New Senior Editor Appointed to Network Security

Network Security is delighted to welcome Sarah Gordon, the acclaimed computer security and virus expert to its international editorial board as Senior Editor.This is a short news story only. Visit www.compseconline.com for the latest computer security industry news.     

计算机网络的一实体安全体系结构

提出了计算机网络的一种实体安全体系结构（ESA）。文中描述了计算机网络的组成实体,并讨论了各实体的安全功能分配。基于ESA,提出了基于政策的安全管理（PBSM）的概念,其中包括三层安全政策的定义：组织抽象安全政策、全局自动完全政策、局部可执行安全政策,并提出了PBSM的三个管理环节：制定、实施与验证,把网络作为一个整体来管理,实现安全管理的系统化和自动化。应用实体安全体系结构,分析了现有网络安全服务的不足和安全管理中存在的问题,指出了实现ESA的进一步研究工作。     

Minimizing TTP's involvement in signature validation

A digital signature applied on a message could serve as irrefutable cryptographic evidence to prove its origin and integrity. However, evidence solely based on digital signatures may not enforce strong non-repudiation. Additional mechanisms are needed to make digital signatures as valid non-repudiation evidence in the settlement of possible disputes. Most of existing mechanisms for maintaining the validity of digital signatures rely on the supporting services from trusted third parties, e.g., time-stamping and certificate revocation. Obviously, this is less efficient for on-line transactions. In this paper, we propose two new schemes for validating digital signatures as non-repudiation evidence that minimize the trusted third party's involvement. Major results have been published at ACISP'02 [21] and ISC'03 [22]. Jianying Zhou is a lead scientist at Institute for Infocomm Research (I2R), and heads the Internet Security Lab. He is also an adjunct professor in University of Science and Technology of China and an adjunct senior scientist in University of Malaga. Dr. Zhou worked in China, Singapore, and USA before joining I2R. He was a security consultant at the headquarters of Oracle Corporation, and took an architect role on securing e-business applications. He was a project manager at Kent Ridge Digital Labs, and led an R&D team to develop network security technologies. He was a post-doctoral fellow in National University of Singapore, and involved in a strategic research programme on computer security funded by National Science and Technology Board. He was formerly employed in Chinese Academy of Sciences, and played a critical role in a couple of national information security projects. Dr. Zhou obtained PhD degree in Information Security from University of London (sponsored by UK government and K C Wong Education Foundation), MSc degree in Computer Science from Chinese Academy of Sciences, and BSc degree in Computer Science from University of Science and Technology of China. His research interests are in computer and network security, cryptographic protocol, digital signature and non-repudiation, mobile communications security, public-key infrastructure, secure electronic commerce, and virtual private network. Dr. Zhou is actively involved in the academic community, serving on international conference committees and publishing papers at prestigious technical conferences and journals. He is a world-leading researcher on non-repudiation, and authored the book Non-repudiation in Electronic Commerce which was published by Artech House in 2001. He is a director in the board of International Communications and Information Security Association. He is a co-founder and steering committee member of International Conference on Applied Cryptography and Network Security, and served as program chair of ACNS 2003 and general chair of ACNS 2004. He received National Science and Technology Progress Award from State Commission of Science and Technology in 1995 in recognition of his achievement in the research and development of information security in China.     

C~2NI可适应性安全管理模型

安全问题并不是一个简单的技术问题,而是一个多方面,多角度的,基于密码安全、计算机安全、网络安全和信息安全的融合问题。仅仅依靠某一单项的技术并不能够解决所有的安全问题,因此在这里提出了C2NI(codesecurity,computersecurity,networksecurity&informationsecurity)可适应性安全管理模型,并由此来实现安全的动态管理。     

安全处理器研究进展

信息安全已经影响到一个国家的政治、军事、经济和文化等诸多领域。信息一般在计算机系统上存储和处理。计算机系统的核心器件是处理器,所以处理器的安全是计算机系统安全的基础,也是信息安全的基础。在可信计算、工业控制、身份识别、网络通信、电子支付等许多行业,都要用到安全处理器。文章对安全处理器发展过程进行了梳理,并根据应用场景、功能进行了分类,结合具体安全处理器架构,分析了各主要安全处理器的技术特点和不足之处,找出安全处理器研究中的规律。最后,总结全文,对安全处理器的研究进行了展望。     

Interview: Silver Bullet Speaks to Marcus Ranum

In the third episode of the Silver Bullet Security Podcast, Gary talks with Marcus Ranum, who is an acclaimed security guru widely credited with inventing the proxy firewall. Marcus and Gary discuss why Marcus thinks we're not making progress in the computer security field, how common sense would help computer security, and Richard Feynman.     

社保卡的安全体系研究

IC卡作为一种微型智能产品,目前广泛应用于各行各业。社保卡采用的是IC卡其中的一种,即CPU卡。社保卡作为在劳动保障领域办理有关事务的身份验证和交易消费的唯一电子凭证．安全性尤为重要。通过对社保卡内部结构和安全体系的设计要求的分析,在着重探讨社保卡的安全体系划分（安全状态、安全属性、安全机制、密码算法和密钥管理）、如何通过卡内操作系统COS来管理卡内软硬件资源以及如何通过安全通道与外界交换信息来保证用户数据安全的传输的基础上,以达到社保卡安全应用的目的。     

计算机网络安全中的防火墙技术应用研究

防火墙技术是计算机网络安全维护的主要途径,发挥高效的保护作用。随着计算机的应用与普及,网络安全成为社会比较关注的问题。社会针对计算机网络安全,提出诸多保护措施,其中防火墙技术的应用较为明显,不仅体现高水平的安全保护,同时营造安全、可靠的运行环境。因此,该文通过对计算机网络安全进行研究,分析防火墙技术的应用。     

WLAN环境下EAP-TLS认证机制的分析与实现

认证是计算机网络安全中的核心内容,是实现计算机网络安全的基础,在无线网络安全中同样占有非常重要的地位。在研究了无线局域网(WLAN)的认证机制基础上,其中扩展认证协议-传输层安全(EAP-TLS)是目前安全性能较高的认证方式,在实际网络平台中对其进行分析与实现。     

海量存储系统安全方案设计

安全是海量存储系统必须要考虑的重要问题。针对基于证书的安全模型存在的缺陷,本文提出一种基于身份的海量存储系统安全模型,并详细阐述了安全架构各部分的功能。测试结果表明基于身份的海量存储系统安全机制的效率比基于证书的安全机制有了较大的提高。     

安全处理器体系结构的现状与展望

安全处理器(Security Processor,SP)是处理器的一个重要分支,体系结构对其性能有重要的影响.介绍了各种不同的安全处理器的体系结构以及它们的优缺点,并根据它们各自的特点进一步介绍了它们的性能优化方法.通过对比研究发现,随着集成电路集成度提高,在安全处理器功耗水平和芯片面积维持较低增长的情况下,其可以逐步实现较以前更多、更难的功能,同时,其加解密速度、灵活性、可升级性等性能都获得较大的提升.另外,通过本文介绍,可以清晰地了解不同种类安全处理器的异同点和优缺点以及安全处理器发展的脉络,指导更好地设计和使用安全处理器.     

NSA providing computer security services to civilian sector

According to several documents provided to the Electronic Privacy Information Center (EPIC) in Washington, DC, USA the National Security Agency (NSA) is encouraging civilian agencies of the US Government to utilize its computer security services, including risk and threat assessments. According to knowledgeable officials in Washington, this is in blatant contravention of the Computer Security Act, which assigns such responsibilities to the National Institute of Standards and Technology (NIST).     

基于AHP理论的信息系统安全评估方法

文章基于《信息系统安全等级保护测评准则》,对其原子规则适用XML语言进行规则化表述,使用AHP理论,对准则层的规则量化其权重,建立了基于AHP理论的信息系统安全评估模型,克服了以往信息系统评测只定性分析,无定量计算的问题,量化的结果便于系统管理者全面地了解系统风险,以便加固系统。     

打造安全的网络环境之“云安全”

近来,国际和国内的安全专家和厂商纷纷提出了“云安全”的概念和基于“云安全”的计算机安全解决方案,并把“云安全”应用到各自的杀毒软件中。文中用通俗的语言讲解了“云安全”的思路、技术、难点及应用：     

计算机网络与信息安全系统的搭建研究

计算机网络对社会的影响日益增大,包括社会经济、国防教育以及很多的社会活动都离不开网络。计算机网络与信息系统的安全建立和系统的安全技术已经备受关注,计算机网络对信息安全的要求很高。介绍了计算机网络与信息安全存在的诸多问题,通过介绍如何搭建计算机网络与信息安全系统．让读者了解有关这方面的知识,并且使读者了解到计算机网络与信息安全系统的关键枝术问题。     

信息泄露防护技术在边防部队屏蔽机房建设中的应用

随着科学技术的迅速发展,部队信息化建设日新月异,计算机系统网络建设遍布各个角落,随之而来的系统安全问题也提到议事日程上来,机房屏蔽就是保证系统安全要求解决的问题之一。现在各级边防部队,特别是涉密部门对网络安全越来越重视,为防止信息泄露或系统被干扰,对屏蔽机房的建设也提出了更高的要求。本文对边防部队屏蔽机房建设采用信息泄露防护技术进行了系统阐述,提出了建设性指导意见。     

An enhanced encryption algorithm for video based on multiple Huffman tables

Encryption is one of the fundamental technologies that is used in the security of multimedia data. Unlike ordinary computer applications, multimedia applications generate large amount of data that has to be processed in real time. This work investigates the problem of efficient multimedia data encryption. A scheme known as the Randomized Huffman Table scheme was recently proposed to achieve encryption along with compression. Though this scheme has several advantages it cannot overcome the chosen plaintext attack. An enhancement of this Huffman scheme is proposed in this work which essentially overcomes the attack and improves the security. The proposed encryption approach consists of two modules. The first module is the Randomized Huffman Table module, the output of which is fed to the second XOR module to enhance the performance. Security analysis shows that the proposed scheme can withstand the chosen plaintext attack. The efficiency and security of the proposed scheme makes it an ideal choice for real time secure multimedia applications.     

数据信息安全保密技术浅析

计算机数据信息的安全保密措施可分为技术性和非技术性两类。技术性安全措施是指通过与系统直接相关的技术手段防止泄密的发生。非技术性安全措施主要是指行政管理、规章制度保证和其他物理措施等,它不受计算机系统控制,是施加于计算机系统之上的。     

A comment on the ‘basic security theorem’ of Bell and LaPadula

Many claim that the security model developed by Bell and LaPadula and used as a basis for numerous prototype military computer systems is superior to others partly because its authors prove a ‘Basic Security Theorem’ that applies to it. This paper shows that the theorem does not support such claims since it can be proven for security models that are obviously not secure. Further, the theorem provides little help to those who design and implement secure systems.