Similar literature
 Found 20 similar documents; search took 31 ms
1.
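Proxy signature schemes based on the discrete logarithm generally fall into two classes: those that require a trusted center and those that do not. In practice, however, in many specific application environments a fully trusted third-party certification authority does not exist, and when the third-party certification authority has a problem, the security of the information is easily and directly affected. Constructing a proxy signature scheme that does not require a trusted center is therefore very important. By blinding the proxy delegation information, the scheme strengthens the security of the information, so that the delegation information can be transmitted over a public channel. This not only guarantees the confidentiality of information in the delegation phase, but also improves the performance of the scheme to some extent.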

2.
In order to solve the problem of anonymity and controllability of blind proxy re-signature, the concept of partially blind proxy re-signature was introduced by using the idea of partially blind signature. Furthermore, the security definition of partially blind proxy re-signature was also given. Based on the improved Shao scheme, a partially blind proxy re-signature scheme in the standard model was proposed. The proposed scheme allows the proxy to add some public information negotiated by the delegatee and the proxy to the re-signature. The scheme not only achieves transparent signature conversion from delegatee to proxy and protects the privacy of the message re-signed by the proxy, but also prevents illegal use of the re-signature. Analysis results show that the proposed scheme is correct, multi-use, partially blind and existentially unforgeable. It is more suitable for e-government data exchange systems, cross-domain authentication systems and so on.

3.
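Based on a study of the basic principles of data integration in heterogeneous databases, an implementation strategy for a database integration model is proposed: a middleware layer, the "virtual database system", is built between the heterogeneous databases, and authorized, authenticated legitimate users dynamically access and integrate the various distributed, heterogeneous data resources of different kinds in the environment through the standard access interface and unified data format that the "virtual database system" provides.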

4.
Cloud computing is one of the space-ground integration information network applications. Users can access data and retrieve services easily and quickly in the cloud. The confidentiality and integrity of the data cloud have a direct correspondence to the data security of the space-ground integration information network. Thus the data in the cloud is transferred in encrypted form to protect the information. As an important technology of cloud security, access control should take account of multiple factors and ciphertext to satisfy the complex requirements of cloud data protection. Based on this, a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed. Firstly, the aims and assumptions of PRE-MFAC were given. Secondly, the system model and algorithm were defined. Finally, the security and properties of PRE-MFAC were analyzed. The proposed scheme combines PRE and multi-factor access control and realizes multi-factor permission management of ciphertext in the cloud. Meanwhile, it makes the best possible use of the cloud for computing and storage, and thus reduces the difficulty of cryptographic computing and key management for individual users.

5.
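One development trend of access control technology in distributed computing environments is centralized identity and privilege management, in which a dedicated system provides centralized identity and authorization policy management for the various computer systems and application service systems of an enterprise or institution. In practice, however, such centralized authorization management systems also face some technical problems. This paper proposes a centralized authorization system that supports and extends multiple different access control methods through a Manager-Provider architecture, defines inheritable authorization policies based on a resource policy tree, and provides online authorization decision services for different access control methods.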

6.
The extent and diversity of systems provided by IP networks have led various technologies to integrate different types of access networks and converge on the next generation network (NGN). The session initiation protocol (SIP), with features such as being text based, end-to-end connection, independence from the type of transmitted data, and support for various forms of transmission, is an appropriate choice of signalling protocol for making connections between two IP network users. These advantages have led SIP to be considered as a signalling protocol in the IP multimedia subsystem (IMS), a proposed signalling platform for NGNs. Despite all these advantages, SIP lacks an appropriate mechanism for addressing overload, which causes serious problems for SIP servers. SIP overload occurs when a SIP server does not have enough resources to process messages. The performance of SIP servers is largely degraded during overload periods because of the retransmission mechanism of SIP. In this paper, we propose an advanced mechanism, which is an improved version of the window-based overload control in RFC 6357. In the window-based overload control method, the window is used to limit the number of messages generated by the SIP proxy server. A distributed adaptive window-based overload control algorithm, which does not use explicit feedback from the downstream server, is proposed. The number of confirmation messages is used as a measure of the downstream server load. Thus, the proposed algorithm does not impose any additional complexity or processing on the overloaded downstream server, making it a robust approach. Our proposed algorithm is developed and implemented based on an open source proxy. The results of the evaluation show that the proposed method could maintain the throughput close to the theoretical throughput, practically and fairly. As far as we know, this is the only SIP overload control mechanism that is implemented on a real platform without using explicit feedback.

7.
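An RBAC-based delegation model for office automation systems   Total citations: 3, self-citations: 0, citations by others: 3
In role-based access control (RBAC), permissions are assigned only to roles, and a user must become a member of a role to obtain the corresponding access permissions. The basic idea of role-based delegation is that a member of the system grants permissions it holds to another member, so that the latter can carry out certain work on its behalf. Because delegation characteristics are diverse, a delegation model can have many different states. The paper first summarizes several basic characteristics related to delegation, then reduces the combinations of these characteristics according to the actual business of an office automation system and identifies a suitable set of states, thereby establishing a delegation model for office automation systems.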

8.
The medium access control protocol determines system throughput in wireless mobile ad hoc networks following the IEEE 802.11 standard. Under this standard, asynchronous data transmissions have a defined distributed coordination function that allows stations to contend for channel usage in a distributed manner via the carrier sensing multiple access with collision avoidance protocol. In the distributed coordination function, a slotted binary exponential backoff (BEB) algorithm resolves collisions of packets transmitted simultaneously by different stations. The BEB algorithm prevents packet collisions during simultaneous access by randomizing the moments at which stations attempt to access the wireless channels. However, this randomization does not eliminate packet collisions entirely, leading to reduced system throughput and increased packet delay and drop. In addition, the BEB algorithm results in unfair channel access among stations. In this paper, we propose an enhanced binary exponential backoff algorithm to improve channel access fairness by adjusting the manner of increasing or decreasing the contention window based on the number of successfully sent frames. We propose several configurations and use the NS2 simulator to analyze network performance. The enhanced binary exponential backoff algorithm improves channel access fairness, significantly increases network throughput capacity, and reduces packet delay and drop. Copyright © 2013 John Wiley & Sons, Ltd.

9.
Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is an effective scheme for enabling multiple users to search over encrypted data in a cloud storage environment. However, most of the existing search schemes lack privacy protection for the data owner and have a higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the multiuser, multiattribute access control list for searching the data file. The computation that generates the attribute keys for the users' access control and the keyword index is handed to a trusted third party to reduce the computation time of the data owner. Second, using the CP‐ABE scheme, the trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list can the ciphertext be decrypted. Finally, when the user searches for a data file, the keyword trap door is no longer generated by the user but is handed to the proxy server to complete. Also, the ciphertext is predecrypted by the proxy server before the user performs decryption. In this way, the flaw of the client's limited computation resources can be solved. Security analysis results show that this scheme provides data privacy, privacy of the search process, and resistance to collusion attacks, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.

10.
Cloud storage has become a trend of storage in the modern age. The cloud‐based electronic health record (EHR) system has brought great convenience for health care. When a user visits a doctor for treatment, the doctor may need to access the historical health records generated at other medical institutions. Thus, we present a secure EHR searching scheme based on conjunctive keyword search with proxy re‐encryption to realize data sharing between different medical institutions. Firstly, we propose a framework for health data sharing among multiple medical institutions based on cloud storage. We use public key encryption with conjunctive keyword search to encrypt the original data and store it in the cloud. It ensures data security with searchability. Furthermore, we adopt the identity‐based access control mechanism and proxy re‐encryption scheme to guarantee the legitimacy of access and the privacy of the original data. Generally speaking, our work can achieve authentication, keyword privacy, and privacy preservation. Moreover, the performance evaluation shows that the scheme can achieve high computational efficiency.

11.
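A network-based distributed video material retrieval system built on top of existing media asset management systems is proposed. Using a service-oriented architecture, it builds a unified data interface and protocol on a standard data model to retrieve and process heterogeneous, geographically dispersed media asset data, and uses a polling request/reply heterogeneous response structure to communicate retrieval data asynchronously with each media asset management system. It is a useful attempt to improve the current situation in which broadcasting and media organizations build their media asset systems piecemeal and operate them as isolated islands, and to share audio and video media resources.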

12.
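In view of the current state of the relevant information systems at the Guangzhou Pumped Storage Power Plant (广州蓄能发电厂) and the problems found in classified-protection evaluation of information security, the systems were re-planned and remediated for compliance according to the relevant national classified-protection standards and specifications, and a classified-protection system model based on trusted computing and active defense is proposed. Guided by the concepts of trusted computing and active defense, and using core technologies such as cryptography, code verification and trusted access control, the model provides comprehensive protection of the information systems within the framework of "one center, triple defense". The aim is to establish a complete security assurance system that effectively guarantees the normal operation of system services and protects the security of sensitive data.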

13.
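Chen Bo, Yu Ling, Qiang Xiaohui, Wang Yan. Journal on Communications (《通信学报》), 2014, 35(4): 7-64
Abstract: This paper studies how to strengthen a trusted terminal's access control over removable storage media so as to effectively prevent leakage of sensitive information through such media. First, building on attribute-based encryption with a hidden ciphertext policy, a lattice-based method for describing attribute policies is proposed. Each attribute forms a linear lattice or a subset lattice, the attribute set is constructed as a product lattice, and access policies are specified using a lattice-based multilevel information flow control model. The correctness and security of the new method are proved. While retaining the advantages of existing attribute-based encryption algorithms with hidden access policies, the new method effectively simplifies the expression of access policies, is better suited to sharing sensitive information under multilevel security, and achieves fine-grained access control. Further, by using the usage context of the removable storage device and the user as attributes when constructing access policies, dynamic, fine-grained context-aware access control is achieved. Finally, a layered security management scheme that performs admission authentication and context-aware access control for removable storage media is designed. The security and flexibility of the scheme are analyzed, and comparative experiments show that the scheme with context-aware access control still has good processing efficiency. The scheme is also applicable to the secure management of sensitive information in ubiquitous environments.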

14.
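Wang Lina, Zhang Hao, Yu Rongwei, Gao Hanjun, Gan Ning. Journal on Communications (《通信学报》), 2013, 34(12): 167-177
To address the problem that existing ways of constructing trusted virtual domains cannot satisfy cloud computing characteristics such as flexible configuration, and in light of the need to prevent leakage of sensitive data inside cloud computing enterprises, a VPE-based method for constructing trusted virtual domains, TVD-VPE, is proposed. TVD-VPE uses the split device driver model to build a virtual Ethernet VPE, intercepts data packets in the back-end driver, checks them against the boundary security policy, and finally encrypts the data frames that satisfy the policy. In addition, a trusted virtual domain join/leave protocol is designed to ensure that user virtual machines join and leave securely, a management protocol for trusted virtual domains is designed for deploying the boundary security policy, and a cross-domain access protocol is designed for cross-domain access by highly privileged users. Finally, a prototype system was implemented and subjected to functional and performance tests; the results show that the system effectively prevents unauthorized access, and that its impact on Xen network performance is almost negligible.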

15.
Secure ciphertext sharing mechanism in cloud storage environments   Total citations: 1, self-citations: 0, citations by others: 1
With the convenience of storing and sharing data in the cloud storage environment, concerns about data security arose as well. To achieve data security on untrusted servers, users usually store encrypted data in the cloud storage environment. How to build a ciphertext-based access control scheme became a hot issue. For the access control problems of ciphertext in the cloud storage environment, a CP-ABE based data sharing scheme was proposed. Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party. Personal information was added to the decryption key to resist collusion attacks at the same time. Moreover, a key revocation scheme was proposed to provide data backward secrecy. The security and implementation analysis proves that the proposed scheme is suitable for the real application environment.

16.
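Electronic devices are closely tied to people's lives, and electronic data has been listed as one of the eight categories of evidence. Electronic data is usually stored centrally, which makes it easy to tamper with and destroy and makes its authenticity hard to guarantee. Moreover, public security bureaus, procuratorates and courts deliver electronic evidence offline, which is inefficient and introduces insecure factors into the process. To address this, a consortium blockchain among the public security bureau, the procuratorate and the court is built on blockchain and edge storage technology. Using the blockchain's multi-party evidence preservation, immutability, traceability, non-repudiation, CA authentication and digital signatures, together with edge storage's decentralized distributed storage, nearby access and elastic scaling, electronic evidence is put on chain and preserved, improving work efficiency and safeguarding data security.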

17.
Proxy Re-encryption (PRE) has attracted great attention from researchers recently. It potentially has many useful applications in network communications and file sharing. A secure distributed cryptographic file system is one of its applications. But practical applications of PRE are few, and even fewer of them have been tested by systematically designed experiments. Applying a couple of representative algorithms proposed by BBS, Ateniese, Shao, et al., a distributed file system is designed. In the system, some substitute mechanisms, such as data dispersal and dynamic file sharing, are well applied. Many features, such as flexible authorization and data redundancy, are included in the system. The comparative evaluation confirmed that the system is more practical and efficient.

18.
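To address the problems in current university access control management, such as multiple systems with multiple cards, scattered access transaction records and poor extensibility, a three-layer framework design for a campus integrated access control management platform, centered on a perception layer, a transport layer and an application layer, is proposed on the basis of an analysis of existing system architectures. By unifying the campus card medium and its authorization, implementing tiered management and networking of access control, fully standardizing the access interface standards, and storing transaction records centrally, unified processing of campus-card-based access control application data is achieved. The design not only facilitates the management of university access control applications, but also lays a foundation for data mining on access control data and for supporting management decision-making.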

19.
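A cluster system has the characteristics of a distributed system as well as the features of a single system. Because traditional cluster compute nodes lack the support of a trusted computing platform, the cluster as a single system lacks the support of trusted security technology. As a distributed system, its trusted security mechanism and trust chain transfer mechanism also differ greatly from those of a stand-alone system. On the basis of the TCG trusted computing specifications and the chain of trust, an architecture for trusted clusters is proposed, a TPM-based trusted cluster is constructed, and a trusted cluster system based on this architecture is implemented. For applications in the cluster, how the implemented trusted cluster system solves trusted security problems in clusters is discussed and studied.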

20.

Cloud databases provide facilities for large scale data storage and retrieval of distributed data. However, the current access control techniques provided in database systems for maintaining security are not sufficient to secure the private data stored in public cloud databases. In this paper, a new secured data storage algorithm for effective maintenance of confidential data is proposed. To perform storage and retrieval operations on data in cloud data storage effectively, map reduce algorithms that perform data reduction and fast processing are developed in this work. In order to consider the temporal nature of documents to be retrieved, we propose a new algorithm called Temporal Secured Cloud Map Reduced Algorithm, which integrates temporal constraints with map reduce algorithms and also with the chaining Hill Cipher encryption algorithms newly proposed in this work. The main advantages of the proposed algorithm are that it reduces the processing time and maintains security effectively. The experimental results obtained from this work show that the proposed model optimizes cost and ensures data security.

