Design and Implementation of a Solution to P2P Network Security Using Digital Certificate Technology
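Abstract
The 21st century has seen world-shaking change, and the greatest change, the one that has drawn the most attention and altered people's lives the most, is in computer networks and information technology. Their rapid development has greatly advanced the informatization of society as a whole and sharply quickened the pace of modernization, but it has also brought many new security problems and risks, which are undirected, unpredictable, and arise continuously. Network security bears the brunt: most of the world's long-distance information exchange now takes place over networks, and computer viruses, illicit Trojan intrusion, backdoors known to criminals, spoofing attacks, illegal eavesdropping, illegal information sharing and intellectual property issues are the main problems in network security.
     In network information transfer, P2P technology (Peer to Peer, also called peer-to-peer connection or peer-to-peer networking) has become the most frequently used information control technology for the two-way dynamic exchange of networked information. Besides readily giving rise to large numbers of computer viruses and illicit Trojan intrusions, the widespread use of peer-to-peer technology has, as its most serious adverse consequence, become an accomplice to illegal information sharing and the infringement of intellectual property rights. How to solve illegal information sharing and intellectual property infringement has become a headache for those who maintain network technology around the world. Some solutions have now been found, one of which is identity authentication. As the first line of defense for information protection, identity authentication is an important guarantee that information resources can be accessed only by legitimate users. Proper use of digital certificate technology can solve these problems to a certain extent.
     Identity authentication is the process by which a computer and network system confirms the identity of an operator. Computer systems and computer networks form a virtual digital world in which all information, including a user's identity information, is represented by a specific set of data. How to ensure that the operator acting under a digital identity is the legitimate owner of that digital identity, that is, that the operator's physical identity corresponds to the digital identity, has become an important problem.
     In P2P information exchange and transfer, information is easily used illegally and intellectual property is easily stolen. After analysis from several angles, and in combination with the P2PACT system, digital certificate technology was used to develop a centralized identity authentication system. By applying digital certificate technology appropriately and adapting the information systems to interface with it, the problem of identifying users in P2P network transfers was solved fairly well. The system consists mainly of an identity authentication module and a permission management module, and the technology used is digital identity certificate technology based on PKI. Putting the system into use effectively solved the following problems: secure transmission in information systems; network-wide identity authentication for information systems; non-repudiation of key operations; malicious tampering by insiders accessing confidential information beyond their level; management of secure system operation; and security problems that may arise in information exchange between departments.
     The system has undergone trial operation, and the results show that it has good security, reliability, efficiency and extensibility, and that it goes a good way toward solving the network security problems of illegal information sharing and intellectual property theft faced by P2P downloading.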
The rapid development of computer networks and information technology has greatly advanced the informatization of enterprises and of society, but it has also produced many new security problems and risks. As the first line of defense of an information system, identity authentication is an important guarantee that information resources are accessed only by legitimate users.
     Authentication is the process by which a computer and network system confirms the identity of an operator. Computer systems and computer networks form a virtual digital world in which all information, including a user's identity information, is represented by a specific set of data. How to ensure that the operator acting under a digital identity is the legitimate owner of that identity, i.e. that the operator's physical identity corresponds to the digital identity, has become an important issue.
     A centralized authentication system based on digital certificate technology, with the information systems adapted to interface with it, can solve the user identification problem of networked information systems. The system consists mainly of an authentication module and an authority management module, and the technology used is digital certificate technology based on PKI. Putting the system into use effectively addressed the following issues: secure transmission in information systems; network-wide identity authentication for information systems; non-repudiation of key operations; malicious tampering by internal personnel accessing confidential information beyond their level; management of secure system operation; and security problems that may arise in the exchange of information between departments.
     The system has been put into trial operation on a platform for the Internet industry in a certain province. The results show that the system has good security, reliability, efficiency and scalability, and that it goes a good way toward solving the security problems that information systems face.
