Research on PKI-Based Information Security for Office Automation Networks
Abstract
With the widespread application of computer network and communication technologies in e-government and e-commerce, office automation provides a scientific basis for management and decision-making in enterprises and government. However, information security and confidentiality remain a constant concern. As a special application domain of information networks, an office automation system handles a large amount of data and information that needs protection, and it has its own particular characteristics. If the security of the system is compromised, resulting in security incidents such as the exposure or loss of sensitive information or attacks on the network, the consequences can be serious. How to guarantee the timeliness, integrity, confidentiality and non-repudiation of data transmitted by office automation systems in a networked environment has become a major research topic in the field of network information security. PKI, built on public-key cryptography theory and technology, provides a sound basis for solving this problem.
     PKI uses certificates to manage public keys and, through a certification authority (CA), solves the problems of key management and identity authentication in the network. It also provides data encryption/decryption and authentication, ensuring that network security can be implemented reliably.
     Based on a study of PKI theory and technology, this thesis innovatively applies PKI to office automation networks, and designs and implements a cryptographic service system with high security, generality and extensibility. The system can issue and manage certificates and generate and manage keys according to the PKCS standards, and provides PKI services to users. The main contributions are as follows:
     (1) It analyzes the security problems present in office automation systems, discusses in detail the relationship between office automation systems and network security and between cryptographic technology and network information security, and proposes an effective solution for office automation information security.
     (2) It studies and discusses in depth the relevant cryptographic theory and the theory and architecture of PKI, and studies and summarizes CryptoAPI and CDSA. It proposes design principles for OA systems in a PKI/CA environment and, taking into account the particular characteristics of office automation networks and the operational requirements of real networks, designs a security service architecture based on the PKI/CA mechanism.
     (3) According to the system requirements, and on the basis of the proposed security service solution and security service architecture, it designs a cryptographic server consisting mainly of a public security interface (PSI), a management and scheduling unit, a real-time monitoring and logging unit, and a cryptographic service unit, and describes in detail the implementation of each module of its core part, the cryptographic service unit.
     (4) The cryptographic service unit was tested by simulation under laboratory conditions, and the test results meet the theoretical requirements.
