Shanghai Jiao Tong University, Master's Thesis
Research on an XML-Based Security Policy for Remote Database Access
Name: 秦建丰
Degree applied for: Master
Major: Communication and Information Systems
Supervisor: 薛质
20060101

RESEARCH ON ONE KIND OF XML BASED SECURE POLICY OF REMOTE DATABASE ACCESS

ABSTRACT

Nowadays, with the development of computer applications and information technology, we always fall back on the network to share resources. However, the security of remote database access has become a focal problem in resource sharing. During remote database access, illegal access to the database results in data loss and data tampering. The transmitted data can also be stolen, intercepted, and manipulated. To avoid these security problems, it is necessary to find a new security policy for remote database access. This paper proposes a security policy based on XML for remote database access. The policy is dedicated to the data in the remote data set and the data transmitted over the network. It ensures a security level matched to the security level of the data when that data is accessed or transmitted.

This paper mainly discusses the problems confronted in the information security field and the security problems that occur in remote database access and data transmission. It then expounds the common techniques used to solve those problems. Part 2 addresses the security problems that occur during remote database access and data transmission and proposes a policy model based on XML. It analyses the implementation of this policy model using related security technology. Part 3 emphasizes the application of the model in e-business and puts forward future research directions based on this model.

In conclusion, a security policy based on XML for remote database access will strengthen the security of remote database access. This policy model can be used as a common solution in e-business and e-shopping. The proposed framework is general and easy to extend, and it has great application prospects.

Keywords: XML, XML security, authentication, authorization, encryption, e-business

Intranet/Internet, PKI, XML
Internet, 70%
TCP/IP, IP, Lotus Notes, E-mail, SNMP
ISO 7498-2: Authentication, Access Control, Data Confidentiality, Data Integrity, Non-repudiation
Kerberos, PGP
WAN, Modem + ISP
3-1 XML
IP, QoS (Quality of Service) / CoS (Class of Service), PBN, TCO

4.1.1 Cryptography, Key, Key encryption, Key decryption algorithms
4.1.2
4.1.2.1 DES, AES
C, P, k, E() / D(): $C = E(P, k)$, $P = D(C, k)$
DES, 3-DES, RC2, RC5, RC6, Rijndael, AES
DES: 64 bit, 56 bit
IDEA: 64 bit, 128 bit
AES: 128 bit, 128/192/256 bit
1 DES: Confusion, Diffusion; L0, R0; K1 ... K16; f(Ri, Ki); S1, S2 ... S8, 6 bit, 4 bit; L1, R1; R15, L15
2 AES: 1997, NIST (National Institute of Standard and Technology), AES (Advanced Encryption Standard); Rijndael, Square; 128 bit, 128/192/256 bit, r, 10/12/14; Wide Trail Strategy
4.1.2.2 RSA, Key Pair; RSA, ECC, DSA; RSA, 1024
4.2.1 ID
4.2.3 token
4.2.3.1 PIN, ID
4.2.3.2 Intelligent card: CPU, RAM, ROM, EEPROM, 250 Byte, 4 KByte, EPROM, PIN, ISO
4.2.4 PKI (Public Key Infrastructure)
4.2.4.1 PKI, Internet, CA (Certification Authority), PKI/CA
4.2.4.2 PKI: CA, RA, LRA, CRL, OCSP
4.2.4.3 PKI: MAC
4.2.5 KERBEROS: Kerberos, MIT, 1985, Athena, Needham, Schroeder
4.2.5.1 KERBEROS: MIT, Athena, Kerberos V1, V3, V4, 1988, V5, 1994, Internet RFC1510
4.2.5.2 KERBEROS: TGS, Ticket
4.2.5.3 KERBEROS: TCP/IP
C, AS, V, TGS; $ID_c$ (C), $ID_v$ (V), $ID_{tgs}$ (TGS), $AD_c$ (C), $P_c$ (C), $K_v$ (TGS, V), $K_{tgs}$ (AS, TGS), $K_{c,v}$ (C, V), $K_{c,tgs}$ (C, TGS), Lifetime, $TS_i$, $K_c$ (AS, C)
1 C, AS:
$Ticket_{tgs} = E_{K_{tgs}}[K_{c,tgs} \| ID_c \| AD_c \| ID_{tgs} \| TS_2 \| Lifetime_2]$
2 C, TGS:
$Authenticator_c = E_{K_{c,tgs}}[ID_c \| AD_c \| TS_3]$
$Ticket_v = E_{K_v}[K_{c,v} \| ID_c \| AD_c \| ID_v \| TS_4 \| Lifetime_4]$
3 C, V: $TS_5 + 1$
$Authenticator_c = E_{K_{c,v}}[ID_c \| AD_c \| ID_v \| TS_5]$
4.2.6
4.3.1
1 Subject
2 Object
3 Access (Subject, Object)
4 Access Permissions
5 Access right, Permission
6 Access level
7 ACL (Access Control List)
4.3.2
4.3.3 IT, factor
1 Password
2 Token, COM
3 Biometric: Face recognition, Fingerprints, Hand Geometry, Iris Recognition, Palm Prints, Retina pattern, Signature, Voice, Body odors, Ear shape and structure, Keystroke dynamics, DNA
4 Geography
5 User profiling: profile, out-of-character behavior
4.3.4 ISO, AAA: Authentication, Authorization, Accounting
4.3.5
Figure 4.1 Three familiar access control policies
Bell-LaPadula
3 Role
:AccessContr
Document title: Research on an XML-Based Security Policy for Remote Database Access
Link: https://www.777doc.com/doc-801261.html