
Research and Implementation of a Group Authentication System Based on Wireless UKey

Published: 2018-10-08 16:08
[Abstract]: In Party and government organs, dedicated controlled computers are now widely used to store and manage sensitive files in order to keep that information secure. However, storing and retrieving confidential files on these computers still carries certain security risks. In recent years in particular, as network technology has developed, information security problems of all kinds have become more prominent. Because the dedicated computers used by Party and government organs hold sensitive files, the security of that information is all the more important. Sensitive files on these computers are usually stored encrypted, so the key problems to solve are how permission to operate on a file is obtained and how the operator's identity is established. The prevailing identity verification method today is smart-card-based authentication: secret information is stored in the smart card, and only the cardholder can be authenticated. One weakness of this approach is that an attacker who learns the smart card password and obtains the smart card can impersonate the user. Another weakness is that it can leave a single person with excessive privileges, and there is no good defense against an insider attack. To address these shortcomings of existing identity authentication systems, this thesis proposes a new group authentication system based on a wireless UKey: when someone wants to operate on a confidential file, several people must grant the permission to do so. The research and implementation work covers both hardware and software. (1) Hardware: a new wireless UKey was developed in-house. The group authentication system requires the UKey to perform cryptographic computations and store keys, which UKeys on the market cannot satisfy, so the system uses a self-developed UKey with a relatively fast processing chip and a storage module with a relatively high level of security. In addition, because the dedicated computers used in Party and government organs are physically isolated from the Internet, different users have no communication channel during group authentication; the UKey is therefore designed with a wireless data transmission module so that it can transmit information wirelessly. (2) Software: the work mainly consisted of writing the UKey's internal cryptographic algorithms, the client for the dedicated computer, and the protocol of the group authentication system. Group authentication is carried out in two steps, personal identity authentication and group authorization, and permission to operate on confidential files is obtained only after both steps succeed. In the design, personal identity authentication uses the symmetric encryption algorithm AES and MD5, while group authorization uses the asymmetric encryption algorithm RSA. Because personal identity authentication is critical to the overall security of the group authentication system, the authentication process uses a new, independently designed authentication protocol.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP309; TN918.4



