Research and Implementation of Secure Access for Mobile Terminals Based on Smart Cards
Abstract (translated from the Chinese)
With the rapid growth of network applications and the widespread adoption of e-commerce, conducting all kinds of business activities through mobile terminals has gradually become possible. However, the latent security problems of wireless networks have also become increasingly prominent. To resolve this contradiction, this thesis proposes and initially builds a system that combines smart cards with VPN technology to realize secure access for mobile terminals, so that operators can develop rich mobile value-added services without being constrained by concerns about system security.
     By function, the system is divided into three modules: a mobile terminal encryption module, a secure access module and a certificate authority module. The mobile terminal uses a smart card device to store certificates and encrypt data, while VPN technology builds a dedicated, secure data transmission channel for the terminal's secure access. At the same time, the smart card is a hardware device and needs a corresponding driver to tell the operating system what functions it has and how to invoke them. We therefore adopt the PKCS#11 (Public-Key Cryptography Standard #11) standard published by RSA Laboratories to develop the smart card middleware. The PKCS#11 library developed in this work is independent of the specific cryptographic device and operating system platform; it hides the complexity of the underlying security technology from application developers and gives upper-layer users a convenient and easy-to-use intermediate platform. It separates the information security module from the application system as a whole into general-purpose software, which improves software reusability.
     This thesis describes in detail the design ideas and implementation of a PKCS#11 library based on the PKCS#11 specification. In the context of the system, the author carried out work in the following areas: first, through analysis and study of the PKCS#11 specification, a design for a PKCS#11 library suited to the smart card devices of this system is proposed, splitting the library into a common function library, a communication library and a tool library, each implemented separately; second, using an object-oriented design approach, wrappers for several different smart card devices are provided; in addition, extensive test results for the completed PKCS#11 library are analysed, with test cases verifying the implementation of the main function interfaces; finally, a security analysis of the system is given in connection with the application of the PKCS#11 library.
     Because the system combines the flexibility of smart cards with the security of VPN technology, it greatly improves reliability, broadens the range of applications and meets users' security needs; it has practical guiding significance especially for building Internet access in specialised industries or fields.
Abstract (author's English version)
With the rapid development of Internet applications and the widely used technology of e-commerce, it has become more and more possible for people to use mobile terminals to engage in various business activities. However, the security problems in wireless networks have also become increasingly prominent. In order to resolve this contradiction, the thesis proposes and initially constructs a system that uses a combination of smart card and VPN technology to realize secure access for mobile terminals. It lets operators develop all kinds of mobile value-added services without worrying about system security restrictions.
     According to function, the system can be divided into three modules: the mobile terminal encryption module, the secure access module and the certificate authority module. We use the smart card to realize certificate storage and data encryption, and VPN technology is used to construct a dedicated data transmission channel for the mobile terminals' secure access. At the same time, since the smart card is a hardware device, it also requires a corresponding driver to inform the operating system what functions it has and how to use them. Therefore, we select the PKCS#11 standard published by RSA Laboratories to develop the smart card middleware. The PKCS#11 library we designed is independent of cryptographic devices and operating systems, and conceals the complexity of low-level information security technologies, thus providing a convenient middle platform for upper-layer application developers. The PKCS#11 library separates the information security module from the whole application system and enhances its reusability.
     This paper describes the design and realization of the PKCS#11 library based on the PKCS#11 standard in detail. Against the system background, the author mainly carried out work in the following aspects: first of all, through analysis and research of the PKCS#11 standard, we propose a design suitable for our system's PKCS#11 library, dividing the library into three parts, the common function library, the communication library and the tool library, each realized separately. Secondly, using an object-oriented design concept, it can also support many different kinds of smart cards. In addition, we conduct extensive analysis of test results for the finished PKCS#11 library, using test cases to verify the implementation of some of the major function interfaces. Finally, the paper also presents the system's security performance analysis with the application of the PKCS#11 library.
     Because the system combines the flexibility of smart cards and the security of VPN technology, it greatly improves the reliability and expands the scope of application of the system, and it also meets the user's security needs. In particular, it serves as a practical guide for Internet access in some specific areas.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号