
Design and Implementation of a Terminal Secure Access System in Private Networks

Published: 2018-11-19 20:44
[Abstract]: With the rapid development of network and computer technology, new security challenges keep emerging, while traditional security protection mechanisms focus on the network and servers and overlook the security of the access terminals themselves, which makes it difficult to achieve the desired protection. To address network security problems at the source of the threats, the Trusted Computing Group (TCG) proposed the Trusted Network Connect (TNC) architecture, which achieves trusted network access by verifying the integrity state of terminals joining the network and has become a research hotspot in network security and trust. Building on a study of existing mature access authentication architectures, protocols, and trusted-network theory, and in order to evaluate the trusted state of terminals quantitatively, this thesis draws on the Extensible Authentication Protocol (EAP) and the 802.1X architecture to design a credibility-based network access remediation mechanism. The main work completed is as follows: first, an enhanced and improved trusted network access scheme is proposed, namely the credibility-based network access remediation mechanism, including the design of its framework, protocol, process, and policies; then the concepts related to credibility are proposed and the algorithm is described in detail; next, the robustness and correctness of the trusted access mechanism are formally analyzed; finally, an access remediation system is designed, and application analysis and application experiments are carried out to demonstrate the practicality of the mechanism. The innovations of the thesis are: the concept of credibility for analyzing how trustworthy a terminal is, together with its detailed algorithm; the implementation mechanism for trusted access and remediation, including the framework architecture, protocol encapsulation, implementation process, and policy formulation; and the entity function modules of a trusted access remediation application system, which help to further verify the practicality of the mechanism. In a private network, a terminal secure access system is an important means of ensuring the secure operation of the internal network and reducing security incidents. Among security incidents of all kinds, those caused by illegitimate terminals connecting to the network account for a large proportion, so access authentication and authorization of host terminals in the LAN is necessary. The credibility-based network access remediation mechanism quantitatively evaluates the degree of trust of terminals joining the network and, combined with terminal identity information, applies different access remediation policies: it blocks terminals that do not meet the access policy, and it allows terminals with legitimate identity and privileges to raise their own trust through remediation operations so that they meet the access requirements. This ensures the security of the network while also improving its practicality.
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08


Article number: 2343377


Link to this article: http://sikaile.net/guanlilunwen/ydhl/2343377.html

