网络认证系统研究与应用
摘要
网格安全问题时网格计算中的一个核心问题。由于目前网格安全的国际标准还处在制定阶段,包括全球网格论坛GGF(Global Grid Forum)、对象管理组织OMG(Object Management Group)、万维网联盟W3C(World Wide Web Consortium)以及Globus项目组在内的诸多团体都试图争夺网格标准的制定权。
网格安全是国家利益、集体利益和用户切身利益的大事,是只能依靠我国自身力量发展的技术。其中,用户访问身份验证技术能够确认参与加密对话的实体的身份,防止黑客伪造身份、恶意窃听和篡改,在网格计算的通信安全和资源访问安全方面起到重要的保护作用。
本文以网络计算中的安全认证技术为背景,首先从网格计算所面临的安全威胁着手,讲述了现在普遍采用的四种安全模型,并进一步探讨如何利用安全认证技术构筑一个可靠高效的认证系统,提出一种新的模型体系,并设计一个认证支持系统。
Grid security is the kernel of Grid computations. There is not an uniform international standard of grid security now, Some international organizations, such as GGF( Global Grid Forum) OMG( Object Management Group) W3C( World Wide Web Consortium) and Globus Grid Forum, are instituting the standards of grid security by themselves and contesting the right to became the international standard.
The Grid Security is closely related to the immediate interests of our country, society and subscribers, which only can be developed by technology power of our own. Among these, Client Access Authentication Technology ensures encrypting communications participator's identification against hacker's fabricating status, malicious bugging and distorting, and plays an important role in protecting the security of Grid computations communication and recourses accessing.
This paper focuses on the Grid Security and it elaborates on the application of security certificate technology. We will list the threaten on the Grid computations, then we analyze the grid security structure, to state the four models. We will introduce the principles of the models, and introduce how to create a safety Certificate Authority (CA) System. And in this article, a new model will be created and a new certificate authority system will be established.
网格安全是国家利益、集体利益和用户切身利益的大事,是只能依靠我国自身力量发展的技术。其中,用户访问身份验证技术能够确认参与加密对话的实体的身份,防止黑客伪造身份、恶意窃听和篡改,在网格计算的通信安全和资源访问安全方面起到重要的保护作用。
本文以网络计算中的安全认证技术为背景,首先从网格计算所面临的安全威胁着手,讲述了现在普遍采用的四种安全模型,并进一步探讨如何利用安全认证技术构筑一个可靠高效的认证系统,提出一种新的模型体系,并设计一个认证支持系统。
Grid security is the kernel of Grid computations. There is not an uniform international standard of grid security now, Some international organizations, such as GGF( Global Grid Forum) OMG( Object Management Group) W3C( World Wide Web Consortium) and Globus Grid Forum, are instituting the standards of grid security by themselves and contesting the right to became the international standard.
The Grid Security is closely related to the immediate interests of our country, society and subscribers, which only can be developed by technology power of our own. Among these, Client Access Authentication Technology ensures encrypting communications participator's identification against hacker's fabricating status, malicious bugging and distorting, and plays an important role in protecting the security of Grid computations communication and recourses accessing.
This paper focuses on the Grid Security and it elaborates on the application of security certificate technology. We will list the threaten on the Grid computations, then we analyze the grid security structure, to state the four models. We will introduce the principles of the models, and introduce how to create a safety Certificate Authority (CA) System. And in this article, a new model will be created and a new certificate authority system will be established.
引文
[1] Ian Foster & Carl Kesselman, 《The Grid: Blueprint for a New Computing Infrastructure》, 1998:
[2] Gabrielle Allen, Edward Seidel, John Shalf, 《Scientific Computing of the Grid》, 2002;
[3] Glen Bruce,《分布式计算的安全原理》,机械工业出版社,2002.9:
[4] Behrouz Forouzan, 《Intoducion to data communication networking》, 2002.5;
[5] Stephen R.Schach, 《Object-Oriented and Classical Software Engineering (Fitth Edition)》, 机械工业出版社,2002.8:
[6] R.J. Allan 等, 《A Globus Developers' Guide with Installation and Maintenance Hints (Globus 1.1. x开发人员安装和维护指南)》2001.10.19;
[7] Ian Foster, Carl Kesselman,Jeffrey M. Nick, Steven Tuecke, 《The Physiology of the Grid-An Open Grid Services Architecture for Distributed Systems Integration》, 2002;
[8] Andrew S.Tanenbaum, 《Computer Networks (Third Edition)》, 清华大学出版社;
[9] Peng Liu, Yao Shi,Francis C.M.Lau,Cho-Li Wang, San-Li Li, (Grid Demo Proposal: AntiSpamGrid》, 会议报告, 2003;
[10] 肖侬、卢锡城、王怀民,《网络计算的四种形式》,国防科技大学并行与分布处理国家重点实验室,2002.10.24;
[11] 都志辉、陈渝、刘鹏,《网格计算》,清华大学出版社,2002;
[12] 刘鹏,《我国网格研究现状》,清华大学高性能所网格研究组,2003.03.02;
[13] 段宁华,《网络应用解决方案》,人民邮电出版社,2002.7;
[14] 谈恩华、李伟,《Globus项目进展和技术水平分析》,研究报告,2001.2.12;
[15] 高传善、钱松荣等,《数据通信与计算机网络》,高等教育出版社,2002.2;
[16] 陈鸣,《网络工程设计教程》,科学出版社,2002.9;
[17] 余镇危,《百兆位千兆位计算机网络技术》,北航出版社,1998.11;
[18] Globus, http://www.globus.org/;
[19] 网格计算概述(IBM),http://www-900.ibm.com/cn/grid/index.shtml;
[20] 中国网格,http://www.chinagrid.com/;
[21] 网格,梦想与现实的距离,《计算机世界报》2003年第3期B18;
[22] 高端计算(网格)环境,http://www.ict.ac.cn/kexue/xm2.htm;
[23] GGF GETS "GLOBAL WORKSPACE", http://www.gridforum.org/;
[24] CGF数据网格工作组,http://www.chinagrid.net/grid/datateam/index.htm;
[25] OGSA-DAI 3.0 安装配置指南,http://www.ogsadai.org.uk;
[26] 信息网格-下一代信息服务平台,http://hpclab.cs.tsinghua.edu.cn/news/20030204.htm;
[27] Carlisle Adams,Steve Lloyd,《公开密钥基础设施—概念、标准和实施》.冯登国等译,人民邮电出版社,2001;
[28] RolfOppliger,《www安全技术》.杨义先等译,人民邮电出版社,2001;
[29] RFC 2560 Internet X.509 Public Key Infrastructre: Online Certificate Status Protocol-OCSP;
[30] Introduction to Grid Computing with Globus (网格计算红皮书) http://www.ibm.com;
[31] 《4万亿次的精彩》,《电脑报》2003年12月22日第50期(总第617期);
[32] 分布式安全性,http://www.microsoft.com/security/worldwide.asp;
[33] Frederick J Hirsch, 《Certificates using SSLeay》, 1999;
[34] Alan O Freier, Philip Karlton, 《The SSL Protocol Version 3.0. Netacape Communications》, 1996;
[35] OpenSSL for Windows Developer's Guide, http://www.visualSSL.com;
[36] 卢开澄,《计算机密码学:计算机网络中的数据保密与安全》,清华大学出版社,1998.7;
[37] 王育民,刘建伟,《通信网的安全—理论与技术》,西安电子科技大学出版社,1999.4:
[38] Naganand Doraswamy,Dan Harkins,IPSec—新一代因特网安全标准,机械工业出版社,2000.1;
[39] RFC 1510, "The Kerberos Network Authentication Service(V5)":
[40] 周明天、汪文勇,《TCPflP网络原理与技术》,清华大学出版社,1996.4;
[41] 于增贵,《数字签名标准》,电讯技术,1995.8;
[42] 赵家敏,《电子货币》,广东经济出版社,2002.5。
[2] Gabrielle Allen, Edward Seidel, John Shalf, 《Scientific Computing of the Grid》, 2002;
[3] Glen Bruce,《分布式计算的安全原理》,机械工业出版社,2002.9:
[4] Behrouz Forouzan, 《Intoducion to data communication networking》, 2002.5;
[5] Stephen R.Schach, 《Object-Oriented and Classical Software Engineering (Fitth Edition)》, 机械工业出版社,2002.8:
[6] R.J. Allan 等, 《A Globus Developers' Guide with Installation and Maintenance Hints (Globus 1.1. x开发人员安装和维护指南)》2001.10.19;
[7] Ian Foster, Carl Kesselman,Jeffrey M. Nick, Steven Tuecke, 《The Physiology of the Grid-An Open Grid Services Architecture for Distributed Systems Integration》, 2002;
[8] Andrew S.Tanenbaum, 《Computer Networks (Third Edition)》, 清华大学出版社;
[9] Peng Liu, Yao Shi,Francis C.M.Lau,Cho-Li Wang, San-Li Li, (Grid Demo Proposal: AntiSpamGrid》, 会议报告, 2003;
[10] 肖侬、卢锡城、王怀民,《网络计算的四种形式》,国防科技大学并行与分布处理国家重点实验室,2002.10.24;
[11] 都志辉、陈渝、刘鹏,《网格计算》,清华大学出版社,2002;
[12] 刘鹏,《我国网格研究现状》,清华大学高性能所网格研究组,2003.03.02;
[13] 段宁华,《网络应用解决方案》,人民邮电出版社,2002.7;
[14] 谈恩华、李伟,《Globus项目进展和技术水平分析》,研究报告,2001.2.12;
[15] 高传善、钱松荣等,《数据通信与计算机网络》,高等教育出版社,2002.2;
[16] 陈鸣,《网络工程设计教程》,科学出版社,2002.9;
[17] 余镇危,《百兆位千兆位计算机网络技术》,北航出版社,1998.11;
[18] Globus, http://www.globus.org/;
[19] 网格计算概述(IBM),http://www-900.ibm.com/cn/grid/index.shtml;
[20] 中国网格,http://www.chinagrid.com/;
[21] 网格,梦想与现实的距离,《计算机世界报》2003年第3期B18;
[22] 高端计算(网格)环境,http://www.ict.ac.cn/kexue/xm2.htm;
[23] GGF GETS "GLOBAL WORKSPACE", http://www.gridforum.org/;
[24] CGF数据网格工作组,http://www.chinagrid.net/grid/datateam/index.htm;
[25] OGSA-DAI 3.0 安装配置指南,http://www.ogsadai.org.uk;
[26] 信息网格-下一代信息服务平台,http://hpclab.cs.tsinghua.edu.cn/news/20030204.htm;
[27] Carlisle Adams,Steve Lloyd,《公开密钥基础设施—概念、标准和实施》.冯登国等译,人民邮电出版社,2001;
[28] RolfOppliger,《www安全技术》.杨义先等译,人民邮电出版社,2001;
[29] RFC 2560 Internet X.509 Public Key Infrastructre: Online Certificate Status Protocol-OCSP;
[30] Introduction to Grid Computing with Globus (网格计算红皮书) http://www.ibm.com;
[31] 《4万亿次的精彩》,《电脑报》2003年12月22日第50期(总第617期);
[32] 分布式安全性,http://www.microsoft.com/security/worldwide.asp;
[33] Frederick J Hirsch, 《Certificates using SSLeay》, 1999;
[34] Alan O Freier, Philip Karlton, 《The SSL Protocol Version 3.0. Netacape Communications》, 1996;
[35] OpenSSL for Windows Developer's Guide, http://www.visualSSL.com;
[36] 卢开澄,《计算机密码学:计算机网络中的数据保密与安全》,清华大学出版社,1998.7;
[37] 王育民,刘建伟,《通信网的安全—理论与技术》,西安电子科技大学出版社,1999.4:
[38] Naganand Doraswamy,Dan Harkins,IPSec—新一代因特网安全标准,机械工业出版社,2000.1;
[39] RFC 1510, "The Kerberos Network Authentication Service(V5)":
[40] 周明天、汪文勇,《TCPflP网络原理与技术》,清华大学出版社,1996.4;
[41] 于增贵,《数字签名标准》,电讯技术,1995.8;
[42] 赵家敏,《电子货币》,广东经济出版社,2002.5。