中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
利用双代理系统访问内部WEB服务器
作者: 张航进
答辩日期: 2001
专业: 计算机应用技术
授予单位: 中国科学院软件研究所
授予地点: 中国科学院软件研究所
学位: 博士
关键词: 双代理系统 ; 远程访问 ; 内部www ; 身份认证
摘要: 在很多情况下,例如公司员工出差,需要在外部网访问内部www服务器上的敏感信息,这种访问通过非安全的公开网络进行。我们的目标就是要保障这种远程访问的安全,也就是只有经过身份认证的合法用户才能进行访问,并且合法访问的数据在非安全的公开网络上传输是保密的,攻击者不能通过窃听合法用户的访问来获得敏感数据。虽然有许多方案可以达到这两个安全目标,但是我们希望安全方案对已有的系统尽量少作改动。尤其是对外部用户而言,我们必须考虑到易用性,不能为了实现安全远程访问而对原有的系统大动干戈,从而影响其正常的工作。我们也不希望外部用户的工作站上安装一大堆的配置文件、参数文件、密钥文件等等。同时,我们也不希望引入认证中心或可信第三方来保障远程访问的安全。本文提出一种基于SRP认证的双代理体系结构——E-Proxy和I-Proxy,分别作为外部代理和内部代理。客户端浏览器直接与E-Proxy通信,内部web服务器直接与I-Proxy通信,E-Proxy与I-Proxy之间采用安全通道进行通信,浏览器与web server之间的通信必须通过两个代理服务器来转发。在E-Proxy和I-Proxy建立起安全通道之前,必须先完成用户身份认证。完成身份认证后,才能进行HTTP数据的转发,并且转发的数据是加密的。身份认证和加密,正是实现两个安全目标的关键。双代理系统采用SRP作为身份认证手段,它只需要用户记住自己的口令字,就能进行安全的身份认证,而不必担心象其他基于口令的认证方式那样,容易遭受诸如字典攻击之类的攻击。本文还讨论了双代理系统的软件设计和代码实现。
英文摘要: Under certain circumstance, we need to remotely access internal sensitive data from outside network, for example, when we are in trip. That means the sensitive data is pass through insecure public network. Our goal is to secure that kind of access, that is, access permission is only granted to those who pass the authentication, and date passing through the public keeps confidential. We should protect the date from eavesdropping. Many systems achieve these goals, however, we prefer to the original network framework keeping untouched or only suffering minor modification. Especially for remote users, the security-enhanced subsystem must not destroy their owns systems. They hate to install piles of configuration files, parameter files or secret key files. Also, the trusted-third-parties or CAs are not in high priority to consider. This thesis presents a novel SRP-based dual-proxies authentication scheme to fit the security goals. The dual-proxies consist of an E-Proxy and an I-Proxy, which means external proxy and internal proxy respectively. The external browsers communicate with E-Proxy directly, while the internal web server communicate with I-Proxy directly. The two proxies themselves establish a secure channel to exchange data. The secure channel is the only path over which HTTP traffic can flow from the web server to browser. Before the secure channel is setup, an authentication process must be executed first. The authentication process also generates a secure session key shared by the two proxies. Afterwards, the HTTP traffic can be transported over the insecure public network securely, because all of the traffic is encrypted with the session key. Authentication and encryption are the essential technology to guarantee the security. The SRP protocol, which is adopted by the dual-proxies system, is an ease-to-use secure password-based authentication method. It demands only a user password to authenticate remotely. It differs from other password-based systems that it is immune to dictionary attack. This thesis also describes the design and implementation of the dual-proxies system.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/5754
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
LW004445.pdf(1041KB)----限制开放-- 联系获取全文

Recommended Citation:
张航进. 利用双代理系统访问内部WEB服务器[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2001-01-01.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[张航进]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[张航进]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace