一种Linux登录认证安全增强方案的设计与实现

发布时间：2018-02-16 11:12

本文关键词： 可信输入 Linux操作系统登录认证插件式认证模块(PAM)　出处：《北京交通大学》2014年硕士论文　论文类型：学位论文

【摘要】：随着互联网的迅速发展,信息安全的重要性日益突出,其中操作系统用户登录认证作为系统安全的第一道防线,其重要性不言而喻。一方面,由于操作系统本身并不安全,恶意用户很可能利用这些脆弱点截获系统用户的登录口令：另一方面,系统用户为了口令易记性,会长期使用相同的登录口令,甚至将不同用途的账号口令设置为同一个,因此,就算清除了恶意程序,安全威胁依然存在,口令的丢失可能会给用户带来巨大损失。论文主要基于Linux操作系统,针对特定的操作系统安全威胁,对该系统原有的登录认证方案进行了改进。方案主要利用PAM(插件式认证模块)机制,并结合迪菲—赫尔曼密钥交换(DH密钥交换)协议,将口令输入的处理过程从原有的登录认证系统中分离出来,并通过专用芯片对输入过程进行加密及封装处理,从而达到对口令输入过程的保护,防止操作系统的不安全性对口令的输入过程造成影响。论文的主要工作有：(1)设计了Linux操作系统登录认证安全增强方案,主要模块有安全输入模块、登录认证模块和口令更新模块;(2)针对上述三个模块,从它们各自的设计、接口函数、开发流程等方面对方案进行了详细说明；(3)实现了Linux安全登录认证方案中的安全输入模块、登录认证模块、以及口令更新模块,并在国产的计算机软硬件平台上对该原型系统进行测试。图23幅,表2个,参考文献36篇。
[Abstract]:With the rapid development of the Internet, the importance of information security is becoming more and more prominent. As the first line of defense of system security, the user login authentication of operating system is self-evident. On the one hand, because the operating system itself is not secure, Malicious users are likely to take advantage of these vulnerabilities to intercept system users' login passwords: on the other hand, system users will use the same login password for a long period of time, even setting the password for different purposes to the same account, for the sake of easy to remember the password. Therefore, even if the malicious program is cleared, the security threat still exists, and the loss of password may bring huge losses to the user. This paper mainly based on Linux operating system, aiming at the specific operating system security threat, has carried on the improvement to the original login authentication scheme of this system, the scheme mainly uses the pam (plug-in authentication module) mechanism. Combined with the Diffee-Herman key Exchange (DH) protocol, the process of password input is separated from the original login authentication system, and the input process is encrypted and encapsulated by a special chip. In order to achieve the protection of password input process and prevent the operating system insecurity from the password input process. The main work of this paper is to design a security enhancement scheme for login authentication of Linux operating system. The main modules include security input module, login authentication module and password update module. Interface function, development flow and other aspects of the scheme are described in detail. (3) the security input module, login authentication module and password update module of Linux security login authentication scheme are implemented. The prototype system is tested on the computer software and hardware platform made in China. There are 23 figures, 2 tables and 36 references.
【学位授予单位】：北京交通大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【参考文献】