Similar literature
 Found 11 similar documents; search took 0 ms
1.
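Analysis and Research on Certificate Revocation Mechanisms   Total citations: 1, self-citations: 1, citations by others: 0
Digital certificates are a key element in establishing and verifying trust between entities in e-government and e-commerce. In practice, a CA may, depending on circumstances, unexpectedly invalidate or revoke a certificate, so users who rely on a certificate should be able to learn its latest status as far as possible; this is essential to the trustworthiness of a PKI system. By analyzing CRL and OCSP, the two basic certificate revocation and status-query methods commonly used in China and abroad, the paper summarizes their advantages and disadvantages and the difficulties encountered in practical use. Finally, corresponding improvements are proposed so that users can obtain the latest certificate status in time, providing more reliable security for e-government and e-commerce.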

2.
Authentication and authorization in many distributed systems rely on the use of cryptographic credentials that in most of the cases have a defined lifetime. This feature mandates the use of mechanisms able to determine whether a particular credential can be trusted at a given moment. This process is commonly named validation. Among available validation mechanisms, the Online Certificate Status Protocol (OCSP) stands out due to its ability to carry near real time certificate status information. Despite its importance for security, OCSP faces considerable challenges in the computational Grid (i.e. Proxy Certificate’s validation) that are being studied at the Global Grid Forum’s CA Operations Work Group (CAOPS-WG). As members of this group, we have implemented an OCSP validation infrastructure for the Globus Toolkit 4, composed of the CertiVeR Validation Service and our Open GRid Ocsp (OGRO) client library, which introduced the Grid Validation Policy. This paper summarizes our experiences on that work and the results obtained up to now. Furthermore we introduce the prevalidation concept, a mechanism analogous to the Authorization Push-Model, capable of improving OCSP validation performance in Grids. This paper also reports the results obtained with OGRO’s prevalidation rules for Grid Services as a proof of concept.
Oscar Manso

3.
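杨刚 (Yang Gang), 曾广周 (Zeng Guangzhou), 《计算机工程》 (Computer Engineering), 2005, 31(16): 144-146
A PMI+PKI secure access control model based on a fast-table mechanism is proposed. By using a fast table with caching, the scheme lets a Web site that applies PMI+PKI technology verify certificate status and assign privileges itself, so that much of the verification work can be done locally, avoiding the network bottleneck caused by multi-level certificate authentication and reducing the load on the CA.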

4.
Even with the considerable advances in the development of middleware solutions, there is still a substantial gap in Internet of Things (IoT) and high-performance computing (HPC) integration. It is not possible to expose services such as processing, storage, sensing, security, context awareness, and actuating in a unified manner with the existing middleware solutions. The consequence is the utilization of several solutions with their particularities, thus requiring different skills. Besides that, the users have to solve the integration and all heterogeneity issues. To reduce the gap between IoT and HPC technologies, we present the JavaCá&Lá (JCL), a middleware used to help the implementation of distributed user-applications classified as IoT-HPC. This ubiquity is possible because JCL incorporates (1) a single application programming interface to program different device categories; (2) the support for different programming models; (3) the interoperability of sensing, processing, storage, and actuating services; (4) the integration with MQTT technology; and (5) security, context awareness, and actions services introduced through JCL application programming interface. Experimental evaluations demonstrated that JCL scales when doing the IoT-HPC services. Additionally, we identify that customized JCL deployments become an alternative when Java-Android and vice-versa code conversion is necessary. The MQTT brokers usually are faster than JCL HashMap sensing storage, but they do not perform distributed, so they cannot handle a huge amount of sensing data. Finally, a short example for monitoring moving objects exemplifies JCL facilities for IoT-HPC development.

5.
As portable devices have become a part of our everyday life, more people are unknowingly participating in a pervasive computing environment. People engage with not a single device for a specific purpose but many devices interacting with each other in the course of ordinary activity. With such prevalence of pervasive technology, the interaction between portable devices needs to be continuous and imperceptible to device users. Pervasive computing requires a small, scalable and robust network which relies heavily on the middleware to resolve communication and security issues. In this paper, we present the design and implementation of S-MARKS which incorporates device validation, resource discovery and a privacy module.

6.
Diana Berbecaru, Antonio Lioy, 《Software》, 2015, 45(11): 1457-1477
Since December 2009, the European Union Trusted Service Status Lists (TSLs) have been specified and adopted across European Union countries in order to enable the verification of digital signatures with legal values. This paper deals with the exploitation of TSLs in real digital services, other than electronic signatures, that is for certificate validation service. In particular, we used such lists in the service provided by the pan‐European Secure identTities acRoss boRders linKed identity management infrastructure in order to validate X.509 public key certificates. In addition, we propose an XML data structure to be used in conjunction with a TSL, in the form of a Trust Service Association (TrSA) file, to hold trust relationships between different services in a TSL. The TrSA file in conjunction with the TSLs may be used directly by the service providers or users to validate certificates. For the generation of the TSLs, we propose also a tool for automatic generation of the TSLs, named TSLGenerator. Copyright © 2014 John Wiley & Sons, Ltd.

7.
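To address the security and efficiency problems of student management systems, the shortcomings of existing systems are analyzed and a solution for a secure and efficient integrated student management system is proposed. The solution uses security middleware for the C/S architecture, SQL Server 2000 security settings that compensate for vulnerabilities in the TDS (Tabular Data Stream) protocol, and data sharing with existing database systems to ensure the availability and effectiveness of the management system, overcoming the low security and low efficiency of existing systems. Results from running the system, with a PowerBuilder front end and a SQL Server 2000 back end, show that the solution is feasible and effective.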

8.
A robust and flexible Digital Rights Management system for home networks is presented. In the proposed system, the central authority delegates its authorization right to the local manager in a home network by issuing a proxy certificate, and the local manager flexibly controls the access rights of home devices on digital contents with its proxy certificate. Furthermore, the proposed system provides a temporary accessing facility for external devices and achieves strong privacy for home devices. For the validation of delegated rights and the revocation of compromised local managers, a hybrid mechanism combining OCSP validation and periodic renewal of proxy certificates is also presented.

9.
In this contribution a novel model-based solution approach is introduced for medical networks and biotelemetric applications. Medical networks are communication networks that serve for the purpose of monitoring and protecting human health. These networks are designed to use biotelemetric ways to transmit the vital data to health observers such as doctors, nurses, first-aid teams, hospitals, and health agencies. These networks are also used in collective damages that may occur in situations such as flood, earthquake, war and terror and for treatments and follow-up of patients and to organize health teams more effectively and efficiently. Implementations using this model presented here provide a reference design. In addition MCP (Medical Communication Protocol) and MMP (Medical Management Protocol) are designed to reveal how communications between modules are designed. In this way, communication rules are explained clearly on the developed solution based on the model.

10.
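A Unified Mathematical Model of Secure Wireless Communication Based on Spatial Scrambling and a Method for Eavesdropping on It   Total citations: 1, self-citations: 0, citations by others: 0
Spatial scrambling methods such as artificial noise and random weighting of antenna arrays can secure wireless communication at the physical layer. The two share the same physical essence: confidential information is transmitted in the direction of the intended user, while artificial interference is transmitted in the directions orthogonal to it. However, because the number of transmit antennas is limited, this artificial interference is not white noise in the spatial domain, and an eavesdropper can use multi-antenna reception techniques to suppress the interference and then demodulate the secret information. This paper establishes a consistent mathematical model for the two spatial scrambling methods above and, on that basis, exploits the finite-alphabet property of communication symbols to propose a MUSIC-like eavesdropping algorithm. Simulation results show that when the eavesdropper has more antennas than the transmitter, the eavesdropping algorithm can effectively intercept the confidential information.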

11.
In this paper we propose a new simulation platform called SIMCAN, for analyzing parallel and distributed systems. This platform is aimed to test parallel and distributed architectures and applications. The main characteristics of SIMCAN are flexibility, accuracy, performance, and scalability. Thence, the proposed platform has a modular design that eases the integration of different basic systems on a single architecture. Its design follows a hierarchical schema that includes simple modules, basic systems (computing, memory managing, I/O, and networking), physical components (nodes, switches, …), and aggregations of components. New modules may also be incorporated to include new strategies and components. Also, a graphical configuration tool has been developed to help untrained users with the task of modelling new architectures. Finally, a validation process and some evaluation tests have been performed to evaluate the SIMCAN platform.
