What are some of the cyber security mechanisms?

Network security mechanisms fall into three types. First, an overview:

With the widespread adoption of the TCP/IP protocol suite on the Internet, information technology and network technology have developed rapidly, and with them security risks have increased dramatically. To protect the national public information network as well as corporate intranet and extranet information and data, security technology for information networks must be developed vigorously.

The goal of information and network security technology

Because of the openness, connectivity and freedom of the Internet, users enjoy all kinds of shared information resources, but there is also the danger that their own secret information may be infringed upon or maliciously damaged. The goal of information security is to keep confidential information that could be infringed upon or damaged out of the control of illegal outside operators; specifically, to achieve confidentiality, integrity, availability, controllability and related objectives.

Network security architecture

The International Organization for Standardization (ISO), on the basis of the Open Systems Interconnection Reference Model (OSI/RM), formulated in 1989 the rules for addressing network security in the OSI environment: the security architecture. It extends the basic reference model to cover all aspects of security, providing a conceptual, functional and consistent approach to secure communication in open systems. The OSI security architecture covers seven layers: the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer and the application layer. The security mechanisms carried out across these layers are:

1. Encryption Mechanisms

The reliability of an encryption technique is measured mainly by how difficult it is to decrypt the data without the key, which depends on the key length and on the algorithm.

1) Symmetric key encryption system

Symmetric key encryption uses the same key to encrypt and decrypt data: the sender and the receiver hold the same key. The typical symmetric algorithm is DES (Data Encryption Standard). The DES key length is 56 bits; its encryption algorithm is public, so its confidentiality depends only on the confidentiality of the key. Advantages: simple encryption processing and fast encryption and decryption. Disadvantage: key management is difficult.

2) Asymmetric key encryption system

The asymmetric key encryption system is also known as the public/private key system. Its characteristic is that different keys are used for encryption and decryption.

(1) The key to the asymmetric encryption system is to find a matching public key and private key and to use some mathematical method to make the encryption process irreversible without the other key: information encrypted with the public key can only be decrypted with the private key paired with it, and vice versa.

(2) The typical asymmetric algorithm is RSA, which is based on Euler's theorem from number theory; its security rests on the difficulty of factoring large numbers.

Advantages: (1) it solves the key management problem: with its unique key distribution system, keys are not spread outward even when the number of users grows significantly; (2) because keys have been distributed in advance, there is no need to transmit a key during communication, which greatly improves security; (3) it has very high encryption strength.

Disadvantage: encryption and decryption are slow.

2. Security authentication mechanism

In e-commerce activities, to ensure that business, transaction and payment activities are real and reliable, a mechanism is needed to verify the true identity of the parties involved. Security authentication keeps e-commerce activities running normally and involves security management, encryption processing, PKI and certification management, among other important issues. A complete set of technical solutions can be applied today: adopting internationally recognized technical standards such as PKI technology, the X.509 certificate standard and the X.500 directory standard allows certificates for secure authentication to be issued safely. Of course, the authentication mechanism also needs legal and regulatory support. The legal issues involved include credit legislation, electronic signature law, electronic transaction law, certification management law and so on.

1) Digital digest

A digital digest applies a one-way hash function to the information, transforming it into a fixed-length digest that is sent to the receiver together with the file. On receiving the file, the receiver computes another digest with the same transformation and compares it with the digest that was sent. This method verifies the integrity of the data.

2) Digital envelope

A digital envelope uses encryption to ensure that only the intended recipient can read the contents of the letter. Specifically: the sender encrypts the information with a symmetric key, then encrypts this symmetric key with the receiver's public key (this part is called the digital envelope), and sends both to the receiver; the receiver first opens the digital envelope with the corresponding private key to obtain the symmetric key, then uses the symmetric key to decrypt the information.

3) Digital Signature

A digital signature is a message or document signed electronically by the sender, indicating that the signer takes responsibility for its content. Digital signatures combine digital digests with asymmetric encryption to ensure data integrity while guaranteeing the authenticity of the data.

4) Digital Time Stamping

Digital Time Stamping Service (DTS) is a network security service that provides authentication of the time at which an electronic document was published. It is provided by a specialized agency, the DTS.

5) Digital certificates

A digital certificate (Digital ID) contains the certificate holder's relevant information and serves as the digital identity that proves the holder's identity on the network; it is issued by an authoritative certification authority (CA). The CA is an authoritative body specialized in verifying the identities of the parties to a transaction, and it issues digital certificates to the entities involved. The digital certificate is digitally signed by the CA, so no third party can modify its contents. The parties to a transaction prove their identity by presenting their digital certificates.

In e-commerce, digital certificates are mainly client certificates and merchant certificates. Client certificates are used to prove the identity of the client in e-commerce activities, and are generally installed on the client's browser. Merchant certificates are issued to merchants who provide services to clients, and are generally installed on the merchant's server to prove the legitimate identity of the merchant to the client.
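As an added example (not part of the original article), the Go program below plays out the CA, client and merchant roles with the Go standard library's X.509 implementation: the CA self-signs a root certificate, issues a client certificate and a merchant certificate under its signature, and the relying party checks the CA signature chain, the validity period and the role the certificate was issued for. The CA name, holder names, serial numbers, validity periods and the use of ECDSA P-256 keys are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the certification authority: its self-signed certificate plus the
// signing key that no one else holds.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func validity() (time.Time, time.Time) {
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

// NewCA creates the CA's self-signed root certificate (hypothetical CA name).
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	tmpl.NotBefore, tmpl.NotAfter = validity()
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue binds a holder's name and fresh public key to a role (client or
// merchant/server, expressed as an extended key usage) under the CA's signature.
// It returns the DER certificate; the holder keeps the private key.
func (ca *CA) Issue(serial int64, holder string, role x509.ExtKeyUsage) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: holder},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{role}}
	tmpl.NotBefore, tmpl.NotAfter = validity()
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	return der, key, err
}

// Accept is what the relying party does with a presented certificate: parse it,
// check the CA signature and validity period, and confirm the role it was
// issued for. On success it returns the holder name the CA vouched for.
func Accept(der []byte, trusted *x509.Certificate, role x509.ExtKeyUsage) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewCA("Example Trade CA")
	if err != nil {
		panic(err)
	}
	clientDER, _, err := ca.Issue(2, "client-alice", x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println(Accept(clientDER, ca.Cert, x509.ExtKeyUsageClientAuth)) // client-alice <nil>
	// The same certificate does not prove a merchant identity.
	fmt.Println(Accept(clientDER, ca.Cert, x509.ExtKeyUsageServerAuth))
	// A third party edits the holder name; the CA's signature no longer matches.
	forged := bytes.Replace(clientDER, []byte("client-alice"), []byte("client-carol"), 1)
	fmt.Println(Accept(forged, ca.Cert, x509.ExtKeyUsageClientAuth))
}
```

The edited certificate is rejected because the CA's signature covers the whole certificate body; the relying party also rejects a certificate signed by any CA it does not trust, and a client certificate presented in the merchant role. In a real deployment the root certificate would be installed in the browser or server trust store and the relying party would additionally check revocation, which this example omits.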

3. Access control policy

Access control is the main strategy for network security prevention and protection. Its main task is to ensure that network resources are neither used illegally nor accessed abnormally, and it is an important means of maintaining network system security and protecting network resources. The various security strategies must cooperate with each other to truly play a protective role. Below we distinguish several common access control policies.

1) Network admission access control

Network admission access control provides the first level of control over access to the network. It controls which users can log on to the server and obtain network resources, as well as when and from where users may enter the network.

User admission access control can be divided into three steps: identification and verification of the user name, identification and verification of the user password, and checking the default limits of the user account. Only after passing all of these checks can the user enter the network.

Verification of the user name and password is the first line of defense against illegal access. When a user logs in, he or she first enters a user name and password, and the server verifies that the user name entered is legitimate; only if it is does the server go on to verify the password entered, otherwise the user is rejected from the network. The user password is the key to the user's access to the network. To keep the password secure, it must not be shown on the screen, its length should be no less than 6 characters, its characters should preferably mix numbers, letters and other characters, and the password must be encrypted. There are a number of encryption methods, the most common being: password encryption based on a one-way function, password encryption based on a test mode, password encryption based on a public key encryption scheme, password encryption based on quadratic residues, password encryption based on polynomial sharing, password encryption based on a digital signature scheme, and so on. Users can also use a one-time password or a portable authenticator (e.g., a smart card) to verify their identity.
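The three admission steps above (user name, password, account limits), the password policy and the one-way-function storage of passwords can be put together in a small login check. The Go program below is an added example, not code from the original article: it stores only a salt and a PBKDF2-HMAC-SHA256 hash of each password (the one-way function is written out with the standard library), enforces the length and character-mix rules stated in the text, and checks account limits (disabled flag and expiry date) as the third step. The account names, passwords, expiry dates and the iteration count are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

const iterations = 100_000 // PBKDF2 work factor (constructed value; tune to your hardware)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) producing 32 bytes, written out with
// the standard library so the block runs on Go versions without crypto/pbkdf2.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write(binary.BigEndian.AppendUint32(nil, 1)) // block index 1 is enough for 32 bytes
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// CheckPolicy enforces the rules stated in the text: at least 6 characters,
// mixing digits, letters and other characters.
func CheckPolicy(pw string) error {
	isOther := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	switch {
	case len([]rune(pw)) < 6:
		return errors.New("password shorter than 6 characters")
	case strings.IndexFunc(pw, unicode.IsDigit) < 0, strings.IndexFunc(pw, unicode.IsLetter) < 0, strings.IndexFunc(pw, isOther) < 0:
		return errors.New("password must mix digits, letters and other characters")
	}
	return nil
}

// Account is what the server stores: never the password itself, only a salt and
// its one-way hash, plus the account limits checked in the third step.
type Account struct {
	Salt, Hash []byte
	Disabled   bool
	Expires    time.Time
}

type Server struct{ accounts map[string]*Account }

func NewServer() *Server { return &Server{accounts: map[string]*Account{}} }

// Register stores a new account after the policy check.
func (s *Server) Register(name, pw string, expires time.Time) error {
	if err := CheckPolicy(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.accounts[name] = &Account{Salt: salt, Hash: pbkdf2([]byte(pw), salt, iterations), Expires: expires}
	return nil
}

var dummy = &Account{Salt: make([]byte, 16), Hash: make([]byte, 32)}

// Login performs the three steps in order: user name, password, account limits.
// The password is always hashed and compared in constant time, even for an
// unknown user name, so response time does not reveal which names exist.
func (s *Server) Login(name, pw string, now time.Time) error {
	acct, known := s.accounts[name]
	if !known {
		acct = dummy
	}
	match := subtle.ConstantTimeCompare(pbkdf2([]byte(pw), acct.Salt, iterations), acct.Hash) == 1
	if !known {
		return errors.New("unknown user name")
	}
	if !match {
		return errors.New("wrong password")
	}
	if acct.Disabled || now.After(acct.Expires) {
		return errors.New("account disabled or expired")
	}
	return nil
}

func main() {
	s := NewServer()
	exp := time.Now().Add(30 * 24 * time.Hour)
	fmt.Println("letters+digits only:", s.Register("alice", "abc123", exp))
	fmt.Println("register:", s.Register("alice", "Tr4de-Secure!", exp))
	fmt.Println("correct login:", s.Login("alice", "Tr4de-Secure!", time.Now()))
	fmt.Println("wrong password:", s.Login("alice", "Tr4de-Secure?", time.Now()))
	fmt.Println("unknown user:", s.Login("mallory", "Tr4de-Secure!", time.Now()))
	fmt.Println("expired account:", s.Login("alice", "Tr4de-Secure!", exp.Add(time.Hour)))
}
```

The distinct error values are for the server's own log; the message returned to the client should be the same generic "login failed" for an unknown name and a wrong password, since a different reply at the user-name step would tell an outsider which names exist.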

2) Privilege control of the network

Privilege control of the network is a security measure against illegal operations on the network. Users and user groups are given certain privileges, and the network controls which directories, subdirectories, files and other resources they can access and which operations they can perform on those files, directories and devices. By their access privileges, users can be classified as: (1) special users (i.e., system administrators); (2) general users, to whom the system administrator assigns operating privileges according to their actual needs; and (3) auditing users, who are responsible for the security control of the network and for auditing the use of resources. Users' access rights to network resources can be described in an access control table.

3) Directory-level security control

The network should allow control of user access to directories, files and devices. Permissions specified for a user at the directory level apply to all files and subdirectories in that directory, and permissions for subdirectories and files under it can be specified further. There are generally eight types of access privileges to directories and files: system administrator privileges (Supervisor), read privileges (Read), write privileges (Write), create privileges (Create), delete privileges (Erase), modify privileges (Modify), file search privileges (FileScan) and access control privileges (AccessControl). A user's effective permissions to a file or object depend on two factors: the trustee assignments of the user and of the user's group, and the user's permissions revoked by the inherited rights mask. A network system administrator should assign users appropriate access rights that control their access to the server. An effective combination of the eight access rights allows users to do their jobs efficiently while effectively controlling their access to server resources, thus strengthening network and server security.
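The effective-rights rule just described (trustee assignments of the user and of the user's groups, with inherited rights revoked by a per-directory mask, and Supervisor overriding the mask) can be computed directly over a directory tree. The Go program below is an added example, not code from the article or from any file server: it models the eight rights as bits, assumes NetWare-style semantics in which an explicit assignment at a directory replaces what that principal would inherit, and builds a constructed three-level tree with constructed user and group names to show the rights changing level by level.

```go
package main

import (
	"fmt"
	"strings"
)

// Right is a bit for each of the eight directory/file rights named in the text.
type Right uint8

const (
	Supervisor Right = 1 << iota
	Read
	Write
	Create
	Erase
	Modify
	FileScan
	AccessControl
	All = Supervisor | Read | Write | Create | Erase | Modify | FileScan | AccessControl
)

// String renders rights in the usual one-letter form, e.g. "[ RWCEMF ]".
func (r Right) String() string {
	var b strings.Builder
	for i, letter := range "SRWCEMFA" {
		if r&(1<<i) != 0 {
			b.WriteRune(letter)
		} else {
			b.WriteByte(' ')
		}
	}
	return "[" + b.String() + "]"
}

// Dir is one node of the directory tree. Trustees holds the explicit assignments
// at this directory, keyed by user or group name; Filter is the inherited rights
// mask: the rights that assignments made higher up are allowed to pass down.
type Dir struct {
	Name     string
	Parent   *Dir
	Trustees map[string]Right
	Filter   Right
}

// rightsOf computes one principal's rights in d. An explicit assignment at d
// replaces anything inherited; otherwise the parent's rights flow down through
// the mask. Supervisor, once granted above, cannot be masked out.
func rightsOf(d *Dir, principal string) Right {
	if d == nil {
		return 0
	}
	if r, ok := d.Trustees[principal]; ok {
		return r
	}
	inherited := rightsOf(d.Parent, principal)
	if inherited&Supervisor != 0 {
		return All
	}
	return inherited & d.Filter
}

// Effective is the union of the user's own rights and those of each group the
// user belongs to: the two trustee factors named in the text.
func Effective(d *Dir, user string, groups ...string) Right {
	r := rightsOf(d, user)
	for _, g := range groups {
		r |= rightsOf(d, g)
	}
	if r&Supervisor != 0 {
		return All
	}
	return r
}

// Allowed reports whether every right in want is present in have.
func Allowed(have, want Right) bool { return have&want == want }

// sampleTree builds a constructed tree: the volume root, a SALES directory and
// an ARCHIVE subdirectory whose mask lets only read and file-scan rights through.
func sampleTree() *Dir {
	root := &Dir{Name: "SYS:", Filter: All, Trustees: map[string]Right{
		"admin": Supervisor,
		"staff": Read | FileScan,
	}}
	sales := &Dir{Name: "SYS:SALES", Parent: root, Filter: All, Trustees: map[string]Right{
		"alice": Read | Write | Create | Erase | Modify | FileScan,
	}}
	return &Dir{Name: "SYS:SALES/ARCHIVE", Parent: sales, Filter: Read | FileScan}
}

func main() {
	archive := sampleTree()
	for d := archive; d != nil; d = d.Parent {
		fmt.Printf("%-18s alice %v  bob %v  admin %v\n", d.Name,
			Effective(d, "alice", "staff"), Effective(d, "bob", "staff"), Effective(d, "admin"))
	}
	fmt.Println("alice may write in ARCHIVE:", Allowed(Effective(archive, "alice", "staff"), Write))
}
```

Walking the tree from the root down makes the two factors visible: alice gains write rights in SALES from her own trustee assignment, keeps the group's read and scan rights everywhere, and loses everything but read and scan in ARCHIVE because its mask revokes the rest, while the Supervisor right assigned to admin at the root passes through every mask unchanged.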

With the development of computer and communications technology, computer networks are increasingly becoming an important means of information exchange in industry, agriculture and national defense, penetrating all areas of social life. Recognizing the vulnerability of networks and the potential threats, and adopting a strong security strategy to protect the security of network information transmission, will therefore become very important.