Similar literature
20 similar documents found; search took 109 ms.
1.
Most existing anonymous authentication schemes rely on a trusted center, the controllability of anonymity in them is rather arbitrary, and those built on the discrete logarithm approach are hard to compute. To address these problems, a new threshold anonymous authentication scheme without a trusted center is proposed. The scheme needs no trusted center: it uses the idea of group signatures to authenticate the prover's identity, and a secure multi-party computation protocol to realize threshold anonymous tracing of the prover's identity. The anonymity of the party being authenticated, the traceability of the prover, and the non-impersonability of identities satisfy the security requirements of anonymous authentication, and the authority deception that is possible when a trusted center exists is avoided.

2.
Digital rights management (DRM) technology has long been devoted to protecting digital content, particularly to preventing illegal use after sale, but the cryptographic protections it relies on are easily attacked and broken. To add protection at the hardware level, trusted DRM introduces the TPM security chip and uses the TPM to strengthen identity authentication and license authorization. To solve the problem of user privacy leakage during identity authentication, trusted DRM adopts the Direct Anonymous Attestation protocol. On this basis, an improved double-random-number signature scheme based on zero-knowledge authentication and the ElGamal algorithm is proposed, and its application in trusted DRM is described. Analysis shows that the scheme improves both security and anonymity.

3.
A P2P authentication scheme based on P2P persistent storage technology   Total citations: 1, self-citations: 1, citations by others: 0
The security, usability and cost of authentication methods are analyzed, and it is argued that introducing password-based authentication into P2P systems is necessary. Using persistent storage technology together with ideas from trusted computing and virtual systems, a distributed user database that stores user information and a trusted entity that performs authentication are constructed. This solves the two key problems of password-based identity authentication: users' personal information cannot be stored, and there is no objective, trusted authentication entity to carry out authentication. Theoretical analysis and a prototype system demonstrate the feasibility of the scheme, which is a useful attempt at improving P2P authentication.

4.
To address the current lack of a feasible trusted remediation network framework, a new and highly feasible trusted remediation network model is proposed. The functions and workflow provided by the model are described in detail, with emphasis on the communication mechanism and the authentication method of the trusted remediation network. Simulation results show that the framework provides timely and reliable remediation services to terminal users who do not satisfy the trusted network security policy, while preserving the security and trustworthiness of the network system.

5.
To ensure that mobile clients in wireless mesh networks can be authenticated securely and quickly, two Diffie-Hellman-based schemes are proposed: a fast access authentication scheme and a handover authentication scheme. In the access authentication scheme, a mesh client completes its initial access authentication through a 4-way handshake using pre-distributed tags, then computes a shared key for handover authentication and pre-distributes it to the target access points of the handover. As the client subsequently moves, it completes mutual authentication through a 3-way handshake using the shared key, without the participation of an authentication server. The security and performance costs of both schemes are analyzed; the results show that the proposed schemes have lower communication and computation costs, short authentication latency and high authentication efficiency, and are secure under the assumption that the network's legitimate users are trusted.

6.
Existing trusted network connection authentication protocols suffer from security problems such as one-way authentication, leakage of platform identity and configuration information, and inability to resist impersonation and replay attacks. A new authentication protocol is proposed. By introducing a trusted third party, the protocol achieves mutual authentication of both user identity and platform identity, which prevents impersonation attacks. The use of Direct Anonymous Attestation and timestamps protects platform identity and configuration information and prevents replay attacks. The protocol is formally described and analyzed with BAN logic, which verifies that it improves the security of authentication and has high practical value.

7.
Traditional USB-based monitoring systems suffer from problems such as the lack of a media identity authentication mechanism, difficulty in effectively isolating the different security levels, and low trustworthiness. A data transfer monitoring system based on a trusted mechanism is proposed to solve these problems. The system applies a mutual identity authentication scheme that combines dynamic passwords with fingerprint recognition together with file filter driver technology, builds the system's internal trust chain model with a "trusted component" as its root, and uses a multi-level security policy combining the driver layer and the application layer to strengthen...

8.
Based on the third edition of the WLAN Authentication Infrastructure (WAI) protocol, WLAN access authentication schemes for trusted environments are proposed in a pre-shared-key mode and a certificate mode. They achieve mutual user authentication and platform authentication between the station (STA) and the access point (AP), and are backward compatible with the third-edition WAI protocol. The authentication server (AS) is responsible for verifying the user certificates of the STA and AP, verifying their platform Attestation Identity Key (AIK) certificates, and evaluating platform integrity; the Stored Measurement Logs (SML) of the STA and AP are encrypted with digital envelope technology and transmitted to the AS, which effectively solves the problems of trusted WAI (TWAI). In addition, the schemes are proved secure using a strand space model tailored to trusted access authentication protocols.

9.
A self-certified multi-receiver signcryption scheme   Total citations: 1, self-citations: 0, citations by others: 1
Based on multi-receiver signcryption and self-certified cryptosystem theory, a self-certified multi-receiver signcryption scheme using bilinear pairings is proposed, and its security is proved under the hardness of the ECDL and BDH problems. The scheme needs no extra certificates when verifying the authenticity of public keys, and the trusted authority does not know users' private keys. Compared with existing schemes, it offers higher computational efficiency and lower communication cost, and is better suited to practical application.

10.
A scheme for controlled quantum teleportation with identity authentication is proposed. A trusted third party, Charlie, authenticates the identity of the receiver, Bob, using entanglement swapping; after Bob's legitimate identity is confirmed and the result is fed back to the sender, Alice, Alice transmits the quantum information. The scheme effectively defeats impersonation attacks and thus guarantees the security of quantum information transfer.

11.
Facing the increasing security issues in P2P networks, this paper proposes a scheme for resource sharing using trusted computing (TC) technologies. We advance an RS-UCON model with decision continuity and attribute mutability to control the usage process, and an architecture that illustrates how TC technologies support policy enforcement with bidirectional attestation. The properties required for attestation should include not only the integrity measurement values of the platform and the related application, but also the reputation of users and their access history, in order to avoid the limitations of existing approaches. To grant a permission, both the authorization and the conditions of the subject and the object in resource usage must be evaluated, so that trustable resources are transferred only to trusted users and platforms.

12.
To address the leakage of platform configuration information caused by traditional platform attestation in trusted computing environments, a new property-based attestation scheme is proposed. The model of the scheme is established and its concrete construction is given, including the setup, property certificate issuance, property proving and verification, and revocation algorithms. Compared with existing property-based attestation schemes, it has lower communication cost and higher computational efficiency. A security proof in the standard model establishes its correctness, configuration privacy and unforgeability.

13.
Trusted remote attestation is a very important part of trusted computing technology, and trust evidence is the foundation of trusted remote attestation. However, a study of the main existing trusted remote attestation methods reveals several problems in the research on trust evidence: first, the evidence is insufficient and cannot satisfy the needs of trusted attestation; second, the evidence is not organized rationally; finally, trustworthiness is somewhat subjective and related to the user's expectations, yet existing methods, when collecting evidence, do not take into account the user...

14.
Existing remote attestation schemes based on trusted computing have some merit in raising the level of security assurance, but they usually do not integrate tightly with the classical system security mechanism. In this paper, we present a component named the remote attestation-based access controller (RABAC), which is based on a combination of techniques such as random numbers, the Bell-LaPadula (BLP) model, and user identity combined with the user's security properties. The component can validate the current hardware and software integrity of the remote platform and implement access control under different security policies. We show that RABAC not only improves the security of the information transferred during the remote attestation process but also integrates remote attestation with the classical system security mechanism effectively.

15.
Trusted attestation is the main obstacle preventing the large-scale adoption of cloud computing. How to extend a trust relationship from a single physical node to an Infrastructure-as-a-Service (IaaS) platform is a problem that must be solved. The IaaS platform provides the Virtual Machine (VM), and the trusted VM, equipped with a virtual Trusted Platform Module (vTPM), is the foundation of the trusted IaaS platform. We propose a multi-dimensional trusted attestation architecture that collects and verifies trusted attestation information from the computing nodes and manages that information centrally on a cloud management platform. The architecture verifies the IaaS's trusted attestation by appraising the trusted status of the VM, the hypervisor, and the host Operating System (OS). The theory and the technology roadmap are introduced, and the key technologies are analyzed: dynamic measurement of the hypervisor at the process level, protection of vTPM instances, reinforcement of hypervisor security, and verification of the IaaS trusted attestation. A prototype was deployed to verify the feasibility of the system, and its advantages were compared with Open CIT (Intel's cloud attestation solution). A performance analysis experiment on the computing nodes shows that the performance loss is within an acceptable range.

16.
Traditional software-based SIP security schemes are vulnerable to credential theft, spoofing and intrusion. Combining trusted computing technology, a two-layer authentication structure covering both the terminal system and the user identity is designed, and a security scheme for Internet multimedia communication over SIP is proposed. The scheme uses the Trusted Platform Module and the Direct Anonymous Attestation algorithm to design a new SIP registration protocol, improving the security of the multimedia communication system. The security of the registration protocol is proved using a provable security model, and the characteristics of the whole scheme are analyzed.

17.
Existing CSCW systems cannot effectively guarantee the trustworthiness of terminal platforms or the integrity with which security policies and upper-layer applications are enforced. To address this, a CSCW access control architecture based on trusted computing technology and a role-based delegation policy between collaborating sites are proposed, and the protocols for distributing security policies and shared-object keys, for role delegation, and for policy integrity enforcement are described. An application example shows that the framework, built on a complete collaborative entity-platform-application trust chain, provides a trusted platform for collaborative entity identity and access control, relies on platform remote attestation and policy distribution to enforce integrity at the local site, and, through role delegation, improves collaboration capability while reducing the burden of centralized policy enforcement on the server side.

18.
Trusted configuration management is absolutely critical because it significantly affects trust chain establishment, sealed storage and remote attestation, especially on a trusted virtualization platform such as Xen, whose system configuration changes easily. A TPM (trusted platform module) context manager is presented to carry out dynamic configuration management for virtual machines. It manages TPM command requests and VM (virtual machine) configurations. A dynamic configuration representation method based on a Merkle hash tree is proposed in contrast to the TCG (Trusted Computing Group) static configuration representation. It reflects the true VM status in real time even after the configuration has changed, and it eliminates the invalidation of configuration representation, sealed storage and remote attestation. The TPM context manager supports TCG storage protection, remote attestation and similar functions, which greatly enhances security on the trusted virtualization platform.

19.
This paper proposes a security enhancement scheme for disaster tolerant systems based on trusted computing technology, combined with the idea of distributed threshold storage. The scheme takes advantage of a trusted computing platform with a trusted computing module, which provides features such as secure storage and remote attestation. These features effectively ensure the trustworthiness of each disaster tolerant point. Furthermore, distributed storage based on erasure codes not only addresses the problem of storing a great deal of data, but also tolerates single-node failure, alleviates network load, and counters joint cheating and many other security problems. Consequently, these security enhancement technologies give mass data global security protection during the course of disaster tolerance. Foundation Items: Supported by the National High Technology Research and Development Program of China (863 Program) (2008AA01Z404), the Science and Technical Key Project of the Ministry of Education (108087) and the Scientific and Technological Project of Wuhan City (200810321130)

20.
Journal of Tsinghua University (清华大学学报), 2020, 25(5): 625-635
Remote authentication is a safe and verifiable mechanism. In the Internet of Things (IoT), remote hosts need to verify the legitimacy of the identity of terminal devices. However, embedded devices can hardly afford sufficient resources for the necessary trusted hardware components, and software authentication with no hardware guarantee is generally vulnerable to various network attacks. In this paper, we propose a lightweight remote verification protocol. The protocol uses the unique response returned by a Physical Unclonable Function (PUF) as the basis of a terminal device's legitimate identity, and uses quadratic residues to encrypt the PUF authentication process, yielding a double identity verification scheme. Our scheme is secure against man-in-the-middle attacks on the attestation response and prevents collusion attacks that forge authentication.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号