With the rapid development of information technology applications, the continuous popularization of Internet applications, the development of network-based business activities and the acceleration of global economic integration, people are enjoying the huge benefits brought by information. , are also facing the severe test of information security. According to the "2009 Survey Report on the Network Information Security Situation of Chinese Netizens" jointly released by the China Internet Network Information Center and the National Internet Emergency Center, in 2009, 71.9% of netizens found that their browser configurations had been modified, and 50.1% of netizens found that the network system could not Using it, 45.0% of netizens found that data files were damaged, 41.5% of netizens found that the operating system crashed, and 32.3% of netizens found that QQ, MSN passwords, and email accounts had been stolen. In 2009, netizens spent a total of 15.3 billion yuan in service fees to deal with security incidents; among those who actually incurred expenses, the per capita cost was approximately 588.90 yuan.
Therefore, how to effectively protect information security is an important research topic and an urgent need for national security now and in the future. As people's awareness of information security increases, information system security issues have attracted more and more attention. Therefore, how to build an information and network security system has become an urgent issue to be solved in information construction. Computer networking and scale have become trends, but computer information systems are facing more new problems and challenges.
Information systems are composed of network systems, host systems and application systems. Each of these elements has various vulnerabilities that can be attacked, and network lines are at risk of being eavesdropped; network connection equipment, operations The various software systems and application systems rely on have security weaknesses and vulnerabilities in all aspects of system design, protocol design, system implementation, and configuration, and are at risk of being exploited and attacked. Facing an increasingly complex information security environment, we need to understand information security dynamically and developmentally and take corresponding safeguard measures.
7.1.1 Information and Information Security
"Security" in the "Advanced Chinese Dictionary" means "no threat, no danger, harm, or loss". Security is defined as: protection from dangerous conditions or characteristics, measures taken to prevent espionage or sabotage, crime, attack, or escape. When it comes to the word "security", it is often associated with networks, computers, information and data, and has different emphasis and meanings. Its basic meaning is "the state or characteristic of being far away from danger" or "subjectively no threat, subjectively no fear". Security issues exist in every field, and security is a ubiquitous problem. The scope of information and data security is broader than network security and computer security. It includes the entire process from the generation of information to the application of information in the information system. There are a lot of data that we come into contact with in our daily life, such as test scores, bank deposits, age of personnel, inventory of goods, etc., which are collected according to certain needs or certain rules, and then processed and sorted through different classifications, calculations, and processing. Form information that has guiding value and tendency explanation for management decision-making.
Literally, information security can be understood as "information security is to protect information from threats and losses." However, it is not easy to define information security comprehensively and completely.
Information security as defined by the International Organization for Standardization (ISO) is "the technical and managerial security protection established for data processing systems to protect computer hardware, software and data from accidental and malicious reasons. to damage, alteration and disclosure”. This concept focuses on measures taken.
The European Union defined information security in the 1991 "Information Security Assessment Standard (Version 1.2)" as: "Under established confidentiality level conditions, networks and information systems resist unexpected events that endanger stored or transmitted data. The ability to defend the availability, authenticity, integrity and confidentiality of data and services provided through these networks and systems.”
Academician Shen Changxiang, an expert on information security in my country, defines information security as: Protect information and information systems from unauthorized access, use, disclosure, modification and destruction, and provide confidentiality, integrity, availability, controllability and non-repudiation for information and information systems.
Information security means that the hardware, software and data in the system of the information network are protected from being damaged, altered or leaked by accidental or malicious reasons, and that the system operates continuously, reliably and normally. Information services will not be interrupted. The essence of information security is to protect information resources in information systems or information networks from various types of threats, interference and destruction, that is, to ensure the security of information. But information security is relative. It can be seen that the security community has not reached a consensus on the concept of information security, and the understanding of information security has also deepened with the expansion of information technology and its applications. In 1996, the U.S. Department of Defense defined information assurance (IA) as follows: to protect and defend information and information systems to ensure their availability, integrity, confidentiality, certifiability, non-repudiation and other characteristics. This includes incorporating protection, detection, response functions into information systems, and providing information system recovery functions.
This definition expands the definition of information security to include information assurance, highlighting the multiple security capabilities of the information security assurance system and its supporting role in the organization's business functions.
There are two main purposes for using the word "guarantee" to replace safety: first, to use the wording in this quality field to reflect the safety connotation of a highly information-based society, that is, to incorporate concepts such as reliability and service quality; Starting from the needs, the content of security prevention has been expanded from external defense to internal and external defense, which shows that its perspective on information security issues is no longer limited to a single dimension, but abstracts information security issues into one consisting of information system, information content, and information. A multi-dimensional problem space composed of multiple factors such as system owners and operators, information security rules, etc. These changes reflect people's continuous thinking and practice on the meaning, content, and implementation methods of information security.
The world-famous hacker Kevin Mitnick once said when being consulted by a U.S. Senate security expert group: As long as a person has time, money and motivation, he can enter any computer in the world. computer. Mitnick's words are not alarmist. At the age of 15, he hacked into the North American Air Protection Command System, and successively hacked into the computer systems of the Pentagon, the FBI, and almost all computer companies in the United States.
Mitnick's words reflect the fact that there is no absolute security in the online world. From the repeated news that the U.S. Pentagon has been hacked, we can also draw this conclusion: the heavily guarded Pentagon is inevitably hacked, so how can other computer systems ensure security? In fact, it is unrealistic to provide 100% security guarantee, both theoretically and technically.
Therefore, information security is a dynamically changing concept. To fully understand information security, we need to start from both the attributes and content of information security.
In relevant literature on the U.S. National Information Infrastructure (NII), five attributes of security are given: confidentiality (Confidentiality), availability (Availability), integrity (Integrity), and controllability. (Controllability) and non-repudiation (Non repudiation). Among them, availability, confidentiality, and integrity are the three basic attributes of information security that people have summarized in the process of continuous practice and exploration. With the development and application of information technology, controllability and non-repudiation as attributes of information security have also been recognized by most scholars.
Confidentiality of information means ensuring that only those who have been granted specific permissions have access to the information. It is a characteristic that information security has had since its birth, and it is also one of the main research contents of information security. More generally, it means that unauthorized users cannot obtain sensitive information. The confidentiality of information varies according to the number of objects that are allowed to access the information. Generally, information can be divided into different confidentiality levels according to the importance of the information and confidentiality requirements. For example, information that can be accessed by all personnel is public information, and information that requires restricted access is classified as public information. Sensitive information or secret information is divided into different confidentiality levels according to the importance of the information and confidentiality requirements. For example, internal military documents are generally divided into three levels: secret, secret and top secret. Authorized users can operate on confidential information based on the granted operation permissions. Some users can only read information, and some users can perform both reading and writing operations.
Integrity of information refers to ensuring the correctness and completeness of information and processing methods, that is, the information in the network will not be accidentally or deliberately deleted, modified, forged, inserted, etc., to ensure that Information provided to authorized users is true. The integrity of information includes two aspects: on the one hand, it means that in the life cycle of information, no tampering, loss of information, wrong information, etc. will occur during the use, transmission, and storage of information; on the other hand, it means to ensure that information The correctness of the processing method ensures that the processed information is required by the system and obtains correct and applicable information. Improper operations may cause the loss of important files or even paralysis of the entire system.
The availability of information refers to the ability of authorized subjects to receive timely services when they need information. It refers to ensuring that authorized users can indeed access the required information when they need it, that is, information and related information assets can be obtained immediately when the authorizer needs it. For example, communication line interruptions and network congestion will cause information to be unavailable for a period of time, affecting normal business operations. This is the destruction of information availability due to excessive server load and the failure of authorized users to respond to normal operations in a timely manner, or Due to the disconnection of network communication lines, information cannot be obtained, etc. These are all damages to the availability of information. Systems that provide information must be able to appropriately withstand attacks and recover from failures.
The controllability of information refers to the implementation of security monitoring and management of information and information systems to prevent illegal use of information and information systems. For the subject of sensitive information resources in the information system, if any subject can access, tamper with, steal and maliciously spread the information, the security system will obviously lose its effectiveness. Effectively controlling the use of people or subjects who access information resources is an inevitable requirement for information security. From a national level, the controllability of information security not only involves the controllability of information, but also relates to security products, security markets, security The controllability of manufacturers and security R&D personnel is closely related.
Strictly controlling and regulating the rights of the subject who obtains the information to modify, update, delete, copy, transmit and other operations on the information is the main way and method to improve the controllability of the information.
The non-repudiation of information, also known as non-repudiation and non-repudiation, means that in a network environment, both parties to the information exchange cannot deny their behavior of sending or receiving information during the exchange process. It is an extension of traditional undeniable needs in the information society. In daily life, people solve the problem of non-repudiation of information through seals or signatures on paper media. However, in e-government and e-commerce application systems, traditional seals or signatures can no longer be used. Currently, only digital signature technology is relied upon to solve the problem of non-repudiation of information. All kinds of business and government affairs in human society are based on trust. Traditional official seals, stamps, signatures and other means are the main mechanisms to achieve non-repudiation. The same as the non-repudiation of information, it also prevents entities from Deny the behavior that has occurred. The non-repudiation of information is divided into original non-repudiation (also called original non-repudiation) and receiving non-repudiation (also called receiving non-repudiation). The former is used to prevent the sender from denying the data and data content it has sent; the latter prevents the sender from denying the data and data content it has sent. The recipient denies the received data and data content. Technical means to achieve non-repudiation generally include digital certificates and digital signatures.
7.1.2 The main research content of information security
Information security is a discipline involving computer science, network technology, communication technology, cryptography technology, information security technology, applied mathematics, number theory, A comprehensive subject of various disciplines such as information theory. Its research content mainly includes the following two aspects: on the one hand, the security of the information itself, mainly to ensure the confidentiality, integrity, legality and non-repudiation of personal data or corporate information during the storage and transmission process, and to prevent information from being compromised. Leakage and destruction, preventing unauthorized access to information resources; on the other hand, the security of information systems or network systems, mainly ensuring the normal use of network resources by legitimate users and avoiding security threats such as viruses, denial of service, remote control and unauthorized access, Discover security vulnerabilities in a timely manner and stop attacks, etc.
Regarding the content of information security, Latham, chairman of the National Telecommunications and Information Systems Security Committee (NTISSC), head of the US C3I, and former deputy secretary of defense, believes that information security should include the following six aspects: Communications Security (COMSEC), computer security (COMPUSEC), compliance with transient electromagnetic pulse radiation standards (TEMPEST), transmission security (TRANSEC), physical security (Physical Security), personnel security (Personnel Security). In our country, information security generally recognized by scholars includes four aspects: physical security, operational security, data security and management security.
The core issue of information security in modern information systems is cryptography theory and its application, the basis of which is the construction and evaluation of trusted information systems. In general, the current focus of people's attention in the field of information security mainly includes the following aspects:
(1) Cryptography theory and technology. Cryptozoology theory and technology mainly include two parts, namely, mathematics-based cryptography theory and technology (including public key cryptography, block cipher, sequence cipher, authentication code, digital signature, Hash function, identity recognition, key management, PKI technology, etc.) and Non-mathematical cryptography theory and technology (including information invisibility, quantum cryptography, and biometric-based identification theory and technology). Cryptographic technology, especially encryption technology, is the core technology in information security technology. It is impossible to introduce or adopt other people's encryption technology in national critical infrastructure and can only develop it independently. At present, there is still a certain gap between my country and foreign countries in the application level of cryptography technology.
(2) Security protocol theory and technology. The research on security protocols mainly includes two aspects, namely, research on security analysis methods of security protocols and research on the design and analysis of various practical security protocols. There are two main types of security analysis methods for security protocols: one is attack detection methods, and the other is formal analysis methods. Among them, the formal analysis methods of security protocols are one of the most critical research issues in security protocol research. Research began in the early 1980s and is currently in a flourishing and dynamic stage. The involvement of many first-class universities and companies has made this field a research hotspot. With the continuous emergence of various effective methods and ideas, this field is becoming theoretically mature. In the research of security protocols, in addition to theoretical research, the general trend of practical security protocol research is towards standardization. Although Chinese scholars have done some work in theoretical research and analysis of existing international agreements, there is still a certain gap between practical application and the international advanced level.
(3) Security architecture theory and technology. Security architecture theory and technology mainly include: establishment of security system models and their formal description and analysis, research on security strategies and mechanisms, establishment of scientific methods and guidelines for testing and evaluating system security, and compliance with these models, strategies and guidelines Development of systems (such as secure operating systems, secure database systems, etc.). There is a big gap between my country and advanced countries and regions in the research and application of system security. In recent years, our country has conducted research on secure operating systems, secure databases, and multi-level security mechanisms. However, because the independent security kernel is controlled by humans, it is difficult to ensure that there are no loopholes.
(4) Information countermeasures theory and technology. Information countermeasures theory and technology mainly include: hacker prevention system, information camouflage theory and technology, information analysis and monitoring, intrusion detection principle and technology, counterattack method, emergency response system, computer virus, artificial immune system in anti-virus and anti-intrusion system applications, etc. This field is in the developing stage, and the theory and technology are both immature and fragmented. But it is indeed a research hotspot. The results seen so far are mainly products (such as IDS, prevention software, anti-virus software, etc.), attack programs and successful hacker attacks. The most eye-catching issue currently in this field is cyber attacks. The United States is an international leader in cyber attacks, and many official and private organizations are conducting research on attack methods.
(5) Network security and security products. Network security is one of the important research contents in information security and is also a research hotspot in the current field of information security. Research contents include: design and analysis of overall network security solutions, research and development of network security products, etc. Network security includes physical security and logical security. Physical security refers to the physical protection of communication, computer equipment and related facilities in the network system from damage, loss, etc. Logical security includes information integrity, confidentiality, non-repudiation and availability. It involves all aspects of network, operating system, database, application system, personnel management, etc., and must be considered comprehensively.
7.1.3 The emergence and development of information security
In the information society, on the one hand, information has become an important asset of mankind, and its reliance on computer technology is getting deeper and deeper. Information technology has penetrated into almost every aspect of social life. On the other hand, because information is easy to disseminate, diffuse, and be damaged, information assets are more fragile and susceptible to damage than traditional physical assets. Therefore, as people's dependence on information systems increases, information security issues are also increasingly protrude.
The history of information security development is divided into three stages: communication security development stage, computer security development stage and information assurance development stage.
7.1.3.1 Communication security development stage
The communication security development stage began in the 1940s, and its era was marked by Shannon's "Information Theory of Security Systems" published in 1949. The theory brought the study of cryptography into scientific orbit for the first time. The main security threats faced at this stage are wire eavesdropping and cryptanalysis, and the main protection measure is data encryption.
Before the 1940s, communication security, also called communication confidentiality, was a need for war. Electronic security was also added in the 1940s, which was actually electronic communications security. In the 1950s, European and American countries collectively referred to communication security and electronic security as signal security, including modulation and encryption. Cryptography was an important technology at this stage and became a technology owned by the military, which was controlled like weapons. At this stage, although computers had appeared, they were very fragile. In addition, because the computer speed and performance were relatively backward at that time, the scope of use was limited. Therefore, the focus of this stage was to solve the problem of communication confidentiality through cryptography technology.
7.1.3.2 Computer security development stage
In the 1960s, the use of computers became increasingly popular, and computer security was put on the agenda. At this time, threats to computer security are mainly illegal access, fragile passwords, malicious codes (viruses), etc. The problem that needs to be solved is to ensure the confidentiality, integrity, and availability of hardware, software, and applications in the information system. During this period, cryptography also developed rapidly. The two most influential events were: one was the paper "New Directions in Cryptozoology" published by Diffiee and Hellman in 1976, which led to the development of cryptography. A revolution in which they proved for the first time that confidential communication without key transmission between the sender and the receiver was possible, thereby ushering in a new era of public-key cryptography; the other was the data encryption enacted by the United States in 1977 Standard DES. These two events marked the birth of modern cryptography and were a major event in information security. The publication of the U.S. Department of Defense's Trusted Computer System Security Evaluation Criteria (TCSEC) in 1985 meant that the research and application of information security issues reached a new level.
Due to the participation and promotion of the military, computer security has made great progress in two aspects: cryptographic algorithms and their applications, and information system security models and evaluations. The main cryptographic algorithms developed include the 1977 U.S. National The block encryption algorithm DES (Data Encryption Standard) adopted by the Bureau of Standards; the dual-key public key system RSA, which was developed by Rivest, Shamir, and Adleman based on the seminal paper "New Directions in Cryptozoology" by Diffie and Hellman in 1976 Created by the proposed idea; in 1985, N.Koblitz and V.Miller proposed the Elliptic Curve Discrete Logarithmic Cryptosystem (ECC). The advantage of this system is that it can use smaller-scale software and hardware to achieve the same results as similar systems in finite fields. security.
Starting from the TCSEC in the United States, four countries including the United Kingdom, France, Germany, and the Netherlands have issued information technology security assessment guidelines. Canada also issued trustworthy computer product evaluation guidelines in 1993, and the United States also issued Federal standards were formulated, and finally six countries and seven parties proposed a Common Criteria for information technology security assessment in the mid-1990s. After nearly 10 years of development, the standard has now basically matured.
7.1.3.3 Information Assurance Development Stage
Information Assurance (IA) is “protecting information by ensuring the availability, integrity, verification, confidentiality and non-repudiation of information” and information system measures, including restoring information systems through protection, detection, response and other functions."
Source: "Information Assurance" Department of Defense Order issued by the U.S. Department of Defense on October 24, 2002. Since the 1990s, computer networks have developed rapidly, and the demand for security has continued to expand to all areas of society. Security threats at this time are mainly manifested in hacker intrusions, virus destruction, computer crimes, intelligence theft, etc. in the network environment. People need to protect information from illegal access or modification during storage, processing, transmission, and utilization, ensure that legitimate users receive services and deny services to unauthorized users. But people soon discovered that computer security or communication security alone could not protect information security during the storage, processing and system conversion stages. Information system security came into being and gave information assurance a broader meaning. In response to this demand, information assurance (IA) technology has been developed to ensure the security of information transmission, processing, and storage in complex or distributed communication networks, so that the received information is consistent with the original sent one. At this stage, due to increasingly frequent attacks on information systems and the development of e-commerce, information security is no longer limited to the protection of information. People need to protect and defend the entire information and information system, including protection, detection, response and recovery capabilities. .