Component-Based Network Cryptography Database System
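Abstract
The continuing development of computer and communication technology means that more and more important data must be transmitted and stored over networks, which makes the security of network database systems all the more important. An effective way to secure a network database system is to build a network cryptography database. By using data encryption, digital signatures and identity authentication, combined with strict access authorization control, attackers can be prevented from stealing or tampering with information.
    This thesis first introduces the basic components of Public Key Infrastructure (PKI) and the principles of public-key encryption, and describes in detail the technical specification and implementation mechanisms of the Component Object Model (COM). Next, based on the confidentiality requirements for data in network transmission, and following the PKI approach and adopting its digital certificate mechanism, it proposes the design concept of a network cryptography database system with PKI security components at its core, together with the NCDS solution. The NCDS scheme implements an enterprise-level Certificate Authority (CA) within the local area network to carry out the certificate management work that is central to PKI. The scheme solves the security problems of identity authentication of the communicating parties, access authorization, information confidentiality, integrity and non-repudiation. At the same time, it uses the Distributed Component Object Model (DCOM) mechanism to implement communication and cooperation among PKI security components in a distributed environment, giving the network cryptography database system good transparency, ease of use, compatibility and extensibility. Finally, based on the NCDS solution, the TT_NCDS application instance was designed and implemented, and testing showed that it met the system design goals.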
With the continuing development of computer and communication technology, information sharing over the Internet has entered a new flourishing stage, and the security of network database systems has become more important. A network cryptography database is an effective way to achieve system security. In order to prevent intruders from stealing or tampering with crucial information, the fundamental requirements for a Network Cryptography Database System are to identify the parties involved, to protect information from unauthorized access and to apply signatures to encrypted data.
    This article describes the elements of Public Key Infrastructure (PKI) and shows how they are well suited to providing reliable security services. In addition, it describes the specification and implementation of the Component Object Model (COM) in detail. Finally, according to the requirements for secure data transmission in an open network, a design scheme is developed for a component-based Network Cryptography Database System that adopts PKI technology.
    The scheme implements an enterprise secure communication platform based on a certificate authority (CA). Besides role-based access control, it provides identity authentication, encryption to keep information confidential, data integrity, and non-repudiation. It also enables the use of encryption and digital signature services in a consistent manner across a wide variety of applications, and performs authentication in a way that is transparent to end users, with its own compatible and scalable PKI components based on COM / DCOM (Distributed COM).
