Research and Implementation of a Database User Authentication Mechanism
Abstract
Database user authentication is the process by which the database server establishes the identity of the client and, by extension, determines whether the client application (or the user who runs it) is permitted to connect with the user name that was requested. It is a close combination of authentication technology and database technology. With the emergence of third-party authentication products and encryption technologies, database user authentication has advanced considerably in both theory and practice. However, most existing database products are foreign-made, and the opacity of their security technology poses a serious threat to national information security. Developing a domestic database with independent intellectual property rights is therefore of great significance.
    The goal of this paper is to propose a secure, practical and efficient user authentication mechanism for a domestically developed general-purpose database system, based on an in-depth study of the authentication mechanisms of the open source DBMS PostgreSQL and other related technologies. Specifically, this paper focuses on the following authentication mechanisms:
    1) Operating system authentication. This mechanism controls login access by using the security features of network users, integrating with the login security of Windows NT 4.0 or Windows 2000. It allows users to log in to the database system quickly without entering a user name and password, and provides additional security functions by drawing on the security technologies of the operating system.
    2) A new one-time password authentication mechanism. The original PostgreSQL authentication mechanism is vulnerable to password guessing attacks and server impersonation attacks. To address this weakness, this paper designs a simple and effective password authentication mechanism that strengthens the system's defences against a range of attacks without using any cryptosystem.
    3) User authentication based on keystroke features. Once a password is stolen, database security is meaningless, while existing biometric authentication technologies require special hardware support and are expensive. This paper therefore proposes a user authentication mechanism based on keystroke features as an option for strong authentication.
    In addition, this paper introduces a user authentication framework for a general-purpose domestic database system designed with the technologies above, and describes part of its implementation.
