Design and Implementation of a Network Identity Authentication Security Model
Abstract
With the rapid development and widespread use of networks, network security has become increasingly important, and identity authentication, as the foundation of any network security architecture, has remained a research focus in the field. Although authentication based on a USB Key (Universal Serial Bus Key) can resolve the conflict between security and usability, a number of problems remain in making it adapt to a wide range of applications.
By analysing the application characteristics of the USB Key and adopting a C/S (Client/Server) structure, this thesis builds on the existing challenge-response two-factor authentication scheme to propose a network identity authentication security model and describes the mechanism by which it is implemented. Guided by application requirements, it combines data encryption, access control, privilege verification and network packet filtering; with secure and easy-to-use authentication as the design principle, it lays out the model's architecture, describes the concrete workflow, divides the system into functional modules in detail, and discusses the basic interaction flow between the USB Key management module, the authentication communication module, the identity authentication and access control module, the packet filtering module and the encryption/decryption module.
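The challenge-response two-factor exchange described above, written out with both sides' messages as an added example (this is not code from the thesis, and the wire framing, field names and the HMAC-SHA256 response function are assumptions standing in for the thesis's own message formats). The token object stands in for the USB Key: its secret never leaves it and a PIN must unlock it, which is what makes the scheme two-factor. The server issues a random single-use nonce with a short lifetime, so a captured response cannot be replayed.

```python
"""Challenge-response two-factor login between a client holding a simulated
USB Key and an authentication server (added example; framing, field names and
the HMAC-SHA256 response function are assumptions, not the thesis's formats)."""
import hashlib
import hmac
import secrets
import struct
import time

MSG_CHALLENGE_REQ, MSG_CHALLENGE, MSG_RESPONSE, MSG_RESULT = 1, 2, 3, 4


def pack_msg(msg_type, *fields):
    """Assumed wire frame: 1-byte type, then each field as a 2-byte big-endian
    length prefix followed by the field bytes."""
    body = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return bytes([msg_type]) + body


def unpack_msg(data):
    msg_type, pos, fields = data[0], 1, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        fields.append(data[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msg_type, fields


class UsbKeyToken:
    """Simulated USB Key: the secret never leaves the token, and a PIN must
    unlock it first (something you have plus something you know)."""
    def __init__(self, secret, pin):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False

    def unlock(self, pin):
        self._unlocked = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def respond(self, user_id, challenge):
        if not self._unlocked:
            raise PermissionError("token is locked")
        # Bind the response to the user id as well as to the nonce.
        return hmac.new(self._secret, user_id + challenge, hashlib.sha256).digest()


class AuthServer:
    """Issues single-use nonces and checks the token's response."""
    def __init__(self, user_secrets, nonce_ttl=30.0, clock=time.monotonic):
        self._secrets = dict(user_secrets)  # user_id -> key shared with the token
        self._pending = {}                  # nonce -> (user_id, issued_at)
        self._ttl = nonce_ttl
        self._clock = clock

    def handle(self, msg):
        msg_type, fields = unpack_msg(msg)
        if msg_type == MSG_CHALLENGE_REQ:
            (user_id,) = fields
            now = self._clock()
            # Purge expired nonces so the pending table cannot grow unbounded.
            self._pending = {n: e for n, e in self._pending.items()
                             if now - e[1] <= self._ttl}
            nonce = secrets.token_bytes(16)
            # A nonce is issued even for unknown users, so the reply does not
            # reveal which user ids exist; verification simply fails later.
            self._pending[nonce] = (user_id, now)
            return pack_msg(MSG_CHALLENGE, nonce)
        if msg_type == MSG_RESPONSE:
            user_id, nonce, response = fields
            ok = self._verify(user_id, nonce, response)
            return pack_msg(MSG_RESULT, b"\x01" if ok else b"\x00")
        return pack_msg(MSG_RESULT, b"\x00")

    def _verify(self, user_id, nonce, response):
        entry = self._pending.pop(nonce, None)  # consumed on first use: no replay
        if entry is None or entry[0] != user_id:
            return False
        if self._clock() - entry[1] > self._ttl:
            return False
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        expected = hmac.new(secret, user_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_login(server, token, user_id, pin):
    """Run the full exchange. Returns (success, transcript); the transcript is
    the list of wire messages so a replay can be attempted against the server."""
    if not token.unlock(pin):
        return False, []
    req = pack_msg(MSG_CHALLENGE_REQ, user_id)
    chal = server.handle(req)
    _, (nonce,) = unpack_msg(chal)
    resp = pack_msg(MSG_RESPONSE, user_id, nonce, token.respond(user_id, nonce))
    result = server.handle(resp)
    _, (flag,) = unpack_msg(result)
    return flag == b"\x01", [req, chal, resp, result]
```

Two checks matter in practice beyond the happy path: replaying the captured MSG_RESPONSE must be rejected because the nonce was consumed, and a response computed against a nonce older than the lifetime must be rejected even if it is otherwise valid. A real USB Key would compute the response inside the device with a key that is not exportable; the shared-key HMAC here only models that behaviour, and a deployment with many tokens would normally prefer a per-token keypair so that the server holds no secret worth stealing.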
On the basis of this model, the thesis designs the structure of the access control database, with role-based identity information and a role-to-application mapping, and defines a complete set of authentication communication message formats. Communication between the client and the authentication server is implemented with the I/O completion port mechanism, which improves performance when handling I/O (Input/Output) requests from a large number of concurrent clients. An NDIS (Network Driver Interface Specification) intermediate driver filters network packets according to per-user application policies at the network layer of the OSI (Open System Interconnection) seven-layer model, refining the granularity of security management to each application and each visitor, so that the network system protected by the model offers its application services only to legitimate users, substantially improving the information security of the application systems it serves.
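The access control database and the filter decision it drives, as an added example (not the thesis's schema or driver code; the table layout, the sample users, roles and applications, and the decision rule are all assumptions). An NDIS intermediate driver sits between the protocol drivers and the miniport drivers, so it sees whole frames and matches on the IP and TCP/UDP headers inside them; the decision it would make per packet is modelled here in Python over an in-memory SQLite database rather than in kernel C, which is enough to show how role-based identity information and the role-to-application mapping translate into a default-deny rule set per authenticated client.

```python
"""Role-based access control tables feeding a per-user packet filter decision
(added example; schema, sample data and decision rule are assumptions, not the
thesis's own design)."""
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE users    (user_id TEXT PRIMARY KEY, role TEXT NOT NULL);
CREATE TABLE apps     (app TEXT PRIMARY KEY, proto TEXT NOT NULL, port INTEGER NOT NULL);
CREATE TABLE role_app (role TEXT NOT NULL, app TEXT NOT NULL,
                       PRIMARY KEY (role, app),
                       FOREIGN KEY (app) REFERENCES apps(app));
-- one row per client that passed the USB Key challenge-response
CREATE TABLE sessions (client_ip TEXT PRIMARY KEY, user_id TEXT NOT NULL,
                       FOREIGN KEY (user_id) REFERENCES users(user_id));
"""

# Constructed sample data, not taken from the thesis.
SAMPLE_DATA = [
    ("INSERT INTO users VALUES (?, ?)",
     [("alice", "finance"), ("bob", "helpdesk")]),
    ("INSERT INTO apps VALUES (?, ?, ?)",
     [("erp_db", "tcp", 3306), ("ticketing", "tcp", 8080), ("rdp", "tcp", 3389)]),
    ("INSERT INTO role_app VALUES (?, ?)",
     [("finance", "erp_db"), ("helpdesk", "ticketing"), ("helpdesk", "rdp")]),
]


@dataclass(frozen=True)
class Packet:
    """The header fields the filter needs from each packet."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


class PolicyStore:
    """Access control database: identities, roles, applications, sessions."""
    def __init__(self, protected_host):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        for sql, rows in SAMPLE_DATA:
            self.db.executemany(sql, rows)
        self.protected_host = protected_host

    def bind_session(self, client_ip, user_id):
        """Called by the authentication server after a successful login."""
        self.db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)",
                        (client_ip, user_id))

    def end_session(self, client_ip):
        self.db.execute("DELETE FROM sessions WHERE client_ip = ?", (client_ip,))

    def allowed_apps(self, client_ip):
        """Map (proto, port) -> app name for everything this client's role may use."""
        rows = self.db.execute("""
            SELECT a.app, a.proto, a.port
              FROM sessions s
              JOIN users u    ON u.user_id = s.user_id
              JOIN role_app r ON r.role    = u.role
              JOIN apps a     ON a.app     = r.app
             WHERE s.client_ip = ?""", (client_ip,)).fetchall()
        return {(proto, port): app for app, proto, port in rows}


class PacketFilter:
    """Decision a filtering driver would apply to each packet bound for the
    protected host: default deny, allow only (proto, port) pairs that the
    sending IP's authenticated role is entitled to."""
    def __init__(self, store):
        self.store = store

    def decide(self, pkt):
        if pkt.dst_ip != self.store.protected_host:
            return "PASS"  # not the protected host; leave other traffic alone
        app = self.store.allowed_apps(pkt.src_ip).get((pkt.proto, pkt.dst_port))
        return f"ALLOW {app}" if app else "DROP"
```

The session table is what ties the two halves of the model together: the authentication server writes a row after a successful challenge-response, and the filter reads it for every packet. Note the limitation this introduces: the session is keyed by source IP, so any host that can spoof or share that address inherits the entitlements until the session is ended. A deployment should pair this with anti-spoofing at the network edge and should expire or re-verify sessions rather than leave them open indefinitely.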
Experimental results show that the model extends the uses of the USB Key, provides identity authentication with stable performance, and additionally offers seamless embedding into, and access control for, specific network applications, strengthening the security of those applications and showing good practical value.
Network development gives more importance to security research. As the foundation of a network security system, identity authentication is a research focus. Although authentication based on a USB Key (Universal Serial Bus Key) is both secure and user-friendly, many problems remain in adapting it to various applications.
     After analysing the characteristics of the USB Key, a secure network identity authentication model based on challenge-response mode is proposed, which adopts a C/S (Client/Server) architecture. Several technologies, such as encryption, access control, authentication and packet filtering, are employed in this model. Furthermore, the model's functions and modules are designed in more detail.
     Based on the proposed model, the relationship between identity and application is defined in several tables, and the structure of every authentication message is also introduced. Communication between client and server, implemented with completion ports, remains efficient when many I/O (Input/Output) requests arrive from clients. The adopted NDIS (Network Driver Interface Specification) intermediate driver works at the OSI (Open System Interconnection) network layer and filters every packet according to the access control rules, so that the protected network system supplies specific applications only to authenticated users.
     Experiments on the established model show that identity authentication based on the USB Key is very stable and that a seamlessly embedded access control function is provided to the applications running on it. In a word, network security is enhanced.