Design of an Application Security Control and Management System for China Construction Bank Xinjiang Branch
Abstract
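To support the implementation of the full centralization project at CCB Xinjiang, a project was proposed to build an application security control and management system for the branch's computer systems. Following the requirements of the project plan, this thesis systematically analyzes the security risks and security requirements of CCB Xinjiang's information network system, determines the security objectives for that information system, and on that basis presents a security solution for the branch's computer application systems, giving the bank's computer application systems a unified application security platform. The design is grounded in information system security theory and systems engineering principles. It builds an application security platform in a networked environment, achieves a unified security policy configuration that spans hardware models and operating system platforms and is independent of how a particular application is deployed, and implements security services including identity authentication, access control, data confidentiality and integrity control, application key management services, non-repudiation, security auditing, and data security. It provides the bank's heterogeneous computer application systems with application-level, complete and unified security services, and has complete security mechanisms of its own. After nearly a year of project development and several rounds of optimization, the application security control and management system project was fully completed. In online operation at China Construction Bank Xinjiang Branch, the system has carried out all kinds of security processing stably and efficiently, with good results.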
This thesis is based on the integrated security management system currently used by China Construction Bank Xinjiang Branch. The writer, one of its main architecture designers and developers, summarizes the most common core security problems, issues and experiences that the development organization encountered and concluded in working across platforms, covering not only hardware platforms but also operating systems. The system's architecture is based on advanced PKI and encryption techniques, configured with the hardware indispensable to the security technology, to form a substantial application security platform. This integrated application security platform provides multi-platform applications with systematic, uniform security services, mainly including user identification, confidentiality and integrity of data transmission, access control, user digital signature and verification, and cryptographic key management. The result is a control and management system that spans computer types and operating systems and is independent of particular business applications or business procedures. To sum up, under this security system, not only are the security services for the integrated business processing system ensured, but the reciprocity of data interchange and security services between different business applications is ensured as well.
