Research on a Secure Network Transmission Scheme Based on SPI and PKI
Abstract
Computer networks are growing rapidly in scale, and network-based communication has become the most important component of network applications: almost every organization, institution and individual relies on network communication tools such as e-mail to exchange information. As these applications expand, network communication carries more and more sensitive information, such as decision-making information, business data and technical documents, and the security of that information in transit has drawn wide attention. Strengthening the security of network information transmission is therefore of real practical importance for further extending network communication applications.
     Under the existing network architecture, protecting the data carried by network communication tools is an effective solution. Communication data entering the network is given protection covering confidentiality, integrity and non-repudiation, so that it is difficult to steal or substitute in the network.
     To address these problems, this work studies network security theory, information security theory, SPI technology and PKI technology, combines SPI with PKI, and proposes a secure information transmission scheme for network communication applications.
     First, SPI is used to intercept TCP/IP communication data by changing the order in which the network protocol stack is accessed. Next, the data of real network applications is analysed and identified, and a data-protection policy is designed around the characteristics of each application. Finally, on a PKI platform built in the laboratory, and using certificates issued by an authoritative CA, information is encrypted and decrypted with digital envelope and digital signature techniques. Together these measures ensure the confidentiality and validity of network information on the data link, achieving effective and secure transmission of information over the network.
     The work has been applied in an e-mail security system. Using the proposed secure transmission model, an e-mail secure transmission scheme was designed around the characteristics of e-mail systems and mail client software. The scheme intercepts SMTP and POP3 protocol data at the SPI layer and locates the mail body data for protection, to ensure the confidentiality of e-mail; it also redesigns the MIME format to ensure the validity of e-mail in transit. The application of this scheme in the e-mail security system verified the effectiveness and feasibility of the work.
