Research on Security Management Techniques for Mobile Storage Media
Topic of this thesis: mobile storage media. Entry point: access authentication. Source: Nanjing Normal University, master's thesis, 2013.
[Abstract]: With the rapid development of computer technology and the widespread adoption of network technology, the ways in which information is stored, processed and transmitted have changed fundamentally; informatization, digitization and networking have become the development trend of information systems. As an important carrier for information transmission and data exchange, mobile storage media are widely used on the intranets of Party and government organs, the military, research institutes, enterprises and public institutions. Alongside their convenience, mobile storage media bring security risks: information security incidents caused by them are frequently reported, causing their users great economic losses and adverse social impact, and even threatening national security.
This thesis summarizes and analyzes current security management technologies and products for mobile storage media, and identifies the problems they have in access authentication, risk assessment and privilege management. On this basis it proposes, from a systematic point of view, a whole-life-cycle security management scheme for mobile storage media. The process by which a medium is admitted to a trusted intranet is divided into four stages, registration, authentication, risk assessment and dynamic authorization, with real-time behavior auditing and logging at each stage, so that the use of mobile storage media can be managed systematically.
To improve the security of access authentication, the thesis analyzes the risks of authenticating a mobile storage device only by the medium's unique identifier, or only by a user name or password, and proposes a new access authentication scheme that binds the user to the mobile storage medium. When a user connects a medium holding authentication information to a trusted terminal on the trusted intranet, the terminal receives the user's account and password, encrypts the authentication information stored on the device and sends it to the authentication server on the network; only a device that passes this legitimacy check is admitted to the system. The correctness, security and completeness of the new scheme are analyzed, and its practicality and efficiency are verified experimentally. The scheme addresses the user-change attacks, interception attacks, forged-medium attacks and replay attacks that existing authentication mechanisms may face.
The thesis defines risk assessment indicators for admitting mobile storage media to an intranet and builds a comprehensive risk evaluation model based on FCE-AHP. Following industry standards and the specific characteristics of mobile storage media, the risk factors of intranet access are analyzed and an overall risk score is computed with the FCE-AHP method. A dynamic authorization scheme driven by the assessment result is designed, which takes changes in user identity information and in the security state of the intranet into account when assigning permissions. The risk assessment result obtained in real time is combined with the initial permissions of the medium's user to assign permissions dynamically, and all operations and alarms are recorded in the log. Finally, a worked test confirms that the risk evaluation model and the dynamic authorization scheme are scientifically sound and reasonable.
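As an added illustration, not code from the thesis, the following Python block works the FCE-AHP (fuzzy comprehensive evaluation with AHP weighting) risk assessment and dynamic authorization step described above through one constructed case: AHP pairwise judgements give the indicator weights with a consistency check, fuzzy comprehensive evaluation turns per-indicator membership degrees into a risk score, and an assumed policy shrinks the user's initial permission set as that score rises. The indicator set, pairwise matrix, membership degrees, level scores and thresholds are all assumptions for this example, not values from the thesis.

```python
from math import prod

RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}  # Saaty random-consistency indices
LEVELS = ("low", "medium", "high")                  # assumed fuzzy risk levels
LEVEL_SCORE = (1.0, 2.0, 3.0)                       # score per level, used to defuzzify B
# Assumed risk indicators for a medium joining the intranet (row order of A and R):
# registration status, malware scan result, terminal security state, user identity change.
A = [[1, 3, 2, 5],           # constructed pairwise AHP judgements (Saaty 1-9 scale)
     [1 / 3, 1, 1 / 2, 2],
     [1 / 2, 2, 1, 3],
     [1 / 5, 1 / 2, 1 / 3, 1]]
R = [[0.7, 0.2, 0.1],        # constructed membership of each indicator in (low, medium, high)
     [0.2, 0.5, 0.3],        # the scan flagged something suspicious
     [0.6, 0.3, 0.1],
     [0.1, 0.4, 0.5]]        # the user account bound to the medium changed recently

def ahp_weights(matrix):
    """Indicator weights by the geometric-mean method, plus the consistency ratio CR."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n   # estimate of the principal eigenvalue
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    return w, (ci / RI[n] if RI[n] else 0.0)            # CR < 0.1: judgements are consistent

def fuzzy_evaluate(w, memberships):
    """FCE: B = W * R with the weighted-sum operator, then a scalar risk score in [1, 3]."""
    b = [sum(w[i] * memberships[i][k] for i in range(len(w))) for k in range(len(LEVELS))]
    return b, sum(bk * s for bk, s in zip(b, LEVEL_SCORE))

def dynamic_permissions(initial, score):
    """Assumed policy: trim the user's initial permission set as the assessed risk grows."""
    if score < 1.5:
        return set(initial)                           # low risk: keep the initial grant
    if score < 2.3:
        return set(initial) - {"write", "execute"}    # medium risk: read-only access
    return set()                                      # high risk: block the medium entirely

def assess(initial=("read", "write", "execute")):
    """Run the pipeline on the constructed case and return what the audit log would record."""
    w, cr = ahp_weights(A)
    if cr >= 0.1:
        raise ValueError("inconsistent AHP judgements, CR=%.3f" % cr)
    b, score = fuzzy_evaluate(w, R)
    return {"weights": w, "cr": cr, "B": b, "score": score,
            "granted": dynamic_permissions(initial, score)}

if __name__ == "__main__":
    print(assess())
```

For the constructed case the score lands in the medium band, so a user who started with read, write and execute rights is cut back to read-only, and the weights, CR and membership vector B are returned together so they can be written to the audit log alongside the decision.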
[Degree-granting institution]: Nanjing Normal University
[Degree level]: Master's
[Year of degree]: 2013
[Classification number]: TP333
Article number: 1714476
Link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1714476.html