基于PPTP协议和混沌理论认证的VPN的实现

PPTP协议可以较好地保证VPN中的数据在传输过程中的安全性,但是传统的静态密码在身份认证时依然存在不少安全隐患.针时VPN的安全需求,提出了基于混沌理论的一次一密动态密码,构造了基于混沌理论的用户身份"指纹"的认证算法以及身份认证双方的混沌同步算法,把演化、发展的混沌序列作为用户的身份"指纹",实现了身份"指纹"的无约定动态变化,增强了VPN的安全性.     

一个具有强授权特性的网格安全框架

网格安全技术主要解决网格环境中实体之间的认证和授权问题。Globus网格项目中的GSI(Grid Secudty Infrastmcture)主要基于X．509技术实现身份认证以及数据的机密性、完整性和抗否认性,重点解决了认证和消息保护问题,然而在授权问题上缺乏必要的技术支撑。在分析现有安全技术的基础上,提出了将基于X．509的PKI技术和PMI技术相结合的网格安全框架,旨在实现基于安全认证基础之上网格用户和虚拟群组实体间的安全授权机制,从而构建强认证、强授权的网格安全基础设施。     

基于区块链网络的医疗记录安全储存访问方案

针对在当前医疗系统中医疗记录授权流程繁琐、记录分享效率低下和身份验证困难问题，提出一种结合区块链技术与密码学的非对称加密技术的方法，将非对称加密技术的安全性高、多方协作简单等特性应用到区块链技术构成的点对点网络中，实现医疗记录跨域分享的可追踪、数据的不可篡改和身份验证的简化。首先，基于区块链技术的不可篡改性结合非对称加密技术，设计了文件同步合约和授权合约，其分布式储存优势保证了用户医疗信息隐私。其次，跨域获取合约的设计能够有效验证数据分享双方身份以及提高身份验证效率，不需要第三方公证机构便可安全过滤非合法用户。仿真实验结果显示，所提出的方案相比传统使用云计算方法解决医疗记录分享问题的方案，在数据防盗窃、多方身份验证和节约系统开销方面有明显优势。该方案对利用区块链的去中心化、可审计等优点解决数据分享过程中的安全问题提供了参考，为解决数据跨域分享、跨域身份验证问题提供了借鉴思路。     

一种车载mesh网络漫游匿名接入认证协议

无线mesh网络的特性使它面临着比传统无线网络更大的安全挑战。其安全解决方案必须兼顾安全性和应用环境等因素。用户节点的接入认证与密钥协商是节点漫游时最基本的安全协议,是安全路由等协议的实现基础。在多跳车载mesh网络用户节点接入认证中,用户身份信息的保护非常重要,然而有关车载mesh网络用户节点漫游时的匿名认证的研究较少,为此,在充分考虑无线mesh网络自身特点的基础上,结合基于Hash和Diffie-Hellman算法,提出一种高效的用户节点匿名接入认证与密钥协商协议。分析发现,该协议不仅可以满足安全性需求,在现实应用中也是可行的。     

REMUS: A Rerouting and Multiplexing System for Grid Connectivity Across Firewalls

The Grid provides unique opportunities for high-performance computing through distributed applications that execute over multiple remote resources. Participating institutions can form a virtual organization to maximize the utilization of collective resources as well as to facilitate collaborative projects. However, there are two design aspects in distributed environments like the Grid that can easily clash: security and resource sharing. It may be that resources are secure but are not entirely conducive to resource sharing, or networks are wide open for resource sharing but sacrifice security as a result. We developed REMUS, a rerouting and multiplexing system that provides a compromise through connection rerouting and wrappers. REMUS reroutes connections using proxies, ports and protocols that are already authorized across firewalls, avoiding the need to make new openings through the firewalls. We also encapsulate applications within wrappers, transparently rerouting the connections among Grid applications without modifying their programs. In this paper, we describe REMUS and the tests we conducted across firewalls using two Grid middleware case studies: Globus Toolkit 2.4 and Nimrod/G 3.0.     

基于虚拟组织的桌面云安全访问与共享机制研究

采用云计算技术实现托管式的虚拟桌面一般被称为桌面云。近年来桌面云被认为是云计算最为成熟的应用之一,本文着重研究桌面云安全访问与共享机制。我们使用基于PKI的证书认证建立了虚拟组织,在其上重点研究了虚拟机的创建,远程桌面访问,共享等应用。证书认证等机制可以使得访问更加安全可靠。而通过虚拟组织的信任关系,多个用户可以共享同一个虚拟机。为了确保远程通道的安全,我们采用了OpenVPN来构建虚拟专用网络,对虚拟机的使用者进行认证并对通信进行加密保护。     

关于网格计算授权机制的研究

分析了目前网格计算中最流行的安全机制GSI（Grid Security Infrastructure,网格安全基础设施）和基于GSI的CAS（Community Authorization Service,组织授权服务）,提出了一种基于本地角色授权的、能够解决大规模VO（Virtual Organization,虚拟组织）的授权问题的方案。同GSI和CAS不同的是,本方案中的用户只需要进行本地认证就能够根据其在本地组织的角色来访问VO。     

Virtual Organizations [Guest Editors' Introduction]

Today's organizations are no longer constrained by traditional time and place barriers. Instead, information technology supports virtual organizations: flexible networks of independent, globally distributed entities that share knowledge and resources and work toward a common goal. Resources aren't limited to computing power, but include elements as diverse as storage, network links, data sets, analysis tools, sensors, and scientific instruments. Sharing policies are highly diverse, given that sharing must be controlled, secure, flexible, and limited in time.     

网格环境下基于VO的统一认证授权研究

网格计算系统中的资源共享和协同工作建立在虚拟组织基础之上,各种资源的共享是受认证和授权控制的。可以说,认证授权是网格安全的本质,是网格计算系统成败的关键。因此,研究虚拟组织的认证授权模型具有重要意义。根据GSl模型提出了一种基于VO的统一认证与授权模型。     

一种Web应用环境下安全单点登录模型的设计

文章面向Web应用系统,提出了一种实现安全单点登录模型的设计思想。该模型基于Java平台设计,可提供本地及异地系统间的用户身份认证,确保用户在任意点安全登录并赋予相应访问权限,提高了Web应用系统整体安全性。     

开放式网格服务架构的安全设施

网格是一种开放的分布式系统环境,它的目标是实现分布的、异构的、动态的、虚拟组织之间的资源共享。安全性是网格环境中的关键因素之一,网格的安全性主要包括数据的一致性、私有性、认证、授权与审计。深入分析了开放式系统环境中的安全模型与认证、授权框架,讨论了开放式瞬格服务架构中的网格服务安全的协议与设施。     

A secure collaboration service for dynamic virtual organizations

Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.     

TNC在等级保护中的应用研究

信息安全等级保护工作是维护基础信息网络与重要信息系统安全的根本保障,尤其对保护我国政府信息系统的安全具有重要意义。访问控制和身份鉴别在信息系统等级保护的基本技术要求中占有重要地位,针对传统网络接入控制机制的不足,文章提出了基于终端完整性度量的政府远程办公网络系统安全解决方案,设计了一种基于可信网络连接TNC（Trusted Network Connection）的安全接入认证协议。通过安全分析表明,该方案能够确保政府远程办公终端自身的完整性和安全性,从而构建政府远程办公网络系统的可信计算环境,保证整个政府办公网络系统应用环境的安全。     

Ad hoc网络节点安全认证机制综述

要达到网络通信无处不在目的,必须研究Ad hoc网络。在Ad hoc网络中,要保证Ad hoc网络各节点间的安全通信,必须对组成网络的各节点身份进行认证。对近几年Ad hoc网络安全研究中的组成网络各节点身份进行认证的机制进行了综述,归纳出基于对称密码算法和非对称密码算法的安全认证机制,并对这些机制进行评估。     

A group key agreement protocol for intelligent internet of things system

The application of intelligent computing in Internet of Things (IoTs) makes IoTs systems such as telemedicine, in-vehicle IoT, and smart home more intelligent and efficient. Secure communication and secure resource sharing among intelligent terminals are essential. A secure communication channel for intelligent terminals can be established through group key agreement (GKA), thereby ensuring the security communication and resource sharing for intelligent terminals. Taking into account the confidentiality level of the shared resources of each terminal, and the different permissions of the resource sharing of each terminal, a GKA protocol for intelligent IoTs is proposed. Compared with previous work, this protocol mainly has the following advantages: (1) The hidden attribute identity authentication technology can achieve the security of identity authentication and protect personal privacy from being leaked; (2) Only intelligent terminals satisfying the threshold required of the GKA can participate in the GKA, which increases the security of group communication; (3) Low-level group terminals can obtain new permissions to participate in high-level group communication if they meet certain conditions. High-level group terminals can participate in low-level group communication through permission authentication, which increases the flexibility and security of group communication; (4) The intelligent terminals in the group can use their own attribute permission parameters to calculate the group key. They can verify the correctness of the calculated group key through a functional relationship, and does not need to exchange information with other members in the same group. Under the hardness assumption of inverse computational Diffie-Hellman problem and discrete logarithm problem, it is proven that the protocol has high security, and compared with the cited literatures, it has good advantages in terms of computational complexity, time cost and communication energy cost.     

广播发射台统一认证系统的研究与设计

针对台内局域网中应用系统日益增多的情况,本文设计了一个基于指纹+USBKey双因素认证(2FA)模式的统一认证系统,实现用户的身份认证和资源授权.系统还兼有单点登录(SSO)的功能,用户只需要主动地通过系统进行一次身份认证,就可以无缝地访问所有被授权的网络应用系统资源.同时,管理员还可以通过统一认证系统对所有用户的身份...     

高安全度虚拟组织中动态防火墙的设计和实现

网格计算的本质含义是在动态变化的、拥有多个部门或者团体的复杂虚拟组织内,灵活安全地协同实现资源共享和问题求解[1]。建立安全、稳定、可扩充的虚拟组织是整个网格技术的基础。本文分析了在网格环境下组建高安全度虚拟组织时传统防火墙体制遇到的问题,设计了旨在保障虚拟组织高度安全性的新型动态防火墙模型,并给出了在Linux平台下这种防火墙的实现方法。     

基于Web服务的网格安全单点登录模型的设计

网格是近年来兴起的一种重要信息技术,它的目标是实现网络虚拟环境上的高性能资源共享和协同工作,消除信息孤岛和资源孤岛。本文首先简述了网格的基本概念,其次分析了网格环境特征以及网格所面临的特有的安全和策略要求,针对在网格环境中跨越多个可扩展的、动态的、分布式虚拟组织进行安全互访的问题,提出并设计了＂基于Web服务的网格安全单点登录模型＂,实现了网格安全认证机制,提高了网格系统的整体安全性。     

基于PKI的Web单点登录系统设计与实现

随着Web应用的不断普及,如何方便的认证用户身份,如何灵活的管理用户的访问权限,成为了一个日益重要的问题.单点登录(single sign-on)是一种解决不同系统之间一次登录,多系统访问的技术.设计并实现了一种Web环境下的单点登录模型,其安全性基于公开密钥基础设施,保证了多Web系统互连的安全性.系统在J2EE平台上实现,有效的解决了重放攻击、身份认证等安全问题;同时,该系统实现简单,保留了原有系统的权限管理模块,降低了系统集成成本的同时,也更灵活的实现了权限管理.     

An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks

User authentication with unlinkability is one of the corner stone services for many security and privacy services which are required to secure communications in wireless sensor networks (WSNs). Recently, Xue et al. proposed a temporal-credential-based mutual authentication and key agreement scheme for WSNs, and claimed that their scheme achieves identity and password protection, and the resiliency of stolen smart card attacks. However, we observe that Xue et al.’s scheme is subject to identity guessing attack, tracking attack, privileged insider attack and weak stolen smart card attack. In order to fix the drawbacks, we propose an enhanced authentication scheme with unlinkability. Additionally, the proposed scheme further cuts the computational cost. Therefore, the proposed scheme not only remedies its security flaws but also improves its performance. It is more suitable for practical applications of WSNs than Xue et al.’s scheme.