Blockchain evaluation methods under the classified protection of cybersecurity
Authors: 朱岩, 张艺, 王迪, 秦博涵, 郭倩, 冯荣权, 赵章界
Affiliation: 1. School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China
Funding: Key R&D Program of the Ministry of Science and Technology of China (2018YFB1402702); National Natural Science Foundation of China (61972032); Beijing Municipal Bureau of Economy and Information Technology (HTBH_20200901_573)
Abstract: Classified protection (CP for short) is the basic information security policy of China. As blockchain technology is applied ever more widely across industries, classified-protection evaluation of blockchain systems needs to advance in step, which will help the technology develop in a sustained and healthy way in China. To this end, based on the application and data security requirements of classified protection Level 3, this paper gives specific evaluation requirements and implementation schemes for the core technologies of blockchain systems, namely peer-to-peer networks, distributed ledgers, consensus mechanisms and smart contracts, and, starting from the control points specified in Classified Protection 2.0, summarizes and analyzes the current running data of blockchain systems and their security audit mechanisms based on the log workflow. The evaluation and analysis show that blockchain systems meet the classified-protection requirements for software fault tolerance, resource control, and backup and recovery, while security audit, identification and authentication, data integrity and other aspects still need further improvement.

Keywords: blockchain; classified protection of cybersecurity; peer-to-peer network; consensus mechanism; evaluation and analysis
Received: 2019-12-17

Research on blockchain evaluation methods under the classified protection of cybersecurity
Affiliation: 1. School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China; 2. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; 3. School of Mathematical Sciences, Peking University, Beijing 100871, China; 4. Beijing Information Security Test and Evaluation Center, Beijing 100101, China
Abstract: A blockchain is a cryptographic distributed database and network transaction accounting system. In the current era of major technological change, blockchain technology, with its cryptographic structure, peer-to-peer (P2P) network, consensus mechanism, smart contracts and other mechanisms, is decentralized, tamper-resistant and traceable, and has become a hot spot in the development of informatization. Classified protection is one of the basic information security policies in China. Implementing the classified protection system not only guides industries in performing security management according to uniform security standards, but also ensures that supervision and evaluation institutions follow the laws and regulations, which matters for network security. As blockchain technology is applied ever more widely across industries, national classified-protection security assessment of blockchains must be promoted in step, which contributes to the sustainable and healthy development of blockchains in China. According to the revised assessment methods of classified protection, in addition to the general requirements, evaluation specifications should be formulated for specific technologies and fields (such as cloud computing, mobile Internet, Internet of Things, industrial control, and big data). In view of the particularity of blockchain technology, China has initiated the formulation of blockchain evaluation specifications, but has not yet applied the classified protection standards to them. Therefore, this paper specifies assessment requirements and enforcement proposals for the blockchain's core technologies, namely the P2P network, distributed ledger, consensus mechanism, and smart contracts, according to the application and data security layer requirements at Level 3.
Moreover, the current running data of blockchains and their security audit mechanism based on the log workflow are summarized and analyzed in compliance with the control points specified in Classified Protection 2.0. Our investigation indicates that blockchains satisfy the evaluation items in three aspects, namely software fault tolerance, resource control, and backup and recovery. However, further improvements are needed in other aspects, including security audit, access control, identification and authentication, and data integrity.
Keywords: