A DRM system based on mobile agent for digital rights redistribution

We propose a digital rights management （DRM） system based on mobile agent to protect the copyrights of content providers. In the system, the content provider creates a time limited blackbox out of an original agent and dispatches it to the user end to enforce DRM functions. The blackbox is an agent that can resist the attacks from the malicious user in a certain time interval. Owing to digital rights redistribution support, the user whose rights belong to redistribution category can transfer his rights to other users. Moreover, by introducing public key infrastructure （PKI） and certificate authority （CA） role, the security of the session can be ensured. An analysis of system security and performance and a comparison with traditional DRM system is given.     

Security Considerations Based on PKI/CA in Manufacturing Grid

In the manufacturing grid environment, the span of the consideration of security issues is more extensive, and the solutions for them are more complex, therefore these problems in manufacturing grid can＇t longer be addressed by existing security technologies. In order to solve this problem, the paper first puts forward the security architecture of manufacturing grid on the basis of the proposal of the security strategies for manufacturing grid; then the paper introduces key technologies based on public key infrastructure-certificate authority （PKI/CA） to ensure the security of manufacturing grid, such as single sign-on, security proxy, independent authentication and so on. Schemes discussed in the paper have some values to settle security problems in the manufacturing grid environment.     

One-way quantum identity authentication based on public key

Based on public key, a quantum identity authenticated （QIA） system is proposed without quantum entanglement. The public key acts as the authentication key of a user. Following the idea of the classical public key infrastructure （PKI）, a trusted center of authentication （CA） is involved. The user selects a public key randomly and CA generates a private key for the user according to his public key. When it is necessary to perform QIA, the user sends a sequence of single photons encoded with its private key and a message to CA. According to the corresponding secret key kept by CA, CA performs the unitary operations on the single photon sequence. At last, the receiver can judge whether the user is an impersonator.     

基于移动Ad Hoc网络的分布式RSA密钥生成机制

移动Ad Hoc网络(MANET)是一种具有全新概念的无线网络,不依赖于任何固定物理基础设施和集中式组织管理机构,通过无线信道实现移动节点之间的通信.然而Ad Hoc网络的固有特性使其更易遭受各种安全威胁,在基于分布式PKI/CA体制的安全解决方案中如何生成和分发CA密钥将是一个具有挑战性的问题.对现有的几种方案进行了分析讨论,指出了其中存在的问题,并就此提出了一种基于门限RSA密码体制的分布式CA密钥共享生成机制,提高了系统的安全性和鲁棒性.     

Analysis and Application for Integrity Model on Trusted Platform

To build a trusted platform based on Trusted Computing Platform Alliance (TCPA)‘s recommendation, we analyze the integrity mechanism for such a PC platform in this paper. By combinning access control model with information flow model, we put forward a combined process-based lattice model to enforce security. This model creates a trust chain by which we can manage a series of processes from a core root of trust module to some other application modules. In the model,once the trust chain is created and managed correctly,the integrity of the computer‘s hardware and sofware has been mainfained, so does the confidentiality and authenticity. Moreover, a relevant implementation of the model is explained.     

An Improved Grid Security Infrastructure by Trusted Computing

Current delegation mechanism of grid security infrastructure （GSI） can＇t satisfy the requirement of dynamic, distributed and practical security in grid virtual organization. To improve this situation, a TC-enabled GSI is discussed in this paper. With TC-enabled GSI, a practical delegation solution is proposed in this paper through enforcing fine granularity policy over distributed platforms with the emerging trusted computing technologies. Here trusted platform module is treated as a tamper-resistance module to improve grid security infrastructure. With the implement of Project Daonity, it is demonstrated that the solution could gain dynamic and distributed security in grid environment.     

Trust Based Pervasive Computing

Pervasive computing environment is a distributed and mobile space. Trust relationship must be established and ensured between devices and the systems in the pervasive computing environment. The trusted computing （TC） technology introduced by trusted computing group is a distributed-system-wide approach to the provisions of integrity protection of resources. The TC＇s notion of trust and security can be described as conformed system behaviors of a platform environment such that the conformation can be attested to a remote challenger. In this paper the trust requirements in a pervasive/ubiquitous environment are analyzed. Then security schemes for the pervasive computing are proposed using primitives offered by TC technology.     

Design and Implementation of a Bootstrap Trust Chain

The chain of trust in bootstrap process is the basis of whole system trust in the trusted computing group （TCG） definition. This paper presents a design and implementation of a bootstrap trust chain in PC based on the Windows and today＇s commodity hardware, merely depends on availability of an embedded security module （ESM）. ESM and security enhanced BIOS is the root of trust, PMBR （Pre-MBR） checks the integrity of boot data and Windows kernel, which is a checking agent stored in ESM. In the end, the paper analyzed the mathematic expression of the chain of trust and the runtime performance compared with the common booring process. The trust chain bootstrap greatly strengthens the security of personal computer system, and affects the runtime performance with only adding about 12% booting time.     

Fault Tolerant Approach for Data Encryption and Digital Signature Based on ECC System

An integrated fault tolerant approach for data encryption and digital signature based on elliptic curve cryptography is proposed. This approach allows the receiver to verify the sender‘s identity and can simultaneously deal with error detection and data correction. Up to three errors in our approach can be detected and corrected. This approach has atleast the same security as that based on RSA system, but smaller keys to achieve the same level of security. Our approach is more efficient than the known ones and more suited for limited environments like personal digital assistants (PDAs), mobile phones and smart cards without RSA coprocessors.     

A mobile accessible closed multi-part group communication scheme in IPv6 network

To solve the problems of current IP multicast which includes poor inter-domain many-to-many group support, security vulnerabilities and dependency to specific multicast infrastructure, a mobile accessible closed multi-part group （MACMPG） communication protocol in IPv6 network is proposed. By extending the single source multicast protocol, the communication channel for multi-part group communication across domains is established. Based on lPv6 CGA, the secure closed group communication scheme is designed. The access to the multicast traffic only confined to the authorized senders and receivers and only trusted routers are allowed to be the branch points of MACMPG tree. By tunneling mechanism, the MACMPG traffic can be transmitted across non-MACMPG routing area, and the mobile nodes can join the group remotely and roam freely between domains, which eliminates the dependency on specific IP multicast routing.     

BBACIMA： A Trustworthy Integrity Measurement Architecture through Behavior-Based TPM Access Control

Two limitations of current integrity measurement architectures are pointed out： （1） a reference value is required for every measured entity to verify the system states, as is impractical however; （2） malicious user can forge proof of inexistent system states. This paper proposes a trustworthy integrity measurement architecture, BBACIMA, through enforcing behavior-based access control for trusted platform module （TPM）. BBACIMA introduces a TPM reference monitor （TPMRM） to ensure the trustworthiness of integrity measurement. TPMRM enforces behavior-based access control for the TPM and is isolated from other entities which may be malicious. TPMRM is the only entity manipulating TPM directly and all PCR （platform configuration register） operation requests must pass through the security check of it so that only trusted processes can do measurement and produce the proof of system states. Through these mechanisms malicious user can not enforce attack which is feasible in current measurement architectures.     

一种安全高效的入侵容忍CA方案

CA是PKI中的关键设施。CA的私钥一旦泄漏,该CA签发的所有证书就只能全部作废;因此,保护在线CA私钥的安全是非常重要的。将CA的私钥以门限密码技术分享在n个部件中,不仅保证了CA私钥的机密性和可用性,同时使CA具备了入侵容忍性。所提出的CA方案,私钥以Shamir的拉格朗日多项式方式分享,更适合实际需求,实验表明具有良好的性能。     

基于PKI/PMI的移动代理安全访问

移动代理应用需要解决的首要问题是安全性．本文在分析移动代理系统安全需求及PKI、PMI特点的基础上,提出了一种以PKI／PMI和RBAC为基础的移动代理安全策略．利用PKI实现移动代理安全认证,将PMI属性证书与RBAC相结合．实现移动代理访问权限分配和代理服务器资源访问控制．同时详细阐述了其实现的基本过程。     

网格安全模型中关键策略的研究

给出了一个独立于平台的网络安全模型,并对网络安全模型中的认证和授权等关键策略作了分析。这些关键策略包括:基于桥接CA(认证中心)的PKI(公钥基础设施)管理方式、基于虚拟组织的认证策略、网络环境中委托授权的访问控制策略等。采用这些策略有利于不同PKI管理策略的虚拟组织之间认证,简化了网格的安全认证,能够对网络资源进行动态有效地管理。     

A Method of Homomorphic Encryption

0 IntroductionWittahliz tahtieo nde,vtehloepi mmepnotrt oanfc ien foofr tmhaet isoenciuzraittiyo nan adnsdec driegciy-of informationis increasingly recognized. Ordinary encryptioncan’t compute the ciphertext data, however , homomorphicencryption scheme can doit andfurthermore encrypt operationvalue automatically. Therefore, homomorphic encryptionscheme can be widely used in multi-party computation,elec-tronic voting,and mobile cryptography[1-3].Inthis paper ,theinterrelated technology of homo…     

The Reliability Design and Availability Analysis of a Distributed Storage System

Current distributed parallel file systems and database systems can not satisfy the demands of data-intensive applications, such as storage capacity, access performance, reliability, scalability, and so on. Cluster-based storage sys tems have some shortcomings, too. To solve this kind of problems, a novel PC storage cluster solution is proposed, a distributed storage system based on 3-tiered agent architecture is designed, the system reliability model based on the masterslave backup mode is built, and the system availability is analyzed with the Markov model. According to the system availability formula and the values of the system parameters, the novel system can provide higher reliability and availability to satisfy users＇ requirements,     

Methods for Increasing Creditability of Anomaly Detection System

Based on Bayes‘ theorem we point out that the false positive rate must be lower than the intrusion base rate in order to make the Alarm Credibility Probability of the intrusion detection system exceed 50%. We present the methods that have been used in our developing intrusion detection system AIIDS (artificial immune intrusion detection systems) to increase the creditability of anomaly detection system. These methods include increasing the regularities of the system call trace by use of Hidden Markov Model (HMM), making every antibody or detector has finite lifetime, offering the detector a co-stimulate signal to illustrate whether there is damage in the system according to the integrity, confidentiality, or availability of the system resource.     

Design of PKI-based mobile bank security system

With the development of the wireless network technology, the wireless band becomes more and more wide, and the development of the microelec-tronic technology has also improved the computati-onal speed and memory capacity of the mobile devices. They brought the infinite prospects for the wireless mobile e-commerce. However security is key to lau-nching mobile e-business. Public key infrastructure(PKI) can satisfy mobile e-business security's requirement. The suitable asymmetrical encryption and signature algorithm were selected, and simply SSL so that PKI can provide better secure information between client and client server.     

异构信任域的跨域授权

针对跨IBE(基于身份加密)和PKI(公开密钥基础构架)异构域可信互联,提出一种实现跨域授权的解决方案.该方案将PKG和CA作为各自域TPKG和TCA内用户的代理,并把它们注册到对方域内成为特殊用户ClientPKG和ClientCA,借助映射后的ClientPKG和ClientCA构成跨异构域信任链,真实、客观地实现了PKI和IBE域内任意用户的跨域授权.