一种嵌入式数据库安全增强方案的设计与实现

由于嵌入式平台的开放性和智能化,嵌入式数据库面临的安全威胁日益增长。在此提出一种嵌入式数据库安全增强方案,融合多种安全技术,如指纹识别、访问控制、数据加密等,设计了一种基于嵌入式数据库的安全中间件,构造访问嵌入式数据库的安全通道,对嵌入式数据库系统进行安全增强。该安全方案在嵌入式数据库Berkeley DB系统上得到了应用,验证了嵌入式数据库安全方案的可行性,能够有效地增强嵌入式数据库的安全性。     

Joint optimization for secure ambient backscatter communication in NOMA-enabled IoT networks

Non-Orthogonal Multiple Access (NOMA) has emerged as a novel air interface technology for massive connectivity in Sixth-Generation (6G) era. The recent integration of NOMA in Backscatter Communication (BC) has triggered significant research interest due to its applications in low-powered Internet of Things (IoT) networks. However, the link security aspect of these networks has not been well investigated. This article provides a new optimization framework for improving the physical layer security of the NOMA ambient BC system. Our system model takes into account the simultaneous operation of NOMA IoT users and the Backscatter Node (BN) in the presence of multiple EavesDroppers (EDs). The EDs in the surrounding area can overhear the communication of Base Station (BS) and BN due to the wireless broadcast transmission. Thus, the chief aim is to enhance link security by optimizing the BN reflection coefficient and BS transmit power. To gauge the performance of the proposed scheme, we also present the suboptimal NOMA and conventional orthogonal multiple access as benchmark schemes. Monte Carlo simulation results demonstrate the superiority of the NOMA BC scheme over the pure NOMA scheme without the BC and conventional orthogonal multiple access schemes in terms of system secrecy rate.     

面向普适计算的动态多级安全访问控制方案

提出一种面向普适计算的动态多级安全访问控制新方案,形式化描述了访问控制的构成要素,定义了动态访问控制策略,最后给出了授权实现算法.方案既保证了授权的动态性,又增强了访问控制的安全性,更适合于普适计算环境.     

Ciphertext-Policy Attribute Based Encryption Supporting Any Monotone Access Structures Without Escrow

Ciphertext policy attribute-based encryp-tion (CP-ABE) is becoming a new primitive for fine-grained access control. It neither produces multiple en-crypted copies of the same data nor suffers from the severe burden of key distribution and management. The escrow problem that the central authority could decrypt any ci-phertexts addressed to all the specific users is still a chal-lenge for CP-ABE mechanism. One new CP-ABE scheme without escrow is proposed, and furthermore the proposed scheme achieves fully security in the standard model. The performance and security analysis results indicate that the proposed CP-ABE scheme is extremely appropriate for cloud storage system.     

协议组合逻辑安全的4G无线网络接入认证方案

针对4G无线网络中移动终端的接入认证问题,基于自证实公钥系统设计了新的安全接入认证方案,并运用协议演绎系统演示了该方案形成的过程和步骤,用协议组合逻辑对该方案的安全属性进行了形式化证明.通过安全性证明和综合分析,表明该方案具有会话认证性和密钥机密性,能抵御伪基站攻击和重放攻击,并能提供不可否认服务和身份隐私性,同时提高了移动终端的接入效率     

新的格上多机构属性基加密方案

针对基于双线性映射的属性基加密方案中无法抵抗量子攻击的问题,该文提出一种新的格上多机构属性基加密方案。先利用格上左抽样算法为用户生成密钥,使得用户私钥尺寸与级联矩阵的列数和用户属性个数相关,缩短用户私钥尺寸;然后采用Shamir门限秘密共享技术构造访问树,实现属性的与、或、门限3种操作,密文允许基于任意的访问结构生成,表达能力更加丰富,解决了大多方案中访问策略单一问题;方案证明可在标准模型下归约到判定性带误差学习问题的难解性。对比分析表明,方案系统公私钥、用户私钥和密文尺寸均有所优化,并较优于大多数单机构方案,此外方案存在多个属性机构,支持任意单调访问结构,安全性和实用性更满足云环境需求。     

新型自适应安全的密钥策略ABE方案

基于3维对偶正交基的技术,提出了一种新的密钥策略的基于属性的加密方案。该方案在素数阶群上构造,支持单调访问结构,具有自适应安全性。方案利用双重系统加密的证明方法将方案的自适应安全性归约到判定线性假设。与同样是自适应安全的密钥策略ABE方案相比,提出的方案在同等安全性上具有更高的效率。     

基于稳定匹配的认知无线网络协作物理层安全机制

在Underlay认知无线网络中,次用户被允许在主用户进行数据发送时接入主用户的频谱.此时,主用户将对次用户和窃听者造成干扰.利用协作干扰技术,主用户产生的干扰可以被用来改善次用户的物理层安全.基于此,本文针对包含多个主次用户的Underlay认知无线网络,提出了一种新的协作物理层安全机制.为了在保证主用户通信质量的前提下,最大化网络中次用户的总的安全容量,该机制将对次用户进行合理的频谱接入选择和功率控制.另外,考虑到个体理性和自私性对于频谱接入稳定性的影响,该机制利用稳定匹配理论将频谱接入选择问题建模为一对一的双边匹配问题,通过构建主次用户之间的稳定匹配来保证频谱接入的稳定性.仿真结果表明,使用本文所提安全机制,可以在保证主用户通信质量的前提下,稳定而又有效地改善网络中次用户获得的总的安全容量.     

基于零信任的私有云终端安全接入框架

近年来,企业陆续上云,基于安全、可控的因素,中大型企业、研发型企业逐步开展了私有云建设,依托私有云降本增效,赋能企业发展。在私有云环境下,各分支机构可以基于私有云应用开展工作,但各分支机构终端面临复杂的终端环境,如多种类型终端、终端接入多网络、终端在多区域使用、终端访问不同等级应用。文中针对传统终端安全解决方案、SDP解决方案在4种场景下的安全能力覆盖情况,分析了无法解决的场景,并依托零信任的思想进行了进一步研究,提出了基于沙箱的安全方案以及解决多终端接入私有云问题的新方法。     

AACS-compatible multimedia joint encryption and fingerprinting: Security issues and some solutions

In this paper, a new multimedia joint encryption and fingerprinting (JEF) scheme embedded into the advanced access content system (AACS) is proposed for multimedia transmission over networks. AACS is selected because it has been jointly developed by many famous companies and has been considered as the leading technology in content access control and multimedia distribution. In this framework, many attack points exist and can be exploited to defeat it. Furthermore, multiple attack points can be combined to form multi-point collusion attacks, which also endanger the proposed system. In this paper, we address the security concerns toward AACS-compatible JEF system in its entirety and propose solutions to cope with some security threats. The contributions of this paper include: (i) applying multimedia encryption at different points to resist some attacks points; (ii) proposing rewritable fingerprint embedding (RFE) to deal with some multi-point collusion attacks; (iii) designing a perceptual security spectrum metric (PSSM) to evaluate the degree of security when multiple encryptions are applied. The feasibility of the proposed AACS-compatible JEF method is further demonstrated through simulation results.     

Encrypted data sharing with multi-owner based on digital rights management in online social networks简

The online social networks（OSNs） offer attractive means for social interactions and data sharing, as well as raise a number of security and privacy issues. Although current solutions propose to encrypt data before sharing, the access control of encrypted data has become a challenging task. Moreover, multiple owners may enforce different access policy to the same data because of their different privacy concerns. A digital rights management（DRM） scheme is proposed for encrypted data in OSNs. In order to protect users＇ sensitive data, the scheme allows users outsource encrypted data to the OSNs service provider for sharing and customize the access policy of their data based on ciphertext-policy attribute-based encryption. Furthermore, the scheme presents a multiparty access control model based on identity-based broadcast encryption and ciphertext-policy attribute-based proxy re-encryption, which enables multiple owners, such as tagged users who appear in a single data, customize the access policy collaboratively, and also allows the disseminators update the access policy if their attributes satisfy the existing access policy. Security analysis and comparison indicate that the proposed scheme is secure and efficient.     

基于DiffServ的MIPv6安全接入方案

结合DiffServ网络QoS控制与AAA安全机制,文中设计了一种网络区域边界安全的MIPv6接入方案。方案采用AAA认证授权,实现MIPv6转交地址配置和应用层与网络层身份一一映射,为DiffServ区域提供了边界保护;采用应用层与网络层安全协同,减轻了边界路由安全负荷。     

基于事件的一次性口令双向认证的实现

针对静态口令身份认证技术易受攻击的安全缺陷,在事件同步一次性口令产生机制的基础上,结合公钥密码体制,设计并实现了一种新的一次性口令双向认证方案。与传统的挑战／响应双向认证方案相比,该方案实现简单、执行效率高,适用于电子商务过程中的身份认证,能够实现网络环境下用户和服务器的双向认证,避免各种攻击,可以大大提高用户访问的安全性,有效保护用户信息。     

A combined public-key scheme in the case of attribute-based for wireless body area networks

The wireless body area networks (WBANs) is a practical application model of Internet of things. It can be used in many scenarios, especially for e-healthcare. The medical data of patients is collected by sensors and transmitted using wireless communication techniques. Different users can access the patient’s data with different privileges. Access control is a crucial problem in WBANs. In this paper, we design a new security mechanism named combined public-key scheme in the case of attribute-based (CP-ABES) to address the user access control in WBANs. Our scheme combines encryption and digital signatures. It uses ciphertext-policy attribute-based encryption to achieve data confidentially, access control, and ciphertext-policy attribute-based signature to realize the identity authentication. The access policy used in our scheme is threshold. Based on this feature, the length of ciphertext and signature of our scheme is constant. Our scheme provides confidentiality, unforgeability, signer privacy and collusion resistance. We prove the efficiency of our scheme theoretically and analyze the security level and energy consumption of our scheme.

     

Maximal connected sets—application to microcell CDMA

Current trends in personal and data communication networks favour code division multiple access (CDMA) as a solution to spectral congestion. This is because of enhanced capacity, security, network flexibility, simplified protocol, and relative immunity to propagation induced errors such as multipath and interference, as compared with traditional frequency division multiple access (FDMA). Various CDMA schemes have been proposed and described in relation to VSAT systems, local area microcells,² and cellular telephones. Additionally, numerous product applications have emerged in the areas of modems, voice links and wireless local exchanges. These systems require inter- and intra-cell control. By contrast, the scheme presented in this paper places no reliance on intercell protocol. It enables new cells to be added to the network without any impact on the hardware. Network reconfiguration requires software changes only. Therefore, the scheme is appropriate to systems which demand flexibility with minimum overheads.     

基于二次剩余问题的证书撤销方案

证书撤销状态发布是PKI一个最为关键的环节.评价一个证书撤销状态发布方案的指标主要包含证书状态发布通信量、发布的实时性、访问平稳性、目录服务器安全要求、状态验证计算复杂度等五个方面.在对目前已有证书状态发布方案分析的基础上,本文提出基于二次剩余难解问题的证书撤销状态发布方案.该方案在状态发布的实时性、发布数据通信量、访问发生平稳性、对目录服务器的安全要求等方面都有十分理想的效果,其计算复杂度也小于OCSP、CRT和CRL.     

基于角色的域-类型增强访问控制模型研究及其实现

安全系统只有能够支持多种安全政策才能满足实际需求.基于角色的访问控制(Role-Based Access Control,RBAC)是一种政策中性(Policy Neutral)的新模型,已经实现了多种安全政策.域-类型增强(Domain and Type Enforcement,DTE)安全政策充分体现了最小特权(Least Privilege)和职责分离(Separation of Duty)的安全原则,但是,RBAC96不便于直接实现DTE.根据RBAC和DTE的思想,本文提出了"基于角色的域-类型增强访问控制"(Role-Based Domain and Type Enforcement Access Control,RDTEAC)模型.该模型继承了RBAC96的优点,又体现了DTE的安全思想,并易于实现DTE安全政策.此外,我们还在Linux上实现了RDTEAC模型的一个原型.     

Security, privacy, and accountability in wireless access networks - [Accepted from open call]

The presence of ubiquitous connectivity provided by wireless communications and mobile computing has changed the way humans interact with information. At the same time, it has made communication security and privacy a hot-button issue. In this article we address the security and privacy concerns in wireless access networks. We first discuss the general cryptographic means to design privacy-preserving security protocols, where the dilemma of attaining both security and privacy goals, especially user accountability vs. user privacy, is highlighted. We then present a novel authentication framework that integrates a new key management scheme based on the principle of separation of powers and an adapted construction of Boneh and Shacham's group signature scheme, as an enhanced resort to simultaneously achieve security, privacy, and accountability in wireless access networks.     

New entity authentication and access control scheme in satellite communication network

With the increasing global demand for satellite communications,the problem of entity authentication and access control of the satellite communication network needs to be solved urgently.To solve this problem,a new multiple center-based entity authentication and cross-domain access control scheme was proposed.The scheme divided the multiple centers into two layers for entity authentication,and maped the authorization of the multiple domains to achieve access control.Simulation experiments show that the proposed scheme support the entity authentication for 100 million users.Furthermore,it also allows 1 million users to access in parallel.     

基于用户概率分组模型的密钥分发方法研究

条件接收系统是付费电视系统的重要组成部分,而其中密钥分发的效率和安全性又是影响条件接收系统性能的关键因素.本文基于用户概率模型提出了用户霍夫曼树分组模型及相应密钥分发方法,该方法具有最优的分发效率.