SAML在Web SSO中的应用研究

SAML是由OASIS提出的基于XML规范用于网络应用间用户身份及授权等安全信息描述和交换的一个规范。基于SAML规范,可以在已建立信任关系的不同服务实体间进行认证、授权等信息的传递。该文主要针对以Identity Pmvider（IdP）发起模式实现Web SSO中对SAML的应用进行一定的研究。     

Identity-based strong designated verifier signature schemes: Attacks and new construction

A strong designated verifier signature scheme makes it possible for a signer to convince a designated verifier that she has signed a message in such a way that the designated verifier cannot transfer the signature to a third party, and no third party can even verify the validity of a designated verifier signature. We show that anyone who intercepts one signature can verify subsequent signatures in Zhang-Mao ID-based designated verifier signature scheme and Lal-Verma ID-based designated verifier proxy signature scheme. We propose a new and efficient ID-based designated verifier signature scheme that is strong and unforgeable. As a direct corollary, we also get a new efficient ID-based designated verifier proxy signature scheme.     

SAP系统安全机制研究

通过笔者在项目实践中对SAP系统的深入了解,对SAP系统采用的安全机制,包括身份管理、权限管理、数据库可靠性支持,数据交互完整性保护、数据传输安全以及日志审计等方面进行了阐述.     

一种改进的PGP安全电子邮件系统

USB安全锁是网络身份认证系统中常用的信息载体,具有较高的可靠性。该文引入N分法密钥概念,结合USB安全锁的认证协议,提出一种改进的PGP电子邮件系统。在安全通信时,利用USB安全锁进行身份认证和密钥管理,无须可信第三方的介入。实验结果证明,该系统可以有效地抵抗重放攻击和中间人攻击。     

基于E-RBAC模型的通用用户权限配置的实现

传统的用户权限配置虽然有些采用RBAC模型,但都是针对具体业务系统,成为信息系统的一个功能模块,灵活性差,且缺乏通用性.为此,提出基于E-RBAC模型策略和应用Web技术,实现Web型信息系统中用户权限配置的通用性.     

Secure communications for cluster-based ad hoc networks using node identities

Ad hoc networks are self-configurable networks with dynamic topologies. All involved nodes in the network share the responsibility for routing, access, and communications. The mobile ad hoc network can be considered as a short-lived collection of mobile nodes communicating with each other. Such networks are more vulnerable to security threats than traditional wireless networks because of the absence of the fixed infrastructure. For providing secure communications in such networks, lots of mechanisms have been proposed since the early 1990s, which also have to deal with the limitations of the mobile ad hoc networks, including high power saving and low bandwidth. Besides, public key infrastructure (PKI) is a well-known method for providing confidential communications in mobile ad hoc networks. In 2004, Varadharajan et al. proposed a secure communication scheme for cluster-based ad hoc networks based on PKI. Since the computation overheads of the PKI cryptosystem are heavy for each involved communicating node in the cluster, we propose an ID-based version for providing secure communications in ad hoc networks. Without adopting PKI cryptosystems, computation overheads of involved nodes in our scheme can be reduced by 25% at least.     

基于中国剩余定理的无线局域网安全方案

针对无线局域网中用户的不确定性,提出一种基于中国剩余定理的用户身份认证方案.该方案的优点是为每个用户分配私人密钥,并借助于简单模运算,便可判断该用户对AP的访问权;更新用户时,无需修改其他用户的私人密钥,管理方便、快捷.     

分布式认证系统浅析

随着应用系统的发展,单一的认证服务器负荷越来越大且安全性不高,分布式认证系统可以很好的解决这一问题,且可以达到对现有应用系统的良好集成。本文就对客户端/服务器（C/S）模式和浏览器/服务器（B/S）模式下两个典型的分布式认证系统进行了分析研究。     

基于身份的电子邮件系统

1984年,为了简化密钥管理并取消公钥证书的使用,Shamir提出了基于身份的密码学概念.在这种密码学模式下,用户的身份信息如用户的名字、Email地址或者IP地址可以直接用作用户的公钥.文章基于三个开放源码库:GNU Multiple Precision(GMP)、OpenSSL和IBE库,设计并实现了一个基于身份的电子邮件系统.该系统具有邮件加密、解密、签名、验证功能.     

海归派建筑师?

文章从探讨“海归派建筑师”这个外加的身份定义下,是否存在着某种行为方式的共性,是否存在一种有意识的社会身份和权力的自我建构等这一系列问题入手,认为由于缺乏主体的自我认同,“海归派建筑师”的身份在当代是难以成立的,在操作层面,比较突出的共性特征是非本土化,这与经济全球化的大环境的明显悖论,其社会根基,源自由于东西方社会落差而产生的市民大众心理深层的对西方榜样的需求,并且其异化而且虚设的话语权力是被社会赋予的。文章最终结论,在全球化环境下,地域身份划分方法的不可靠是产生“海归派建筑师”身份定义可疑的根本原因,因而对于“海归派建筑师”而言．正视地域身份模糊这一事实,或许能够带来基于社会立场的更深层次的思考,而这对检视当代中国建筑转型期的过程,无疑也是有益的。