Research on Trusted Network Access Authentication Methods
Abstract
With the continuous development of the Internet, the network has gradually become an important means of exchanging and processing information in fields such as industry and national defense, so the network must be sufficiently trustworthy and secure before it can play this important role. However, with the accelerating implementation of informatization and the rapid growth of e-commerce and e-government, network security problems are becoming increasingly prominent: viruses spread widely and hackers run rampant, seriously lowering the trustworthiness of the network. Through our research we conclude that the main causes of today's security incidents are design flaws in host software and hardware architectures together with the lack of strict authentication and authorization control over users. Traditional security defenses focus on protecting servers and the network while neglecting the security of the accessing terminal itself. Yet most attack incidents are triggered by insecure accessing terminals, so a truly secure and trusted network environment can only be built by establishing security at the source, the point of terminal access, and defending from inside and outside together. Building on the characteristics of existing authentication technologies and trusted computing, this thesis proposes a trusted network access authentication model. Its basic idea is to enforce network access control by assessing the security state of the accessing terminal, keeping "terminals with hidden dangers" outside the network so as to build a "clean" and "trustworthy" network, thereby reducing the frequency of network security incidents and improving the network's ability to respond to security threats.
     This thesis combines security assessment with traditional access authentication methods to design an access authentication system based on security assessment. The system supports not only existing access technologies such as 802.1x and VPN but also WAPI, China's first wireless LAN authentication protocol. The main contents of the thesis are as follows: 1. the problems currently facing networks and the shortcomings of existing security systems are analyzed, and the related technologies involved in this thesis are introduced; 2. WAPI is improved to eliminate its "man-in-the-middle attack" vulnerability, and the security of the improved protocol is formally analyzed and verified with BAN logic; 3. a model for a trusted network access authentication method is proposed, and its layered architecture and message exchange flow are described; 4. the implementation of the trusted network access authentication method in mobile terminals and mobile data networks is described, and the functional structure of its components is designed; 5. the thesis is summarized, and its shortcomings and future work are pointed out.
     In summary, this thesis carries out some exploration and research into trusted network access authentication technology, in the hope of contributing to the development of trusted network technology and to the construction of a trusted network access architecture with independent Chinese intellectual property.
With the development of the Internet, the network has become the major means of information exchange in every field. However, it also brings more threats due to insufficient trust and security. Especially, the fast development of e-commerce and e-government makes the security problems of the network increasingly severe, with many viruses and hackers. All of these lead to a decline in the credibility of the network. Through this study we learn that shortcomings in the design of software and hardware architecture, together with the absence of strict authentication and authorization of users, are the main causes of security incidents. Traditional security safeguards focus on protecting the server and the network but ignore the security of the terminal device itself. However, most attacks arise from unsafe terminal devices. Only by setting up a security architecture at the source, the terminal device, and combining internal and external defenses can a trusted and safe network environment be constructed. Referring to existing authentication technology and trusted computing technologies, this paper designs a model of trusted network access authentication. The basic idea is to control the network access privileges of endpoints by evaluating their security posture information, through which unhealthy endpoints are excluded. By preventing unhealthy endpoints from accessing the network, the network is kept trusted and healthy, leaving no weakness for hackers to exploit. Such a trusted network can effectively defend against threats and reduce the frequency of attacks.
     Combining security posture assessment with traditional access authentication mechanisms, this paper designs an access authentication model based on security posture assessment. This model supports current access mechanisms such as 802.1x and VPN, and also supports the WAPI authentication protocol developed in China. The main tasks are as follows: 1. analyzed the security problems and shortcomings of current networks and security systems, and introduced the related technologies used in the paper; 2. improved WAPI to avoid the man-in-the-middle attack, and used BAN logic to analyze the security of the improved protocol; 3. described in detail the model, the system framework, and the layered structure of the trusted network access authentication mechanism; 4. described the deployment of the trusted network access authentication model in the mobile terminal and the mobile data network; 5. summarized the paper, and explained its shortcomings and future research work.
     To sum up, based on current trusted network access technologies, this paper explored and studied trusted network access technology, and I hope it will make a significant contribution to the development of trusted network access and to future Chinese self-owned trusted network access technology.
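The access decision the abstract describes, a credential check followed by an evaluation of the endpoint's security posture that keeps non-compliant endpoints off the production network, as an added Python example that is not part of the thesis. The policy fields, thresholds, patch names and the "restrict" (remediation network) outcome are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical posture policy: the field names and thresholds are assumptions
# for illustration, not values taken from the thesis.
@dataclass(frozen=True)
class PosturePolicy:
    max_av_signature_age_days: int = 7
    required_patches: frozenset = frozenset({"PATCH-001", "PATCH-002"})
    require_host_firewall: bool = True

@dataclass(frozen=True)
class PostureReport:
    endpoint_id: str
    authenticated: bool        # outcome of the credential step (802.1x / WAPI)
    av_signature_age_days: int
    installed_patches: frozenset
    host_firewall_enabled: bool

def decide_access(report: PostureReport, policy: PosturePolicy):
    """Return (decision, reasons).
    'deny'     - credential authentication failed: no network access at all
    'restrict' - credentials valid but posture non-compliant: kept off the
                 production network (an assumed remediation network)
    'allow'    - credentials valid and posture compliant
    """
    if not report.authenticated:
        return "deny", ["credential authentication failed"]
    reasons = []
    if report.av_signature_age_days > policy.max_av_signature_age_days:
        reasons.append(f"antivirus signatures {report.av_signature_age_days} days old "
                       f"(max {policy.max_av_signature_age_days})")
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        reasons.append("missing required patches: " + ", ".join(missing))
    if policy.require_host_firewall and not report.host_firewall_enabled:
        reasons.append("host firewall disabled")
    return ("restrict", reasons) if reasons else ("allow", [])

# Constructed sample reports (not real endpoints).
POLICY = PosturePolicy()
SAMPLE_REPORTS = [
    PostureReport("ep-healthy", True, 2, frozenset({"PATCH-001", "PATCH-002"}), True),
    PostureReport("ep-stale", True, 30, frozenset({"PATCH-001"}), False),
    PostureReport("ep-badcreds", False, 0, frozenset({"PATCH-001", "PATCH-002"}), True),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.endpoint_id, *decide_access(r, POLICY))
```

The identity check is deliberately evaluated first so that a posture report from an unauthenticated endpoint is never trusted.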