PKI/PMI应用研究及在公安信息化中的实现
|
摘要
由于计算机网络具有开放性、多样性及操作系统和应用系统存在固有缺陷的原因,易受黑客、木马、病毒、恶意软件和其他非授权行为威胁和攻击。随着基于Internet电子政务、电子商务、网上购物等业务迅猛发展,网络安全问题越来越突出。公安信息系统实现异地联网,虽然不与Internet相联,也存在上述网络安全问题,能否彻底、有效地解决这些问题也就决定着公安信息系统建设是否成功。
2004年,公安内部主管部门启动公安信息中心信息化建设项目,要求对省、市信息中心的原有网络、数据库系统及OA系统等进行改造,在安全可靠前提条件下实现应用系统互联,并逐步实现全国联网。
本文基于“公安信息中心局域网改造及信息化建设”项目,对公安信息化基础理论进行系统探索和总结,从完善软件体系结构和保障应用安全出发,着力研究解决公安应用系统建设“信息孤岛”及安全保障问题。实现公安信息化必须在PKI/PMI技术框架下将原有各公安信息中心孤立的、不联网应用系统改造成互联应用系统,将原有基于用户名/口令登录方式应用系统改造成基于PKI/PMI工作模式、能够独立授权管理和访问控制的应用系统。
本文重点研究应用系统中必不可少的用户身份认证、权限管理等问题,应用PKI/PMI组件技术。该组件基于PKI/PMI技术体系,实现X.509标准证书的发放和管理以及相关安全通信、信息加密、数字签名等,建立一个统一的相互信任体系。采用高度集中的用户身份管理和访问权限设定,以及多种审计技术,为复杂网络系统和应用提供可管理的复合安全技术,实现身份认证、访问控制和信息加密,保证应用系统运行安全。该组件基于各种应用服务和操作系统底层构造,为应用系统、应用服务器提供全面的安全服务。它可以适用多种操作系统和应用环境,提供标准应用接口,对上层应用系统完全透明,为公安信息化系统建设提供网络安全。
本文结合在PKI/PMI安全组件基础上建成的一个公安信息系统子系统――办公自动化系统,阐述PKI/PMI组件在公安信息系统中具体应用及工作模式。
本文设计并实现基于PKI/PMI技术框架的安全组件,建立公安信息系统安全与运行管理平台。通过该平台统一、规范接口,实现统一身份认证和访问授权控制,同时采取集中审计措施对涉及到系统安全的操作进行监控,保障应用系统、相关数据库资源、敏感信息资源的安全,实现可控、安全的访问。
The computer network is vulnerable to hackers, Trojans, viruses, malicious software and other non-authorized acts because of its characteristics of openness, diversity and the inherent flaws of operating systems and application programs. With the rapid development of related industries, such as Internet-based e-government, e-commerce, online shopping, the security of network is becoming more and more important. The police network system is not connected with the Internet, but when it realizes remote networking, it also encounters the mentioned security problems of network. Whether these problems can be solved completely and effectively or not will directly determine whether the construction of police information system can succeed.
In 2004 the internal governing department of the police starts up the construction of the police information center. These projects demand that all networks, database systems and OA systems in provincial and municipal information centers should be reconstructed and based on a safe and reliable condition. Then the realization of the applied systems connected with each other and nationwide networking will be gradually achieved.
Based on the project of“The Reconstruction of the LAN of Police Information Center and The Construction of Information Systems”, this thesis systemically explores and summarizes the basic theories of the police information systems. As the main content of this thesis, the problems of security and“the isolated islands of information " in police application systems are studied and solved. The police information systems must be realized using the PKI and PMI technology. The original isolated application systems in each police information center are connected to form a connecting application system and the application systems which are based on user’s name/password also must be changed into one that is based on the mode of PKI/PMI which can be accessed and managed independently.
This thesis focuses on the issues, such as the authentification of user and permission management, which are necessary for application system. The PKI/PMI subassembly technology is also applied in the present thesis. Based on the PKI/PMI technology it realizes the issuance and management of the X.509 standard certificate, the related safety communications, information encryption, digital signature, and so on. And it also establishes and maintains a unified system of mutual trust. By using the highly centralized management of user identities, the access rights settings, and a variety of audit technologies, it offers the manageable and complex security technology for complicated network system and its application, It can achieve authentication, accessed control and information encryption to ensure the safe operation of application systems. Based on a variety of applications and the underlying operating system structure, it can provide a full range of security services for applications system and application servers. It can be applied to a variety of operating systems and application environments, offer standard application interface, completely transparent for the upper application system, and provide network security for the construction of police information systems.
Combined with the subsystem of the information system of police---office automation systems built on the basis of PKI/PMI secure component, this thesis describes the detailed applications and operation mode of the PKI/PMI secure components in the police information system.
In this thesis the security units based on the framework of PKI/PMI technology is designed and implemented, and the management platform on which the police information system can safely run is established. Through the uniform and standardized interfaces the unification authorized authentication and access control is realized. At the same time, by using the concentrate and audit measures to monitor the operation which relate to the system security and protect applications, the relevant database resources, the security of sensitive information resources, and the controllable and safe access can be realized.
2004年,公安内部主管部门启动公安信息中心信息化建设项目,要求对省、市信息中心的原有网络、数据库系统及OA系统等进行改造,在安全可靠前提条件下实现应用系统互联,并逐步实现全国联网。
本文基于“公安信息中心局域网改造及信息化建设”项目,对公安信息化基础理论进行系统探索和总结,从完善软件体系结构和保障应用安全出发,着力研究解决公安应用系统建设“信息孤岛”及安全保障问题。实现公安信息化必须在PKI/PMI技术框架下将原有各公安信息中心孤立的、不联网应用系统改造成互联应用系统,将原有基于用户名/口令登录方式应用系统改造成基于PKI/PMI工作模式、能够独立授权管理和访问控制的应用系统。
本文重点研究应用系统中必不可少的用户身份认证、权限管理等问题,应用PKI/PMI组件技术。该组件基于PKI/PMI技术体系,实现X.509标准证书的发放和管理以及相关安全通信、信息加密、数字签名等,建立一个统一的相互信任体系。采用高度集中的用户身份管理和访问权限设定,以及多种审计技术,为复杂网络系统和应用提供可管理的复合安全技术,实现身份认证、访问控制和信息加密,保证应用系统运行安全。该组件基于各种应用服务和操作系统底层构造,为应用系统、应用服务器提供全面的安全服务。它可以适用多种操作系统和应用环境,提供标准应用接口,对上层应用系统完全透明,为公安信息化系统建设提供网络安全。
本文结合在PKI/PMI安全组件基础上建成的一个公安信息系统子系统――办公自动化系统,阐述PKI/PMI组件在公安信息系统中具体应用及工作模式。
本文设计并实现基于PKI/PMI技术框架的安全组件,建立公安信息系统安全与运行管理平台。通过该平台统一、规范接口,实现统一身份认证和访问授权控制,同时采取集中审计措施对涉及到系统安全的操作进行监控,保障应用系统、相关数据库资源、敏感信息资源的安全,实现可控、安全的访问。
The computer network is vulnerable to hackers, Trojans, viruses, malicious software and other non-authorized acts because of its characteristics of openness, diversity and the inherent flaws of operating systems and application programs. With the rapid development of related industries, such as Internet-based e-government, e-commerce, online shopping, the security of network is becoming more and more important. The police network system is not connected with the Internet, but when it realizes remote networking, it also encounters the mentioned security problems of network. Whether these problems can be solved completely and effectively or not will directly determine whether the construction of police information system can succeed.
In 2004 the internal governing department of the police starts up the construction of the police information center. These projects demand that all networks, database systems and OA systems in provincial and municipal information centers should be reconstructed and based on a safe and reliable condition. Then the realization of the applied systems connected with each other and nationwide networking will be gradually achieved.
Based on the project of“The Reconstruction of the LAN of Police Information Center and The Construction of Information Systems”, this thesis systemically explores and summarizes the basic theories of the police information systems. As the main content of this thesis, the problems of security and“the isolated islands of information " in police application systems are studied and solved. The police information systems must be realized using the PKI and PMI technology. The original isolated application systems in each police information center are connected to form a connecting application system and the application systems which are based on user’s name/password also must be changed into one that is based on the mode of PKI/PMI which can be accessed and managed independently.
This thesis focuses on the issues, such as the authentification of user and permission management, which are necessary for application system. The PKI/PMI subassembly technology is also applied in the present thesis. Based on the PKI/PMI technology it realizes the issuance and management of the X.509 standard certificate, the related safety communications, information encryption, digital signature, and so on. And it also establishes and maintains a unified system of mutual trust. By using the highly centralized management of user identities, the access rights settings, and a variety of audit technologies, it offers the manageable and complex security technology for complicated network system and its application, It can achieve authentication, accessed control and information encryption to ensure the safe operation of application systems. Based on a variety of applications and the underlying operating system structure, it can provide a full range of security services for applications system and application servers. It can be applied to a variety of operating systems and application environments, offer standard application interface, completely transparent for the upper application system, and provide network security for the construction of police information systems.
Combined with the subsystem of the information system of police---office automation systems built on the basis of PKI/PMI secure component, this thesis describes the detailed applications and operation mode of the PKI/PMI secure components in the police information system.
In this thesis the security units based on the framework of PKI/PMI technology is designed and implemented, and the management platform on which the police information system can safely run is established. Through the uniform and standardized interfaces the unification authorized authentication and access control is realized. At the same time, by using the concentrate and audit measures to monitor the operation which relate to the system security and protect applications, the relevant database resources, the security of sensitive information resources, and the controllable and safe access can be realized.
引文
[1]关振胜,《公钥基础设施 PKI 与认证机构 CA》[M],电子工业出版社,2002.1;
[2]谢冬青 冷健,《PKI原理与技术》[M],清华大学出版社,2003;
[3]胡昌振,把握我国信息安全技术跨越式发展机遇[J],计算机安全,2003, P31;
[4]欧三任,公安工作信息化的内涵及其实现途径[J],长沙铁道学院学报,2004. 9;
[5]渔河,关于金盾工程实践中问题的思考,广东公安科技,2004;
[6]龙毅宏,美国和加拿大 PKI/CA 体系的分析[J],网络世界,2002(7);
[7]Peter Alterman,The U.S. Federal PKI and the Federal Bridge Certification Authority [S], Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority, May 7, 2001;
[8]ITU-T Recommendation X.509|ISO/IEC 9594-8: “Information Technology-Open Systems Interconnection, The Directory: Public Key and Attribute Certificate Frameworks” , Feb,2001. P71-109;
[9]Babak Sadighi Firozabadi,Using Authority Certificates to Create Management Structures, Lecture Notes in Computer Science Volume 2467/2002 P134-145;
[10]Ed Dawson,A New Design of Privilege Management Infrastructure for Organizations Using Outsoured PKI, In Proe. of 5th International Conference on Information Security, pages136-149, 2002;
[11]R. Horsley, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC3280, 2002.4;
[12]S. Farrell,An Internet Attribute Certificate Profile for Authorization, RFC 3281, 2002.4;
[13]IETF, Internet-Drafts: Attribute Certificate Policies extension。http://www.ietf.org.;
[14]Javier Lopez, Antonio Manna, PKI design based on the use of on-line certification authorities ,《International Journal of Information Security》,2004.2;
[15]李涛,《网络安全概论》[M],电子工业出版社,2004.6;
[16]卢开橙,《计算机密码学》[M],清华大学出版社,1998;
[17]Carlisle Adams and Stever Lloyd,Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations [M]. Macmillan Technical Publishing, 1999;
[18]《信息处理系统 开放系统互连》,中华人民共和国国家标准 GB/T 9387.2—1995 ISO 7498-2—1989;
[19]S.Farrell, An Internet Attribute Certificate Profile for Authorization, RFC3281,April 2002;
[20]马春旺,基于 PKI 的 PMI 的研究与实现 [D] ,吉林大学,2003;
[21]Nian Liu,Bin Duan,Jian Wang and Shenglong Huang,Study on PMI based access control ofsubstation automation system,Power Engineering Society General Meeting, 2006. IEEE 18-22 June 2006 Page 7;
[22]William Stallings,《 密码编码学与网络安全》[M] ,电子工业出版社,2001.4.
[23]R. Housley, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, RFC3280, April 2002;
[24]吴鹏 王晓峻 苏新宁,基于PKI/PMI的Web应用安全解决方案[J],计算机工程与应用2006年 42卷 6期 P1-3;
[25]Biao Li, Kaiyu Dai, Shensheng Zhang,Virtual Certificate Authority for Virtual Enterprises Advanced Issues of E-Commerce and Web-Based Information Systems, WECWIS 2001, Third International Workshop on.21-22 June 2001 Page:222 – 224;
[26]WAHL M,Lightweight Directory Access Protocol(v3),RDC225,1997;
[27]蔡亦波,利用 LDAP 实现 PKI 证书的操作[D],上海交通大学,2001;
[28]张军,基于 LDAP 目录服务器的研究与实现[D],中国科学院软件研究所,2002;
[29]David W. Chadwick,The PERMIS X.509 role based Privilege Management Infrastructure, Future generation computer systems, 2003.19, P 277-289;
[30]李俊娥,PKI 与 PMI 联合安全认证系统及其设计[J],计算机应用,2002.12, P7-10;
[31]D. Bruschi, A. CurtiA.,quantitative study of Public Key Infrastructures, 《Computers & Security》,Vol22, 2003;
[32]沈剑,基于 PKI 的证书管理和交叉认证 [D] ,上海交通大学,2003;
[33]刘宏月 范九伦 马建峰,访问控制技术研究进展[J],小型计算机系统,2004年25卷 1期,P56-59;
[34]Carlisle Adams, A Global PMI for Electronic Content Distribution, In Proc. of The 7th Annual International Workshop on Selected Areas in Cryptography, pages 158一168, 2000;
[35]熊雁凌,安全WWW服务器的设计与实现及PKI体系的设计 [D] ,中国科学院软件研究所,2003;
[36]谭寒生,授权管理基础设施PMI的研究及原型设计与实现 [D] ,电子科技大学,2003;
[37]杨绚渊 刘艳 陆建德,一种改进的交叉认证路径构造算法设计[J], Vol.32,No.24 计算机工程,2006.12 p146-148;
[38]姜峰 袁卫中,角色访问控制在PKI中的实现[J] , 计算机工程与应用,2003,20(1),P150-153;
[39]霍雪松 唐德善 朱红,基于PKI/PMI的电力WEB应用安全框架[J],微计算机信息2007 Vol.23 No.3 P.61-62;
[40]Jordi Forne, "Web-based Authorization based on X.509 Privilege Management Infrastructure", In Proc. of 2003 IEEE Pacific Rim Conference onCommunications Computers, and Signal Processing, pages 565-568, vo1.2, 2003;
[41]B. Blobbed, "Using a Privilege Management Infrastructure for secure web-based e -health applications", Computer Communications, 2003.26, P l863-1872;
[42]邱意民,《基于PKI/CA和PMI/AA技术的认证授权体系在电子政务中的安全应用》,第十七次全国计算机安全学术交流会暨电子政务安全研讨会论文集,2002, P 200-202;
[43]余胜生、欧阳长春,访问控制技术在SSL VPN系统中的应用[J],华中科技大学学报 Vol.34 No.7 2006.7。
[2]谢冬青 冷健,《PKI原理与技术》[M],清华大学出版社,2003;
[3]胡昌振,把握我国信息安全技术跨越式发展机遇[J],计算机安全,2003, P31;
[4]欧三任,公安工作信息化的内涵及其实现途径[J],长沙铁道学院学报,2004. 9;
[5]渔河,关于金盾工程实践中问题的思考,广东公安科技,2004;
[6]龙毅宏,美国和加拿大 PKI/CA 体系的分析[J],网络世界,2002(7);
[7]Peter Alterman,The U.S. Federal PKI and the Federal Bridge Certification Authority [S], Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority, May 7, 2001;
[8]ITU-T Recommendation X.509|ISO/IEC 9594-8: “Information Technology-Open Systems Interconnection, The Directory: Public Key and Attribute Certificate Frameworks” , Feb,2001. P71-109;
[9]Babak Sadighi Firozabadi,Using Authority Certificates to Create Management Structures, Lecture Notes in Computer Science Volume 2467/2002 P134-145;
[10]Ed Dawson,A New Design of Privilege Management Infrastructure for Organizations Using Outsoured PKI, In Proe. of 5th International Conference on Information Security, pages136-149, 2002;
[11]R. Horsley, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC3280, 2002.4;
[12]S. Farrell,An Internet Attribute Certificate Profile for Authorization, RFC 3281, 2002.4;
[13]IETF, Internet-Drafts: Attribute Certificate Policies extension。http://www.ietf.org.;
[14]Javier Lopez, Antonio Manna, PKI design based on the use of on-line certification authorities ,《International Journal of Information Security》,2004.2;
[15]李涛,《网络安全概论》[M],电子工业出版社,2004.6;
[16]卢开橙,《计算机密码学》[M],清华大学出版社,1998;
[17]Carlisle Adams and Stever Lloyd,Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations [M]. Macmillan Technical Publishing, 1999;
[18]《信息处理系统 开放系统互连》,中华人民共和国国家标准 GB/T 9387.2—1995 ISO 7498-2—1989;
[19]S.Farrell, An Internet Attribute Certificate Profile for Authorization, RFC3281,April 2002;
[20]马春旺,基于 PKI 的 PMI 的研究与实现 [D] ,吉林大学,2003;
[21]Nian Liu,Bin Duan,Jian Wang and Shenglong Huang,Study on PMI based access control ofsubstation automation system,Power Engineering Society General Meeting, 2006. IEEE 18-22 June 2006 Page 7;
[22]William Stallings,《 密码编码学与网络安全》[M] ,电子工业出版社,2001.4.
[23]R. Housley, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, RFC3280, April 2002;
[24]吴鹏 王晓峻 苏新宁,基于PKI/PMI的Web应用安全解决方案[J],计算机工程与应用2006年 42卷 6期 P1-3;
[25]Biao Li, Kaiyu Dai, Shensheng Zhang,Virtual Certificate Authority for Virtual Enterprises Advanced Issues of E-Commerce and Web-Based Information Systems, WECWIS 2001, Third International Workshop on.21-22 June 2001 Page:222 – 224;
[26]WAHL M,Lightweight Directory Access Protocol(v3),RDC225,1997;
[27]蔡亦波,利用 LDAP 实现 PKI 证书的操作[D],上海交通大学,2001;
[28]张军,基于 LDAP 目录服务器的研究与实现[D],中国科学院软件研究所,2002;
[29]David W. Chadwick,The PERMIS X.509 role based Privilege Management Infrastructure, Future generation computer systems, 2003.19, P 277-289;
[30]李俊娥,PKI 与 PMI 联合安全认证系统及其设计[J],计算机应用,2002.12, P7-10;
[31]D. Bruschi, A. CurtiA.,quantitative study of Public Key Infrastructures, 《Computers & Security》,Vol22, 2003;
[32]沈剑,基于 PKI 的证书管理和交叉认证 [D] ,上海交通大学,2003;
[33]刘宏月 范九伦 马建峰,访问控制技术研究进展[J],小型计算机系统,2004年25卷 1期,P56-59;
[34]Carlisle Adams, A Global PMI for Electronic Content Distribution, In Proc. of The 7th Annual International Workshop on Selected Areas in Cryptography, pages 158一168, 2000;
[35]熊雁凌,安全WWW服务器的设计与实现及PKI体系的设计 [D] ,中国科学院软件研究所,2003;
[36]谭寒生,授权管理基础设施PMI的研究及原型设计与实现 [D] ,电子科技大学,2003;
[37]杨绚渊 刘艳 陆建德,一种改进的交叉认证路径构造算法设计[J], Vol.32,No.24 计算机工程,2006.12 p146-148;
[38]姜峰 袁卫中,角色访问控制在PKI中的实现[J] , 计算机工程与应用,2003,20(1),P150-153;
[39]霍雪松 唐德善 朱红,基于PKI/PMI的电力WEB应用安全框架[J],微计算机信息2007 Vol.23 No.3 P.61-62;
[40]Jordi Forne, "Web-based Authorization based on X.509 Privilege Management Infrastructure", In Proc. of 2003 IEEE Pacific Rim Conference onCommunications Computers, and Signal Processing, pages 565-568, vo1.2, 2003;
[41]B. Blobbed, "Using a Privilege Management Infrastructure for secure web-based e -health applications", Computer Communications, 2003.26, P l863-1872;
[42]邱意民,《基于PKI/CA和PMI/AA技术的认证授权体系在电子政务中的安全应用》,第十七次全国计算机安全学术交流会暨电子政务安全研讨会论文集,2002, P 200-202;
[43]余胜生、欧阳长春,访问控制技术在SSL VPN系统中的应用[J],华中科技大学学报 Vol.34 No.7 2006.7。