PKCS#11中资源共享的设计和实现

随着信息化和信息安全技术的迅猛发展,PKCS#11标准的应用越来越广泛.资源共享是PKCS#11标准的两个设计目标之一,在PKCS#11标准中有着重要的地位和作用.在PKCS#11库的设计和实现过程中,资源共享也是设计和实现的难点和重点.为此,文中简要介绍了PKCS#11标准,分析了资源共享在PKCS#11中的重要性,提出了一种资源共享过程中同步机制的实现方式,给出了示例,并指出了程序设计过程中需要注意的事项,对PKCS#11库的开发人员有一定的借鉴作用.     

基于PKCS#11规范的公共安全平台

随着加密设备的广泛应用,国内上千家企业加密设备的互操作标准显得尤为重要。PKCS#11提供了一套统一规范的公共安全接口,该接口与平台、加密设备无关。本文首先介绍了PKCS#11规范的特点和目的,而后详细描述了PKCS#11的结构模型,最后给出了PKCS#11向用户提供的函数接口。     

基于PKCS#11的密码组件接口层次模型的优化与实现

文章分析了PKCS#11标准中所定义的密码组件接口，研究了其中各类函数在操作系统中的实现层次，设计了一种优化的层次模型，并在自行设计的某型数据加密卡的软件开发过程中实现，实验证明，按照该层次模型开发的软件降低了上层协议的复杂度，提高了在多用户多设备情况下系统的处理效率．增强了系统的稳定性。     

基于动态链接实现PKCS#11接口层次模型

PKCS#11是目前应用广泛的基于硬件加密设备的接口标准.文中简要介绍了PKCS#11通用模型,详细分析了密码组件接口层次模型,设计了该层次模型中具有树形结构的层次链接关系,使用配置文件和动态链接实现了该链接关系,最后针对动态库有可能被替换和反汇编等的安全性问题提出了解决方案.实验结果表明,在同时使用多种类型密码设备时,按照该层次模型开发的软件降低了层次间的耦合度,增强了系统的扩展性.     

用PKCS#11实现密码设备的密钥管理

在详细分析PKCS#11的对象(Object)的基础上,给出了实现通用密码设备密钥管理的新方法。     

两种密码中间件模块PKCS#11与CSP的对比分析

论文介绍了两种密码中间件模块PKCS#11与CSP,分析了它们各自的特点,并对它们进行了对比分析。     

PKCS#11会话机制的研究与实现

本文通过对PKCS#11的会话机制的研究,结合系统开发的实际情况,给出一种实现 会话机制的方法,并针对该方法的安全性,提出了改进意见。     

通信软件中定时器库的设计与实现

阐述了在通信软件中定时器库的需求以及现有定时器的缺陷，运用C＋＋高级编程技术STL和BOOST库，对系统底层的定时器库进行了设计与实现。     

基于瓦片技术的遥感影像库设计与实现

由于对海量遥感影像数据存储管理的迫切需求,研究了基础影像库组建过程、应用和关键技术。对遥感影像库管理应用系统的开发进行了论述,重点介绍了影像库的创建过程,包括数据库设计、类操作设计和软件模块设计;研究了影像数据批量导入图幅算法、影像数据更新策略、按范围导出策略和浏览策略;实现了标准的影像数据按库、层和图幅方式导出。对采用瓦片技术与采用不分块的遥感影像库中影像入库时间和读取时间进行了试验和比较。     

PBKDF2函数的一种快速实现

PBKDF2是公钥加密标准PKCS#5的一部分,它在各类加密软件和互联网中应用广泛.对基于口令的密钥导出函数PBKDF2的实现进行了分析,给出了该算法的一种快速实现的优化方案.对优化方案进行了理论分析,并针对802.11协议的WPA/WPA2-PSK认证进行了优化方案的实验,均表明优化方案的实现效率是优化前的两倍.通过进一步的分析还发现,依赖于PBKDF2的身份认证方案抵抗暴力攻击的能力最多只有预期的一半,因此应当增加其循环次数.     

The Hardware-based PKCS#11 Standard using the RSA Algorithm

In this paper, we have proposed and implemented a hardware-based security system, which executes RSA-based cryptography operations by using the PKCS#11 standard. It was implemented in C, VHDL and FPGAs and it is modular and easily adaptable to the future upgrades for the communication among machines and devices. Any cryptography algorithm can be used; however, in our project we only used the RSA as a case study. We did simulations and real tests that allowed verifying the correct behavior and execution of our project; we used the RSA with keys up to 512 bits. Real tests showed the transmission of ciphered data between our project (PKCS#11 and RSA) and a PC by using serial communication.     

The Implementation of a VHDL-AMS to SPICE Converter

The implementation of a VHDL-AMS to SPICE converter (Vhdl2Spice) to be inserted in a complete CAD environment [1] is described. Vhdl2Spice generates a SPICE netlist by tracing down the VHDL IIR parse tree available from the already existing VHDL analyzer. Corresponding to each VHDL design unit, the output of the converter is represented as a subcircuit in SPICE. By doing so, the hierarchical characteristic of VHDL is retained in the SPICE representation; hence future extension to both programs can be made in parallel. The Vhdl2Spice converter is also a demonstration of the extensibility of the AIRE [2] for a complete integration of VHDL-AMS with other CAD tools.     

The Implementation of a VHDL-AMS to SPICE Converter

The implementation of a VHDL-AMS to SPICE converter (Vhdl2Spice) to be inserted in a complete CAD environment [1] is described. Vhdl2Spice generates a SPICE netlist by tracing down the VHDL IIR parse tree available from the already existing VHDL analyzer. Corresponding to each VHDL design unit, the output of the converter is represented as a subcircuit in SPICE. By doing so, the hierarchical characteristic of VHDL is retained in the SPICE representation; hence future extension to both programs can be made in parallel. The Vhdl2Spice converter is also a demonstration of the extensibility of the AIRE [2] for a complete integration of VHDL-AMS with other CAD tools.     

A C-T filter compiler - from specifications to layout

This paper presents an analog Design Automation tool implemented within the Cadence Edge system, using the Cadence programming language Skill and other useful Cadence tools. Given standard filter specifications, the tool generates Continuous-Time filter blocks implementing the desired function. A numerical optimization technique is used to cancel response errors, introduced by the non-ideal circuit elements available for real filter realizations. Except for an operational amplifier which must be provided by the user, component layout is performed by dedicated module generators, and the final filter layout is assembled using the Cadence Edge place & route program. In the current version of the program, the only available filter topology is the MOSFET-C topology. However, an hierarchical, object oriented approach is adopted, in order to ensure reusability and extensibility of the tool. Each general aspect of a filter design is accessed through a uniform interface from the higher level of hierarchy, allowing dedicated procedures depending on the particular implementation to deal with the details, without affecting the workings of the tool at the higher level of hierarchy.     

High-level parameterizable area estimation modeling for ASIC designs

Architectural design space exploration and early area budgeting for ASIC and IP block development require accurate high level gate count estimation methods without requiring the hardware being fully specified. The proposed method uses hierarchical and parameterizable models requiring minimal amount of information about the implementation technology to meet this goal. The modeling process flow is to: (1) create a block diagram of the design, (2) create a model for each block, and (3) sum up estimates of all sub-blocks by supplying the correct parameters to each sub-model. We discuss the model creation for a few parameterized library blocks as well as three communication blocks and a processor core from real IC projects ranging from 22 to 250 kgates. The average relative estimation error of the proposed method for the library blocks is 3.2% and for the real world examples 4.0%. The best application of this method is early in the design phase when different implementation architectures are compared.     

电子 ID身份鉴别技术——卡技术及其应用

文章介绍了电子ID身份鉴别的主要密码技术,并简要介绍了有关基于IC卡的电子令牌应用规范,并描述了PKCS＃15电子令牌信息格式。     

Java implementation of policy‐based bandwidth management

We describe a Java implementation of a policy based bandwidth management system using the standard policy protocols and an interface to the Linux Diffserv implementation. The useful features, such as extensibility and object orientation, of the Java implementation is illustrated by directly referring to the relevant programming codes. Through two practical experiments, we demonstrate the capability of our implementation in supporting policy‐based dynamic resource allocations in enterprise networks. Copyright © 2003 John Wiley &Sons, Ltd.