
Research on Mutual-Authentication Access Control for Secure Subnets

【Author】 卿利 (Qing Li)

【Advisor】 李晓东 (Li Xiaodong)

【Author information】 电子科技大学 (University of Electronic Science and Technology of China), Applied Mathematics, 2003, Master's thesis

【Abstract (translated from the Chinese)】 In the open Internet, constructing a logically secure subnet requires three security mechanisms: data confidentiality, identity authentication, and access control. A secure access control system prevents information stored in a computer system from being destroyed, tampered with, leaked, or copied by unauthorized users, and any access control system must authenticate both parties to an access. A secure access control mechanism with mutual authentication has therefore become central to subnet security and a focus of network security research. The aim of this thesis is to study mutual identity authentication and access control mechanisms for secure subnets, together with their implementation schemes. Addressing the problems in the mutual-authentication access control scheme based on the Harn digital signature, the thesis uses cryptographic techniques to improve the original mutual authentication protocol and, as an improvement of the original access control scheme, proposes a new single-key-lock-pair access control scheme based on the uniqueness of the binary representation of integers. The new mutual-authentication access control scheme overcomes the defects of the original. The thesis has three parts. 1. Theoretical overview: a brief introduction to the OSI security architecture and a description of the modern cryptographic techniques used in this research. 2. Study of the mutual-authentication access control mechanism for secure subnets: an abstract model of the secure subnet is first proposed on the basis of the VPN tunnel model and an enterprise-level secure subnet structural model, and the mutual-authentication access control mechanism of the secure subnet is then discussed in detail. 3. Study of implementation schemes for mutual-authentication access control: the security flaws of the scheme based on the Harn digital signature are analysed in detail and the original scheme is improved. Chapters five and six present the main results. As an improvement of the original scheme, the improved mutual authentication protocol resists man-in-the-middle and replay attacks; a rigorous formal analysis in BAN logic shows that the protocol is secure. The improved access control scheme is realised as a single-key-lock-pair scheme; besides retaining the good dynamic properties of single-key-lock-pair schemes in general, it allows a user to hold multiple kinds of access right on a file without assuming that access rights are monotonically increasing, and it greatly reduces the likelihood of the overflow problem.

【Abstract】 In the open Internet environment, three security mechanisms, namely data confidentiality, identity authentication, and access control, must be realized when constructing a logically secure subnet. Access control prevents data from being destroyed, altered, disclosed, or copied by unauthorized accesses, and every access control system needs to authenticate the identity of the user. A secure access control mechanism is the key technique for keeping a subnet secure, and is also a hotspot in the field of network security. The aim of the thesis is to research the identity authentication and access control mechanisms of a secure subnet, and their implementation schemes. To overcome the shortcomings of the mutual (two-way) authentication access control scheme based on Harn's digital signature, a new mutual authentication protocol is proposed to improve the old one. A new single-key-lock-pair access control scheme is proposed as the improved access control scheme, based on the property that an integer has exactly one binary representation. The thesis is composed of three parts. Firstly, a summary of the theory: the security architecture of Open Systems Interconnection (OSI) is introduced in chapter one, and the key modern cryptographic techniques used in the thesis are described in chapter two. Secondly, research on the identity authentication and access control mechanisms of a secure subnet: an abstract model of the secure subnet is put forward, based on the tunnel model of VPN and the enterprise secure subnet model, in chapter three, and the mutual authentication access control mechanism of the secure subnet is analysed in detail in chapter four. Thirdly, research on the mutual authentication access control scheme: the insecurity of the mutual authentication access control scheme based on Harn's digital signature is analysed in chapter five, and a new scheme is proposed to improve the old one in chapter six. An improved scheme for the old mutual authentication access control scheme based on Harn's digital signature is proposed. The new mutual authentication protocol of the improved access control scheme can prevent man-in-the-middle and replay attacks; after strict formal analysis with BAN logic, the result proves that the authentication protocol is secure. The improved access control scheme is realized in the single-key-lock-pair model. Under the new scheme a user can hold several kinds of access right on one file without the assumption that access rights increase by degrees, and the possibility of the overflow problem is significantly reduced by the new method.

【Key words】 secure subnet; VPN; authentication protocol; access control
  • 【Classification number】 TP393.08
  • 【Times cited】 1
  • 【Downloads】 131