Research on Security Management Technology for Removable Storage Media
Published: 2018-04-05 11:01
Topic: removable storage media. Focus: access authentication. Source: Nanjing Normal University, master's thesis, 2013
[Abstract]: With the rapid development of computer technology and the spread of networking, the way information is stored, processed and transmitted has changed fundamentally; informatization, digitization and networking have become the development trend of information systems. As an important carrier for information transfer and data exchange, removable storage media are widely used in the intranets of Party and government organs, the military, research institutes, enterprises and public institutions. The convenience of removable storage media comes with security risks: information security incidents caused by removable media are frequently reported, causing heavy economic losses and adverse social effects for their users and even threatening national security.

This thesis surveys and analyzes current security management technologies and products for removable storage media, and identifies the problems they have in access authentication, risk assessment and permission management. On this basis it proposes, from a systemic perspective, a whole-lifecycle security management scheme for removable storage media. The process of connecting a medium to a trusted intranet is divided into a registration stage, an authentication stage, a risk assessment stage and a dynamic authorization stage, with real-time behavior auditing and logging in every stage, so that the use of removable media can be managed systematically.

To strengthen access authentication, the thesis analyzes the security risks of authenticating a removable storage device solely by the medium's unique identifier, or solely by a user name or password, and proposes a new secure access authentication scheme that binds the user to the removable storage medium. When a user connects a medium carrying authentication information to a trusted terminal on the trusted intranet, the terminal receives the user's account and password, encrypts the authentication information stored on the device and sends it to the authentication server on the network for verification; only devices that pass this legitimacy check are admitted to the system. The correctness, security and completeness of the new scheme are analyzed, and experiments verify its practicality and efficiency. The scheme addresses problems that existing authentication mechanisms may face, including user-change attacks, interception attacks, forged removable media and replay attacks.

The thesis then defines risk assessment indicators for removable media connecting to the intranet and builds a comprehensive risk evaluation model based on FCE-AHP (fuzzy comprehensive evaluation combined with the analytic hierarchy process). Drawing on industry standards and the specific problems of removable media, it analyzes the risk factors of intranet access and computes an overall risk assessment with the FCE-AHP method. A dynamic authorization scheme is designed that assigns permissions according to the risk assessment results and also takes changes in user identity information and in the intranet's security state into account. Real-time risk assessment results are combined with the user's initial permissions to assign permissions to the medium dynamically, and all operations and alarm information are written to the log. Finally, a case test confirms that the risk assessment model and the dynamic authorization scheme are scientifically sound and reasonable.
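As an added illustration of the FCE-AHP risk scoring and risk-driven dynamic authorization described above (example code, not the thesis's own), the four indicators, the pairwise judgements, the membership grades and the permission policy are all constructed assumptions; the AHP weights come from the row geometric-mean method with a consistency-ratio check.

```python
# Illustrative FCE-AHP risk scoring with risk-driven permission scaling for removable-media
# access. Added example, not the thesis's own code: the indicators, pairwise judgements,
# membership grades and permission policy below are constructed assumptions.
import math

RISK_LEVELS = ("low", "medium", "high")          # fuzzy comment set V
INDICATORS = ("media_registered", "user_identity", "terminal_state", "av_status")  # set U
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}        # Saaty's random index RI for n = 3..5

# Saaty 1-9 pairwise comparison matrix over INDICATORS (constructed judgements).
PAIRWISE = [[1.0, 2.0, 3.0, 4.0],
            [1 / 2, 1.0, 2.0, 3.0],
            [1 / 3, 1 / 2, 1.0, 2.0],
            [1 / 4, 1 / 3, 1 / 2, 1.0]]

def ahp_weights(a):
    """AHP weights via row geometric means; CR < 0.1 means the judgements are consistent.
    lambda_max is approximated as the mean of (A w)_i / w_i."""
    n = len(a)
    gm = [math.prod(row) ** (1.0 / n) for row in a]
    w = [g / sum(gm) for g in gm]
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    cr = ((lam - n) / (n - 1)) / RANDOM_INDEX[n]
    return w, cr

def fce_level(weights, membership):
    """Fuzzy comprehensive evaluation B = W . R with the weighted-average operator; row i of R
    is indicator i's membership in RISK_LEVELS. The level follows the max-membership rule."""
    b = [sum(w * r[k] for w, r in zip(weights, membership)) for k in range(len(RISK_LEVELS))]
    return b, RISK_LEVELS[max(range(len(b)), key=b.__getitem__)]

def authorize(initial_perms, level):
    """Dynamic authorization: initial rights are the ceiling, assessed risk only removes
    rights (constructed policy). Returns the granted set plus an audit record for the log."""
    allowed = {"low": set(initial_perms), "medium": set(initial_perms) & {"read"},
               "high": set()}[level]
    return allowed, {"level": level, "granted": sorted(allowed), "alarm": level == "high"}

def assess(membership, initial_perms=("read", "write", "execute")):
    """One access request: AHP weights -> fuzzy risk level -> permission set and audit entry."""
    w, cr = ahp_weights(PAIRWISE)
    if cr >= 0.1:
        raise ValueError(f"inconsistent pairwise judgements, CR={cr:.3f}")
    _, level = fce_level(w, membership)
    return (level,) + authorize(initial_perms, level)

# Constructed membership grades: registered medium, known user, clean terminal, stale AV.
SAMPLE_R = [[0.7, 0.2, 0.1], [0.6, 0.3, 0.1], [0.2, 0.5, 0.3], [0.1, 0.3, 0.6]]
```

Calling `assess(SAMPLE_R)` yields the level "low" and the full initial permission set; a medium whose first indicator row leans toward "high" (for example an unregistered device on an untrusted terminal) is denied and flagged for an alarm entry.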
Degree-granting institution: Nanjing Normal University
Degree level: Master's
Year degree awarded: 2013
Classification number: TP333
Article number: 1714476
Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1714476.html