TRSF: An Active Protection Framework for Removable Storage Devices
Removable storage devices are passive devices; their security protection usually depends on the security mechanisms of the terminal system, which provides security at the cost of system usability. This paper proposes TRSF (Trusted Removable Storage Framework), a structural framework for removable storage devices based on trusted virtual domains, to achieve active protection of the storage device itself. TRSF binds a smart-card chip and a dynamic isolation mechanism into the storage device, and the on-chip operating system builds a trusted data channel from the underlying trusted platform module to the isolated execution environment, thereby providing a trusted virtual environment for a removable storage device that is accessed and used by untrusted processes on an untrusted terminal system. Finally, an active-security USB disk, UTrustDisk, is implemented on the basis of TRSF. Compared with the device without the active protection mechanism, adding the mechanism increases the average read and write performance overhead by 7.5% and 11.5%, respectively.

To address the problems of serious cross-domain data leakage, uncontrollable cross-domain sharing and low cross-domain access efficiency in cross-trust-domain data sharing for the Internet of Vehicles (IoV), an efficient blockchain-based cross-domain secure data sharing scheme for IoV is proposed. Trusted authorities from different trust domains form a blockchain; data are encrypted with an improved ciphertext-policy attribute-based encryption algorithm and stored using the blockchain together with the InterPlanetary File System, building a fine-grained, secure blockchain-based cross-domain data sharing scheme. A cross-domain access verification method based on a garbled Bloom filter is designed, in which a smart contract performs a fast decryption test against the on-chain access policy, improving access efficiency for large volumes of cross-domain ciphertexts. A cross-domain data retrieval method based on outsourced decryption is designed, in which the trusted authority performs ciphertext transformation for cross-domain access requests and carries out the outsourced decryption that contains the expensive bilinear pairing operations, reducing the time the vehicle spends on decryption. Experimental results show that the proposed scheme effectively improves the efficiency of cross-domain ciphertext transformation and vehicle-side decryption, and that cross-domain data access efficiency improves by 60% on average compared with existing schemes.

A Universally Composable Secure Trusted Access Authentication Protocol for WLAN Mesh Networks
马卓, 马建峰, 曾勇, 沈玉龙. 《通信学报》, 2008, 29(10): 126-134
Existing WLAN Mesh network access protocols and trusted network access protocols do not adequately meet the performance and security requirements of trusted access for WLAN Mesh networks. To address this, an efficient, provably secure trusted access protocol for WLAN Mesh networks, MN-TAP, is proposed. The protocol needs only four rounds of interaction to achieve user authentication and key confirmation among the access requestor, the policy enforcement point and the policy decision point, and already in the first round the policy decision point authenticates the access requestor's platform identity and verifies its platform integrity, which improves protocol execution efficiency and reduces server-side load. The security of the new protocol is proved in the universally composable security model, and its performance is compared with existing protocols. The results show that the new protocol achieves universally composable security and has clear performance advantages over existing protocols.

Virtualization technology and remote desktop connection protocols allow users to access cloud computing resources; however, traditional thin clients cannot meet the video playback performance requirements of virtual desktops. This paper therefore proposes an approach that uses the on-chip hardware decoder of an ARM embedded SoC for acceleration, which noticeably improves virtual desktop video playback.

茹斌. 《通信技术》, 2020, (1): 191-200
To address the problem that a user's virtual computing environment in cloud computing is not trusted, trusted platform module virtualization is used to construct a virtual trusted platform module for the user on the cloud server side; this virtual trusted platform module then serves as the foundation for building a virtual trusted computing environment for the user on the cloud server, so that the trustworthiness of the virtual computing environments of existing cloud computing users is effectively guaranteed. A comparison with existing trusted platform module virtualization schemes shows that the proposed scheme not only fully considers the efficiency loss of virtual machines in cloud computing but also significantly improves security and execution efficiency, making it better suited to users' virtual computing environments.

Cross-domain authentication in digital rights management still faces technical difficulties; to address these, a more reasonable model is designed to improve the soundness and effectiveness of digital rights management. For the problem that existing cross-domain authentication models do not take the user's platform environment into account, a cross-domain authentication model based on trust levels is proposed. Given a platform trust level, a user trust level and a domain trust level, inter-domain trust relationships are established dynamically according to the evaluated trust-level values. Security analysis shows that cross-domain authentication with this method effectively protects the privacy of users and of the platform environment.

Considering the agility, dynamism, low cost and diverse organizational modes of virtual enterprises, an efficient generalized cross-domain authentication scheme for virtual enterprises based on a virtual bridge CA is proposed, using elliptic-curve threshold signatures without a trusted center and a variable multi-party protocol. Through the distributed creation and operation of the virtual bridge CA, the scheme provides flexible cross-domain authentication policies while avoiding the maintenance cost of a physical bridge CA; it can adapt to the different organizational modes of virtual enterprises and their dynamic changes, and offers high bit security, low computation and communication cost, short trust chains and resistance to collusion attacks, so that it better meets the cross-domain authentication needs among virtual enterprise members, particularly when terminal computing resources or communication bandwidth are limited.

To address the current problems of trusted networks in connection and control, the entity functions, structural layers and interface protocols of existing trusted networks are analyzed, a new trusted network connection architecture that includes an integrity measurement collector is proposed, and a secure network protocol and access control system centered on EAP-TNC packets is redesigned. By setting several indicators such as network bandwidth, terminal state and trust level, the access control and connection performance of the system are tested experimentally. The results show that the trusted network connection security protocol and access control system allow terminals to access the network in a secure and controllable manner, with good security and usability.

In today's service-oriented information systems, cross-domain access has become increasingly common, yet existing cross-domain access models are either impractical or unsuited to Web services. An easily extensible, lightweight cross-domain access control framework is proposed to implement cross-domain access control and proxying for RESTful Web service architectures, so that the two parties in a cross-domain interaction need no pre-defined trust relationship. The framework also combines existing Web security technologies to enforce extended security policies, and achieves privacy protection for cross-domain interactions with minimal system overhead. Finally, a prototype demonstration system is implemented that confirms the feasibility of the framework for cross-domain access in an SOA architecture.

As cloud computing technology is applied more deeply, the on-demand service, rapid elasticity and multi-tenancy characteristics of cloud computing bring new security threats to information systems. Based on a cloud computing processing platform, this paper designs an information security architecture with cross-domain, virtual security gateways.

An EAP-Based Trusted Network Access Mechanism
邓永晖, 卿昱, 左朝树, 庞飞. 《通信技术》, 2009, 42(12): 109-111
The trust state of terminals joining a network has a major impact on the security of the whole network; the Trusted Network Connect (TNC) specification of the Trusted Computing Group (TCG) was proposed precisely to solve the trusted access problem and has become a research focus. A trusted network access mechanism is designed based on the TNC architecture and the EAP protocol. The mechanism uses an access control protocol to exchange quantified terminal trust, identity and other information, and decides according to the access policy whether the terminal is allowed onto the network. A robustness analysis of the access control protocol shows that the mechanism effectively implements terminal admission control and secures the network at its source.

To address the needs of intelligent sharing of network resources, blockchain and artificial intelligence were integrated with the network, and an endogenous trusted resource intelligent sharing network architecture was proposed to give network asset sharing endogenous trust. Based on a distributed consortium blockchain, an integration mechanism of on-chain identification and off-chain resources was proposed to achieve credible management of network resources. Security and trusted sharing protocols for network data were designed to synchronize data consensus within the network. Based on smart contracts, network resource scheduling and service composition methods were presented to achieve trusted service sharing. Finally, the proposed architecture was applied to decentralized scenarios such as domain name resolution, cross-domain authentication, and virtual network operation. The proposed architecture realizes the integration of blockchain and network and supports the endogenous trusted sharing of network assets.

Research and Design of PKI-Based IPSec VPN
刘华春. 《通信技术》, 2009, 42(1): 259-260
Although using IPSec in virtual private networks (VPNs) is a good network security solution that greatly remedies the lack of security mechanisms in the traditional IP protocol, its incomplete identity authentication affects network security in complex environments. PKI is a security platform composed of public-key cryptography, digital certificates, certificate authorities and other basic components, and can provide identity authentication and role control services. This paper analyzes the security characteristics of IPsec and PKI and proposes a scheme for applying the PKI certificate mechanism to IPsec VPN to achieve strong identity authentication and access control, thereby improving VPN security.

A mobile ad hoc network (MANET) is a decentralized, self-organizing, infrastructure-less network and adaptive gathering of independent mobile nodes. Because of the unique characteristics of MANETs, the major issues in developing a routing protocol for a MANET are the security aspect and the network performance. In this paper, we propose a new secure protocol called Trust Ad Hoc On-demand Distance Vector (AODV) using a trust mechanism. Communication packets are only sent to trusted neighbor nodes. Trust calculation is based on the behavior and activity information of each node. It is divided into trust global (TG) and trust local (TL). TG is a trust calculation based on the total of received routing packets and the total of sent routing packets. TL is a comparison between the total received packets and the total packets forwarded by a neighbor node from specific nodes. Nodes conclude the total trust level of their neighbors by accumulating the TL and TG values. The performance of Trust AODV is evaluated under denial of service/distributed denial of service (DOS/DDOS) attack using the network simulator NS-2. It is compared with the Trust Cross Layer Secure (TCLS) protocol. Simulation results show that Trust AODV has better performance than the TCLS protocol in terms of end-to-end delay, packet delivery ratio, and overhead. Next, we improve the performance of Trust AODV using an ant algorithm. The proposed protocol is called Trust AODV + Ant. The ant algorithm is implemented in the proposed secure protocol by adding an ant agent that deposits positive pheromone in a node if the node is trusted. The ant agent is represented as a routing packet. The pheromone value is saved in the routing table of the node. We modified the original routing table by adding a pheromone value field. The communication path is selected based on the pheromone concentration and the shortest path. Trust AODV + Ant is compared with the simple ant routing algorithm (SARA), AODV, and Trust AODV under DOS/DDOS attacks in terms of performance. Simulation results show that the packet delivery ratio and throughput of Trust AODV increase after using the ant algorithm. However, in terms of end-to-end delay, there is no significant improvement. Copyright © 2014 John Wiley & Sons, Ltd.

Based on trusted computing technology, and addressing the performance bottleneck in the dynamic management of trusted nodes when building a trusted cloud platform, a trusted cloud platform architecture and management model based on a TPM alliance is proposed. To overcome the limitations of the TPM's own capabilities, the concepts of a macro TPM and a root TPM are introduced. To address the high time overhead of node management in a trusted cloud, the concept of a time tree is introduced to organize the TPM alliance; the TPM and authenticated encryption are used to solve the trusted transmission of data between nodes within the TPM alliance; and a time-tree-based TPM alliance management strategy is proposed, comprising node configuration, registration, deregistration, real-time monitoring, network management repair and node update protocols. The time tree generation algorithm is described, and the time overhead of establishing the trusted node management network and the effectiveness of node state monitoring are analyzed. Finally, simulation experiments show that the model has good performance and effectiveness.

Efficient QoS support in a slotted multihop WDM metro ring
A novel distributed access protocol for a slotted wavelength-division-multiplexing (WDM) metro ring employing all-optical packet switching and supporting quality-of-service (QoS) classes is presented and analyzed. Since we assume that there are more nodes than available wavelengths in the network, we obtain a scalable multihop WDM ring as the underlying network architecture. By dividing each channel into several time slots and further applying destination release and slot reuse, data packets can be efficiently transmitted and received in a statistically multiplexed manner. In our architecture, each node is equipped with one tunable transmitter and one fixed-tuned receiver. Furthermore, as we generally consider so-called a posteriori access strategies, different packet selection schemes are proposed and compared. An analytical model based on the semi-Markov process methodology is developed to quantify the performance of one of these schemes. As a key element of the protocol, an efficient QoS support access mechanism is proposed and its performance is evaluated. The new QoS control scheme adopts a frame-based slot reservation strategy including connection setup and termination, which only slightly increases the signaling and node processing overhead. Thus, an efficient hybrid protocol combining connectionless and connection-oriented packet transmissions is proposed.

To address the over-concentration of management-domain privileges and the ease with which user policies can be maliciously tampered with in virtual machine management in cloud computing environments, a trusted virtual machine management model is proposed. The model first partitions the virtual machine management domain at fine granularity, granting administrators and users different management privileges so that administrators cannot access user data at will; it then uses trusted computing technology to establish a trusted channel for distributing user policies, preventing administrators from maliciously tampering with them. Security analysis and experimental tests show that the model effectively protects the security of user data and user policies.

A distributed time-slot assignment protocol is developed for a mobile multi-hop broadcast packet radio network, using time division multiple access channel access and virtual circuit switching. The protocol eliminates the single point failure mode of centralized network management and the delays of centralized processing. It is applicable to the user-to-user communications functions of such systems as the U. S. Army's enhanced position location and reporting system (EPLRS). The important functions of the distributed protocol, including time-slot assignment, virtual circuit set-up, and network synthesis, are identified, and implementing algorithms are presented and verified. The performance analysis of the protocol is divided into two parts. In this paper, Part 1 of the performance analysis, the capacity of a network using this protocol is studied and a tool is developed to design the network capacity by trading off among the network area, the transmission range, and the number of packet radio units. Since these results are not in closed form, numerical results provide insight into these parameters. In Part 2 the network set-up time and network data rate are analysed and a hierarchical architecture for the distributed protocol is proposed and analysed.

We propose a channel access protocol for single-hop wavelength division multiplexing (WDM) optical networks. Each node is equipped with a fixed-tuned transmitter, a tunable transmitter, a fixed-tuned receiver, and a tunable receiver. The proposed protocol alleviates the drawbacks of a previous protocol [1], e.g., invalid data transmissions that follow receiver collisions and possible acknowledgment packet collisions with header/data packets, while retaining many advantages. As a result, the network performance in terms of throughput and packet delay is improved. Analytical models based on timing diagram analysis, the continuous-time Markov chain, and the randomization technique are developed to assess the proposed protocol, and are validated through event-driven simulation. The performance is evaluated in terms of channel utilization, mean packet delay, and packet delay distribution with variations in the number of nodes, the offered traffic, the size of data packets, and the network propagation delay. Through numerical results and simulation studies, we show that the proposed protocol achieves better channel utilization and incurs lower packet delays.
