基于认证加密的NoC安全防护研究

片上网络的敏感信息在传输过程中可能会遭到窃取,针对这一安全威胁,提出了基于认证加密的No C安全防护技术。把执行同一应用、需要交换敏感信息的IP核划分在一个安全域内,安全域内的IP核用Diffie-Hellman协议协商密钥,密钥协商完成以后,用GCM认证加密算法对携带敏感信息的数据包进行加密和认证运算,从而有效保护数据包的机密性和完整性。仿真综合结果表明,该安全防护方案造成的传输延时小、资源消耗少,提高了No C的安全性和可靠性。     

基于格式保留的敏感信息加密方案

格式保留加密具有加密后数据格式和数据长度不变的特点,不会破坏数据格式约束,从而降低改造数据格式的成本。分析现有敏感信息格式保留加密方案,均基于对称加密体制,存在密钥传输安全性低和密钥管理成本较高等问题。提出了身份密码环境下基于格式保留的敏感信息加密方案,与现有的格式保留加密方案相比,通信双方不需要传递密钥,通过密钥派生函数来生成加密密钥和解密密钥,利用混合加密的方式提高了敏感信息传输的安全性。并且证明了该方案满足基于身份的伪随机置换安全,在适应性选择明文攻击下具有密文不可区分性。     

一个单方加密-多方解密的公钥加密方案

以Shamir的门限秘密共享方案和对称密码算法为基础,基于椭圆曲线上的双线性变换提出了一个具有多个解密者的单方加密-多方解密公钥加密方案.在该方案中,消息发送者具有一个唯一的加密密钥,而每个消息接收者都具有不同的解密密钥.使用加密密钥所加密的密文可以被任意解密密钥所解密,得到同样的明文信息.分析发现,该加密方案不仅安全有效,同时,它还具备前向保密性,即使加密者的主密钥泄露,也不会影响之前加密信息的安全性.文中方案具有非常重要的应用价值,尤其可以用来实现安全广播/组播和会议密钥的安全分发.     

多主密钥功能加密:基于LMSSS的M-KP-ABE方案

功能加密极大地拓宽了秘密信息的共享方式,但支持多主密钥功能性函数加密方案的构造问题仍未解决,多主密钥功能加密具有更强的表达能力和更广义的特性.在功能加密的一个子类密钥策略属性基加密上,首次提出了多主密钥形式的安全模型M-KP-ABE.利用线性多秘密共享方案,设计了该安全模型下的一个支持多主密钥功能性函数的加密方案.基于DBDH假设,在标准模型下证明方案在适应性选择挑战和自适应选择明文攻击下是安全的.该方案加密数据的访问策略更为灵活,可退化为单主密钥的加密方案,可构造具有精细访问树的方案,其计算量与单主密钥方案相等,具有较高的效率.     

基于KAD网络的加解密分析

针对KAD网络的去中心化,没有服务器协调的特点,介绍了KAD网络中密钥的生成与加密数据包的格式以及加解密流程。分析并解释了如何在没有服务器协调的情况下,使用已有信息生成密钥与获取密钥,并且能够通过网络传输,安全地发送数据报文。不仅保证接收方能正确获取加密数据包中的数据,而且确保不被监控与拦截。     

基于Android的密钥分存方案

针对Android客户端密钥安全存储问题,利用门限法和拉格朗日插值多项式提出一种基于Android的密钥分存方案。该方案通过口令动态推导出密钥,利用AES对信息进行加密,加密完成后将口令分存在Android手机的多个位置并销毁原始口令和密钥。解密时利用部分分存信息重组口令并生成密钥从而完成解密工作。方案降低了密钥泄漏的风险,提高了鲁棒性,可以应用于一般的商用软件加密方案中。     

基于证书的抗泄露的安全加密方案

近期实践表明密码系统容易受到各种攻击而泄漏密钥等相关秘密信息, 泄漏的秘密信息破坏了以前的已证明安全的方案, 因此设计抗泄漏的密码学方案是当前密码研究领域的一个热点研究方向。设计一个基于证书的加密方案, 总的设计思想是使用一个基于证书的哈希证明系统, 这个证明系统包含一个密钥封装算法, 用这个密钥封装算法结合一个提取器去加密一个对称加密所用的密钥, 那么得到的加密方案就是可以抵抗熵泄漏并且是安全的。对方案的安全性分析和抗泄漏性能分析, 表明本方案在抵抗一定量的密钥泄漏和熵泄漏时可以保持安全性。     

基于OpenPGP的安全邮件系统的研究与设计

研究了OpenPGP加密原理、加密密钥和密钥环、数据包、信任关系模型以及OpenPGP使用的几种主要算法,提出一种基于OpenPGP协议的客户端设计方法,保证了邮件安全.     

抗主密钥泄露和连续泄露的双态仿射函数加密

抗密钥泄露安全的加密系统保证在攻击者获得(主)密钥部分信息的情况下仍具有语义安全性.文中设计了一个抗密钥泄露的双态仿射函数加密方案,该方案中加密策略和解密角色定义为仿射空间,并且具有再次委托能力.在双系统加密模型下,实现了自适应安全的抗有界的主密钥泄露和用户密钥连续泄露的加密方案,在标准模型下基于静态子群判定假设证明了该方案的安全性.同时,分析了方案中的主密钥和用户密钥的泄露界和泄露率,通过参数调整可以达到接近73%的泄露率,具有较好的抗泄露性质.     

密钥弹性泄漏安全的通配模板层次委托加密机制

传统的密码方案假定密钥对可能的攻击者来说是完全隐藏的(只有算法是公开的),敌手无法获得有关密钥的任何信息.但在实际系统中,攻击者可在噪声信道或由侧信道攻击获得有关密钥的部分信息.密钥弹性泄漏安全的加密方案通过改进密码算法达到在密钥存在可能部分泄漏情况下的语义安全性.设计了一个抗密钥弹性泄漏的可委托层次模板加密方案.在该方案中,用户身份关联到含有通配符的身份模板,并可以实现再次密钥委托.该方案是抗泄漏的层次身份加密方案(hierarchical identity-based encryption,简称HIBE)和隐藏向量加密方案(hidden vector encryption,简称HVE)的一般扩展,可有效地抵抗密钥弹性泄漏,并达到自适应语义安全性.同时给出该方案的安全性证明和系统抗泄漏性能,分析显示,该方案具有较好的密钥泄漏容忍性.     

Preserving key in XML data transformation

Transformation of XML data is an important task in data exchange, data publishing and data integration. Specifically in data integration, data in XML sources is transformed to match the target schema. Some of these sources have XML keys defined. When the data is transformed, the keys also need to be transformed for constraint comparisons, consistency checking and unification in the target schema. Thus, how the keys are transformed, and whether the transformed keys are valid and preserved to the target schema are important problems in XML data transformation and integration. Towards this problem, we firstly define XML keys and their satisfactions. We then study how keys are transformed and whether transformed keys are valid when a source schema is transformed to a target schema. Finally we show whether the transformed keys are satisfied by the transformed document.     

基于访问控制和中国剩余定理的数据库密钥管理方案的研究

针对密文数据库中数据项加密时会出现数据项密钥量大和安全需求高的问题,通过引入中国剩余定理来管理数据项密钥,提出了一种新的基于访问控制和中国剩余定理的密钥管理方案。当用户申请用户密钥时,密文数据库可以将用户u_i能够访问的大量数据项对应的密钥K_i"合成"用户密钥uki并保存;当用户ui提供用户密钥uk_i和密文查询请求CQR访问密文数据库时,系统会根据系统表和中国剩余定理将用户密钥uk_i再分解成数据项密钥K_i,用户就可以解密数据。该方案不仅实现了对用户访问权限的管理,还解决了大量数据项密钥带来的数据处理时间长、占用系统资源多等问题,提高了密文数据库中密钥管理的效率和安全性。论文最后实现了该密钥管理方案,并对比分析了该方案的安全性。     

一种新颖的水印密钥系统

水印技术作为一种有效的信息隐藏方法,发展得非常迅速.大部分水印系统都只具有一把私钥,而且不能公开,但是在某些应用中需要公钥来恢复水印.如何保证公钥的产生不会影响私钥的性能,是水印密钥系统的关键问题.构造了一种水印密钥系统,提出了一种新颖的公钥生成方法.无须原始数据即可利用公钥恢复嵌入的标识符.由于公钥的产生只涉及部分水印信息,从而成功地解决了公钥生成与私钥之间的矛盾.实验结果表明,该系统是安全、有效的.     

Sharing your privileges securely: a key-insulated attribute based proxy re-encryption scheme for IoT

Attribute based proxy re-encryption (ABPRE) combines the merits of proxy re-encryption and attribute based encryption, which allows a delegator to re-encrypt the ciphertext according to the delegatees’ attributes. The theoretical foundations of ABPRE has been well studied, yet to date there are still issues in schemes of ABPRE, among which time-bounded security and key exposure protection for the re-encryption keys are the most concerning ones. Within the current ABPRE framework, the re-encryption keys are generated independently of the system time segments and the forward security protection is not guaranteed when the users’ access privileges are altered. In this paper, we present a key-insulated ABPRE scheme for IoT scenario. We realize secure and fine-grained data sharing by utilizing attribute based encryption over the encrypted data, as well as adopting key-insulation mechanism to provide forward security for re-encryption keys and private keys of users. In particular, the lifetime of the system is divided into several time slices, and when system enters into a new slice, the user’s private keys need are required to be refreshed. Therefore, the users’ access privileges in our system are time-bounded, and both re-encryption keys and private keys can be protected, which will enhance the security level during data re-encryption, especially in situations when key exposure or privilege alternation happens. Our scheme is proved to be secure under MDBDH hardness assumptions as well as against collusion attack. In addition, the public parameters do not have to be changed during the evolution of users’ private keys, which will require less computation resources brought by parameter synchronization in IoT.     

基于可信计算平台的加密文件系统

普通的加密文件系统能够对文件内容进行安全保护,加密文件与密钥被绑定在一起。但是,密钥仅仅通过弱口令来进行安全保护,这对系统来说是一个安全隐患,因此密钥保护是迫切需要解决的问题.通过运用TPM密钥树对整个文件系统中的密钥进行加密保护,将加密密钥同TPM所在平台进行绑定,从而实现密钥的安全保护,增强了整个系统的安全性。通过采用基于HMAC的数据检验,在保证安全性的同时,又提高了完整性校验的性能。     

Mathematical analysis and simulation of multiple keys and S-Boxes in a multinode network for secure transmission

The requirement of data security is an important parameter for all organizations for their survival in the world. Cryptography is the best method to avoid unauthorized access to data. It involves an encryption algorithm and the keys that are being used by the users. Multiple keys provide a more secure cryptographic model with a minimum number of overheads. There are various factors that affect the security pattern such as the number of keys and their length, encryption algorithm, latency, key shifting time, and users. In this paper, a new approach is proposed for generating keys from the available data. The analysis of various times, such as encryption, decryption, key setup, processing, and key shifting times, has been done. The model takes minimum time to replace the faulty keys with the fresh keys. In this paper, we consider all the above-mentioned factors and suggest an optimized way of using them.     

An automatic key discovery approach for data linking

In the context of Linked Data, different kinds of semantic links can be established between data. However when data sources are huge, detecting such links manually is not feasible. One of the most important types of links, the identity link, expresses that different identifiers refer to the same real world entity. Some automatic data linking approaches use keys to infer identity links, nevertheless this kind of knowledge is rarely available. In this work we propose KD2R, an approach which allows the automatic discovery of composite keys in RDF data sources that may conform to different schemas. We only consider data sources for which the Unique Name Assumption is fulfilled. The obtained keys are correct with respect to the RDF data sources in which they are discovered. The proposed algorithm is scalable since it allows the key discovery without having to scan all the data. KD2R has been tested on real datasets of the international contest OAEI 2010 and on datasets available on the web of data, and has obtained promising results.     

基于MQTT的数据加密传输算法

提出了一种改进MQTT协议的数据传输加密算法MQTT-EA （MQTT Encryption Algorithms）.该算法中,物联网设备端与服务器端随机生成自己的私钥,然后相互通知对方自己的私钥并通过算法组合成最终的会话主密钥,通过DES加密、解密,传输安全数据.模拟了敌手A、B对数据传输过程进行攻击,验证了在会话密钥生成算法没有泄露的前提下MQTT-EA是安全的.     

A Secured MultiParty Computational Protocol to Protect Cyber Space

ABSTRACT

In this paper, we show how our secured multiparty computation (SMC) protocols protect the data of an organization during the war from the cyberspace war when a large number of defense units interact with one another, while hiding the identity and computations done by them. SMC is a problem of information security when large organizations interact with one another for huge data sharing and data exchange. It is quite possible that during sharing and exchange, the private data also get hacked. In order to protect and secure the private data, the protocols of SMC need to be deployed in the large computer networks on which the organizations work. The protocols work at the micro-level in terms of cryptography with which the data are encrypted and then shared, while allowing the keys to be used for sharable data while also keeping the keys untouched for private data. At the macro level, multilevel architectures are used for different types of security to be achieved. The computation part of the secured multiparty computation is based on the algorithmic complexity theory. The algorithms realize the protocols in such a way that it is tedious to break (decrypt) the keys to hack the private data.