Similar literature
Found 20 similar documents; search took 531 ms
1.
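To address the performance problems of the TLS protocol, such as the large number of handshake round trips and the high cost of key computation, a TLS protocol based on the ECC algorithm is designed on the basis of an analysis of TLS. The ECC algorithm replaces the RSA algorithm of the original protocol, exploiting the advantages of ECC to improve protocol performance. The protocol exchange is optimized by caching handshake parameters, and the optimized protocol is formally proved secure using SVO logic. The improved protocol is compared experimentally with the original protocol; the results show that, as the security level of the protocol increases, the improved protocol has a clear performance advantage.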

2.
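Computer Engineering (计算机工程), 2017, (3): 147-153
The concrete client-side implementation of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol is analyzed. Exploiting vulnerabilities and flaws in how browsers handle the SSL/TLS session master key and in the security parameters passed during the protocol handshake, and combining them with session hijacking via the Netfilter mechanism, a security threat scheme against the SSL/TLS protocol (SKAS) is proposed and studied, and three defenses are given: one-way encryption of the random numbers, two-way encryption, and protection of the session master key. Experiments verify the effectiveness of the SKAS threat: its attack success rate exceeds 90%, its attack range is wide and its threat level is high. All three proposed defenses resist the SKAS threat and ensure secure SSL/TLS data communication between client and server.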

3.
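TLS is an important transport layer security protocol and is widely used. Building on strand space theory and methods, an authentication test model of the TLS handshake protocol is constructed, an authentication test scheme for DH parameter signatures in TLS is proposed, and key properties of the protocol such as secrecy and authentication are analyzed and proved. The results show that the TLS protocol satisfies its security specification.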

4.
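Optimized fair exchange protocol based on RSA signatures   (Cited: 16 total, 0 self-citations, 16 by others)
Fairness is a basic security requirement of e-commerce protocols. RSA is one of the most widely used public-key cryptosystems. A fair exchange protocol lets the two parties exchange information fairly, so that either each party obtains the other's information or neither does. Existing construction methods and architectures for fair exchange protocols, and their problems in practicality and efficiency, are analyzed. On this basis, using a carefully constructed, publicly verifiable, encrypted RSA signature in an extension ring, an optimized fair exchange protocol based entirely on the RSA signature scheme is proposed, and its security and efficiency are proved and analyzed. The analysis shows that the proposed scheme is simple, efficient and secure.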

5.
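Lu Siqi, Zhou Siyuan, Mao Ying. Journal of Software (软件学报), 2021, 32(9): 2849-2866
The TLS protocol operates between the transport layer and the application layer of the TCP/IP stack and effectively protects transport-layer security by providing a set of security services: confidentiality, integrity, mandatory server authentication and optional client authentication. To reduce network latency, TLS 1.3 adds support for 0-RTT data: the client caches the server's long-term public key and, in the first message, uses that long-term public key directly to generate a session key and send part of the application-layer data. The three 0-RTT modes are formally analyzed with the Scyther tool, yielding two attacks on 0-RTT data under the CK security model, and an optimized protocol is proposed based on one of the modes, 1-RTT semi-static. Security proofs and formal analysis show that the optimized protocol resists KCI attacks and replay attacks against 0-RTT data under the CK security model.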

6.
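Method for selecting an identity authentication protocol in wireless networks   (Cited: 3 total, 0 self-citations, 3 by others)
Wireless networks usually offer several identity authentication protocols to choose from, and how to select one that meets a user's individual needs is an unsolved problem. From the user's point of view and considering the characteristics of wireless networks, a solution is proposed that jointly considers the factors users care about most: protocol security, energy consumption, authentication time and user preference. Energy consumption is defined as the sum of the energy the user spends sending and receiving messages and the energy spent on cryptographic operations during the exchange. The cryptographic operations include hash algorithms, RSA key exchange, digital signatures, and symmetric encryption and decryption. The experiments compare the four most commonly used protocols, EAP-PEAP, EAP-TLS, EAP-TTLS-MD5 and EAP-TTLS-MSCHAPV2; the results show that, however the user sets the weights, EAP-TTLS/MSCHAPV2 and EAP-TTLS/MD5 are always better than EAP-PEAP and EAP-TLS. By considering the user's security and performance requirements for the authentication protocol, the scheme selects a protocol according to the user's individual needs.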

7.
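TLS is currently the most widely used secure transport protocol, but it can only protect data carried over reliable TCP transport. DTLS (datagram TLS) modifies the TLS protocol architecture so that it can protect UDP. However, DTLS still relies on a third-party certificate authority and certificates to authenticate the two parties during session establishment; connection setup takes a long time and the security overhead is high, so it does not suit resource-constrained network environments such as the Internet of Things. Identity-based cryptography is introduced into DTLS, avoiding the overhead of handling certificates in the handshake protocol and authenticating both parties while the session key is computed. The DTLS handshake protocol is redesigned with a new key agreement protocol, reducing the number of round trips and messages and shortening connection setup time. Experimental results show that DTLS based on identity-based cryptography shortens communication setup time by nearly 50% without reducing security.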

8.
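A browser-based mutual authentication protocol for federated identity management is proposed. Within the TLS session, a human-perceptible authentication code is used to verify the identity authority server, and binding the client certificate combined with a strengthened same-origin policy protects the token in both directions. Finally, its security is analyzed with a formal model, proving that the protocol provides secure authentication.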

9.
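Formalization of cryptographic protocols is becoming an international research focus; formal analysis is used to judge whether a cryptographic protocol is secure and reliable. BAN logic is the earliest proposed and most important method for analyzing security protocols, and is widely used to prove the security of cryptographic protocols. This article introduces BAN logic and the TLS protocol and analyzes TLS with BAN logic, thereby proving that the mutual authentication protocol of TLS is complete and free of flaws.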

10.
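Security analysis and improvement of the transport layer security protocol   (Cited: 9 total, 1 self-citation, 9 by others)
The security of the TLS (transport layer security) protocol is analyzed on the basis of one-time pads, access control and a dual-certificate mechanism. In response to the analysis results, the message flow and message contents of TLS are extended; the improved protocol is more secure and more practical.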

11.
The primary goal of the secure socket layer protocol (SSL) is to provide confidentiality and data integrity between two communicating entities. Since the most computationally expensive step in the SSL handshake protocol is the server’s RSA decryption, it is introduced that the proposed secret exchange algorithm can be used to speed up the SSL session initialization. This paper first points out that the previous batch method is impractical since it requires multiple certificates. It then proposes a unique certificate scheme to overcome the problem. The optimization strategy, which is based on the constrained model considering the user requirements-aware security ranking, focuses on the optimal result in different public key sizes. It is also introduced that the parameter is optimized when integrating user requirements for Internet QoS, such as the stability of the system and the tolerable response time. Finally, the proposed algorithm is evaluated to be practical and efficient through both analysis and simulation studies.

12.
This paper addresses a sequence- and machine-dependent batch scheduling problem on a set of unrelated-parallel machines where the objective is to minimize a linear combination of total weighted completion time and total weighted tardiness. In particular, batch scheduling disregards the group technology assumptions by allowing for the possibility of splitting pre-determined groups of jobs into batches with respect to desired lower bounds on batch sizes. With regard to bounds on batch sizes, the MILP model is developed as two integrated batching and scheduling phases to present the problem. A benchmark of small-size instances on group scheduling shows the superior performance of batch scheduling up to 37% reduction in the objective function value. An efficient meta-heuristic algorithm based on tabu search with multi-level diversification and multi-tabu structure is developed at three levels, which moves back and forth between batching and scheduling phases. To eliminate searching in ineffective neighborhoods and thus enhance computational efficiency of search algorithms, several lemmas are proposed and proven. The results of applying lemmas reflect up to 40% reduction in computational times. Comparing the optimal solutions found by CPLEX and tabu search shows that the tabu search algorithm could find solutions, at least as good as CPLEX but in incredibly shorter computational time. In order to trigger the search algorithm, two different initial solution finding mechanisms have been developed and implemented. Also, due to lack of a qualified benchmark for unrelated-parallel machines, a comprehensive data generation mechanism has been developed in a way that it fairly reflects the real world situations encountered in practice. The machine availability times and job release times are considered to be dynamic and the run time of each job differs on different machines based upon the capability of the machines.

13.
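Client-balanced key exchange algorithm in the SSL handshake protocol   (Cited: 3 total, 0 self-citations, 3 by others)
The basic design goal of the SSL protocol is to provide data confidentiality and integrity between two communicating entities. Because the step in the SSL handshake protocol that consumes the most computing resources and causes the computational imbalance between client and server is the server-side decryption, a client-balanced key exchange algorithm is proposed to speed up SSL session initialization and take over the pre-computation of the server-side decryption. The strategy for estimating the granularity with which requests from multiple clients are decrypted at the same time is described. Simulation experiments show that the proposed scheme is effective.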

14.
This paper considers a two-stage hybrid flowshop problem in which the first stage contains several identical discrete machines, and the second stage contains several identical batching machines. Each discrete machine can process no more than one task at time, and each batching machine can process several tasks simultaneously in a batch with the additional feature that the tasks of the same batch have to be compatible. A compatibility relation is defined between each pair of tasks, so that an undirected compatibility graph is obtained which turns out to be an interval graph. The batch processing time is equal to the maximal processing time of the tasks in this batch, and all tasks of the same batch start and finish together. The goal is to make batching and sequencing decisions in order to minimize the makespan. Since the problem is NP-hard, we develop several heuristics along with their worst cases analysis. We also consider the case in which tasks have the same processing time on the first stage, for which a polynomial time approximation scheme (PTAS) algorithm is presented.

15.
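So that the security and performance of the SSL/TLS protocol can both meet user requirements, and given that the national commercial cryptographic algorithms (SM algorithms) are currently more secure but slower than general-purpose cryptographic algorithms, an algorithm that switches automatically between SM2 and RSA is designed on top of OpenSSL to raise system security while meeting performance targets. The SSL/TLS handshake protocol prefers the SM2 algorithm as long as performance meets requirements; when the number of new connections per second reaches a certain peak and SM2 can no longer meet the requirement, the system automatically switches to RSA to satisfy the higher rate of new connections per second. The algorithm extends OpenSSL's data structures and functions, and testing confirms automatic switching between SM2 and RSA when the number of new SSL/TLS connections per second reaches a certain value. The algorithm effectively improves system security while meeting performance requirements.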

16.
In scheduling of batch processing machines in the diffusion and oxidation areas of a wafer fabrication facility, it can be found that the processing times of these batching operations can be extremely long (10 h) when compared to other operations (1-2 h) in a wafer fab. Moreover, the jobs to be processed may have different priorities/weights, due dates and ready times. In the presence of unequal ready times, it would be better to wait for future job arrivals in order to increase the fullness of the batch. On the other hand, repeated processing of similar tasks improves workers’ skills. Motivated by these observations, we consider a single-machine problem with the sum of processing times based learning effect and release times. The objective is to find a schedule to minimize the total completion times. We first develop a branch-and-bound algorithm for the optimal solution. Then we propose a simulated-annealing heuristic algorithm for a near-optimal solution. Finally, we conduct a computational experiment to evaluate the performances of the proposed algorithms. The results show that the branch-and-bound algorithm can solve instances up to 24 jobs, and the average error percentage of the simulated-annealing algorithm is less than 0.1482%.

17.
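As an important part of Internet security infrastructure, public key infrastructure (PKI) provides the authenticity, integrity, confidentiality and non-repudiation needed for information transmission on the Internet. Existing PKI suffers from problems such as excessive power held by certificate authorities and difficulty in querying revocation. With the development of blockchain technology, its decentralization, high transparency and flat structure can be used to solve these problems and improve the ability and efficiency of establishing trust across the Internet. A blockchain-based, highly transparent PKI authentication protocol is therefore proposed. The protocol proposes an improved practical Byzantine fault tolerance consensus algorithm (TS-PBFT) by adding threshold signatures. TS-PBFT reduces the communication complexity of the original practical Byzantine fault tolerance (PBFT) consensus algorithm and cuts communication overhead; it introduces an external supervision mechanism into primary-node election in the view-change protocol, increasing auditability; and it introduces batching into the fast consistency protocol, improving the performance of the consensus process. On the one hand, the protocol introduces blockchain technology on the basis of the proposed PBFT algorithm, improving the security of certificate revocation queries, and introduces a counting Bloom filter, improving the efficiency of certificate queries. On the other hand, the protocol adds a certificate audit process to certificate life-cycle management, supervising the behavior of certificate authorities, pushing them to raise their security standards and thereby limiting their power. Security analysis and efficiency experiments show that the proposed protocol system has security properties such as resistance to attacks that impersonate a certificate applicant, and has an advantage over existing PKI protocols in TLS/SSL handshake time.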

18.
In various industries jobs undergo a batching, or burn in, process where different tasks are grouped into batches and processed simultaneously. The processing time of each batch is equal to the longest processing time among all jobs contained in the batch. All to date studies dealing with batching machines have considered fixed job processing times. However, in many real life applications job processing times are controllable through the allocation of a limited resource. The most common and realistic model assumes that there exists a non-linear and convex relationship between the amount of resource allocated to a job and its processing time. The scheduler's task when dealing with controllable processing times is twofold. In addition to solving the sequencing problem, one must establish an optimal resource allocation policy. We combine these two widespread models on a single machine setting, showing that both the makespan and total completion time criteria can be solved in polynomial time. We then show that our proposed approach can be applied to general bi-criteria objective comprising of the makespan and the total completion time.

19.
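SSL handshake protocol based on batch key redistribution*   (Cited: 1 total, 0 self-citations, 1 by others)
The SSL (Secure Sockets Layer) handshake protocol uses a public-key cryptosystem (RSA) to protect the confidentiality and integrity of information transmitted between communicating entities, but it suffers from slow information processing. An SSL handshake protocol based on batch RSA solves this problem fairly well, but when the server receives a large number of client requests or comes under a DoS attack, server performance tends to degrade. An improved protocol based on batch key redistribution is therefore proposed. The protocol splits the key into two key-sequence branches and sends one branch to the client, which performs part of the decryption, reducing the server's computational cost and so overcoming the drop in server performance. Analysis and experimental results show that the protocol ensures secure information transmission and effectively increases information processing speed.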

20.
This paper addresses a batch scheduling problem in flow shop production systems, where job families are formed based on setup similarities. In order to improve setup efficiency, we consider batching decisions in our solution procedure. Due to its high practical relevance, the batch availability assumption is also adopted in this study. In the presence of sequence-dependent setup times, it is proved that a permutation flow shop is generally not optimal. Therefore, our objective is to determine solutions with inconsistent batches, which essentially lead to non-permutation schedules, to minimize makespan. After examining structural properties, we develop a tabu search algorithm with multiple neighbourhood functions. Computational results confirm the remarkable benefits of batching decisions. Our algorithm also outperforms some well-known and well-performing approaches.
