Research on the Security Architecture and Practical Model of Important Information Systems

The Security Architecture and Practical Model for Important Information System

【Author】 Zhao Yong (赵勇)

【Advisor】 Shen Changxiang (沈昌祥)

【Author information】 Beijing Jiaotong University, Computer Application Technology, 2008, PhD

【Abstract (translated from the Chinese)】 An important information system is a system at level three or above in China's national classified protection scheme for information system security. Once its security is compromised, social order, the public interest and even national security and stability are seriously affected, so such systems are key protection targets in the national information security assurance system. Academician Shen Changxiang, a domestic information security expert, proposed solving the security of important information systems with terminal security as the core. The "trusted computing" concept put forward by the TCG coincides with this view: it likewise starts from terminal security and ensures information system security by raising the security of the terminal platform.

However, looking over the development of information system security, and especially of important information system security, several prominent security problems remain. 1) There is no security architecture suited to important information systems. As is well known, the protective strength of an information system is decided by the weakest link of its "Maginot Line"; without a sound security architecture as guidance, the security components of an information system can hardly coordinate and work in an orderly way, a "security short board" (weakest-link) effect easily appears, the system's protection collapses at the first blow, and all the effort is wasted. 2) Trusted computing and security mechanisms are disconnected. The complexity and heterogeneity of important information systems make trusted computing harder to deploy, so it is difficult for it to provide good assurance services to the security mechanisms above it. At the same time, most current secure operating systems still use system security mechanisms that predate trusted computing and do not make full use of the trusted functions it provides to strengthen their own security, so trusted computing exists in name only and does not play its due role. 3) Security and usability are insufficient. Security and usability are to some degree contradictory; to raise a system's security one sometimes has to reduce its usability. For example, to reduce the risk of a breach of system confidentiality, most current important information systems forbid users from using removable storage devices and forbid terminals from connecting to public networks, which seriously harms usability. It is therefore essential to raise system security without lowering usability.

Focusing closely on these security problems of current important information systems, taking the "three vertical, three horizontal, two centres" assurance system as its basis and approaching from the security of the information system's application environment, this dissertation studies the security architecture and practical models of important information systems systematically and comprehensively, with the following results.

First, a security architecture for important information systems composed of a trusted application environment, trusted boundary control and trusted network transmission is proposed. On this basis the security architecture of the trusted application environment is refined, fully embodying the idea of organically integrating trusted computing and security: trusted computing is the basic assurance for security, and security mechanisms assist trusted computing in providing better services to the upper layers.

Second, an isolation model for the trusted application environment is proposed, giving theoretical guidance for shielding and eliminating harmful interference between tasks and for maintaining the dynamic trustworthiness of task behaviour. Based on the behavioural characteristics of applications in the information system, the model partitions the system's resources and establishes a correspondence between each application and the resources closely related to its execution. The model assumes that a trusted task does not emit information flows that interfere with the normal operation of other tasks; on that basis it not only restricts a task to communicating with the outside world solely by actively reading the resources corresponding to other applications, but also requires the source task of an information flow to be trusted, thereby eliminating harmful interference between tasks. Clearly, the model turns the problem of identifying harmful interference between tasks into that of measuring the trustworthiness of the source task, which is more practical.

Third, a system security model based on the trusted application environment is given. The model adopts a "three-entity" pattern: a user's privileges are limited by defining the applications the user may launch, and a task's privileges are limited by restricting the resources an application may access once launched. Using the assurance provided by the trust-chain transfer mechanism, the model extends the system TCB to the application service platform layer, ensuring that the access control mechanism can make full use of the task's runtime context when checking information flows, so as to make more accurate access control decisions. In addition, the model defines a task's integrity level in terms of the user's trustworthiness, the application's trustworthiness and the task's runtime trust state, departing from the traditional BLP and Biba models in which an entity's confidentiality level and integrity level are equal, and thereby facilitating two-way information flow.

Finally, a key management scheme suited to important information systems is proposed. The scheme is strongly secure, easy to use and easy to update. It fully exploits the advantages of identity-based cryptography to link identity authentication effectively with storage protection, thereby remedying security weaknesses in the identity authentication module. Borrowing the idea of the digital envelope, the scheme wraps the real storage protection key with the legitimate user's public-key information so that only the legitimate user can compute it with their private key; the storage protection key is thus never exposed directly to the user, reducing the risk of it leaking to unauthorised users. Moreover, the scheme makes full use of the protected storage function provided by trusted computing, storing the wrapped storage protection key in the TPM so that it can be obtained only after valid authorisation data is presented, which further strengthens the scheme's security.

【Abstract】 A system is defined as an important information system when its security grade is at or above the third grade of China's national classified protection scheme for information systems. Any compromise of its security affects social order and the public interest, and even national security and stability, so important information systems must be protected to a high level. In China, Professor Shen Changxiang, a well-known information security expert and academician of the Chinese Academy of Engineering, proposed using platform security as the key to solving the security problem of important information systems. This idea is consistent with "trusted computing" as put forward by the TCG, which assures information system security by improving platform security.

However, the evolution of information system security shows that several important security problems remain: 1) There is no security architecture suited to important information systems. It is known that the defensive strength of an information system depends on the weakest part of its "Maginot line". Without an appropriate security architecture as a guide, the various security components of the information system cannot coordinate with each other and work in order; the "security shortcoming" (weakest-link) phenomenon appears, the protection becomes vulnerable, and all the protective effort is in vain. 2) Trusted computing and security mechanisms are disconnected. The complexity of important information systems increases the difficulty of implementing trusted computing, so it is hard for trusted computing to provide good assurance services to upper-layer applications. At the same time, most current secure operating systems still use the traditional security architecture that predates trusted computing, so they do not take full advantage of the trusted functions trusted computing provides to enhance their own security, and trusted computing exists in name only. 3) Security and usability are insufficient. To some extent security and usability are contradictory, and it is sometimes necessary to reduce usability to enhance security. For example, to reduce the risk of a breach of system confidentiality, most current important information systems prohibit the use of removable storage devices and prohibit terminals from accessing public networks, which seriously reduces usability. It is therefore extremely necessary to enhance system security without reducing usability.

Guided by the "three vertical and three horizontal" safeguard system architecture and approaching from the security of the information system's application environment, this dissertation focuses closely on the problems above, studies the security architecture and practical models of important information systems systematically and comprehensively, and makes the following contributions.

Firstly, a security architecture for important information systems is proposed, composed of a trusted application environment, trusted boundary control and trusted network transmission. Within this architecture, the trusted application environment architecture is refined, fully reflecting the idea of organically integrating trusted computing and security: trusted computing is the basic assurance for security, and security mechanisms help trusted computing provide better service to upper-layer applications.

Secondly, an isolation model based on the trusted application environment is proposed, which provides theoretical guidance for shielding and eliminating harmful interference among tasks and thereby maintaining the dynamic trustworthiness of task behaviour. According to the behavioural characteristics of applications in the information system, the model partitions the system's resources and sets up a correspondence between each application and the resources strongly related to it. The model also assumes that a trusted task cannot send out information flows that interfere with another task's normal operation. Thus, in the model a task can communicate with its environment only by reading other applications' correlated resources, and the first task in an information flow must be trusted, which eliminates harmful interference among tasks. The model thereby converts the problem of recognising harmful interference into that of measuring the trustworthiness of the source task, which makes it more practical.

Thirdly, the thesis proposes a system security model based on the trusted application environment. The model takes the "three entities" form: it restricts a user's permissions by defining which applications the user can run, and restricts a task's permissions by limiting the resources it can access. To make sure the access control mechanism can make full use of the context in which a task runs when checking the safety of information flows, and so give more accurate access control decisions, the model extends the system TCB to the application level with the support of the trust-chain transmission mechanism. In addition, the model defines the task integrity level in terms of the user confidence level, the application confidence level and the task's running state. This avoids the disadvantage of the traditional BLP and Biba models, in which an entity's confidentiality level equals its integrity level, and makes two-way information flow easier.

Finally, the thesis proposes a key management scheme for important information systems that is secure, easy to use and easy to update. Taking full advantage of identity-based cryptography, the scheme effectively integrates identity authentication with storage protection and avoids the security flaws of the authentication module. In addition, the scheme uses the digital envelope idea to encapsulate the real storage protection key with the valid user's public key; only authenticated users at the terminal can recover the correct key with their own private key. The storage protection key is thus not exposed to the user, which reduces the risk of leaking it to unauthenticated users. The scheme also makes full use of the protected storage function provided by trusted computing to store the encapsulated key in the TPM, so the user obtains the proper key only after presenting valid authorisation information, which improves the security of the scheme.

  • 【CLC classification】 TP393.08
  • 【Citation count】 15
  • 【Download count】 1459