Research on the Application of PKI-Based Identity Authentication in E-Government
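Abstract
In recent years, e-government has become a focus of informatization efforts at government agencies at all levels in China, but it has brought with it the problem of information security in e-government systems. As the first threshold of a security system, identity authentication technology has become an important topic in e-government security, and it plays a vital role in the security of e-government.
     At present, the informatization of the industry and commerce administration system is a key construction target of the autonomous region. Using new information technology to manage enterprises digitally over the network and to work interactively with enterprises is the inevitable trend in the development of industrial and commercial administration. Online annual inspection, the new form of annual inspection for industrial and commercial enterprises, brings convenience, higher efficiency and lower costs to both the administration and the enterprises, but it also brings security risks: impersonation, information theft, information tampering and so on. Traditional password-based identity authentication is a one-way, weak form of verification: the user cannot verify the identity of the website being accessed, and data is transmitted between the browser and the server in plaintext, which is extremely insecure. To address this problem, and on the basis of practical participation, the author researched and developed a secure strong identity authentication system.
     The main work of this thesis is a study of the PKI (public key infrastructure) system and information security technology, and, on that basis, the design and development of a PKI-based identity authentication system. The system takes PKI as its design foundation, the X.509 digital certificate as its standard, the RSA public-key cryptosystem as its mathematical model and the SSL protocol as its communication standard, and uses LDAP to store and manage certificates and keys. The system module has been applied in the online annual inspection system for industrial and commercial enterprises. It not only achieves two-way identity verification between the user and the website being accessed, but also solves the problems, found in traditional password authentication, of passwords being cracked and being intercepted in transit. In addition, a secure information transmission channel is established between the browser and the server, and all data passing through this channel is transmitted as ciphertext, which removes the drawbacks of transmitting sensitive information in plaintext as was traditionally done. Finally, the thesis analyzes and studies the potential problems that arise when the identity authentication system module is put to practical use.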
In recent years, building E-government has become a hotspot in our government's information construction, but the information system security of E-government has become a problem. As the first threshold of the security system, identity authentication technology has become an important topic in E-government security, and it plays the most important role in this field.
     Nowadays, informatization of the business system is a key target of Xinjiang Autonomous Region. It is an inevitable trend to implement digital management of enterprises with new information and network technologies, realizing interactive work between the business system and enterprises. A new method has appeared: annual inspection over the network. It brings benefits, improves efficiency and saves costs. However, it also brings security risks, for example identity forgery, information theft and information tampering. Traditional, simple one-way authentication is not safe enough. It can no longer keep up with the security requirement that enterprises be able to verify the identity of the web server. Furthermore, it is dangerous that data is transmitted as plaintext through the network. Aiming at this problem, this paper designs a secure identity authentication system.
     The main work is researching PKI and information security technology, and developing an identity authentication system based on PKI, which is widely used in the field of network information security. The system takes PKI as its design foundation and X.509 as its standard. It takes the RSA public key cryptographic system as its mathematical model and SSL as its communication standard. The system uses LDAP to store and manage certificates and keys. It solves not only the problem of passwords being broken, but also the problem of passwords being intercepted in transit in the traditional authentication approach. Furthermore, there is a secure channel between the browser and the web server, and information passing through the channel is transferred as ciphertext, so the defects of transmitting important information in the traditional way are eliminated. Finally, this paper analyzes and researches the potential problems of the application.
