摘要
信息系统可信运行是保障其安全的关键,然而传统安全机制并不能有效保障其可信运行.为保障关键信息系统的可信运行,研究国产可信计算体系,建立自我防护、主动免疫保护框架,构建纵深防御的信息安全保障体系的核心技术是我国目前亟待解决的问题.本文提出一个基于国产密码算法的多层可信体系,该体系结构以国产密码体系为基础,以可信平台控制模块为信任根,以可信主板为平台,以软件为核心,通过可信网络作为纽带整合各种可信应用.该体系架构在各个层面都有自己的创新:在密码体系层面采用非对称和对称相结合的密码机制,在可信平台控制模块层面集成主动度量模块和总线控制器,在可信主板层面由可信根实现先于平台启动的可信度量,在可信软件层面构建了宿主软件系统加可信基础软件的双体系结构,并依托双体系结构实施对系统的主动度量,在网络连接层面采用三元三层的可信连接机制,实现对系统的集中控管,防范了合谋攻击等攻击手段.这一自主可控的可信体系结构具有积极防御和主动免疫的功能,可以从根本上对重要信息系统实施保护,对我国信息安全领域的研究和产业化具有重要的战略指导意义.
The trusted operation is the key factor for the information systems, but the traditional security mechanisms cannot effectively guarantee the trusted operation of the information systems. In order to guarantee the trusted operation of the key information systems, there are a series of problems to solve, including studying the domestic trusted computing architecture, establishing self-protection, active immunization protection framework, and building the core information security technology system. This paper presents an independent and controllable trusted architecture. Based on the domestic cryptography system, the architecture uses the trusted platform control module as the trusted root, the trusted motherboard is the platform, the software is the core, the trusted network is a link which integrates a variety of trusted applications. The architecture has its own innovation at every level: the asymmetric and symmetric combination mechanism is used in the cryptologic system level, initiative measure modules and bus controllers are combined in the trusted platform control module. At the trusted board level, the trusted root achieves the trust measurement before the start of platform. At the trusted software level, dual host software system architecture and trusted basic software are constructed, and relying on dual-architecture, the system of active measurement is implemented. At the network connection level, the trusted connection mechanism is used to achieve the centralized management system, it can resist the collusion attacks. The architecture has the active defense function and the active immune function, it can fundamentally protect the key information systems, and it has the important strategic significance for the information security research and industrialization of China.
出处
《密码学报》
CSCD
2015年第5期381-389,共9页
Journal of Cryptologic Research
基金
国家自然科学基金(61501007)
关键词
信息安全
可信计算
自主可控
国产密码
information security
trusted computing
autonomous control
domestic cryptography
