军工系统保密工作的评价体系

<正>保密资格审查认证工作成效显著由国家保密局、原国防科工委、总装备部共同建立并实施的武器装备科研生产单位保密资格审查认证制度至今已走过了10年时间,许多从事武器装备科研生产的企事业单位已先后完成了两轮保密资格审查认证。在现场审查中,依据保密资格审查认证的评分标准,对从事武器装备科研生产的企事业单位的保密工作给出了基本评价,有力地推动了这些单位的保密工作,提升了在武器装备研制生产过程中对国家秘密的保护能力,保障了我军武器装备更新和升级换代任务的完成。通过保密资格审查认证的企事业单位,在保密组织机构建设、保密制度体系建设、保密监督管理水平、载体与信息安全保密防护能力建设等诸多方面取得了长足的进步,主     

保密管理专业的建设和培养方法

保密管理专业涉及的知识体系范围很广,覆盖文理工诸多学科,是一门典型的综合性交叉学科。目前保密管理教学的主要内容侧重保密行政管理、保密技术和保密法规。与之密切相关的学科包括管理学、信息安全学和法学。保密管理在本质上属于信息管理,可以分为涉密人员管理和秘密信息管理两个方面。涉密人员管理主要包括涉密人员的保密教育、岗位管理、流动管理以及脱密管理。秘密信息管理主要包括：秘密信息产生过程和流动管理,涉密载体存放和销毁管理,以及涉密信息系统建设和运维管理等。     

涉密信息系统安全保密管理人员的职责要求与权限划分

涉密信息系统的安全保密管理人员包括系统管理员、安全保密管理员和安全审计员。本文分别对国家保密标准中所规定的这三类安全保密管理人员进行研究,分析各自职责。并以涉密信息系统用户账号和授权管理流程为例,说明了安全保密管理人员的权限划分原则。以此促进涉密信息系统建设使用单位对标准要求的理解和落实,同时也为涉密信息系统内业务应用系统和安全保密产品的设计开发提出了相应的功能要求。     

涉密应用系统安全保密功能要素

文中从涉密应用系统安全保密重要性出发,紧扣国家保密相关标准,阐述了涉密应用系统在研发设计过程中实现安全保密功能需要考虑的几个要素,并通过本单位应用系统部署的实践经验叙述了实现涉密应用系统安全保密功能的经验和体会。     

可信办公自动化系统设计

文中通过分析当前涉密单位的办公现状,针对这些单位存在的没有办公自动化系统可用、办公效率低、信息安全保密形势严峻等实际问题,采用无盘工作站+信息中心的设计模式,利用加密设备对数据传输和涉密信息进行加密,将难以控制的网络安全问题变成已经成熟解决的加解密问题,结合数据安全存储技术、网络安全技术和成熟的办公自动化软件系统,建立一套可信办公自动化系统,实现涉密单位的办公自动化。     

基于涉密计算机网络安全保密解决方案的分析

涉密系统的安全保密工程非常复杂,不管是改造现有的计算机信息安全保密系统,还是新建的系统,都需要设计安全保密部分,制定涉密系统的安全保密方案。文中基于对涉密计算机网络安全的探讨,完成了安全保密系统方案的设计,最后对方案设计中存在的问题及加强涉密网络安全保密的措施进行了阐述。     

基于残差网络的线上考试防替考系统设计

在线上考试的场景中,无法像传统考试一样做到人工对每位考生的身份逐一进行核实,因此在线考试的有效性无法确认。为了解决这一问题,得到更为完善的在线学习系统,文中结合离线训练,在线调用模型的思路设计了一个在线实时进行考生人脸认证的系统,部署在网络考试中,实现了在线考试系统中的防替考功能。该模型在模拟场景测试中能够达到98%的识别率,满足线上考试系统要求。     

无线电监测技术演练在线考试学习平台系统构建

当前大部分无线电行业的知识利用效率低下,无线电管理工作中欠缺知识管理与综合利用,个人经验没有交流、共享导致知识资产流失,行业知识经验流转效率低,无线电监测技术演练人员的学习方式较为松散,且考核成绩相关信息不易留存,无法与学员历史成绩对比,进行更深入的分析。构建1套无线电在线考试学习平台,包括网页端与移动端,具备题库习题练习、学习数据查询、学习成果评估等功能模块,为无线电行业人员提供便捷、完善的在线学习、考试场所。系统可按照国家相关政策,组织省内监测技术人员按年度完成监测业务学习培训,提高技术能力,有利于提炼经验和做法,梳理问题和不足,补短板、强弱项,全面提高监测人员的知识水平。     

保密与内网安全管理系统研究

办公自动化系统是政府机关、企事业单位信息化的基础。完善办公自动化系统,可以使企业内部人员方便快捷地共享信息,高效地协同工作,实现迅速、全方位的信息采集、信息处理。同时,办公自动化系统作为涉密电子信息的关键载体,承担着非常重要的安全保密责任。文章分析了传统办公自动化系统存在信息丢失和泄密问题,设计了一套保密与内网安全的办公自动化系统,对整套系统的硬件配置和软件策略进行了详细的阐述。     

TIPTOP涉密文档违规处理系统的解决案锣

计算机网络技术的高速发展大幅提高了人们的工作效率和信息获取量,但在提供便利的同时也隐藏着安全隐患。各地保密部门始终高度重视涉密文件、机密数据及个人隐私的安全防护,以防患于未然。因此针对堵截涉密信息泄露扩散的最佳时机研制出监测涉密文档监控系统。系统可通过安装在外网客户端上的监控程序,对客户机上文档的编辑工作进行监控,将编辑的文档标题自动发送给监视控制台或保密局等主管单位,并对编辑的文档自动进行涉密分析,一旦发现该文档可能包含有涉密信息,即刻屏蔽该机的网络连接,并立即报警。     

Design and specification of cryptographic capabilities

Cryptography can be used to provide data secrecy, data authentication, and originator authentication. Non-reversible transformation techniques provide only the last. Cryptographic check digits Provide both data and originator authentication, but no secrecy. Data secrecy, with or without data authentication, is provided by block encryption or data stream encryption techniques. Total systems security may be provided on a linkby-link, node-by-node, or end-to-end basis, depending upon the nature of the application.     

基于Agent的认证与网络访问控制系统

身份认证与网络访问控制验证用户的合法身份,授权网络资源的访问.针对目前相关系统的缺陷,设计并实现了基于Agent技术的多因素认证与粗、细粒度网络访问控制系统.通过分析和设计Agent软件的通信安全性、认证和访问控制的关键环节和流程,结合硬件特征属性密钥和用户信息,实现多因素认证,并根据网络服务资源的敏感和保密程度,划分不同密级的用户.以Windows XP为例,具体论述Agent软件利用HOOK技术实现以上关键功能.实验结果表明,该系统效率高,可扩展性、通用性好.     

Co op erative Secrecy to Resist Authentication Error in Two-Hop Wireless Networks

The authentication error in two-hop wire-less networks is considered without knowledge of eaves-dropper channels and location. The wireless information-theoretic security has attracted considerable attention re-cently. A prerequisite for available works is the precise distinction between legitimate nodes and eavesdroppers. However it is unrealistic in the wireless environment. Error is always existing in the node authentication process. Best of our knowledge, there are no works focus on solving this problem in the information-theoretic security. This paper presents a eavesdropper model with authentication error and two eavesdropping ways. Then, the number of eaves-droppers can be tolerated is analyzed while the desired secrecy is achieved with high probability in the limit of a large number of relay nodes. Final, we draw two conclu-sions for authentication error: 1) The impersonate nodes are chosen as relay is the dominant factor of the transmit-ted message leakage, and the impersonation attack does seriously decrease the number of eavesdroppers can be tol-erated. 2) The error authentication to legitimate nodes is almost no effect on the number of eavesdroppers can be tolerated.     

Secure anonymous authentication scheme without verification table for mobile satellite communication systems

An authentication scheme is one of the most basic and important security mechanisms for satellite communication systems because it prevents illegal access by an adversary. Lee et al. recently proposed an efficient authentication scheme for mobile satellite communication systems. However, we observed that this authentication scheme is vulnerable to a denial of service (DoS) attack and does not offer perfect forward secrecy. Therefore, we propose a novel secure authentication scheme without verification table for mobile satellite communication systems. The proposed scheme can simultaneously withstand DoS attacks and support user anonymity and user unlinkability. In addition, the proposed scheme is based on the elliptic curve cryptosystem, has low client‐side and server‐side computation costs, and achieves perfect forward secrecy. Copyright © 2013 John Wiley & Sons, Ltd.     

Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information

Linking factory floors to the Internet, coupled with the rapid deployment of wireless access networks, is initiating a new paradigm for factory automation-a corporate employee with a handheld computing device can have anytime, anywhere access to the latest factory floor information. Authentication between a factory database and a remote user is crucial for such paradigm; however, existing authentication protocols are inadequate to defend against strong adversaries with break-in capabilities. In this paper, we design and implement the Energy-Efficient and Intrusion-Resilient Authentication (ERA) protocol. Through a novel combination of hash chain,pin, and message authentication code (MAC), ERA can achieve the security self-recovery when strong adversaries compromise either a user's handheld device or a factory authentication server to obtain the authentication secrets. The technique of mutual MAC is proposed to defend against online pin-guessing attacks launched by strong adversaries. Furthermore, an optimization of tuning hash chain iteration is introduced to reduce energy consumption of a handheld device. Analytical and experimental results show that ERA provides a better security guarantee and incurs much less computation and communication overhead than the existing authentication protocols.     

Biometric Inspired Mobile Network Authentication and Protocol Validation

This paper pioneers an experimentation on assessing security and performance of a well-established biometric authentication protocol. Using the gold standard in software reliability, a path-oriented software quality control tool, the work exploits the attack surface leveraging path analysis. The test not only identifies security vulnerabilities in a system but also pinpoints those vulnerabilities at real security risk to optimize resource allocation. The automated holistic examination of the authentication process reveals a weakness in the biometric authentication protocol at study. The attack map generated from the analysis directs its improvement. Reexamination validates the security of the protocol. The work also studies the computational complexity of the protocol, thereby, recommends the key length suitable to biometric authentication for wireless body area networks.     

A secure and enhanced elliptic curve cryptography‐based dynamic authentication scheme using smart card

In remote system security, 2‐factor authentication is one of the security approaches and provides fundamental protection to the system. Recently, numerous 2‐factor authentication schemes are proposed. In 2014, Troung et al proposed an enhanced dynamic authentication scheme using smart card mainly to provide anonymity, secure mutual authentication, and session key security. By the analysis of Troung et al's scheme, we observed that Troung et al' s scheme does not provide user anonymity, perfect forward secrecy, server's secret key security and does not allow the user to choose his/her password. We also identified that Troung et al's scheme is vulnerable to replay attack. To fix these security weaknesses, a robust authentication scheme is proposed and analyzed using the formal verification tool for measuring the robustness. From the observation of computational efficiency of the proposed scheme, we conclude that the scheme is more secure and easy to implement practically.     

几种新的认证码构造方法

本文研究认证码的构造问题,给出一种在不增加编码规则数量的情况下将Cartesian认证码改变成完备安全认证码的方法,同时给出一种由小的公开认证矩阵构造具有很高安全性的认证码的方法,探讨了认证码的实用性问题。     

3G移动通信系统的安全体系与防范策略

3G技术的发展对移动通信系统的安全性能提出更高的要求,本文介绍了3G移动通信系统安全的主要威胁来源,并对3G系统的安全体协进行了阐述,同时对3G系统中所采用的身份保密、实体认证与密钥协商以及数据完整性等的安全策略进行了深入的研究和探讨,以期对3G移动通信系统中安全技术的发展方向提供借鉴.     

网络教学平台中基于改进SGA的在线考试的研究与设计

首先介绍了网络教学平台结构及在线考试功能,然后针对在线考试系统组卷时使用传统遗传算法产生的早熟问题,提出了一种改进的遗传算法SGA。该改进遗传算法在染色体编码、染色体库新个体引入机制等方面作了改进。最后介绍了在线考试阅卷方法及技术。通过系统测试和学生考试实用,结果表明基于改进遗传算法的在线考试系统避免了早熟的产生,缩短了组卷时间,提高了组卷质量和组卷效率。