development of PKI authentication systems.
    5) Design and implementation of the VIKEY identity authentication system. VIKEY is a network-based dynamic two-factor identity authentication system for client/server access that the author helped design and implement. The system uses a dynamic-password authentication mechanism and provides transparent identity authentication for users accessing popular network applications such as WWW, Telnet and FTP. The thesis describes the system's authentication principles, including the principle of the USB key token, the design of the authentication algorithm, the system architecture and the authentication flow, and studies the main software modules of the implementation, including the authentication client, the authentication server, the system management program and the database design. Through an analysis of the system's strengths and weaknesses, it shows that VIKEY is a concise, secure and efficient identity authentication scheme with good application prospects.
Recently, great attention has been paid to information security because of the rapid growth of computer networks. User authentication techniques, especially authentication protocols and systems, play an important role in the field of information security. Authentication reliably verifies the identity of network communication entities and is the basis of the mutual-trust relationship between them. The study of authentication protocols, in both theoretical analysis and system design, will improve the security, usability, efficiency and manageability of network security platforms and provide efficient and practical security solutions for network applications. In this dissertation we focus on authentication protocols and the design of the VIKEY user authentication system. The contributions of the dissertation are as follows.
    1) Cryptology is the foundation of authentication; it underlies data privacy, data integrity and authentication. The truly secure and reliable methods of authentication in an open network are based on authentication protocols, and cryptology is also the core issue of those protocols. We discuss the two categories of cryptography, symmetric-key and public-key, and the principles of hash functions, non-repudiation mechanisms and message authentication. We also discuss digital signatures and digital certificates, which are the basis of Public Key Infrastructure (PKI).
    2) Secure and efficient authentication protocols are the core of a user authentication system. We study the main authentication methods. The categories, design methods, analysis methods and security analysis of authentication protocols are introduced. The process of some classic authentication protocols is described in detail, and their different features and application environments are discussed through analysis of these classic protocols. Then we analyze the main authentication mechanisms.
    3) Kerberos is an authentication system used in distributed networks. The Kerberos components and the intra-realm and cross-realm authentication schemes are introduced. Its functional characteristics and limitations are also analyzed. An improved scheme is put forward in which the session key is encrypted with a public key, the client creates a random value as the session key between client and server, and a nonce replaces the timestamp. Security is enhanced through the improved scheme.
    4) Public Key Infrastructure (PKI) is widely used nowadays. We discuss its components, functions, protocols and standards. The Certification Authority (CA), which is the core of PKI, is discussed in detail. We also describe X.509 certificates and the authentication process. From our analysis of PKI, we can see that it is an important authentication technique.
    5) We design and implement a user authentication system, named VIKEY, which is based on a dynamic-password authentication mechanism and uses a USB key as the user authentication device. VIKEY can provide transparent authentication services to popular applications such as WWW, Telnet and FTP in a network environment. We discuss the principles and structure of the system, including the authentication protocol, software modules and database management. From our analysis of the system, we conclude that it is a truly secure, practical and useful one.