高级检索

    安全域间信息资源访问的协议和方法

    Security Protocol and Scheme for Inter-Realm Information Accessing

    • 摘要: 为了保护内部网络的安全,必须设置应用边界安全设备. Internet上不同的应用安全域间要实现信息资源的安全访问,首先需要认证. Kerberos是目前比较常用的认证协议,一般的应用边界安全设备(如Socks5)中就应用了该认证协议,但应用该协议存在一定的缺陷:在应用边界安全设备链的认证过程中,资源域中的应用边界安全设备认证对象是主体域中的应用边界安全设备,而不是真正发起资源请求的客户端,因此资源域中的应用边界安全设备审计的对象是主体域中的应用边界安全设备,而不是真正的客户端.在Kerberos域间认证的基础上,给出了新的域间认证协议以及身份传递协议,使用新的协议不仅能够提供应用边界安全设备对用户访问请求的安全审计而且只需要两次域间的网络连接,这两次域间网络连接不需要主体和客体直接进行,而是通过应用边界安全设备完成的,提高了系统的通信效率,扩大了该系统的应用范围,适合于现有的企业网环境,能有效地解决企业网与企业网之间的信息安全传输.

       

      Abstract: In order to improve the security of Intranet, application boundary security devices must be set. In order to access resources in different application areas on Internet in a security way,authentication is the first key step. Kerberos is an authentication protocol that is widely used. It is applied in application boundary security devices such as socks5. But there exists some limitation. In the processing of authentication between application boundary security devices, the object authenticated by application boundary security device at resource realm is not client which requests the resource, but application boundary security device at principal realm. So the object audited by application boundary security device at resource realm isn't the really one. A new inter-realm authentication protocol and a new identity-passing protocol based on Kerberos v5 inter-realm authentication protocol are presented in this paper. The proposed protocols can not only supply the security audit for user's access requests at application boundary security devices but also improve the efficiency of communication system because it needs only two connections between realms and the connection is setup not by subjects and objects but by application boundary security device. The proposed scheme can solve the problem of security information transferring between enterprise networks which will expand its application boundary including current enterprise network.

       

    /

    返回文章
    返回