节点文献

语义远程认证的研究

Research on Semantic Remote Attestation

【作者】 单晓波

【导师】 彭新光;

【作者基本信息】 太原理工大学 , 计算机应用技术, 2007, 硕士

【摘要】 在计算机技术与网络通信技术飞速发展的今天,政府机构、企事业单位、各种组织以及个人对计算机和网络的依赖变得越来越强,计算机与网络的应用已经渗透到政治、经济、社会、教育和军事等几乎所有领域的各种业务流程之中。但与此同时,计算机病毒、木马和黑客的攻击也使我们认识到现有计算机网络系统是十分脆弱的,而且这种脆弱性可能造成的损失也是不可估量的。各种网络应用尤其是电子商务的发展对安全提出了更高的要求,需要系统能够在极高程度上保证其真实性、完整性、保密性、有效性和拒绝否认性等。现有的计算机安全思想只是通过在PC机与外界网络之间增加一些安全层次,如口令、加密等等,但这些都属于一种被动的方案,而且这些层次的基础如操作系统和硬件等可能本身就存在致命的漏洞。事实证明,这种思路只能是临时解决部分问题,并且解决的程度无法令人满意。因此,TCG(Trusted ComputingGroup,可信计算组织)提出了可信计算的概念,这是一种新的计算平台,在软硬件上都做出了相应的规定,其目标是在整个计算设施中建立起一个比较完善的验证体系,来提升整个计算体系的安全性。在这个验证体系中,确保每个端点机的安全之后,不可避免的要在端点机之间进行网络连接以便完成网络行为,此时便需要使用计算平台中的远程认证。然而,传统的远程认证方法存在很多的显而易见的问题,它们是静态的、只进行一次性的认证,而且它们可能仅仅针对身份进行验证,这种方法其实是基于信任而不是基于行为。谁也无法确信拥有合法身份的端点就不会做出危害系统的行为,因为端点的程序很可能已经被篡改,而且这个合法的身份也很可能早已被恶意的实体所窃取。针对传统远程认证所存在的这些问题,参考了TCG所定义的关于网络连接的TNC架构(TCG Network Connect Architecture,TCG网络连接架构),设计出了一个基于客户/服务器模式的认证模型,这个模型当中的认证是动态的,它要进行持续的认证而并不是仅仅在初次连接时认证一次,而且它还对客户端的各个方面都进行安全性的评估,还时刻监视端点的行为,称之为语义远程认证。为了实现其通用的特性,采用当前最流行的独立于各种操作系统的Java虚拟机来作为平台。而且,这个模型虽然是参考自可信计算中的TNC架构,但其不仅仅可以运用于可信计算平台,而也可以应用于当前仍占主流的非可信计算平台。

【Abstract】 With the rapid development of computer technologies and network communications, the government, enterprises, institutions, various organizations and the individuals depend on the network more and more frequently, the applications of computer and network have been permeated into all kinds of fields such as politics, economy, society, education and military affairs. Meanwhile, all kinds of attacks such as computer virus, Trojan Programs and hackers attacks have made current computer network systems very vulnerable. And the loss caused by malicious behavior is immeasurable.The development of network application especially in electronic commerce has challenging network security mechanism. It becomes very necessary to keep network systems authentic, integrated, confidential, valid, rejecting-negative and so on. The current computer security ideology belongs to a kind of static mechanism which joins some security layers between PC and external networks such as password and encryption. The foundations of those security layers like operation systems and hardware systems are very vulnerable. It has been proved that the current security mechanism which couldn’t solve all kinds of security problems permanently is not very satisfying. So TCG(Trusted Computing Group) advances the conception of Trusted Computing and constitutes relevant regulations about software implementation and hardware platform. Trusted Computing belongs to a kind of computer platform and its objective is that building up a perfect verification system to enhance the security of computer system.In this verification system, remote communication between two hosts is necessary to implement network connections besides ensuring each host secure. Considering the communication security among hosts, remote authentication will be needed. Traditional remote authentication possesses of many obvious problems. For example, the authentication will be done only to identity and only once. And it belongs to a kind of static authentication and is implemented based on trust in hosts rather than in behavior. Because it is very possible that the programs in terminal hosts have been juggled and the legitimate identity has been filched by malicious entity, making sure that terminal hosts with legitimate identity will never damage to target systems becomes very impossible.In order to make up the defect of traditional authentication, an authentication structure based on client/server is produced according to network connection TNC defined by TCG. In this authentication structure, all authentications are dynamic and consistent. Other than verifying once at the beginning of connections, it will evaluate each aspect of terminal host related to security and monitor the behaviors of terminal host. This new authentication structure is called Semantic Remote Authentication. In order to make it universal, the most popular Java Virtual Machine is adopted as the development platform which is independent to operation system. Moreover, Semantic Remote Authentication is not only useful on the platform of Trusted Computing but also useful on the platform of Untrusty Computing.

  • 【分类号】TP393.08
  • 【被引频次】3
  • 【下载频次】63
节点文献中: