
Design of a Full-Lifecycle Access and Authorization Model for Trusted Network Connect

【Author】 Wang Jiahui

【Advisor】 Wu Zhenqiang

【Author information】 Shaanxi Normal University, Computer Software and Theory, 2010, Master's

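【Summary】 With the large-scale connection of embedded devices, consumer digital electronics, sensors and similar devices, the scale and application areas of the Internet keep expanding, and the network plays an ever larger role in our lives. The accompanying network security problems have also become more prominent: spam, computer viruses and Trojan horse programs seriously harm our normal lives. Most existing network security measures defend at the network boundary, while terminals inside the boundary lack security management. This makes terminal security a gap in network security solutions and seriously affects their effectiveness. There is now consensus that network security problems should be addressed starting from the terminal, and many terminal secure-access schemes have appeared in succession, including Cisco's NAC, Microsoft's NAP, TCG's TNC, Topsec's TNA and Huawei's EAD, all aiming to solve information security problems from the standpoint of terminal security. However, most existing schemes consider only the integrity of the terminal at the moment it connects to the network and lack real-time control over the terminal's behavior after it has connected, which cannot meet the requirements of today's complex networks. After studying the various terminal secure-access schemes in depth, the thesis addresses the existing problems with research and improvements mainly in the following areas:

1) Because current terminal protection mechanisms lack post-access management, the thesis builds on the TNC specifications and combines them with the usage control model to propose a full-lifecycle access and authorization model for trusted network connection. The model not only ensures, according to the organization's security policy, the integrity of a terminal when it connects to the trusted network, but can also control the terminal's behavior in real time through changes in attributes, trust level and similar values.

2) Because the combined processing of integrity information when a terminal connects to the trusted network is rather complex, the integrity information is abstracted into the terminal's trust level by means of fuzzy comprehensive evaluation, and this trust level is used as an important component of the authorization decision, which facilitates full-lifecycle management of terminal access to the trusted network.

3) Because corresponding security protocols between entities and components are lacking, an authentication protocol for terminal access to the trusted network is proposed. It determines the terminal's permissions through policies covering identity authentication, platform authentication and integrity authentication, and the protocol's security is proved using the universally composable model, which currently offers a relatively high level of security.

4) By studying and analyzing the open-source TPM emulator (TPM-emulator) for the Linux operating system, the emulator was set up on CentOS, and application software using the TPM emulator was developed so that users can use TPM functions through a graphical interface. A partial prototype implementation and functional tests are given for the authentication protocol and measurement process proposed in the thesis.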

【Abstract】 With the increasing use of embedded devices, consumer digital products, and a large number of sensors and other devices, the scale and applications of the Internet continue to expand, and the influence and global role of the network in our lives is growing. At the same time, the network faces serious security problems: spam, viruses and Trojan horse programs seriously endanger our lives. Existing network security measures mostly guard the network perimeter, while terminals inside the boundary lack security management, which seriously affects security solutions. Solving network security issues from the endpoint has now become a consensus. Cisco's NAC, Microsoft's NAP, TCG's TNC, TNA of TOPSEC, Huawei's EAD and many other terminal security access architectures have appeared, intending to solve the problems from the terminal. However, existing schemes mostly focus on the integrity of the terminal when it accesses the network, and the terminal's behavior after it accesses the network lacks real-time control, which does not match the actual situation of complex networks. After studying these solutions in detail, the thesis makes the following main contributions:

1) To address the lack of management, a full-lifecycle trusted network access and authorization model is proposed, combining the usage control model with the TNC specifications. This architecture not only ensures the integrity of the terminal when it accesses the network, based on the organization's security policy, but also controls the real-time behavior of the terminal through changes in its properties and reliability.

2) The integrity information is abstracted into a trusted level by fuzzy synthetic evaluation, and the trusted level then becomes a crucial part of the authorization decision, realizing management of the entire lifecycle when the terminal accesses the trusted network.

3) A new authentication protocol for accessing the trusted network is proposed. Identity authentication, platform authentication and integrity authentication are used to determine the corresponding permissions of the terminal, and the security is proved in the Universally Composable security model.

4) Application software is developed under the Linux operating system using a TPM simulator, based on the model proposed in the thesis. Users can use TPM functions through graphical interfaces. The authentication protocol is proposed and tested on an experimental platform.
