
Research on Authentication Mechanism for Trusted Network Access (可信网络接入认证方法的研究)

【Author】 庄小君 (Zhuang Xiaojun)

【Supervisor】 吴昊 (Wu Hao)

【Author information】 Beijing Jiaotong University, Communication and Information Systems, 2008, Master's thesis

【Abstract】 As the Internet has grown, networks have become the main means of exchanging and processing information in industry, government and defence, so they must be sufficiently trustworthy and secure to play that role. At the same time, the rapid spread of e-commerce and e-government has made network security problems more acute: viruses and attackers are widespread, and the trustworthiness of the network has declined sharply. The thesis argues that the main causes of security incidents are design flaws in the software and hardware architecture of hosts, together with the absence of strict authentication and authorization of users. Traditional defences concentrate on protecting servers and the network itself and neglect the security of the connecting endpoint, yet most attacks originate from insecure endpoints. A genuinely secure and trustworthy network therefore has to build its security from the endpoint inward, defending on both the inside and the outside.

Drawing on existing authentication technologies and the characteristics of trusted computing, the thesis proposes a trusted network access authentication model. Its basic idea is to enforce network access control by evaluating the security state (posture) of the endpoint that requests access, keeping endpoints with known weaknesses outside the network and thereby building a "clean" and "trustworthy" network that suffers fewer security incidents and is better able to respond to threats. Combining posture assessment with conventional access authentication, the thesis designs an access authentication system based on security assessment. The system supports existing access technologies such as 802.1X and VPN, and also supports WAPI, China's first wireless LAN authentication protocol.

The main contributions are:
1. An analysis of the problems facing current networks and the shortcomings of existing security systems, with an introduction to the technologies the thesis builds on.
2. An improvement to WAPI that removes a man-in-the-middle vulnerability, with a formal analysis of the improved protocol's security using BAN logic.
3. A model of the trusted network access authentication method, with a description of its layered architecture and message exchange flow.
4. An implementation of the method on mobile terminals and in mobile data networks, including the design of the components' functional structure.
5. A summary of the work, its limitations, and directions for future research.

The thesis is an exploration of trusted network access authentication and aims to contribute to the development of trusted network technology and to a trusted network access architecture under independent Chinese intellectual property.
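The abstract describes the model only at the level of "evaluate the endpoint's posture, admit the healthy ones, keep the unhealthy ones out". The following is an added, self-contained illustration of that admission loop and is not the thesis's code or protocol: an access server issues a nonce, the endpoint agent returns a posture report bound to that nonce and a timestamp, and a policy engine returns allow, quarantine or deny. The attribute names, thresholds, the decision tiers and the shared HMAC key are all assumptions made for the example; the HMAC stands in for whatever attested measurement (for instance a TPM-signed quote) a real trusted-computing deployment would use. The point the code makes that the abstract does not is that a posture report is only evidence if its integrity and freshness are checked first; a tampered or replayed report is denied regardless of what it claims.

```python
"""Posture-based network admission decision (illustrative example only).

Names, thresholds and the enrollment key below are assumptions for this
example, not values from the thesis.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumed: a per-device key provisioned to the endpoint agent at enrollment.
# A TPM-backed attestation signature would replace this in a real deployment.
AGENT_KEY = b"example-enrollment-key-do-not-use"

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"
MAX_REPORT_AGE_S = 60  # reports older than this are treated as replays

# Each rule: (attribute, predicate on its value, critical?).
# A failed critical rule denies; a failed non-critical rule quarantines
# (e.g. a remediation VLAN) so the endpoint can fix itself before full access.
POLICY = [
    ("firewall_enabled", lambda v: v is True, True),
    ("av_signature_age_days", lambda v: isinstance(v, int) and v <= 7, False),
    ("os_patch_level", lambda v: isinstance(v, int) and v >= 20080301, False),
    ("disk_encryption", lambda v: v is True, True),
]


def canonical(report):
    """Deterministic encoding so both sides MAC the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(posture, nonce, now=None):
    """Endpoint side: bind the posture to the server nonce and time, then MAC it."""
    body = {"posture": posture, "nonce": nonce, "ts": int(now or time.time())}
    mac = hmac.new(AGENT_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def decide(report, expected_nonce, now=None):
    """Server side: verify integrity and freshness, then evaluate the policy.

    Returns (decision, reasons). An unverifiable report is denied outright:
    the claimed posture is never consulted unless the MAC, nonce and age check.
    """
    now = now or time.time()
    body = report.get("body", {})
    expected = hmac.new(AGENT_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report.get("mac", "")):
        return DENY, ["report MAC invalid"]
    if body.get("nonce") != expected_nonce:
        return DENY, ["nonce mismatch (replayed or foreign report)"]
    if abs(now - body.get("ts", 0)) > MAX_REPORT_AGE_S:
        return DENY, ["report stale"]

    posture = body.get("posture", {})
    reasons, critical_fail = [], False
    for attr, ok, critical in POLICY:
        if attr not in posture or not ok(posture[attr]):
            reasons.append(f"{attr} failed ({posture.get(attr, 'missing')!r})")
            critical_fail = critical_fail or critical
    if critical_fail:
        return DENY, reasons
    if reasons:
        return QUARANTINE, reasons
    return ALLOW, []


if __name__ == "__main__":
    # Constructed sample endpoints for the demonstration.
    nonce = secrets.token_hex(8)
    healthy = {"firewall_enabled": True, "av_signature_age_days": 2,
               "os_patch_level": 20080415, "disk_encryption": True}
    print(decide(sign_report(healthy, nonce), nonce))              # allow
    stale_av = dict(healthy, av_signature_age_days=30)
    print(decide(sign_report(stale_av, nonce), nonce))             # quarantine
    forged = sign_report(stale_av, nonce)
    forged["body"]["posture"]["av_signature_age_days"] = 0         # edited after signing
    print(decide(forged, nonce))                                   # deny: MAC invalid
```

The ordering of the checks is the design point: integrity, then nonce, then age, and only then the policy, so an attacker who controls the endpoint's network stack gains nothing by editing a captured report or replaying a healthy one from last week. The quarantine tier reflects the "remediate, then readmit" behaviour that makes posture-based admission workable in practice; a binary allow/deny would lock out every endpoint with an out-of-date signature file.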

  • 【CLC classification】 TP393.08
  • 【Citations】 2
  • 【Downloads】 497