Scheme and implementation of PDM drawing and document security management

1. Problem statement

Drawing and document management is an important part of a PDM system. It replaces manual management of electronic documents, so that users can access, maintain and process the documents of various products more conveniently, quickly and safely. Its objects range from the AutoCAD drawing data files, 3D solid modeling data files, process flow cards and CAE analysis reports generated in the design stage to the change orders that may be generated in the manufacturing stage.

Implementing PDM drawing and document management can solve problems such as a low degree of information sharing, poor information reuse, inconvenient query and the accumulation of product design knowledge. However, the higher degree of sharing and the centralized storage of data bring security problems of their own. Any inappropriate or lax security strategy will cause security vulnerabilities in the PDM system and the loss of drawing documents. Therefore, when developing a PDM drawing document management system, we should first consider and solve the problem of data security, and only then consider application problems such as the sharing strategy, system performance and convenient query.

2. Drawing document security management scheme

Data security in a PDM system is reflected not only in the safe storage of a large amount of electronic document data; the security of the management system itself is also a very important problem. Therefore, when formulating the system security scheme, the author adopts the following technical scheme and implements comprehensive encryption and confidentiality measures to secure the drawing documents.

2.1 Database storage and encryption of files

PDM systems generally need the support of a large-scale database, so drawing documents can be stored in database tables as BLOB fields rather than as files in a shared directory on the server. When files are kept in a shared directory, security control of file storage depends on operating system identity authentication and shared directory security. As mobile storage devices (such as USB flash disks) become increasingly mature and convenient, relying on the file system for security is very fragile, and compressing and encrypting drawing data into the database is a better solution. Since 70% - 80% of drawing documents are small files (an engineering drawing file generally does not exceed 1M, far smaller than music files, image files, etc.) and each file is compressed before being stored in the database, access performance is not greatly affected.

2.1.1 Encryption scheme selection

In a PDM system, encryption and decryption are applied mainly to files. File encryption can be implemented in hardware or in software. Hardware encryption is strong, but it needs supporting equipment (such as an encryption card), and encryption cards are expensive. For a PDM system, software encryption is strong enough and is difficult for ordinary users to crack.

2.1.2 Selection of encryption algorithm

The encryption algorithm must ensure the security of PDM system files; at least for ordinary users, it should be difficult to crack. The DES algorithm has high security: so far, no method of attacking it more effective than exhaustive search has been found. The exhaustive search space of the 56-bit key is 2^56, which means that a computer testing one million keys per second would need nearly 2285 years to search all the keys. It can be seen that this is difficult to achieve. Encryption and decryption efficiency is also a factor to be considered, that is, the speed of encryption and decryption should be acceptable to users. The DES algorithm is efficient, and the file is compressed before encryption, so the efficiency is basically acceptable. Based on the above considerations, the author decided to use the DES algorithm in the PDM system to implement file encryption and decryption.

2.1.3 Encryption and decryption process

⑴ File saving process: ① compress the plaintext file; the compressed file is smaller, which significantly improves the efficiency of encryption; ② encrypt the compressed file with the DES algorithm; the key is formed from the time the file is imported into the database + the file ID number, with the byte order scrambled; ③ import the encrypted compressed file into a database BLOB field.

⑵ File opening process: ① export the encrypted file from the database; ② decrypt the compressed file with the DES algorithm; the key is formed from the time the file was imported into the database + the file ID, with the byte order then scrambled; ③ decompress it to generate the plaintext file.

2.2 User authority control

The traditional user authorization method is unified authorization by the system administrator. In this way, the system administrator has supreme power. To avoid over-centralization of power, the scheme adopts authorization by the project team leader: drawings and documents may be accessed only by users in the project team, not by users outside it, and even the system administrator cannot access the documents of other project teams. Document viewing, check-in, check-out, import, export, deletion and other operations between users in the project team also need the authorization of the project team leader.

2.3 Database password security

To prevent illegal intruders from finding the database password in the binary code through decompilation (strings are generally stored in the executable file as resources, which makes them easy to find), the author adopts the method of automatically calculating and generating the password when the system runs, so that intruders cannot obtain the database password through static or dynamic analysis. In addition, users can change the database password at any time without affecting the normal operation of the system.

2.4 System user password security

The database password and the user passwords are independent. The password of the database user is not used as the password of a system user, and vice versa. The passwords of system users are stored in a database table in encrypted form. Even if someone opens the database after obtaining the database password and finds the record of a system user, they cannot find that user's password.

2.5 Processing of temporary files

When a file is viewed normally, the system has to take it out of the database, decrypt it and decompress it. For smaller files, memory files can be used: the file is stored only in memory and is released as soon as the program exits. For larger files, randomly named temporary files can be used; after use, they are overwritten with other irrelevant information and deleted to ensure security.
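One way to implement the temporary-file handling described in 2.5, as an added example that is not code from the original system. The names `plaintext_view`, `overwrite_and_delete` and the 1 MiB `MEMORY_LIMIT` cut-off are assumptions made for illustration.

```python
import io
import os
import tempfile
from contextlib import contextmanager

MEMORY_LIMIT = 1024 * 1024  # assumed cut-off between "smaller" and "larger" files


def overwrite_and_delete(path):
    """Overwrite a file with unrelated random bytes, flush to disk, then delete it.

    Returns the number of bytes overwritten. On SSDs and copy-on-write or
    journaling filesystems the old blocks may survive an in-place overwrite,
    so the overwrite is best-effort there.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, 65536):
            f.write(os.urandom(min(65536, size - offset)))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size


@contextmanager
def plaintext_view(data, memory_limit=MEMORY_LIMIT):
    """Yield (handle, path) for decrypted bytes; path is None for memory files."""
    if len(data) <= memory_limit:
        with io.BytesIO(data) as buf:   # lives only in process memory
            yield buf, None
        return
    # mkstemp chooses a random name and creates the file readable by its owner only
    fd, path = tempfile.mkstemp(prefix="pdm_", suffix=".tmp")
    try:
        with os.fdopen(fd, "w+b") as f:
            f.write(data)
            f.flush()
            f.seek(0)
            yield f, path
    finally:
        # Runs even when the viewer raises, so no plaintext copy stays on disk
        if os.path.exists(path):
            overwrite_and_delete(path)
```

Wrapping the viewer call in `with plaintext_view(data) as (handle, path):` keeps the cleanup tied to the viewing session instead of relying on the caller to remember it.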

2.6 Log tracking

Sensitive operations that project users perform on the system are recorded by the system, so that each user's operations can be tracked and traced.
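The leader-based authorization of 2.2 combined with the log tracking of 2.6, as an added example that is not code from the original system. The class `DocumentGuard`, its method names and the log record fields are hypothetical; the operation names are the ones listed in 2.2.

```python
from datetime import datetime, timezone

OPERATIONS = {"view", "check-in", "check-out", "import", "export", "delete"}


class DocumentGuard:
    """Hypothetical access layer: rights come only from the project team leader,
    and every grant or access attempt is written to an audit trail."""

    def __init__(self):
        self.leaders = {}     # project -> leader user name
        self.grants = {}      # (project, member) -> set of authorized operations
        self.audit_log = []   # in-memory here; a real system would persist it

    def _record(self, user, project, action, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "project": project,
            "action": action, "allowed": allowed,
        })
        return allowed

    def create_project(self, project, leader):
        self.leaders[project] = leader

    def grant(self, granter, project, member, operation):
        """Authorize one operation for one member; only the leader may do this."""
        ok = self.leaders.get(project) == granter and operation in OPERATIONS
        if ok:
            self.grants.setdefault((project, member), set()).add(operation)
        return self._record(granter, project, f"grant {operation} to {member}", ok)

    def check(self, user, project, operation):
        """No role, not even administrator, bypasses the leader's grant."""
        ok = operation in self.grants.get((project, user), set())
        return self._record(user, project, operation, ok)

    def denied(self, project):
        """Audit query: refused attempts against one project's documents."""
        return [e for e in self.audit_log
                if e["project"] == project and not e["allowed"]]
```

Refused attempts are logged as well as permitted ones, so an account probing another team's documents shows up in `denied()`.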

3. Feasibility of security scheme

There are generally two ways for a cracker to get files: ① open the database directly, find the data, then decrypt and decompress it; ② enter the system as a PDM system user, obtain the appropriate file access rights and access the files.

⑴ If the first method is used to obtain documents, the following five steps must be completed, and each step must be completed before the next can be carried out. Against these five steps, the countermeasures taken by the author are: ① database password encryption and dynamic generation prevent intruders from finding the database password and entering the database; ② a large database, a complex system table structure and compression of the data before encryption prevent intruders from exporting the database; ③ no dedicated key data table is set up, so intruders cannot find where keys are stored; ④ the key is not stored explicitly but calculated according to certain rules, which makes it difficult for intruders to analyze and assemble the key; ⑤ a deep understanding of the DES algorithm is needed before files can be decrypted with the decryption algorithm.

⑵ If the second method is used to obtain documents, the following two steps must be completed, and the first must be completed before the second can be carried out. Against these two steps, the countermeasures taken by the author are: ① user passwords are encrypted and the system user name and password are strictly verified, so that even if the system administrator identity is obtained, the passwords of project team members cannot be obtained, and non-members of the project team cannot log in to the PDM system; ② drawing document data is strictly separated by project team, and members of a project team can access files only within a certain range after being authorized. Non-members who want to join a project team must be authorized by the project leader, and access to the documents of other members within the project team also requires appropriate authorization from the project leader. These preventive measures place layers of barriers in front of intruders, so that they cannot obtain information in a short time.

4. Conclusion

This paper introduces the scheme and implementation of PDM drawing document security management, analyzes the possible loopholes in drawing document management, and gives the corresponding solutions, which can ensure the safety and reliability of PDM drawing documents. The software developed by this method has been applied in a hydraulic component factory and achieved good results.

Copyright © 2011 JIN SHI