Simplified security notions of direct anonymous attestation and a concrete scheme from pairings

Direct Anonymous Attestation (DAA) is a cryptographic mechanism that enables remote authentication of a user while preserving privacy under the user’s control. The DAA scheme developed by Brickell, Camenisch, and Chen has been adopted by the Trust Computing Group for remote anonymous attestation of Trusted Platform Module, which is a small hardware device with limited storage space and communication capability. In this paper, we provide two contributions to DAA. We first introduce simplified security notions of DAA including the formal definitions of user controlled anonymity and traceability. We then propose a new DAA scheme from elliptic curve cryptography and bilinear maps. The lengths of private keys and signatures in our scheme are much shorter than the lengths in the original DAA scheme, with a similar level of security and computational complexity. Our scheme builds upon the Camenisch–Lysyanskaya signature scheme and is efficient and provably secure in the random oracle model under the LRSW (stands for Lysyanskaya, Rivest, Sahai and Wolf) assumption and the decisional Bilinear Diffie–Hellman assumption.     

分布式网络环境下的跨域匿名认证机制

TPM计算和存储能力的制约以及直接匿名认证（DAA）的复杂性,导致现有的DAA方案只适用于单可信域,针对此局限,提出了一种适合分布式网络并行、高性能及计算机协同工作特点的跨域匿名认证机制。该机制引入可信第三方——证书仲裁中心（CAC）完成跨域示证者的平台真实性验证,为身份真实的示证者颁发跨域认证证书,该证书一次颁发,多次使用,提高跨域匿名认证效率,同时防止CAC成为系统瓶颈。该模型具有高效、安全、可信等特点,且达到可控的匿名性,并通过通用可组合安全模型分析表明该机制安全地实现了跨域匿名认证。     

On the security enhancement for anonymous secure e-voting over computer network

Mu and Varadharajan proposed an electronic voting system which can be utilized in large-scale elections in 1998. Recently, Lin et al. showed that Mu and Varadharajan's scheme has a weakness. That is, voters can successfully vote more than once without being detected. To avoid this weakness, Lin et al. proposed a modified scheme. However, this paper shows that the Lin et al.'s modification allows the Authentication Server to identify the voters of published tickets so that voters will lose their privacy. An improved scheme is further proposed to solve this problem and thus enhance the security.     

Improving security of the ping-pong protocol

A security layer for the asymptotically secure ping-pong protocol is proposed and analyzed in the paper. The operation of the improvement exploits inevitable errors introduced by the eavesdropping in the control and message modes. Its role is similar to the privacy amplification algorithms known from the quantum key distribution schemes. Messages are processed in blocks which guarantees that an eavesdropper is faced with a computationally infeasible problem as long as the system parameters are within reasonable limits. The introduced additional information preprocessing does not require quantum memory registers and confidential communication is possible without prior key agreement or some shared secret.     

Improving the security level of the FUSION@ multi-agent architecture

The use of architectures based on services and multi-agent systems has become an increasingly important part of the solution set used for the development of distributed systems. Nevertheless, these models pose a variety of problems with regards to security. This article presents the Adaptive Intrusion Detection Multi-agent System (AIDeMaS), a mechanism that has been designed to detect and block malicious SOAP messages within distributed systems built by service based architectures. AIDeMaS has been implemented as part of FUSION@, a multi-agent architecture that facilitates the integration of distributed services and applications to optimize the construction of highly-dynamic multi-agent systems. One of the main features of AIDeMaS is that is employs case-based reasoning mechanisms, which provide it with great learning and adaptation capabilities that can be used for classifying SOAP messages. This research presents a case study that uses the ALZ-MAS system, a multi-agent system built around FUSION@, in order to confirm the effectiveness of AIDeMaS. The preliminary results are presented in this paper.     

基于主机的安全审计系统研究

文章综合入侵检测、访问控制等技术,以P2DR安全模型为基础,提出了一种适用于涉密局域网中UNIX主机的主机(服务器)安全审计系统的原型系统,其可行性基本得到了验证。模型以多级安全策略为基础,以全面增强主机安全。     

Improving cloud network security using the Tree-Rule firewall

This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable for working on some networks with huge firewall rule sizes. The Listed-Rule firewall is mathematically tested in this paper to prove that the firewall potentially causes conflict rules and redundant rules and hence leads to problematic network security systems and slow functional speed. To overcome these problems, we show the design and development of Tree-Rule firewall that does not create conflict rules and redundant rules. In a Tree-Rule firewall, the rule positioning is based on a tree structure instead of traditional rule listing. To manage firewall rules, we implement a Tree-Rule firewall on the Linux platform and test it on a regular network and under a cloud environment respectively to show its performance. It is demonstrated that the Tree-Rule firewall offers better network security and functional speed than the Listed-Rule firewall. Compared to the Listed-Rule firewall, rules of the Tree-Rule firewall are easier to be created, especially on a large network such as a cloud network.     

采用SELinux增强远程容灾系统的安全性

该文分析了基于自主访问控制机制的远程容灾系统存在的安全性问题。设计了一套基于SELinux的安全策略,采用强制类型访问控制,实现了最小权限和权责分离的安全原则,增强了远程容灾系统数据的安全性,并解决了容灾系统服务使用的合法性问题。     

Improving the security of arbitrated quantum signature against the forgery attack

As a feasible model for signing quantum messages, some cryptanalysis and improvement of arbitrated quantum signature (AQS) have received a great deal of attentions in recent years. However, in this paper we find the previous improvement is not suitable implemented in some typical AQS protocols in the sense that the receiver, Bob, can forge a valid signature under known message attack. We describe the forgery strategy and present some corresponding improved strategies to stand against the forgery attack by modifying the encryption algorithm, an important part of AQS. These works preserve the merits of AQS and lead some potential improvements of the security in quantum signature or other cryptography problems.     

Improving the security of industrial networks by means of formal verification

Computer networks are exposed to serious security threats that can even have catastrophic consequences from both the points of view of economy and safety if such networks control critical infrastructures, such as for example industrial plants. Security must then be considered as a fundamental issue starting from the earlier phases of the design of a system, and suitable techniques and tools should be adopted to satisfy the security-related requirements. The focus of this paper is on how formal methods can help in analysing the standard cryptographic protocols used to implement security-critical services such as authentication and secret keys distribution in critical environments. The analysis of the 802.11 shared key authentication protocol by S³A, a fully automatic software tool that is based on a formal approach, is illustrated as a case study, which also highlights the peculiarities of analysing protocols based on wireless channels.     

基于微服务架构的网络安全等级保护实践

近年来,微服务架构成为最流行的应用软件实现模式之一,它支持将应用的每个模块进行单独部署,将业务功能进行解耦。文章将微服务架构与传统的单体架构应用进行对比,并在安全方面对微服务架构在设计、编码、部署等环节进行详细阐述,从信息安全等级保护角度,提出了提高接口安全性、服务节点内部以及服务节点之间安全性的措施。     

利用智能手机控制主机安全登录系统的研究

利用智能手机控制主机安全登录是一项智能终端与密码机制相结合的新一代登录技术。首先简要介绍了Winlogon和GINA相互关系及Windows系统交互式登录的基本原理,然后提出了Windows平台下利用智能手机（基于Android平台）控制主机安全登录系统的研究并阐述了该系统所使用到的关键技术及其优势。利用智能手机应用界面的强大功能及蓝牙通信基础,实现了结合手机和PIN的双因子认证机制,极大地提高了系统登录的安全性,同时也避免了额外的投资和携带的不便。     

Improving the security of image manipulation detection through one-and-a-half-class multiple classification

Multimedia Tools and Applications - Protecting image manipulation detectors against perfect knowledge attacks requires the adoption of detector architectures which are intrinsically difficult to...     

非传统信息安全下的搜索引擎

搜索引擎已成为当今人们上网获取信息所不可缺少的一种手段,在得到自己所需要信息的同时也在暴露着自己的行踪,从而引出了保护个人隐私的大讨论。本文利用社会工程学原理从非传统信息安全角度分析,以通过QQ号入手,利用现有的搜索引擎的例子,来揭示搜索引擎在非传统信息安全下带来的危害,阐明社会工程学原理对非传统信息安全的重大影响,并提出相应的防范对策。     

Network security under siege: the timing attack

Although most encryption algorithms are theoretically secure and remain impervious to even the most sophisticated cryptanalytic techniques, new attacks like the timing attack exploit the engineering side of network security. A timing attack is basically a way of deciphering a user's private key information by measuring the time it takes to carry out cryptographic operations. Factors such as branching and conditional statements, RAM cache hits, processor instructions that run in nonfixed time, as well as performance optimizations to bypass unnecessary operations, all contribute to predictability and therefore to the probability of key decryption     

计算机网络媒介下的安全问题分析

计算机问世不过是上世纪的事情,而计算机技术发展十分迅速,新旧世纪之交就出现了互联网技术,步入新世纪以来的十几年里,互联网技术发展速度令人瞠目结舌,目前,互联网已经将整个世界变成地球村,人与人的交往变得十分方便快捷,然而由于网络世界存在一定的虚拟性,而这种虚拟并不是完全的,其中还包括网民的个人信息,因此保护这些个人信息,维护自己的隐私权就成了网络时代非常重要的任务。本文从计算机网络媒介的安全问题开始论述,重点讲述网络时代的常见危险和威胁,并对这些危险提出保护措施。     

Improving security of quantization-index-modulation steganography in low bit-rate speech streams

In this study, we mainly concentrate on quantization-index-modulation (QIM) steganography in low bit-rate speech streams, and contribute to improve its security. Exploiting the characteristics of codebook division diversity in the complementary neighbor vertices algorithm, we first design a key-based codebook division strategy, which follows Kerckhoff’s principle and provides a better security than the previous QIM approach. Further, to resist the state-of-the-art steganalysis, following a general belief that fewer and smaller cover changes are less detectable and more secure, we present an improved QIM steganography, which introduces random position selection to adjust the embedding rate dynamically, and employs matrix encoding strategy to enhance the embedding efficiency. The proposed approach is evaluated with ITU-T G.723.1 as the codec of cover speech and compared with the previous work. The experimental results demonstrate that the proposed approach outperforms the traditional QIM approach on both steganographic transparency and steganalysis resistance. Moreover, it is worth pointing out that our approach can effectively work in conjunction with not only G.723.1 codec but also all other parametric speech coders, and be successfully applied into Voice-over-Internet-Protocol systems.