Similar literature
 Found 20 similar documents; search took 31 ms
1.
Secure remote access from office to home   Total citations: 1, self-citations: 0, citations by others: 1
When accessing IP-ready appliances at home from a remote site, security is a major concern. We address the seemingly common scenario of accessing IP-ready appliances behind a home firewall from a remote PC within a corporate intranet. The scenario reveals the complex nature of secure remote access. Various IP tunneling technologies can provide secure remote access without sacrificing the ubiquitous accessibility of the Internet; however, the problem of multiple authentication processes is evident in the framework. Digital certificate technology can simplify the authentication process required to establish multiple IP tunnels. However, IP tunneling technologies do not scale well, and become infeasible if the number of firewalls to traverse increases. Scalability and end-to-end security requirements call for the deployment of authenticated firewall traversal methods that use minimal or no IP tunnels. This article describes a meet-in-the-middle network model as a simple and practical method

2.
Designing and implementing efficient firewall strategies in the age of the internet of things is far from trivial. This is because, as time proceeds, an increasing number of devices will be connected, accessed, and controlled on the internet. Additionally, an ever‐increasing amount of sensitive information will be stored on various networks. A good and efficient firewall strategy will attempt to secure this information and to also manage the large amount of inevitable network traffic that these devices create. The goal of this paper is to propose a framework for designing optimized firewalls for the internet of things. This paper deals with 2 fundamental challenges/problems encountered in such firewalls. The first problem is associated with the so‐called rule matching time problem. Here, we propose a simple condition for performing the swapping of the firewall's rules; using which, we can guarantee the firewall's consistency and integrity and also ensure a greedy reduction in the matching time. Unlike the state of the art, our swapping condition considers rules that are not necessarily consecutive, using a novel concept referred to as a “swapping window.” The second contribution of our paper is a novel “batch”‐based traffic estimator that provides network statistics to the firewall placement optimizer. The traffic estimator is a subtle but modified batch‐based embodiment of the Stochastic Learning Weak Estimator. Further, by performing a rigorous suite of experiments, we demonstrate that both algorithms are capable of optimizing the constraints imposed for obtaining an efficient firewall.

3.
Authentication codes provide message integrity guarantees in an information theoretic sense within a symmetric key setting. Information theoretic bounds on the success probability of an adversary who has access to previously authenticated messages have been derived by Simmons and Rosenbaum, among others. In this paper, we consider a strong attack scenario where the adversary is adaptive and has access to authentication and verification oracles. We derive information theoretic bounds on the success probability of the adversary and on the key size of the code. This brings the study of unconditionally secure authentication systems on a par with the study of computationally secure ones. We characterize the codes that meet these bounds and compare our result with the earlier ones.

4.
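Network security design of IAM for ERP systems   Total citations: 1, self-citations: 0, citations by others: 1
The secure use of ERP systems has long been an information security problem facing enterprises. To safeguard the security of ERP applications and information access, we built an IAM (Identity and Access Management) network security scheme for the ERP system. The scheme provides ERP applications with reliable and efficient fingerprint authentication, a secure and reliable packet-filtering firewall module, and a real-time database process monitoring module, thereby ensuring that ERP system information is secure and reliable. This paper describes the IAM system; analyzes the interaction between the IAM system internals and the ERP system; and then details the design of the firewall module based on Windows API packet-filtering technology, together with other related network security designs, so that the system can filter dynamically according to IAM identity verification information. This makes up for the difficulty ordinary firewall rules have in interacting flexibly with application software, and provides a reliable guarantee for secure information access in enterprise applications.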

5.

Chaos influences different fields of science and technology. The development of sciences is at peak expected to the rapid broadcast of information with the smart machine in constrained resources atmosphere. With the help of our smartphone, we can easily access the information within no time and with much ease. This ease makes our information open and can be accessed from the web or misuse by any person. To secure our information on the internet of things (IOTs), lightweight cryptographic algorithms were introduced. We offered an efficient lightweight confusion component scheme constructed on the composition of chaotic iterative maps. The proposed chaotic lightweight substitution box (S-box) offers decent cryptographic characteristics. The suggested chaotic S-box is used for adding a confusion layer in small lightweight block cipher algorithms. The outcome of cryptographic characteristics displays that the anticipated chaotic Substitution box is appropriate for the lightweight block cipher in a constrained source environment.


6.
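With Internet penetration now extremely high, the network's influence on all kinds of things keeps growing. With the rise of new network services, security problems have become increasingly important, so network security has become a key research direction in the Internet field, research on its technologies has become a hot topic, and people are paying ever closer attention to it. The firewall is currently a widely used network security technology. In the process of building a secure network environment, the firewall, as the first line of security defense, is receiving attention from more and more users. The firewall still plays the most basic preventive role and is an effective means of ensuring secure information transmission between internal and external networks.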

7.
With the popularity of cloud computing, how to securely authenticate a user while not releasing user’s sensitive information becomes a challenge. In this paper, we introduce a slight homomorphic signature, which is suitable to implement an access controlling service in cloud computing. In slight homomorphic signature, each user in cloud computing who has a set of identity attributes, firstly computes a full signature on all his identity attributes, and sends it to a semi-trusted access controlling server. The access controlling server verifies the full signature for all identity attributes. After that, if the user wants to require a cloud service, which may have a special requirement on one of the identity attributes, the user only needs to securely send the cloud service’s name to the access controlling server. The access controlling server which does not know the secret key can compute a partial signature on this special identity attribute, and then sends it to the cloud server for authentication. In the paper, we give a formal secure definition of this slight homomorphic signature, and construct a scheme from Boneh–Boyen signature. We prove that our scheme is secure under q-SDH problem with a weak adversary.

8.
Network on Chip (NoC) is an emerging solution to the existing scalability problems with System on Chip (SoC). However, it is exposed to security threats like extraction of secret information from IP cores. In this paper we present an Authenticated Encryption (AE)-based security framework for NoC based systems. The security framework resides in Network Interface (NI) of every IP core allowing secure communication among such IP cores. The secure cores can communicate using permanent keys whereas temporary session keys are used for communication between secure and non-secure cores. A traffic limiting counter is used to prevent bandwidth denial and access rights table avoids unauthorized memory accesses. We simulated and implemented our framework using Verilog/VHDL modules on top of NoCem emulator. The results showed tolerable area overhead and did not affect the network performance apart from some initial latency.

9.
This paper proposes a novel security model for secure query processing in semantic sensor networks. A semantic sensor network (SSN) is a sensor network including semantics of sensory data and context information, and relationships between the semantics by using Semantic Web technologies. Even though much research has been activated on SSN, there is little activity on how to securely access data in semantic sensor networks. Most of storages have been developed based on relational database model and the relational database model provides a secure and robust security support. Therefore, we need to devise a security model considering such a real environment. This paper proposes a new access control model for secure query processing in semantic sensor networks. The proposed security model is based on relational database security model. This paper shows the overall framework and definitions of the proposal, and the experiment and evaluation is described to show validity of our proposal. With the experiment and evaluation, it is clear that the proposed model provides a secure access control support for SSNs.

10.
Space-ground integration information network consists of space-based backbone network, space-based access network, the node net of foundation, Internet, mobile communication network, which has important significance for the realization of the target of national security strategy. Firstly, the characteristics of space-ground integration network, such as exposed channel, heterogeneous network integration, etc., were analyzed. Also, the corresponding threats from the physical layer, operation layer, data layer were introduced. Secondly, a comprehensive study on current status of survivability, anti-jamming, secure access, secure routing, secure handoff, secure transmission and key management was made. Finally, combined with research status, the important trends were proposed.

11.
Your 802.11 wireless network has no clothes   Total citations: 4, self-citations: 0, citations by others: 4
The explosive growth in wireless networks over the last few years resembles the rapid growth of the Internet within the last decade. To protect internal resources, organizations usually purchased and installed an Internet firewall. We believe that the currently deployed wireless access points present a larger security problem than the early Internet connections. A large number of organizations, based on vendor literature, believe that the security provided by their deployed wireless access points is sufficient to prevent unauthorized access and use. Unfortunately, nothing could be further from the truth. While the current access points provide several security mechanisms, our work combined with the work of others show that all of these mechanisms are completely ineffective. As a result, organizations with deployed wireless networks are vulnerable to unauthorized use of, and access to, their internal infrastructure. We present a novel solution that requires no changes or additions to any deployed wireless equipment, and is easily deployed and transparent to end users.

12.
Privacy of information is one of the most important and unavoidable issues in our digitally advanced era. A huge amount of information is transmitted over different servers and networking protocols. The sphere of digitally advanced world is tied with information in different forms of facilitations, which includes online banking systems, ecommerce and many more. Providing the ease of access, anything online makes our confidential information open to different threats. Therefore, to enjoy ease of access and at the same time secure our digital information from theft, we need a robust information security system. In this article, we have designed a novel and an efficient security system, which provides secrecy to our digital information. The designed encryption scheme is fundamentally a combination of chaos and nonlinear confusion components. We have developed a new mechanism of adding confusion, namely S8 permutation of double affine transformation to construct 40320 new substitution boxes (S-boxes) having nonlinearity 112 from a single S-box. Moreover, nonlinear Lorenz dynamical system is utilized to select any three S-boxes from 40320 newly generated nonlinear components. To add diffusion in our proposed algorithm, we have utilized Chirikov discrete iterative map. The excellence of an offered digital image encryption has been examined and evaluated with standard benchmarks. The simulation results reveal that the quality of the image encryption passes all these tests and is comparable to current benchmarks.

13.
Electronic commerce is inevitable and will reshape our lives, but before true electronic commerce environments can be realized, it will be necessary to secure your enterprise against outside attacks on its electronic information and provide controls for authorized access to that information. Copyright © 1999 John Wiley & Sons, Ltd.

14.
Using agents for secure access to data in the Internet   Total citations: 1, self-citations: 0, citations by others: 1

15.
16.
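Access control is an important information security technology. The main current approach is role-based access control, but it has shortcomings in management and security. Building on the development history of ABE algorithms, an access control model based on the ABE algorithm is presented, in which the roles of RBAC are identified by a set of describable attributes. An access control method based on the CP-ABE algorithm is then implemented, its performance is analyzed in terms of algorithm complexity, security, function implementation and other aspects, and the relevant performance tests are given. The experimental results show that the algorithm has certain advantages in these respects, can effectively resist collusion attacks, and exhibits good security. Finally, several algorithm optimization schemes are proposed on the basis of the experimental results, with the aim of designing more efficient and secure access control methods.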

17.
18.
In order to achieve fine-grained access control in cloud computing, existing digital rights management (DRM) schemes adopt attribute-based encryption as the main encryption primitive. However, these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud. In this paper, we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing. We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption. Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights are able to recover the content encryption key and further decrypt the content. The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users, and also enables the license server to implement immediate attribute and user revocation. Moreover, our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption, which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext. Extensive analytical results indicate that our proposed scheme is secure and efficient.

19.
Despite that existing data sharing systems in online social networks (OSNs) propose to encrypt data before sharing, the multiparty access control of encrypted data has become a challenging issue. In this paper, we propose a secure data sharing scheme in OSNs based on ciphertext-policy attribute-based proxy re-encryption and secret sharing. In order to protect users' sensitive data, our scheme allows users to customize access policies of their data and then outsource encrypted data to the OSNs service provider. Our scheme presents a multiparty access control model, which enables the disseminator to update the access policy of ciphertext if their attributes satisfy the existing access policy. Further, we present a partial decryption construction in which the computation overhead of user is largely reduced by delegating most of the decryption operations to the OSNs service provider. We also provide checkability on the results returned from the OSNs service provider to guarantee the correctness of partial decrypted ciphertext. Moreover, our scheme presents an efficient attribute revocation method that achieves both forward and backward secrecy. The security and performance analysis results indicate that the proposed scheme is secure and efficient in OSNs.

20.
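Cao Lifeng, Chen Xingyuan, Du Xuehui, Shao Jing. Acta Electronica Sinica (《电子学报》), 2013, 41(7): 1442-1447
To address the information leakage problem caused by object correlation, this paper analyzes object correlation in depth and proposes a method for inferring the information level of aggregated objects based on attribute correlation. According to the dependency relationships among object attributes, the method mines objects with a high degree of correlation and, through the possibility measure of the fuzzy set of the correlated objects' attribute levels, infers the possibility that higher-level information can be derived from the correlated objects. This guides the formulation of access control policies for multilevel secure networks, controls subjects' access to correlated objects, and reduces the risk of loss and leakage of secrets in the system.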
