Design and Security Research of a Sports Scientific Research Information Management System
Abstract
This thesis first introduces the project background and the security technologies relevant to the sports scientific research information system, with emphasis on public-key encryption and the SSL protocol, and then describes PKI technology and the CA certification system in detail. It gives a systematic account of the development and design process of the sports scientific research information management system and proposes solutions to several key problems. Building on a thorough understanding of the security technologies and on the design and construction of the system, it applies CA technology to implement identity authentication.

The Shanxi Province Sports Scientific Research Information Management System is a software system designed and developed against the background of the sports information management needs of the Sports Science Research Institute of the Shanxi Provincial Sports Bureau, with the aims of improving the bureau's information management efficiency, meeting the requirements of modern sports management, and promoting scientific, standardized management at the bureau. The design takes full account of the intended users and environment, allows for future network development and expansion of business requirements, and follows the government's guidance on e-government construction. It adheres to the principles of being advanced, practical, secure and confidential, standardized, extensible, reliable and maintainable, in order to arrive at a reasonable, resource-optimized system design.

For the detailed design, the thesis first carries out an outline analysis of the system, determining the overall goals, the functional requirements, and the characteristics of the users. It then presents the overall framework, describes the functional requirements in detail, and designs the functional modules and the database. During implementation it raises and solves several important problems, such as code optimization, prevention of SQL injection, and the implementation of different permissions for different users.

The security of a networked system bears directly on the security of its information and the reliability of network operation. The first line of defense is a sound access control system that prevents unauthorized users from accessing sensitive information held by government departments. The thesis adopts a modified role-based access control model, in which permissions are determined by role and can be adjusted for individual users. User authentication no longer relies on the traditional, less secure password method; instead it uses CA-based authentication to make authentication secure and reliable.

Taking the development process and security analysis of the Shanxi Province Sports Scientific Research Information Management System as its main thread, the thesis analyzes the design workflow and the tasks completed at each stage, discusses the key technologies involved in development, summarizes the system's main features and shortcomings, and sets out the direction of future work and its final goals.
