The ebridge project

In many organizations and government administrations, electronic documents are opening the way to faster and more efficient ways of doing business. In fact, electronic information exchange, far from being considered a luxury, is increasingly seen as a staple requirement for survival in today's competitive environment. The increasing use of EDI is a good example of this reality. Another is the development over the past few years of an increasing variety of pan-European information services. The growth in these services is being driven in part by the increasing globalization of trade and by the needs of the Single Market within the European Union. However, the provision of information services on a pan-European basis raises many issues from a security perspective. This article provides an overview of one of these pan-European information services and the steps that have been taken to improve its operational security within the context of the EC-sponsored ebridge project.     

Secure provision of patient-centered health information technology services in public networks—leveraging security and privacy features provided by the German nationwide health information technology infrastructure

Patient-centered health information technology services (PHS) provide personalized electronic health services to patients. Since provision of PHS entails handling sensitive medical information, a special focus on information security and privacy aspects is required. We present information security and privacy requirements for PHS and examine how security features of large-scale, inter-organizational health information technology networks, like the German health information technology infrastructure (HTI), can be used for ensuring information security and privacy of PHS. Moreover, we illustrate additional security measures that complement the HTI security measures and introduce a guideline for provision of PHS while ensuring information security and privacy. Our elaborations lead to the conclusion that security features of health information technology networks can be used to create a solid foundation for protecting information security and privacy in patient-centered health information technology services offered in public networks like the Internet.     

Securing E-business in a Wireless Environment

The provision of end-to-end security is increasingly important for service providers offering M-commerce services over the wireless Internet. Purchasing online is increasingly becoming common and accepted but trust and security is fundamental for future growth. Throughout history, successful business relationships have been fundamentally based on trust, so naturally a comprehensive and trusted mobile security infrastructure is essential to the future success of the M-commerce market.     

On the design of secure ATM networks

Asynchronous Transfer Mode (ATM) is seen to be a technology that allows flexibility, efficiency and manageable bandwidth on demand to be achieved in high-speed networks. ATM is able to support a variety of applications including voice, video, image and data with different quality of service requirements. This paper addresses the design and implementation of security services and mechanisms in ATM networks. The paper examines the various design options for the placement of security services within the ATM protocol reference model and considers their advantages and disadvantages. The option of placing the security layer between the ATM Adaptation Layer (AAL) and the ATM layer is selected and the design of security services such as confidentiality, integrity and data origin authentication services in the user plane are described. The paper then presents an authentication scheme and key establishment protocol. This protocol is integrated with the existing ATM signaling protocols as part of the call setup procedures in the control plane. Then the paper discusses a public key infrastructure for the ATM environment and considers the design of public key management protocols between ATM nodes and Certification Authority for initializing, retrieving and distributing public key certificates. Finally, the paper considers the design of access control service for ATM networks and discusses the issues involved in the provision of access control mechanisms both at the connection setup phase and during the user data transfer phase. It seems that the developed security design can be transparently integrated to secure ATM networks.     

Galileo系统BOC（1，1）信号码跟踪算法研究

对Galileo系统BOC(1,1)信号码跟踪问题进行了针对性研究,首先分析了已有的ASPeCT BOC(n,n)信号码跟踪技术的性能,然后对ASPeCT的相关函数做线性拟合处理,在不增加软硬件资源开销的前提下得到了新的比例鉴相器,从而改善了跟踪环路的性能。仿真结果表明,相对于ASPeCT技术的EMLP鉴相器,新的鉴相器保持了码跟踪环不存在误跟踪现象的特点,扩大了码跟踪环路的稳定域,并且提高了环路抗噪声的性能。     

Stand and deliver

Poor service provision within the global software services industryis contributing to a profound rethink in many firms that offerinformation and technology services. Recent press reports suggestthat all but a few software providers are willing to committhe organisation and its resources to high volume high riskservice provision.     

Performance evaluation of user applications in the ITS scenario: An analytical assessment of the NeMHIP

Internet connectivity in the ITS context is a flourishing demand that has to be covered by efficient information and communication technologies. Thanks to the provision of this connectivity, not only end users will profit from communication services, but also services for controlling the operation of the vehicle will benefit from the Internet connectivity. Services related to the operation and control of the vehicles exchange sensitive data, so strong security properties have to be ensured for this type of services. In addition, because of the privacy concerns related to the end users, it is desired to provide this kind of services with an adequate security level. From the communication point of view, a vehicle can be regarded as a mobile network where nodes onboard obtain continuous and optimal Internet connectivity, so, its mobility has to be managed. In the same way, network mobility management protocols should not only avoid security leaks, but also they have to ensure an adequate security level. It is needless to say that the introduction of security properties cannot render not fulfilling service performance requirements. In fact, the trade-off between security and application performance is a must. ITS standardisation bodies have adopted the NEtwork MObility Basic Support (NEMO BS) protocol to manage the mobility of networks. However, it still presents shortcomings like lack of security support and routing problems, which leads to a bad performance. One of the most promising design approaches is to consider a base mobility management protocol that provides out of the box security and route optimisation support like the Host Identity Protocol (HIP). Different solutions based on HIP can be found to solve network mobility in the literature, but none of these solutions aim at solving securely and efficiently network mobility management. That is, the provision of security properties to the network mobility management itself and to the end-to-end data communications while not increasing the signalling overhead and the manageability level remains unsolved. In this paper, we present the NeMHIP. NeMHIP is a secure and efficient network mobility management protocol which is based on HIP. In order to demonstrate its feasibility, we have carried out a study by means of analytical modelling to assess the performance of user applications with stringent QoS requirements like VoIP. Results demonstrate that the introduction of the NeMHIP in the ITS context is feasible because security properties are ensured while application performance requirements are satisfied. Therefore, we successfully achieve the trade-off between security and performance.     

Live digital,remember digital: State of the art and research challenges

The so called trend “live digital, remember digital” is acquiring higher relevance within the international research community, due to its several appealing challenges in a multitude of different fields within the Information and Communication Technologies. Today, many people live daily connected to the Internet through their mobile phones, laptops, tablets, etc. and the need to audit or log every single digital interaction emerges in many environments. By seamlessly recording those digital interactions and storing them in a privacy-preserving fashion, a number of benefits are brought to end users, like the provision of user-tailored services, amongst many others. In this paper we will particularly focus on the study of the security and privacy challenges within this field, as well as on the analysis of the currently existing solutions addressing these issues and we will propose an architecture for the so called live digital systems.     

Increased domain security through application of local security and monitoring

This paper presents a model for increasing security within a security domain through the use of localised security services and continuous monitoring. The model divides security services between three logical structures Local Security Units, Local Security Servers and Domain Management Centres. The localisation of security allows the functional divisions within organisations to implement modified security dependent upon their individual needs.     

使用手机一次性密码更安全的验证身份

越来越多的安全事件,大都是由于密码被盗造成,这也阻碍了网络银行和在线交易的发展。因此,不少国家甚至已经立法规定网上银行、金融机构等需向其用户加强网上安全保护,例如提供双因素认证服务等。     

IaaS云安全研究综述

目前,在新一代大规模互联网迅猛发展的背景下,产生的数据量也随之持续增长,这就导致用户的本地设备难以满足海量数据的存储和计算需求。与此同时,云计算作为一种经济高效且灵活的模式,具有易于使用、随用随付、不受时间和空间限制的优势,彻底改变了传统IT基础设施的提供和支付方式,可以有效解决无限增长的海量信息存储和计算问题。因此,在没有昂贵的存储成本和计算资源消耗的情况下,资源有限的用户可以采用云服务提供商（CloudServiceProvider,CSP）为用户提供所期望的服务。其中,基础设施即服务（Infrastructure as a Service, IaaS）作为云计算的三种服务类型之一,将虚拟化、分布式计算和网络存储等技术结合,可以在互联网上提供和租用计算基础设施资源服务（如计算、存储和网络）。故云计算依靠Iaa S层提供的计算基础设施资源,使用户不再需要购买额外设备,从而大大降低使用成本,同时也为上层服务奠定基础。然而,随着云计算服务的不断发展,基于IaaS的安全问题引起人们的关注。为了系统了解Iaa S的安全研究进展和现状,本文对IaaS的安全问题以及学术界和工业界的解决方案进行了...     

Smart Proactive Caching Scheme for Fast Authenticated Handoff in Wireless LAN

Handoff in IEEE 802.11 requires the repeated authentication and key exchange procedures, which will make the provision of seamless services in wireless LAN more difficult. To reduce the overhead, the proactive caching schemes have been proposed. However, they require too many control packets delivering the security context information to neighbor access points. Our contribution＇ is made in two-fold： one is a significant decrease in the number of control packets for proactive caching and the other is a superior cache replacement algorithm.     

安全服务管理层(CSSM)的功能和实现

通用数据安全框架CDSA（Common Data Security Architecture)是一个多层的安全平台，它向应用程序提供动态和全面的安全服务。安全服务管理层CSSM（Common Security Services Manager)是CDSA中最关键的一层，CSSM通过不同类别的组件管理器管理着不同类别的安全服务提供组件。本文将着重探讨在WINDOWS环境中利用COM＋技术实现CSSM的基本功能。     

A system for the provision of medical diagnostic and treatment advice in home care environment

Healthcare is an increasingly collaborative enterprise, involving broad range of healthcare services provided by many individuals and organizations. Apart from the provision of healthcare services to patients during hospitalization, the ability to assist people who have healthcare needs at their homes (e.g., the elderly) has become an increasingly critical issue. Provision of such personalized medical care services to patients requires readily access to integrated healthcare services ubiquitously. The integration of mobile and wireless devices with Grid technology can provide ubiquitous and pervasive access to Grid services. This article presents MASPortal, a Grid portal application for the assistance of people who are in need of medical advice at their homes. MASPortal is designed for use with wireless Personal Digital Assistants (PDAs) and provides remote access to an automated medical diagnostic and treatment advice system via an adaptive and easy to use interface. MASPortal has been implemented with a multi-layered security infrastructure in order to ensure secure access to healthcare processes and sensitive patient data.     

Edge Provisioning and Fairness in VPN-DiffServ Networks

Customers of Virtual Private Networks (VPNs) over Differentiated Services (DiffServ) infrastructure are most likely to demand not only security but also guaranteed Quality-of-Service (QoS) in pursuance of their desire to have leased-line-like services. However, expectedly they will be unable or unwilling to predict the load between VPN endpoints. This paper proposes that customers specify their requirements as a range of quantitative services in the Service Level Agreements (SLAs). To support such services Internet Service Providers (ISPs) would need an automated provisioning system that can logically partition the capacity at the edges to various classes (or groups) of VPN connections and manage them efficiently to allow resource sharing among the groups in a dynamic and fair manner. While with edge provisioning a certain amount of resources based on SLAs (traffic contract at edge) are allocated to VPN connections, we also need to provision the interior nodes of a transit network to meet the assurances offered at the boundaries of the network. We, therefore, propose a two-layered model to provision such VPN-DiffServ networks where the top layer is responsible for edge provisioning, and drives the lower layer in charge of interior resource provisioning with the help of a Bandwidth Broker (BB). Various algorithms with examples and analyses are presented to provision and allocate resources dynamically at the edges for VPN connections. We have developed a prototype BB performing the required provisioning and connection admission.     

IT convergence security

A recent emerging issue in information technology is the convergence of different kinds of applications. Convergence brings a user-centric environment to provide computing and communication services. In order to realize IT advantages, it requires the integration of security and data management to be suitable for pervasive computing environments. Security convergence refers to the convergence of two historically distinct security functions—physical security and information security—within enterprises; both are integral parts of any coherent risk management program. In this special issue, we have discussed current IT-Converged security issues, security policy and new security services which will lead to successful transfer smart space which is a new paradigm of future.     

Saudi cloud infrastructure: a security analysis

The growing demand and dependence upon cloud services have garnered an increasing level of threat to user data and security. Some of such critical web and cloud platforms have become constant targets for persistent malicious attacks that attempt to breach security protocol and access user data and information in an unauthorized manner. While some of such security compromises may result from insider data and access leaks, a substantial proportion continues to remain attributed to security flaws that may exist within the core web technologies with which such critical infrastructure and services are developed. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study that covers some 70 public domain web and cloud platforms within Saudi Arabia. Additionally, the major sources of security vulnerabilities within the target platforms as well as the major factors that drive and influence them are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws within such critical infrastructure by implementation with automated security auditing and manual static code analysis. The work also proposes some effective approaches, both automated and manual, through which security can be ensured through-out the SDLC and safeguard user data integrity within the cloud.     

一种基于访问控制的安全Web服务发现机制

当前的Web服务发现机制大多依赖集中式的统一描述、发现和集成注册中心,但组织机构出于安全和地域的考虑,倾向于构建私有的分布式注册中心,只有注册且可信的请求者才能浏览到他们有权限访问的服务信息。该文给出Web服务发现阶段基于角色的访问控制模型RBAC4WSD,发现代理依照服务提供者指定的安全策略对请求者实施访问控制,并以跨国公司内部的文档服务为例介绍原型系统的实现。     

Safeguarding Cloud Computing Infrastructure: A Security Analysis

Cloud computing is the provision of hosted resources, comprising software, hardware and processing over the World Wide Web. The advantages of rapid deployment, versatility, low expenses and scalability have led to the widespread use of cloud computing across organizations of all sizes, mostly as a component of the combination/multi-cloud infrastructure structure. While cloud storage offers significant benefits as well as cost-effective alternatives for IT management and expansion, new opportunities and challenges in the context of security vulnerabilities are emerging in this domain. Cloud security, also recognized as cloud computing security, refers to a collection of policies, regulations, systematic processes that function together to secure cloud infrastructure systems. These security procedures are designed to safeguard cloud data, to facilitate regulatory enforcement and to preserve the confidentiality of consumers, as well as to lay down encryption rules for specific devices and applications. This study presents an overview of the innovative cloud computing and security challenges that exist at different levels of cloud infrastructure. In this league, the present research work would be a significant contribution in reducing the security attacks on cloud computing so as to provide sustainable and secure services.