
Authentication and Authorization for Network Database Security

Identification and Authorization on Network Database Security

【Author】 刘宏伟

【Supervisor】 范俊波

【Author information】 Southwest Jiaotong University, Cryptography, 2002, Master's thesis

【Abstract】 This thesis first introduces the foundations of network database security, namely modern cryptography and database security, and then explains the principles of using fingerprint features for identity authentication. The thesis focuses on identity authentication and role-based access control authorization, and proposes a new identity authentication protocol and a new access authorization method. The authentication protocol combining secret information with fingerprint features is a new protocol suited to requests for sensitive information from a database; extending the protocol also secures the communicated data. A user-role mapping table is derived from the association between users and roles, and a role-table authorization table is derived from the associations among roles, databases and database tables. Based on a role's identifying number, the authentication server dynamically applies authentication techniques of different security levels to the user and makes the authorization decision according to the authentication result; authorization is thus implemented in the application rather than depending on a specific database. Combining the log records kept on the application server with those provided by the database itself yields a simple and effective new logging method. The client's key is stored in a file encrypted with a salt-and-password algorithm, a storage method that is both secure and convenient. Finally, these function modules are applied in the design of a secure database management system, and their design and implementation are described in detail. This system is a security-enhanced database management system: it does not depend on any specific database but adds security on top of an existing C2-level DBMS, can be used together with the security features the underlying database already provides, and offers identity authentication, role authorization, logging and communication encryption. The protocols and schemes proposed in the thesis can fully and independently safeguard the security of a network database.

【Abstract】 The thesis introduces the foundations of network database security, namely modern cryptology and database security, and the principles of using fingerprint characteristics for identity identification. It focuses on identity identification and on authorization based on role-based access control, and presents a new identity identification protocol and a new method of access authorization. The identity identification protocol, which combines confidential information with fingerprint characteristics, is a new protocol for requesting sensitive information from a database; extending the protocol also secures the communication data. A mapping table of users and roles is established from their association, and an authorization table of roles and tables is obtained from the mapping among roles, databases and database tables. Using the role's flag number, the certification server dynamically applies identification techniques of different security levels to users and makes the authorization decision according to the result of identification. The method realizes authorization in the application program and does not depend on a concrete database. A new method of log recording is achieved by integrating the application server's log records with the database's own log records. The client's private key is stored in a file encrypted by a salt-and-password algorithm, a method of private key storage that is both secure and convenient. Finally, the foregoing function modules are applied to the Security Database Manage System, and the design and realization of these modules in that system are introduced in detail. The system enhances the security of a database that already has C2-class security and does not depend on any specific database; it can be combined with the security functions of the specific database and provides identity identification, role authorization, log records and communication encryption.
The protocol and the scheme presented in the thesis can safeguard the security of a network database fully and independently.

  • 【Classification number】TP393.08
  • 【Cited by】2
  • 【Downloads】346