Similar literature
 Found 20 similar documents; search took 15 ms
1.
《Computer Networks》2007,51(12):3525-3548
With the advent of digital technologies and widening Internet bandwidth in recent years there has been a marked rise in new multimedia services, including teleconferencing, pay-per-view TV, interactive simulations, software updates and real-time delivery of stock market information. Multicast data distribution has been used in controlled environments to deliver such services. However, the lack of secure, accountable multicast data distribution has prevented its use in general Internet environments. Proposals for multicast security solutions so far are complex and often require trust in intermediate components or are inefficient. A secure multicast protocol suite must provide data confidentiality and multicast packet source authentication. In this paper we present a robust, simple and efficient multicast key management protocol based on proxy encryption and a multicast data source authentication mechanism based on symmetric message authentication codes. The solutions are analyzed and compared to previously published schemes. The results show that the proposed schemes are efficient and scalable relative to existing schemes.

2.
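To address resource sharing and secure interoperation in distributed information systems, a management platform and a middleware module are added to the multilevel security model, and a multilevel secure access control policy suited to distributed systems is proposed, ensuring data confidentiality and a secure, controllable access process. The security policy is described in a standardized form using XACML, and the policy is analyzed for security and flexibility.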

3.
Internet of things (IoT) has been considered as one of the most promising technologies over the next decade. One of the basic requirements of IoT is the global communication connectivity between smart objects. LTE-A has been considered as the main communication channel for connecting devices. For this reason, the machine-type communication (MTC) has been defined in the 3GPP LTE-A specification. With the rapid growth of the IoT devices, MTC in LTE-A faces many challenges. The primary design of an LTE-A network is to support the human-type communication (HTC). However, MTC and HTC have different characteristics, such as packet size, traffic arrival rate, and delay tolerance. How to accommodate a large amount of MTC traffic without affecting the grade of service of the HTC is challenging. More specifically, before accessing the LTE-A network, a random access (RA) procedure needs to be performed by a device to synchronize in the uplink of an eNB. Since the number of MTC devices is expected to be much greater than the HTC devices, without suitable access control, the success rate of the RA requests from the HTC devices can be significantly degraded. Therefore, this research aims to design an appropriate RA procedure to relieve this problem. The authors propose an Adaptive RACH Resource Allocation (ARRA) which integrates several control schemes, including a Resource Allocation scheme, an Access Class Barring scheme, and a Priority Device Setting scheme. Simulation results show that the proposed ARRA is able to achieve a higher access success rate and a lower latency for HTC devices while providing a different quality of service to different types of MTC devices.

4.
5.
Nodes in a sensor network may be lost because of power exhaustion or malicious attacks. Therefore, new node deployment is necessary. Based on elliptic curve cryptography (ECC), this paper presents a new access control protocol for secure wireless sensor networks. The authentication procedure and common key generation are very simple and efficient. It is quite adequate for power and resource constrained sensor nodes. In addition, the proposed scheme can be easily implemented as a dynamic access control because all the old secret keys and broadcasting information in existing nodes should not be updated once a new node is added.

6.
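As workflow technology develops, workflow management systems place higher demands on access control and permission management. Considering the needs of practical applications and the characteristics of workflow management systems, and building on existing role-based access control models, a role-based multi-layer access control security model for workflows is proposed and successfully applied to the quality supervision process of the automotive parts industry. In that quality supervision system the model makes good use of role-based access control policies and, taking into account system-wide and real-time authorization, authorizes by layer by dividing the workflow model into three layers (workflow layer, control layer, data layer), which further improves the model's security.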

7.
8.
How to securely transmit data is an important problem in Internet of Things (IoT). Fuzzy identity-based encryption (FIBE) is a good candidate for resolving this problem. However, existing FIBE schemes suffer from the following disadvantages: rely on random oracle models, merely secure in selective-ID model, long public parameters, and loose security reduction. In this paper, we propose a new FIBE scheme. Our scheme is secure in the full model without random oracles, and at the same time has a tight security reduction and short public parameters. This means that our scheme is quite suitable for securely transmitting data in IoT.

9.
Traditional cellular systems may not be appropriate to support machine-type communications (MTC) due to a large number of devices and relatively small, infrequent data transmissions. The 3GPP has identified the MTC as an important area of the LTE system and has discussed several mechanisms that control random access (RA) overload caused by massive MTC devices. In this paper, we show that a retransmission mechanism of RA may lead to performance degradation in an overload situation, and propose two RA solutions that relieve the RA overload. Since the RA success probability is closely related with the number of simultaneous RA attempts, the first solution adjusts the maximum number of RA retransmissions to control the amount of RA attempts. The second solution separates the RA resources into two subsets that MTC devices can access according to the number of consecutive RA failures and distributes the RA traffic over the two subsets. The two proposed solutions are analyzed by a mathematical model assuming a simplified operation, and a more realistic environment is considered by protocol-level simulations. Since the performance of the proposed solutions depends on the system configurations and parameters, the base station may adaptively adjust them for an optimal operation.

10.
XML can supply the standard data type in information exchange format on a lot of data generated in running database or applied programs for a company by using the advantage that it can describe meaningful information directly. Accordingly since there are increasing needs for the efficient management and telemedicine security of the massive volume of XML data, it is necessary to develop a secure access control mechanism for XML. The existing access control has not taken information structures and semantics into full consideration due to the fundamental limitations of HTML. In addition, access control for XML documents allows read operations only, and there are problems of slowing down the system performance due to the complex authorization evaluation process. To resolve this problem, this paper designs and builds an XACS (XML Access Control System), which is capable of making fine-grained access control. This only provides data corresponding to its users’ authority levels by authorizing them to access only the specific items of XML documents when they are searching XML documents in telemedicine. To accomplish this, XACS eliminates certain parts of the documents that are inaccessible and transmits the parts accessible depending on the users’ authority levels. In addition, it can be expanded to existing web servers because XML documents are used based on the normal web sites. The telemedicine secure and the guidelines are provided to enable quick and precise understanding of the information, and thus the safety enhancement gets improved. Ultimately, this paper suggests an empirical telemedicine application to confirm the adequacy and validity using the proposed method.

11.
We propose an efficient access control labeling scheme for secure query processing under dynamic Extensible Markup Language (XML) data streams. In recent years, XML has become an active research area. In particular, the need for an efficient and secure query processing method for dynamic XML data in a ubiquitous data stream environment has become very important. The proposed access control labeling scheme supports the efficient processing of dynamic XML data, eliminating the need for re-labeling and secure query processing. Our proposal has the advantage of having an adaptable access control scheme for an existing XML labeling method.

12.
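Secure multicast is a problem that must be solved before multicast technology can become practical. Designing an efficient key management scheme when group membership changes dynamically is the main problem in secure multicast research. This paper proposes a hierarchical multicast key management scheme based on the LKH model. Using a layering mechanism, the scheme divides a multicast group into several subgroups and uses an exponential function and random keys, so that when a member leaves the multicast group the actual key update is carried out by the group members themselves. Compared with traditional schemes, it reduces key update overhead, improves key update efficiency, and reduces key storage.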

13.
This article presents the experience gained over many years by Shell in the use of electronic business communications which have resulted in carefully developed strategies for maintaining control and security of sensitive electronic messages. These ideas include accreditation and certification schemes, the use of digital signatures, and the introduction of TTPs.

14.
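Considering the characteristics of access control in grid environments, the shortcomings of existing grid security access control schemes are analyzed and the GRBAC-DM model is proposed. Built on virtual organizations and using an RBAC policy, the model achieves distributed management and authorization across trust domains; by separating the access control module from the policy and resource management module, it meets the requirements of resource dynamics and policy autonomy and fits the inherent characteristics of grid environments. A formal description of the model, rules for role classification and resource grouping, and the concrete structure of the access control and resource management modules are given.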

15.
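Research on integrating privacy protection and access control in secure databases*   Total citations: 2, self-citations: 0, citations by others: 2
Legitimate use of database data and privacy protection are new challenges for modern secure database systems. Because considering privacy protection or access control alone cannot meet both the information security and the processing performance requirements of a database, a secure database model that integrates access control and privacy protection is proposed. By relating query suspiciousness in the query-auditing privacy protection model to query validity in the authorization-view access control model, it forms a unified method for judging queries, and it gives an auditing algorithm with polynomial time complexity and an integrated security checking framework, so as to provide both the privacy protection and the access control security functions of a database system.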

16.
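Access control is at the core of modern enterprise information system design; it controls user behavior and protects system resources. Traditional access control modules are tightly coupled to the application system, so they cannot be reused well. This paper introduces the Lightweight Directory Access Protocol (LDAP) and the Role-based Access Control (RBAC) model, and designs an efficient, secure access control system based on them. The system has been applied in a provincial postal integrated service platform, where it effectively resolves some shortcomings of the original system design.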

17.
Hierarchical access control policies, in which users and objects are associated with nodes in a hierarchy, can be enforced using cryptographic mechanisms. Protected data is encrypted and authorized users are given the appropriate keys. Lazy re-encryption techniques and temporal hierarchical access control policies require that multiple keys may be associated with a node in the hierarchy. In this paper, we introduce the notion of a multi-key assignment scheme to address this requirement. We define bounded, unbounded, synchronous, and asynchronous schemes. We demonstrate that bounded, synchronous schemes provide an alternative to temporal key assignment schemes in the literature, and that unbounded asynchronous schemes provide the desired support for lazy re-encryption.

18.
International Journal of Information Security - The advent of blockchain technology has ushered a paradigm shift in storage of healthcare data from conventional to online mode. As public ledgers,...

19.
20.
《Computer Networks》2007,51(11):3197-3219
The need for content access control in hierarchies (CACH) appears naturally in all contexts where a set of users have different access rights to a set of resources. The hierarchy is defined using the access rights. The different resources are encrypted using different keys. Key management is a critical issue for scalable content access control. In this paper, we study the problem of key management for CACH. We present main existing access control models, and show why these models are not suitable to the CACH applications, and why they are not implemented in the existing key management schemes. Furthermore, we classify these key management schemes into two approaches, and construct an access control model for each approach. The proposed access control models are then used to describe the schemes in a uniform and coherent way. A final contribution of our work consists of a classification of the CACH applications, a comparison of the key management schemes, and a study of the suitability of the existing schemes to the CACH applications with respect to some analytical measurements.
