Detailed explanation of computer network security
Computer Network Security Overview


The Internet originated from ARPANET in 1969 and was originally used for military purposes. In 1993 it began to be used commercially and entered a stage of rapid development. So far the Internet covers tens of millions of computers in 175 countries and regions, with more than 1 100 million users. With the popularization of computer networks, their applications are developing in both depth and breadth. As enterprises, governments and schools go online and people shop on the Internet, the outline of a networked society has appeared before us. The network brings great convenience, but it also brings problems that cannot be ignored, and the security and confidentiality of network information is one of them.


One. The meaning of network information security

Network information includes both information resources stored at network nodes, that is, static information, and information transmitted between network nodes, that is, dynamic information. Some static and dynamic information is public, such as advertisements and public announcements; other information is confidential, such as private communications, government and military information, and trade secrets. Network information security generally refers to the confidentiality, integrity, availability and authenticity of network information. Confidentiality means that the content of network information will not become known to unauthorized third parties. Integrity means that information will not be modified or destroyed during storage or transmission and that there will be no packet loss or reordering; in other words, it cannot be modified by an unauthorized third party. Integrity is the basic requirement of information security, and destroying integrity is a common means of attacking it. At present the protocols running on the Internet (such as TCP/IP) can guarantee integrity at the packet level, that is, that a packet is neither lost nor received twice during transmission, but they cannot prevent an unauthorized third party from modifying the packet. Availability covers the accessibility and operability of static information and the visibility of the content of dynamic information. Authenticity refers to the credibility of information, mainly the confirmation of the identity of the information's owner or sender.

Not long ago, American computer security experts put forward a new security framework consisting of confidentiality, integrity, availability, authenticity, practicality and possession, that is, adding practicality and possession to the original four attributes. This extended framework can explain a wider range of network security problems. The practicality of network information means that the encryption key for the information must not be lost (and must not be leaked): information whose key has been lost loses its practicality and becomes garbage. Possession of network information refers to the theft of information carriers such as nodes and disks that store the information, which causes the loss of the right to possess it. Methods to protect information ownership include using copyrights, patents and trade secrets, providing physical and logical access restrictions, maintaining and checking audit records of stolen documents, and using labels.


Two. Types of Internet security attacks

Attacks on the Internet include attacks on static data and attacks on dynamic data. Attacks on static data mainly include:

Password guessing: exhaustively searching the password space, testing candidates one by one until the password is found, and then illegally entering the system.

IP address spoofing: an attacker at an external location sends packets disguised as coming from an internal host. These packets carry the source IP address of the internal system, so the attacker impersonates that host and steals information.

Designated (source) routing: the sender specifies the route a packet takes to reach the destination site, and that route is carefully designed to bypass the path on which security controls are applied.

According to the form of the attack on dynamic information, attacks are divided into active attacks and passive attacks.

A passive attack mainly refers to the attacker listening to the information flow transmitted on the network, either to obtain the content of the information (interception) or merely to obtain data such as the length of the information flow and the transmission frequency; the latter is called traffic analysis. Schematic diagrams of passive attack and eavesdropping are shown in Figure 1 and Figure 2.


In addition to passive attacks, attackers can also mount active attacks. An active attack is one in which the attacker selectively modifies, deletes, delays, reorders, copies or inserts a data stream, or part of one, to achieve an illegal purpose. Active attacks can be summarized as interruption, tampering and forgery (see Figure 3). Interruption means blocking the flow of information from the sender to the receiver so that the receiver cannot obtain the information; it is an attack on availability (Figure 4). Tampering means that the attacker modifies or destroys the information flow from the sender to the receiver so that the receiver obtains wrong information; it is an attack on integrity (Figure 5). Forgery is an attack on authenticity: the attacker either records a piece of the information flow between sender and receiver and later plays it back to the receiver or the sender at a suitable moment, or fabricates an entire information flow and sends it to the receiver while posing as a trusted party (Figure 6).


Three. Functions of a network security mechanism

Because of the threats described above, measures must be taken to protect network information so that the threat of attack is minimized. A network security system should provide the following functions:

1. Identification: identification is the most basic function of a security system and an effective means of verifying the identities of both communicating parties. When a user requests a service from the system, the user must present an identity, for example by entering a user ID and password. The system must be able to check the user's proof of identity and to judge clearly whether a given input comes from a legitimate user.

2. Access control: its basic task is to prevent illegal users from entering the system and to prevent legal users from using system resources illegally. In an open system, rules should be laid down for the use of online resources: first, which users may access which resources, and second, which users hold read, write and execute permissions on them.

3. Digital signature: through some mechanism, such as the RSA public key algorithm, the receiver of information can conclude that "this information comes from a certain data source and can only have come from that source".

4. Data integrity protection: through some mechanism, such as attaching a message digest to the message, it can be discovered whether the information has been modified illegally, so that users or hosts are not deceived by false information.

5. Audit trail: by recording logs and collecting relevant statistics, the system can trace the cause when a security problem occurs.

6. Key management: information encryption is an important way to ensure information security. By transmitting information as ciphertext over a relatively secure channel, users can use the network with confidence. If a key is leaked, or if an adversary improves the odds of breaking the ciphertext by accumulating a large amount of it, communication security is threatened. It is therefore also very important to control the generation, storage, distribution and periodic replacement of keys effectively and to introduce a key management mechanism, which increases the security and attack resistance of the network.


Four. Common technologies of network information security

Generally there are two ways to secure network information: passive defense based on firewall technology, and open network security technology based on data encryption and user authorization mechanisms.

1. Firewall technology: a "firewall" mainly protects an enterprise's internal network, or a single node, that is connected to the Internet. It is simple and practical, highly transparent, and can satisfy certain security requirements without modifying the existing network applications. On the one hand, by checking, analyzing and filtering the IP packets that leave the internal network, the firewall hides the information and structure of the protected network or node from the external network as far as possible; on the other hand, it blocks certain dangerous external addresses from reaching the inside, thereby protecting the internal network.

2. Data encryption and user authorization access control technology: compared with a firewall, data encryption and user authorization access control are more flexible and better suited to open networks. User authorization access control is mainly used to protect static information; it requires system-level support and is generally implemented in the operating system. Data encryption is mainly used to protect dynamic information. As noted earlier, attacks on dynamic data are divided into active and passive attacks. Active attacks cannot be prevented, but they can be detected effectively; passive attacks cannot be detected, but they can be avoided, and the basis of all this is data encryption. Data encryption is essentially a transformation algorithm that transposes and substitutes symbol-based data. The transformation is controlled by a sequence of symbols called the key. In traditional algorithms the encryption key and the decryption key are the same, or one can be derived from the other; such an algorithm is called a symmetric key algorithm. The key must be kept secret and known only to authorized users, who use it to encrypt or decrypt information. DES (Data Encryption Standard) is the most representative symmetric encryption algorithm. It was developed by W. Tuchman and C. Meyer of IBM between 1971 and 1972 and was released as a data encryption standard by the American National Bureau of Standards in May 1977. DES can encrypt data of any length; the key is 64 bits long, of which 56 bits are actually usable. When encrypting, the data is first divided into 64-bit blocks, and one of the modes ECB (Electronic Codebook), CBC (Cipher Block Chaining) or CFB (Cipher Feedback) is used to transform each 64-bit plaintext block into a 64-bit ciphertext block. Finally all the output blocks are concatenated to form the encrypted data.

If the encryption and decryption keys are independent of each other and together form a key pair, the algorithm is called an asymmetric or public key encryption algorithm, and the two keys are called the public key and the private key respectively. Under a public key algorithm the public key is published, and anyone can encrypt information with it and send the ciphertext to the owner of the private key; the private key is secret and is used to decrypt information that was encrypted with the public key. Typical public key algorithms such as RSA (Ronald Rivest, Adi Shamir, Leonard Adleman) are widely used today, for example for secure data transmission on the Internet in Netscape Navigator and Microsoft Internet Explorer. The RSA algorithm rests on the difficulty of factoring large numbers. Briefly: first choose two prime numbers p and q, each generally required to be greater than 10^100, then calculate n = p*q and z = (p-1)*(q-1), and choose the public exponent together with its matching private exponent d modulo z. The secrecy of RSA lies in the difficulty of factoring n: if n is factored successfully, (d, z) can be derived and there is no secrecy at all.
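The key generation and the factoring argument above, as an added illustration (not code from the original article), on tiny constructed primes: keygen follows the article's notation n = p*q, z = (p-1)*(q-1), and break_key shows that anyone who factors n can rebuild the private exponent d from the public key alone. The primes 61 and 53, the exponent 17 and the message 65 are constructed toy values; real RSA uses primes of hundreds of digits plus padding.

```python
"""Textbook RSA on small primes: key generation, encryption, decryption, and a
demonstration that factoring n recovers the private exponent. Added example
with constructed toy parameters; not the article's own code."""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) using the article's n = p*q and z = (p-1)*(q-1)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("public exponent must be coprime to z")
    d = pow(e, -1, z)              # modular inverse: e*d = 1 (mod z), Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, pub) -> int:
    """Encrypt an integer message 0 <= m < n with the public key."""
    e, n = pub
    return pow(m, e, n)


def decrypt(c: int, priv) -> int:
    """Decrypt with the private key."""
    d, n = priv
    return pow(c, d, n)


def trial_factor(n: int):
    """Factor n by trial division; only feasible because n is tiny here."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")


def break_key(pub) -> int:
    """Given only (e, n), factor n and rebuild d. This is exactly why RSA's
    security rests on n being infeasible to factor."""
    e, n = pub
    p, q = trial_factor(n)
    z = (p - 1) * (q - 1)
    return pow(e, -1, z)


if __name__ == "__main__":
    pub, priv = keygen(61, 53)     # constructed toy primes
    c = encrypt(65, pub)
    print(pub, priv, c, decrypt(c, priv), break_key(pub))
```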

With the help of encryption, protective measures can be taken for dynamic information. To prevent disclosure of content, the transmitted information is encrypted and travels over the network as ciphertext; even if an attacker intercepts it, only ciphertext is obtained and the content remains unknown. To detect tampering with message content, authentication is used: either the whole message is encrypted, or a message authentication code is produced by a message authentication function (MAC function), encrypted, and sent together with the message. Any modification by the attacker makes the message inconsistent with its authentication code, which is how the integrity check is achieved. To detect forged information, an encrypted message authentication code and a timestamp are added to the message: if the attacker sends a self-made message, the matching authentication code cannot be produced, and if the attacker replays an earlier legitimate message, the receiver recognizes it by checking the timestamp.
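The tamper and replay checks just described, as an added example (not the article's own code): the sender binds a timestamp into the message and attaches a MAC; the receiver recomputes the MAC to detect tampering or forgery, rejects messages outside a freshness window, and remembers messages already seen so that a replay inside the window is also refused. HMAC-SHA256 stands in for the article's unspecified "encrypted message authentication code"; the shared key, window size and clock values are constructed assumptions.

```python
"""Message authentication code plus timestamp against tampering and replay.
Added example with a constructed shared key; not code from the original article."""
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"   # assumed pre-shared key between the two parties
WINDOW = 30                          # seconds a message is considered fresh (assumed)


def make_message(payload: str, sent_at: int) -> dict:
    """Sender side: serialize payload + timestamp and attach a MAC over both."""
    body = json.dumps({"payload": payload, "ts": sent_at}, sort_keys=True)
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class Receiver:
    """Receiver side: verifies MAC, freshness, and uniqueness in that order."""

    def __init__(self):
        self.seen = set()            # MACs of messages already accepted

    def accept(self, msg: dict, now: int) -> str:
        expected = hmac.new(KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time compare: a modified or forged body no longer matches.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: MAC mismatch (tampered or forged)"
        fields = json.loads(msg["body"])
        # Timestamp outside the window: an old message being replayed.
        if abs(now - fields["ts"]) > WINDOW:
            return "rejected: stale timestamp (replay)"
        # Same authenticated message seen before: replay inside the window.
        if msg["mac"] in self.seen:
            return "rejected: duplicate (replay within window)"
        self.seen.add(msg["mac"])
        return "accepted: " + fields["payload"]


if __name__ == "__main__":
    rx = Receiver()
    m = make_message("transfer 100", sent_at=1000)   # constructed clock values
    print(rx.accept(m, now=1005))                    # accepted
    print(rx.accept(m, now=1010))                    # duplicate
    forged = dict(m, body=m["body"].replace("100", "900"))
    print(rx.accept(forged, now=1005))               # MAC mismatch
```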


Five. Prospects for network information security

With the development of networks and the progress of technology, network security faces more and more challenges. On the one hand, attacks on the network are endless: 400 attacks were reported in 1996, 4000 in 1997 and 4000 in 1998, a tenfold increase in two years. More attacks mean a greater threat to the network. At the same time, advances in hardware and parallel computing have rapidly increased the computing power available, and encryption methods once thought secure may fail. For example, on April 26th, 1994, a mathematical puzzle posed by the inventors of RSA 17 years earlier was cracked: a secret message hidden in a 129-digit number. When the problem was posed, it was predicted that a computer would need 8.5 million years to factor it. Attacks on secure communication measures have likewise made continuous progress; for example, on June 20th, 1990, American scientists found a method for factoring 155-digit numbers, which "put the American encryption system under threat". On the other hand, as the scope of network applications keeps expanding, people's dependence on the network grows, and damage to the network causes greater loss and confusion than before. These developments place higher demands on the protection of network information security and make the discipline of network information security more important. Network information security will inevitably develop together with network applications.