身份认证和数字签名在某银行安全信息系统中的应用
|
摘要
本论文研究了金融安全现状和风险控制问题,提出并构建了银行安全体系架构。作者首先分析了金融安全的需求,阐述了安全建设的重要性,为解决安全控制的问题,提出开发基于PKI体系的安全信息系统;然后,将安全信息系统分为安全服务系统和安全应用系统分别加以系统阐述,通过身份认证和数字签名技术成功的构建了安全信息系统;最后,描述了安全信息系统运行情况。
安全信息系统作为银行金融服务应用软件构架中的基础应用技术系统,采用PKI技术与相关产品解决了银行各种业务应用系统的安全控制问题。该银行通过建立统一认证系统、统一权限系统、柜面业务安全认证管理系统、安全应用系统,在银行计算机信息系统中,实现了有效保护数据在传输和存储过程中的秘密性和完整性、有效鉴别访问银行信息系统的对象身份、有效控制访问对象的访问权限。
该系统主要解决了两个问题:
一、利用数字证书进行柜员身份认证以解决柜员密码口令保护脆弱,交易身份无法确认等问题,保证任何人不能仿冒别人的身份进行相关操作。
二、使用数字签名作为密押以解决密押易泄漏、操作效率低、存在伪造交易风险等问题,满足帐务集中需求。
目前该系统已经累计发放数字证书47万余张,所有柜员使用数字证书进行身份认证,关键业务交易使用数字签名作为密押。该系统的推行有利于防范银行的系统风险、操作风险和道德风险,有利于杜绝事故和案件的发生,对于保障和促进全行各应用系统的健康、稳定、持续发展具有重要的意义。
This paper studies the actualities of financial security and risk control, brings forward the framework of bank secure system. Firstly, paper analyzed the importance and demands of secure construction in financial security system. To solve the security control problem, paper proposed the exploitation of security information system based on PKI. Secondly, paper elaborated the security information system as security service system & security application system respectively, and constructed the security information system successfully with the technologies of identity authentication & digital signature. Finally, paper described the running instance of security information system at present.
As a basal application technical system of the application software framework in bank financial service, security information system use PKI and related products to solve the security control problems in different operation application systems. Based on unified authentication platform & privileged system, counter operating security authentication administering system, security application system, the bank may effectively achieve the privacy & integrality of those data during the delivery & storage process, and effectively distinguish the identity of the visitors and control the accessed privilege when the bank information system are being visited.
This system mainly solve two problems as below:
Using the digital certificate to solve the problems on frail protection of counter password & unable affirming the identity on dealing, thus no one can imitate others' identities to carry through relating operations.
Using the digital signature as telegraphic test key to solve the problems on telegraphic test key easily being divulged, operating efficiency lowness, forge dealing risk existence, and so on, to meet the demands of account centralized.
At present, the system has already granted more than 470,000 certificates totally. All counter-staffers in bank use it to progress ID authentication and some core bank's trade encryption use the digital signature as telegraphic test key. In this mode, it is benefit to keep the system risk, operation risk and moral risk away, stop accidents and unlawful cases. Moreover, it may have a vital significance on ensuring and promoting the healthy, persistent and fast development of application systems.
安全信息系统作为银行金融服务应用软件构架中的基础应用技术系统,采用PKI技术与相关产品解决了银行各种业务应用系统的安全控制问题。该银行通过建立统一认证系统、统一权限系统、柜面业务安全认证管理系统、安全应用系统,在银行计算机信息系统中,实现了有效保护数据在传输和存储过程中的秘密性和完整性、有效鉴别访问银行信息系统的对象身份、有效控制访问对象的访问权限。
该系统主要解决了两个问题:
一、利用数字证书进行柜员身份认证以解决柜员密码口令保护脆弱,交易身份无法确认等问题,保证任何人不能仿冒别人的身份进行相关操作。
二、使用数字签名作为密押以解决密押易泄漏、操作效率低、存在伪造交易风险等问题,满足帐务集中需求。
目前该系统已经累计发放数字证书47万余张,所有柜员使用数字证书进行身份认证,关键业务交易使用数字签名作为密押。该系统的推行有利于防范银行的系统风险、操作风险和道德风险,有利于杜绝事故和案件的发生,对于保障和促进全行各应用系统的健康、稳定、持续发展具有重要的意义。
This paper studies the actualities of financial security and risk control, brings forward the framework of bank secure system. Firstly, paper analyzed the importance and demands of secure construction in financial security system. To solve the security control problem, paper proposed the exploitation of security information system based on PKI. Secondly, paper elaborated the security information system as security service system & security application system respectively, and constructed the security information system successfully with the technologies of identity authentication & digital signature. Finally, paper described the running instance of security information system at present.
As a basal application technical system of the application software framework in bank financial service, security information system use PKI and related products to solve the security control problems in different operation application systems. Based on unified authentication platform & privileged system, counter operating security authentication administering system, security application system, the bank may effectively achieve the privacy & integrality of those data during the delivery & storage process, and effectively distinguish the identity of the visitors and control the accessed privilege when the bank information system are being visited.
This system mainly solve two problems as below:
Using the digital certificate to solve the problems on frail protection of counter password & unable affirming the identity on dealing, thus no one can imitate others' identities to carry through relating operations.
Using the digital signature as telegraphic test key to solve the problems on telegraphic test key easily being divulged, operating efficiency lowness, forge dealing risk existence, and so on, to meet the demands of account centralized.
At present, the system has already granted more than 470,000 certificates totally. All counter-staffers in bank use it to progress ID authentication and some core bank's trade encryption use the digital signature as telegraphic test key. In this mode, it is benefit to keep the system risk, operation risk and moral risk away, stop accidents and unlawful cases. Moreover, it may have a vital significance on ensuring and promoting the healthy, persistent and fast development of application systems.
引文
[1]冯登国.公开密钥基础设施.概念、标准和实施.北京:清华大学出版社2001∥ P5-36
[2]卿斯汉.密码学与计算机网络安全.北京:清华大学出版社2001#P65.72
[3]萨奇.金融全球化条件下的金融稳定.国际金融研究1998∥P09
[4]史东明.经济一体化下的金融安全.北京:中国经济出版社1999∥P34-38
[5]William Stallings.密码学与网络安全:原理与实践(第2版)(影印版).北京:清华大学出版社2002,730205537∥P67-88
[6]杨波.网络安全理论与应用.北京:电子工业出版社2002∥P145-160
[7]Quinlan.J.R.Induction of Decision Trees[J].Machine Learning 1986∥P81-106
[8]李涛.网络安全概论.北京:清华大学出版社/北京交通大学出版社第二版2004∥P25-28
[9]赵安军.网络安全技术与应用.人民邮电出版社2006∥P120-123
[10]刘克强.电子商务平台建设.人民邮电出版社2005/∥P288-289
[11](美)康弗瑞著.王迎春、谢琳等译.网络安全体系结构.人民邮电出版社2005∥P56-67
[12]陆永宁.非接触IC卡原理与应用.电子工业出版社2006∥P55-60
[13]孟鲁生.银行柜员管理规范.中国财经出版社2004∥P55-64
[14]赵泽茂.数字签名理论.科学出版社2004/01/P40-65
[15]薛质等.信息安全技术基础和安全策略.清华大学出版社2006∥P120-123
[16]沈亮等.GA/T695-2007-信息安全技术网络通讯安全审计数据留存功能要求.中国标准出版社2005∥P1-2
[17]关振胜.公钥基础设施PKI与认证机构CA.电子工业出版社2002∥P105-136
[18]Chidanand Apte.Sholom Weiss.Data mining with decision trees and decision rules[J].Future Generation Computer Systems 1997∥P 197-210.
[2]卿斯汉.密码学与计算机网络安全.北京:清华大学出版社2001#P65.72
[3]萨奇.金融全球化条件下的金融稳定.国际金融研究1998∥P09
[4]史东明.经济一体化下的金融安全.北京:中国经济出版社1999∥P34-38
[5]William Stallings.密码学与网络安全:原理与实践(第2版)(影印版).北京:清华大学出版社2002,730205537∥P67-88
[6]杨波.网络安全理论与应用.北京:电子工业出版社2002∥P145-160
[7]Quinlan.J.R.Induction of Decision Trees[J].Machine Learning 1986∥P81-106
[8]李涛.网络安全概论.北京:清华大学出版社/北京交通大学出版社第二版2004∥P25-28
[9]赵安军.网络安全技术与应用.人民邮电出版社2006∥P120-123
[10]刘克强.电子商务平台建设.人民邮电出版社2005/∥P288-289
[11](美)康弗瑞著.王迎春、谢琳等译.网络安全体系结构.人民邮电出版社2005∥P56-67
[12]陆永宁.非接触IC卡原理与应用.电子工业出版社2006∥P55-60
[13]孟鲁生.银行柜员管理规范.中国财经出版社2004∥P55-64
[14]赵泽茂.数字签名理论.科学出版社2004/01/P40-65
[15]薛质等.信息安全技术基础和安全策略.清华大学出版社2006∥P120-123
[16]沈亮等.GA/T695-2007-信息安全技术网络通讯安全审计数据留存功能要求.中国标准出版社2005∥P1-2
[17]关振胜.公钥基础设施PKI与认证机构CA.电子工业出版社2002∥P105-136
[18]Chidanand Apte.Sholom Weiss.Data mining with decision trees and decision rules[J].Future Generation Computer Systems 1997∥P 197-210.