Authentication and Authorization for Network Database Security
Abstract
This thesis first introduces the foundations of network database security, namely modern cryptography and database security, and then introduces the principles of using fingerprint features for identity authentication. The thesis focuses on an in-depth study of identity authentication and role-based access control authorization, and proposes a new identity authentication protocol and a new access authorization method. The identity authentication protocol that combines secret information with fingerprint features is a new protocol suited to requests for sensitive information from a database; extending this protocol also secures the communicated data. A user-role mapping table is derived from the association between users and roles, and a role-table authorization table is derived from the association among roles, databases and database tables. Using the role's identification number, the authentication server dynamically applies authentication techniques of different security levels to authenticate the user and makes the authorization decision according to the authentication result; this method implements authorization in the application program without depending on a specific database. Combining the log records kept on the application server with the log records provided by the database itself yields a simple and effective new logging method. The client key is stored in a file encrypted with a salt-and-password algorithm, a key storage method that is both secure and convenient. Finally, the above function modules are applied in the secure database management system designed in the thesis, and the design and implementation of these modules are described in detail. This system is a security-enhanced database management system: it does not depend on any specific database but strengthens database security on top of an existing C2-level secure DBMS, can be used together with the original security functions provided by the specific database, and provides identity authentication, role authorization, logging and communication encryption. The protocol and scheme proposed in the thesis can fully and autonomously safeguard the security of network databases.
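As an added illustration (not code from the thesis or its system), the authorization flow the abstract describes: a user-role mapping table, a role-to-(database, table) authorization table, a role identification number that selects the required authentication level, an application-side decision that does not depend on the DBMS, and an application-level audit line for each decision. The user, role and authorization tables are constructed sample data, the level-to-factor mapping is an assumption, and the fingerprint matcher is a hypothetical boolean input.

```python
import hashlib
import hmac
import os

# Constructed sample tables following the thesis design: user->role mapping,
# role identification number, and role->(database, table)->operations table.
USER_ROLES = {"alice": "auditor", "bob": "clerk"}
ROLE_IDS = {"clerk": 1, "auditor": 2}
ROLE_AUTHZ = {
    "clerk": {("hr", "timesheets"): {"select", "insert"}},
    "auditor": {("hr", "timesheets"): {"select"}, ("hr", "salaries"): {"select"}},
}
# Assumed security levels: role id 1 needs a password, role id 2 needs the
# password plus a matched fingerprint (secret information + fingerprint).
REQUIRED_FACTORS = {1: {"password"}, 2: {"password", "fingerprint"}}

def make_password_record(password, salt=None):
    """Salted PBKDF2 record; the random salt is stored beside the digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store for the sample users.
PASSWORD_DB = {"alice": make_password_record("alice-pw"),
               "bob": make_password_record("bob-pw")}

def authenticate(user, password, fingerprint_matched):
    """Return the set of factors the server accepted for this user.
    fingerprint_matched stands in for a hypothetical fingerprint matcher."""
    rec = PASSWORD_DB.get(user)
    if rec is None:
        return set()
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    proven = {"password"} if hmac.compare_digest(cand, digest) else set()
    if fingerprint_matched:
        proven.add("fingerprint")
    return proven

def authorize(user, proven, database, table, operation, log):
    """Application-side decision, independent of the DBMS; appends an audit line."""
    role = USER_ROLES.get(user)
    need = REQUIRED_FACTORS.get(ROLE_IDS.get(role))
    if need is None or not need <= proven:          # wrong level of authentication
        log.append(f"DENY auth user={user} proven={sorted(proven)}")
        return False
    allowed = ROLE_AUTHZ.get(role, {}).get((database, table), set())
    ok = operation in allowed
    log.append(f"{'ALLOW' if ok else 'DENY'} authz user={user} role={role} "
               f"target={database}.{table} op={operation}")
    return ok
```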
