面向新型关键基础设施的密码应用安全性评估技术综述

doi:10.11959/j.issn.2096-109x.2023079

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (6): 1-19.doi: 10.11959/j.issn.2096-109x.2023079

• 综述 •

面向新型关键基础设施的密码应用安全性评估技术综述

李高磊¹, 李建华¹, 周志洪¹, 张昊²

¹ 上海交通大学电子信息与电气工程学院，上海 200240
² 中国信息安全测评中心，北京 100085

修回日期:2023-08-05 出版日期:2023-12-01 发布日期:2023-12-01
作者简介:李高磊（1992- ），男，河南开封人，博士，上海交通大学助理教授、博士生导师，主要研究方向为人工智能安全、隐私保护
李建华（1965- ），男，江西九江人，博士，上海交通大学教授、博士生导师，主要研究方向为网络安全、密码应用、内容安全
周志洪（1979- ），男，江西九江人，博士，上海交通大学讲师，主要研究方向为密码应用、网络靶场
张昊（1980- ），男，北京人，中国信息安全测评中心工程师，主要研究方向为信息安全、等保测评
基金资助:
国家自然科学基金(62202303);国家自然科学基金(U20B2048);上海市扬帆计划项目(21YF1421700);国防基础科研项目(JCKY2020604B004)

Review of cryptographic application security evaluation techniques for new critical infrastructures

Gaolei LI¹, Jianhua LI¹, Zhihong ZHOU¹, Hao ZHANG²

¹ School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
² China Information Security Evaluation Center, Beijing 100085, China

Revised:2023-08-05 Online:2023-12-01 Published:2023-12-01
Supported by:
TheNational Nature Science Foundation of China(62202303);TheNational Nature Science Foundation of China(U20B2048);Shanghai Sailing Program(21YF1421700);Defence Industrial Technology Development Program(JCKY2020604B004)

摘要/Abstract

摘要：

随着5G/6G、人工智能、区块链等新型技术在各领域的深度融合发展，以高速率全时段信号覆盖、智能化精细化城市管理以及深空深海科学创新实验场为代表的新型关键基础设施建设迈进新阶段。作为保障国家信息、融合、创新基础设施安全的关键技术资源，密码应用安全性评估亟须深入数据生命周期内构建全方位、细粒度、自演进的密码安全性评估体系。结合近年来能源、医疗、交通等行业新型关键基础设施面临的典型 APT 攻击、勒索病毒攻击等，重点分析了在防范内生数据安全风险、实现差异化隐私保护、支撑可认证攻击溯源等新业态需求下日益增长的密码应用安全性评估需求。分析了新型信息基础设施（包括大数据、5G 通信、基础软件等）、融合基础设施（包括智能网联汽车、智能网联工业控制系统等）、创新基础设施（包括大数据、人工智能、区块链等）给密码应用安全性评估带来的新挑战，阐述了部署在高性能计算芯片、超高速通信模组、大容量存储介质上的国产密码算法与协议对密码应用安全性评估技术的新要求。对发展自动化、智能化密码应用安全性评估技术进行了展望。

关键词: 新型关键基础设施, APT攻击, 密码应用, 安全性评估, 国产化, 智能化

Abstract:

The construction of new critical infrastructure, represented by high-speed full-time signal coverage, intelligent and fine-grained urban management, and deep space and deep sea scientific innovation experimental fields, has entered a new stage with the deep integration and development of new technologies such as 5G/6G, artificial intelligence, and blockchain in various fields.The security evaluation of cryptography applications, as a key technological resource for ensuring the security of national information, integration, and innovation infrastructure, has risen to the level of international law and national development strategy.It is urgent to construct a comprehensive, fine-grained, and self-evolving cryptography security evaluation system throughout the data lifecycle.The typical APT attacks and ransomware attacks faced by new critical infrastructure in industries such as energy, medicine, and transportation in recent years were considered.And then the growing demand for security evaluation of cryptography applications was analyzed in the face of new business requirements such as preventing endogenous data security risks, achieving differentiated privacy protection, and supporting authenticated attack traceability.The new challenges were also examined, which were brought by new information infrastructure (including big data, 5G communication, fundamental software, etc.), integration infrastructure (including intelligent connected vehicles, intelligent connected industrial control systems, etc.), and innovation infrastructure (including big data, artificial intelligence, blockchain, etc.) to the security evaluation of cryptography applications.Furthermore, the new requirements were revealed about domestically produced cryptography algorithms and protocols deployed on high-performance computing chips, ultra-high-speed communication modules, and large-capacity storage media for cryptography application security evaluation technology.Finally, the development of automated and intelligent cryptography application security evaluation technology was explored.

Key words: new critical infrastructure, APT attack, cryptography application, security evaluation, domestication, intelligentization

中图分类号:

TP393

李高磊, 李建华, 周志洪, 张昊. 面向新型关键基础设施的密码应用安全性评估技术综述[J]. 网络与信息安全学报, 2023, 9(6): 1-19.

Gaolei LI, Jianhua LI, Zhihong ZHOU, Hao ZHANG. Review of cryptographic application security evaluation techniques for new critical infrastructures[J]. Chinese Journal of Network and Information Security, 2023, 9(6): 1-19.

图/表 12

图1

表1

图2

图3

图4

图5

表2

图6

图7

表3

图8

图9

参考文献 67

[1]	唐新华 . 新型基础设施在国家治理现代化建设中的功能研究[J]. 中国科学院院刊, 2021,36(1): 79-85.
	TANG X H . Research on the function of new infrastructure in the modernization of national governance[J]. Bulletin of Chinese Academy of Sciences, 2021,36(1): 79-85.
[2]	邱洁, 韩瑞, 魏志丰 ,等. 网络空间公共基础设施体系及安全策略研究[J]. 网络与信息安全学报, 2021,7(6): 56-67.
	QIU J , HAN R , WEI Z F ,et al. Research of public infrastructure system and security policy in cyberspace[J]. Chinese Journal of Network and Information Security, 2021,7(6): 56-67.
[3]	KHAN S , MADNICK S . Cybersafety:a system-theoretic approach to identify cyber-vulnerabilities ＆ mitigation requirements in industrial control systems[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(5): 3312-3328.
[4]	STEVENS M . New collision attacks on SHA-1 based on optimal joint local-collision analysis[C]// 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2013: 245-261.
[5]	STEVENS M , BURSZTEIN E , KARPMAN P ,et al. The first collision for full SHA-1[C]// 37th Annual International Cryptology Conference. 2017: 570-596.
[6]	CAO H , ZHU P , LU X ,et al. A layered encryption mechanism for networked critical infrastructures[J]. IEEE Network, 2013,27(1): 12-18.
[7]	National Institute of Standards and Technology,Security Requirements for Cryptographic Modules,FIPS 140-3[S]. 2019.
[8]	SYLVAIN G , YOUSSEF S , ZHANG F ,et al. Post-quantum cryptography-having it implemented right[J]. Journal of Cryptologic Research, 2023,10(3): 650-666.
[9]	Global Research ＆ Analysis Team,Kaspersky Lab. Advanced threat predictions for 2022[R]. 2022.
[10]	GOPINATH M , SIBI C S . A comprehensive survey on deep learning-based malware detection techniques[J]. Computer Science Review, 2023(47): 100529.
[11]	王建华, 张岚 . 检测类型缺陷的形式化构造攻击方法[J]. 密码学报, 2021,8(6): 1058-1073.
	WANG J H , ZHANG L . A formal construction attack method for detecting type defects[J]. Journal of Cryptologic Research, 2021,8(6): 1058-1073.
[12]	陈华, 范丽敏 . 密码测评—信息安全领域的核心技术[J]. 中国科学院院刊, 2011,26(3): 297-302.
	CHEN H , FAN L M . Password evaluation:the core technology in the field of information security[J]. Bulletin of Chinese Academy of Sciences, 2011,26(3): 297-302.
[13]	HAN S , JAGER T . Authenticated key exchange and signatures with tight security in the standard model[C]// CRYPTO 2021. 2021: 670-700.
[14]	董建阔, 刘哲, 陆盛 ,等. 椭圆曲线密码高效软件实现技术研究进展[J]. 计算机学报, 2023,46(5): 909-928.
	DONG J K , LIU Z , LU S ,et al. Research progress on efficient software implementation of elliptic curve cryptography[J]. Chinese Journal of Computers, 2023,46(5): 909-928.
[15]	张跃宇, 徐东, 陈杰 . 白盒SM4的分析与改进[J]. 电子与信息学报, 2022,44(8): 2903-2913.
	ZHANG Y Y , XU D , CHEN J . Analysis and improvement of white Box SM4[J]. Journal of Electronics ＆ Information Technology, 2022,44(8): 2903-2913.
[16]	董玲, 陈克非, 来学嘉 . 密码协议分析的信任多集方法[J]. 软件学报, 2009,20(11): 3060-3076.
	DONG L , CHEN K F , LAI X J . Trust multiset method for cryptographic protocol analysis[J]. Journal of Software, 2009,20(11): 3060-3076.
[17]	LI G , ZHAO Y , LI Y . CATFL:certificateless authentication-based trustworthy federated learning for 6g semantic communications[C]// IEEE WCNC. 2023.
[18]	LEE T R , TEH J S , JAMIL N ,et al. Lightweight block cipher security evaluation based on machine learning classifiers and active S-boxes[J]. IEEE Access, 2021,(9): 134052-134064.
[19]	JALALI N A , CHEN H . Federated learning security and privacy-preserving algorithm and experiments research under internet of things critical infrastructure[J]. Tsinghua Science and Technology, 2023,29(2): 400-414.
[20]	姚前, 张大伟 . 区块链系统中身份管理技术研究综述[J]. 软件学报, 2021,32(7): 2260-2286.
	YAO Q , ZHANG D W . Survey on identity management in blockchain[J]. Journal of Software, 2021,32(7): 2260-2286.
[21]	王子园, 杜瑞忠 . 边缘环境下基于无证书公钥密码的数据完整性审计方案[J]. 通信学报, 2022,43(7): 62-72.
	WANG Z Y , DU R Z . Data integrity auditing scheme based on certificateless public key cryptography in edge environment[J]. Journal on Communications, 2022,43(7): 62-72.
[22]	DEVRAJ A , WANG L , REXFORD J . REDACT:refraction networking from the data center[J]. ACM SIGCOMM Computer Communication Review, 2021,51(4): 15-22.
[23]	杨国强, 丁杭超, 邹静 ,等. 基于高性能密码实现的大数据安全方案[J]. 计算机研究与发展, 2019,56(10): 2207-2215.
	YANG G Q , DING H C , ZOU J ,et al. Big data security scheme based on high-performance cryptography[J]. Journal of Computer Research and Development, 2019,56(10): 2207-2215.
[24]	DANG L , DONG M , OTA K ,et al. Resource-efficient secure data sharing for information centric e-health system using fog computing[C]// IEEE ICC. 2018: 1-6.
[25]	XIANG B , ZHANG J , DENG Y ,et al. Fast blind rotation for bootstrapping FHEs[C]// Crypto 2023. 2023.
[26]	LI G , WU J , LI J ,et al. Fog computing-enabled secure demand response for internet of energy against collusion attacks using consensus and ACE[J]. IEEE Access, 2018,(6): 11278-11288.
[27]	BOATENG G O , SUN G , MENSAH D A ,et al. Consortium blockchain-based spectrum trading for network slicing in 5G RAN:a multi-agent deep reinforcement learning approach[J]. IEEE Transactions on Mobile Computing, 2023,22(10): 5801-5815.
[28]	NGUYEN V L , LIN P C , CHENG B C ,et al. Security and privacy for 6G:a survey on prospective technologies and challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2021,23(4): 2384-2428.
[29]	ZHOU Z , GAURAV A , GUPTA B B . A fine-grained access control and security approach for intelligent vehicular transport in 6G communication system[J]. IEEE Transactions on Intelligent Transportation Systems, 2022,23(7): 9726-9735.
[30]	徐子钧, 刘建伟, 李耕 . 面向5G mMTC的网络切片安全研究[J]. 网络与信息安全学报, 2022,8(1): 95-105.
	XU Z J , LIU J W , LI G . Research on network slice security for 5G mMTC[J]. Journal of Network and Information Security, 2022,8(1): 95-105.
[31]	BELLARE M , HOANG V T . Efficient schemes for committing authenticated encryption[C]// EUROCRYPT 2022. 2022: 845-875.
[32]	邓从政 . 基于公钥密码体制 RSA 算法的注册码生成器[J]. 成都大学学报 (自然科学版), 2015,34(1): 44-47.
	DENG C Z . Registration code generator based on RSA algorithm of public key cryptosystem[J]. Journal of Chengdu University (Science ＆ Technology Edition), 2015,34(1): 44-47.
[33]	EGELE M , BRUMLEY D . An empirical study of cryptographic misuse in android applications[C]// ACM CCS. 2013: 73-84.
[34]	FAHL S , HARBACH M . Why eve and mallory love android:an analysis of android SSL security[C]// ACM CCS. 2012: 50-61.
[35]	LYU M , HASSAN H.G , VIJAY S . A survey on DNS encryption:Current development,malware misuse,and inference techniques[J]. ACM Computing Surveys, 2022,55(8): 1-28.
[36]	TRIVIKRAM M . File packing from the malware perspective:techniques,analysis approaches,and directions for enhancements[J]. ACM Computing Surveys, 2022,55(5): 1-45.
[37]	HU Z , HAN J , PENG H ,et al. Locating sources in multiplex networks for linear diffusion systems[C]// IEEE Transactions on Network Science and Engineering, 2022,9(5): 3515-3530.
[38]	张磊 . 民航商用密码应用分析与安全体系研究[J]. 民航学报, 2022,6(3): 92-95.
	ZHANG L . Research on civil aviation commercial cryptography application analysis and security system[J]. Journal of Civil Aviation, 2022,6(3): 92-95.
[39]	唐士杰, 袁方, 李俊 ,等. 工业控制系统关键组件安全风险综述[J]. 网络与信息安全学报, 2022,8(3): 1-17.
	TANG S J , YUAN F , LI J ,et al. Review on security risks of key components in industrial control system[J]. Chinese Journal of Network and Information Security, 2022,8(3): 1-17.
[40]	ZHANG K . Impossible differential cryptanalysis and a security evaluation framework for AND-RX Ciphers[J]. IEEE Transactions on Information Theory, 2023.
[41]	李荣泰, 常瑞, 苗新亮 ,等. 异构平台设备安全启动机制研究[J]. 信息工程大学学报, 2022,23(2): 198-205.
	LI R T , CHANG R , MIAO X L ,et al. Secure boot mechanism of Heterogeneous Platform Devices, 2022,23(2): 198-205.
[42]	YOSHIZAWA T . A survey of security and privacy issues in v2x communication systems[J]. ACM Computing Surveys, 2023,55(9): 1-36.
[43]	董晓露, 黎妹红, 杜晔 ,等. 基于切比雪夫混沌映射和生物识别的身份认证方案[J]. 北京航空航天大学学报, 2019,45(5): 1052-1058.
	DONG X L , LI M H , DU Y ,et al. A biometric verification-based authentication scheme using chebyshev chaotic mapping[J]. Journal of Beijing University of Aeronautics and Astronautics, 2019,45(5): 1052-1058.
[44]	XUN Y , WEI G , LIU J . G-driverAUT:a growable driver authentication scheme based on incremental learning[J]. IEEE Transactions on Vehicular Technology, 2023.
[45]	郝敏, 叶东东, 余荣 ,等. 区块链赋能的6G零信任车联网可信接入方案[J]. 电子与信息学报, 2022,44(9): 3004-3013.
	HAO M , YE D D , YU R ,et al. Blockchain empowered trustworthy access scheme for 6G zero-trust vehicular networks[J]. Journal of Electronics ＆ Information Technology, 2022,44(9): 3004-3013.
[46]	智能网联汽车密码模块安全技术要求:T/GHDQ 79-2021[S]. 2021.
	Security technical requirements of intelligent connected vehicle password module:T/GHDQ 79-2021[S]. 2021.
[47]	CAO Y , LI S , LIU Y ,et al. A comprehensive survey of ai-generated content (AIGC):a history of generative AI from GAN to ChatGPT[J]. arXiv preprint arXiv:2303.04226, 2023.
[48]	WARNAT-HERRESTHAL S . Swarm learning for decentralized and confidential clinical machine learning[J]. Nature, 2021,594(7862): 265-270.
[49]	ABADI M , ANDERSEN D G . Learning to protect communications with adversarial neural cryptography[C]// International Conference on Learning Representations (ICLR). 2016.
[50]	ZEADALLY S , DAS A K , SKLAVOS N ,et al. Cryptographic technologies and protocol standards for internet of things[EB].
[51]	JKENNEY J B . Dedicated short-range communications (DSRC) standards in the United States[J]. Proceedings of the IEEE, 2011,99(7): 1162-1182.
[52]	LI G , WU J , LI S ,et al. Multitentacle federated learning over software-defined industrial internet of things against adaptive poisoning attacks[J]. IEEE Transactions on Industrial Informatics, 2023,19(2): 1260-1269.
[53]	蒋瀚, 刘怡然, 宋祥福 ,等. 隐私保护机器学习的密码学方法[J]. 电子与信息学报, 2020,42(5): 1068-1078.
	JIANG H , LIU Y R , SONG X F ,et al. Cryptographic method of Machine learning for privacy protection[J]. Journal of Electronics and Information Technology, 2020,42(5): 1068-1078.
[54]	MYUNGSUN K . Private compound wildcard queries using fully homomorphic encryption[J]. IEEE Transactions on Dependable and Secure Computing, 2017,16(5): 743-756.
[55]	GOMEZ A.N , HUANG S , ZHANG I ,et al. Unsupervised cipher cracking using discrete GANs[J]. arXiv:1801.04883v1, 2018.
[56]	HITAJ B , GASTI P , ATENIESE G ,et al. PassGAN:a deep learning approach for password guessing[C]// International Conference on Applied Cryptography and Network Security. 2019: 217-237.
[57]	宁晗阳, 马苗, 杨波 ,等. 密码学智能化研究进展与分析[J]. 计算机科学, 2022,49(9): 288-296.
	NING H Y , MA M , YANG B ,et al. Intelligent cryptography research progress and analysis[J]. Journal of Computer Science, 2022,49(9): 288-296.
[58]	KWON H , SIM M , SONG G ,et al. Novel approach to cryptography implementation using ChatGPT[R]. 2023.
[59]	ZHOU Z , BIN H , LI J ,et al. Malicious encrypted traffic features extraction model based on unsupervised feature adaptive learning[J]. Journal of Computer Virology and Hacking Techniques, 2022,18: 453-463.
[60]	王利朋, 关志, 李青山 ,等. 区块链数据安全服务综述[J]. 软件学报, 2023,34(1): 1-32.
	WANG L P , GUAN Z , LI Q S ,et al. Survey on blockchain-based security services[J]. Journal of Software, 2023,34(1): 1-32.
[61]	YANG Z , LI G , WU J ,et al. Propagable backdoors over blockchain-based federated learning via sample-specific eclipse[C]// IEEE GLOBECOM. 2022: 2579-2584.
[62]	SHI Y , LI G , XU X ,et al. PFCC:predictive fast consensus convergence for mobile blockchain over 5G slicing-enabled IoT[C]// IEEE GLOBECOM. 2021: 1-6.
[63]	朱岩, 张艺, 王迪 ,等. 网络安全等级保护下的区块链评估方法[J]. 工程科学学报, 2020,42(10): 1267-1285.
	ZHU Y , ZHANG Y , WANG D ,et al. Research on blockchain evaluation methods under the classified protection of cybersecurity[J]. Chinese Journal of Engineering, 2020,42(10): 1267-1285.
[64]	GUO F , GUSILO W . Optimal tightness for chain-based unique signatures[C]// EUROCRYPT 2022. 2022: 553-583.
[65]	唐飞, 甘宁, 阳祥贵 ,等. 基于区块链与国密 SM9 的抗恶意KGC 无证书签名方案[J]. 网络与信息安全学报, 2022,8(6): 9-19.
	TANG F , GAN N , YANG X G ,et al. Anti-malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9[J]. Chinese Journal of Network and Information Security, 2022,8(6): 9-19.
[66]	LI G , DONG M , YANG L T ,et al. Make edge intelligence immune:decentralized service orchestration for secure learning via blockchain[J]. IEEE Transactions on Engineering Management, 2023,(99): 1-12.
[67]	刘峰, 杨杰, 齐佳音 . 区块链密码学隐私保护技术综述[J]. 网络与信息安全学报, 2022,8(4): 29-44.
	LIU F , YANG J , QI J Y . Review of blockchain cryptography privacy protection technology[J]. Journal of Network and Information Security, 2022,8(4): 29-44.

发展阶段	时间	标志性文件
第一阶段：	2007.11—2016.08	《信息安全等级保护商用密码管理办法》
制度奠基期		《<信息安全等级保护商用密码管理办法>实施意见》
第二阶段：	2016.09—2017.04	《商用密码应用安全性评估管理办法（试行）》
再次集结期		《关于开展密码应用安全性评估试点工作的通知》
第三阶段：		《商用密码应用安全性测评机构管理办法（试行）》
体系建设期	2017.05—2017.09	《商用密码应用安全性测评机构能力评审实施细则（试行）》
		《信息安全技术信息系统密码应用基本要求》（GM/T 0054-2018）
		《信息安全技术信息系统密码应用基本要求》（GB/T 39786-2021）
第四阶段：		《关于规范商用密码应用安全性评估结果备案工作的通知》（国家密码管理局字[2021]392号）
密评试点开展期	2017.10—至今	《信息安全技术信息系统密码应用测评要求》（GM/T 0115-2021）
		《商用密码应用安全性评估管理办法》（2023.11）
		《信息安全技术信息系统密码应用测评过程指南》（GM/T 0116-2021）

技术类别	评估对象	参考标准	评估内容
			总体要求
密评	关键信息基础设施、网络安全保护第三级以	《商用密码应用安全性评估测评	密码功能要求
	上的系统、国家政务信息系统	过程指南》	技术应用要求
			密钥管理
			安全管理
			安全物理环境
			安全通信网络
			安全区域边界
		《信息安全技术网络安全等级	安全计算环境
等保测评	通信网络设施、信息系统、数据资源	保护测评过程指南》	安全管理中心
		（GB/T28449-2018）	安全管理制度
			安全管理机构
			安全管理人员
			安全建设管理
			安全运维管理
		《信息安全技术关键信息基础	合规检查
关基安全检测评估	关键信息基础设施	设施安全检查评估指南》	安全技术检测
			分析评估

AI模型	简介	挑战	机遇
DNN	深度神经网络，用于构建分类、预测等深度学习任务	依然无法对加密流、密文信息直接进行评测	可识别加密流类型、恶意软件家族等
GAN	对抗生成网络，用于数据去噪、数据生成等	仅能对模拟构建早期的加密算法实现加密传输通道	开辟了实现加密算法和加密协议的新途径
AIGC/ChatGPT	大模型，用于各领域构建生成式问答系统	辅助构建自动化密评工具，还需对大模型进行个性化微调	增强安全知识检索能力，有助于提升安全意识

面向新型关键基础设施的密码应用安全性评估技术综述

Review of cryptographic application security evaluation techniques for new critical infrastructures

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 67

相关文章 1

Metrics

推荐阅读 0