Research and Implementation on the PKI/PMI Application in Police Information Systems

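【Author】 Liu Zhaohan (刘召晗)

【Advisors】 Gu Lixu (顾力栩); Wang Yurong (王玉荣)

【Author information】 Shanghai Jiao Tong University, Computer Software Engineering, 2008, Master's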

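【Abstract (translated from the Chinese)】 Because computer networks are open and diverse, and because operating systems and application systems have inherent flaws, they are exposed to threats and attacks from hackers, Trojans, viruses, malicious software and other unauthorized behavior. With the rapid growth of Internet-based e-government, e-commerce, online shopping and similar services, network security problems are becoming increasingly prominent. The police information system is networked across sites; although it is not connected to the Internet, it faces the same network security problems, and whether they can be solved thoroughly and effectively determines whether the construction of the police information system succeeds. In 2004 the internal governing department of the police launched the police information center informatization project, which requires the existing networks, database systems and OA systems of the provincial and municipal information centers to be rebuilt, the application systems to be interconnected on a secure and reliable basis, and nationwide networking to be achieved step by step. Based on the project "Police information center LAN reconstruction and informatization construction", this thesis systematically explores and summarizes the basic theory of police informatization and, starting from improving the software architecture and assuring application security, concentrates on solving the "information island" and security assurance problems in building police application systems. To achieve police informatization, the isolated, non-networked application systems of the individual police information centers must be rebuilt under the PKI/PMI technical framework into interconnected application systems, and the application systems that log users in by user name and password must be rebuilt into application systems that work in the PKI/PMI mode and support independent authorization management and access control. This thesis focuses on user identity authentication, permission management and related problems that are indispensable in application systems, and applies PKI/PMI component technology. The component is based on the PKI/PMI technical system and implements the issuance and management of X.509 standard certificates together with the related secure communication, information encryption and digital signatures, establishing a unified system of mutual trust. It uses highly centralized user identity management and access permission settings, along with several audit techniques, to provide manageable, composite security technology for complex network systems and applications, achieving identity authentication, access control and information encryption and keeping the application systems running securely. The component is built on top of various application services and the underlying operating system, and provides comprehensive security services to application systems and application servers. It suits a variety of operating systems and application environments, provides standard application interfaces, is completely transparent to the upper-layer application systems, and provides network security for the construction of police informatization systems. Using an office automation system, a subsystem of the police information system built on the PKI/PMI security component, this thesis describes the concrete application and working mode of the PKI/PMI component in the police information system. The thesis designs and implements a security component based on the PKI/PMI technical framework and establishes a security and operation management platform for the police information system. Through the platform's unified, standardized interfaces it achieves unified identity authentication and access authorization control, and it applies centralized audit measures to monitor operations that affect system security, protecting the application systems, the related database resources and sensitive information resources and achieving controllable, secure access.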

【Abstract】 Computer networks are vulnerable to hackers, Trojans, viruses, malicious software and other unauthorized acts because of their openness and diversity and the inherent flaws of operating systems and application programs. With the rapid development of Internet-based e-government, e-commerce, online shopping and similar services, network security is becoming more and more important. The police network is not connected to the Internet, but once it is networked across sites it encounters the same security problems. Whether these problems can be solved completely and effectively will directly determine whether the construction of the police information system succeeds.

In 2004 the internal governing department of the police started the police information center construction project. The project requires that the existing networks, database systems and OA systems in provincial and municipal information centers be reconstructed so that the application systems are interconnected under safe and reliable conditions, with nationwide networking to be achieved gradually.

Based on the project "The Reconstruction of the LAN of Police Information Center and The Construction of Information Systems", this thesis systematically explores and summarizes the basic theories of police information systems. Its main content is the study and solution of the security problems and the "isolated islands of information" in police application systems. The police information systems must be realized using PKI and PMI technology. The originally isolated application systems in each police information center are connected to form interconnected application systems, and the application systems based on user name/password login must be changed into ones based on the PKI/PMI mode, with independent authorization management and access control.

This thesis focuses on issues that are indispensable to application systems, such as user authentication and permission management. PKI/PMI component technology is applied. Based on the PKI/PMI technology, the component implements the issuance and management of X.509 standard certificates and the related secure communication, information encryption, digital signatures and so on, and it establishes and maintains a unified system of mutual trust. Using highly centralized management of user identities and access-right settings, together with a variety of audit technologies, it offers manageable, composite security technology for complex network systems and applications. It achieves authentication, access control and information encryption to ensure the safe operation of application systems. Built on a variety of application services and the underlying operating system structure, it provides a full range of security services for application systems and application servers. It can be applied to a variety of operating systems and application environments, offers standard application interfaces, is completely transparent to the upper-layer application systems, and provides network security for the construction of police information systems.

Taking a subsystem of the police information system, an office automation system built on the PKI/PMI security component, as an example, this thesis describes the detailed application and operating mode of the PKI/PMI security component in the police information system.

In this thesis, a security component based on the PKI/PMI technical framework is designed and implemented, and a security and operation management platform for the police information system is established. Through the platform's uniform and standardized interfaces, unified identity authentication and access authorization control are realized. At the same time, centralized audit measures monitor operations that affect system security, protecting application systems, the relevant database resources and sensitive information resources, so that controllable and safe access is realized.

  • 【Classification number】 TP393.08
  • 【Download count】 363