基于Docker容器的航天网络隐私数据安全防护控制研究

隐私数据嵌入量过大会导致航天网络主机信息参量提取时间延长,数据安全性下降,所以研究基于Docker容器的航天网络隐私数据安全防护控制方法。利用Docker容器收集航天网络负载数据,评估Docker容器实时负载量,联合目标防护信息实现对航天网络Docker容器的调度。根据Docker容器调度和Paillier同态加密结果,提取静态污点后完成航天网络隐私数据的训练与处理。根据所得到的数据,定义混沌映射关系,通过离散变换的方式生成安全性种子密钥,结合安全防护控制函数求解结果实现航天网络隐私数据安全防护控制。实验结果表明,所提方法能够将隐私数据实时嵌入量控制在5.5GB以下,保证网络主机提取信息参量的时间不超过0.7ms,能够有效保证航天网络隐私数据安全性。     

软件保护的分析与思考

该文在分析了以往的软件加密方法和对比研究之后,得出将软硬件结合进行软件保护的方案,于是提出了基于硬盘序列号进行软件加密保护的研究。将软硬件加密技术结合使用,硬件方面通过对比分析得出要使用硬盘序列号进行加密依据,基于计算机硬盘序列号具有唯一性特点,可以更好的实现一码一机制,并且在软件加密技术上进一步改进,使用对称加密算法与非对称加密算法结合,让软件的保护强度进一步提高。     

一种口令加密工具的设计与实现

在利用对称加密算法时,密钥管理是安全系统考虑的主要问题。现有保存密钥的方法大都需要借助物理介质来保存,给用户带来了不便。为了解决这个问题,该文提出了一种基于口令的加密方案,能很好的解决密钥保护问题．最后在．Net平台下编程实现了一个基于口令的加密工具：实现创建自提取的可执行加密文件,使得基于口令的加解密可以独立的进行。     

基于CY7C68013安全U盘的硬件设计

针对现存安全U盘的不足,提出了一款集数据加/解密、认证、抵抗攻击于一体的大容量安全U盘硬件设计方案,它能够较好地保护密算法和密钥的安全,在超期或非法操作超过一定次数时可自动销毁算法和存储的数据.从安全模型、结构模型等方面进行阐述,重点介绍了USB接口控制模块、数据加/解密、安全芯片操作等几个关键模块的开发,最后从策略、密钥安全等方面对此U盘的安全性进行了整体分析.     

Protecting location privacy in mobile geoservices using fuzzy inference systems

Mobile geoservices, especially location-based services (LBSs), are becoming more popular each day. The most important goal of these services is to use a user’s location to provide location-aware services. Because the user’s spatial information can be abused by organizations or advertisers, and sometimes for criminal purposes, the protection of this information is a necessary part of such services. There has been substantial research on privacy protection in LBSs and mobile geoservices; most studies have attempted to anonymize the user and hide his/her identity or to engage the user in the protection process. The major defects of these previous approaches include an increased complexity of system architecture, a decrease in service capabilities, undesirable processing times, and a failure to satisfy users. Additionally, anonymization is not a suitable solution for context-aware services. Therefore, in this paper, a new approach is proposed to locate users with different levels of spatial precision, based on his/her spatio-temporal context and a user’s group, through fuzzy inference systems. The user’s location and the time of the request determine the spatio-temporal context of the user. A fuzzy rule base is formed separately for each group of users and services. An interview is a simple method to extract the rules. The spatial precision of a user’s location, which is obtained from a fuzzy system, goes to a spatial function called the conceptualization function, to determine the user’s location based on one of the following five levels of qualitative precision: geometrical coordinates, streets, parish, region, and qualitative location, such as the eastern part of the city. Thus, there is no need to anonymize users in mobile geoservices or to turn the service off. The applicability and efficiency of the proposed method are shown for a group of taxi drivers.     

Single password authentication

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user’s account information. In this paper, we propose several protocols that can allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and cross-site impersonation or honeypot attacks by the online service providers.     

Public key encryption without random oracle made truly practical

In this paper, we report our success in identifying an efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we focus our attention on a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto’92. Although Zheng and Seberry’s encryption scheme is very simple and efficient, its reductionist security proof has not been provided. We show how to tweak the Zheng-Seberry scheme so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. For the security proof, our first attempt is based on a strong assumption called the oracle Diffie-Hellman⁺ assumption. This is followed by a more challenging proof that employs a weaker assumption called the adaptive decisional Diffie-Hellman assumption, which is in alignment with adaptively secure assumptions advocated by Pandey, Pass and Vaikuntanathan.     

基于分存策略的软件保护博弈模型

软件保护技术普遍是通过完善代码和应用加密方案来达到保护软件的目的。针对软件代码的静态授权抗攻击能力以及软件加密的加密强度是否足够抵抗攻击的问题,提出一种基于分存策略的软件保护博弈模型。该模型采用分存策略对密钥进行分段,得到多个检验与抵抗软件破解者攻击的验证函数,把它们隐藏在程序中,使得软件运行时有多个不同的验证函数对程序进行保护。从博弈论的角度分析论证该模型,并将其应用于软件注册码验证的实例中,提高了软件代码的安全性。实验结果和分析表明了该模型的正确性和有效性。     

数字信息安全保护的关键技术

针对数字信息安全保护技术的研究现状,文章综述了数字信息安全保护的关键技术。在分析安全保护系统设计原则的基础上,重点讨论了数字信息安全保护中涉及到的加密、认证、密钥管理、证书吊销、数字水印、防篡改软硬件、权限描述语言规范等关键技术,进一步指出了发展趋势。     

CP2: Cryptographic privacy protection framework for online social networks

In Online Social Networks (OSNs), users interact with each other by sharing their personal information. One of the concerns in OSNs is how user privacy is protected since the OSN providers have full control over users’ data. The OSN providers typically store users’ information permanently; the privacy controls embedded in OSNs offer few options to users for customizing and managing the dissipation of their data over the network. In this paper, we propose an efficient privacy protection framework for OSNs that can be used to protect the privacy of users’ data and their online social relationships from third parties. The recommended framework shifts the control over data sharing back to the users by providing them with flexible and dynamic access policies. We employ a public-key broadcast encryption scheme as the cryptographic tool for managing information sharing with a subset of a user’s friends. The privacy and complexity evaluations show the superiority of our approach over previous.     

Design of DL-based certificateless digital signatures

Public-key cryptosystems without requiring digital certificates are very attractive in wireless communications due to limitations imposed by communication bandwidth and computational resource of the mobile wireless communication devices. To eliminate public-key digital certificate, Shamir introduced the concept of the identity-based (ID-based) cryptosystem. The main advantage of the ID-based cryptosystem is that instead of using a random integer as each user’s public key as in the traditional public-key systems, the user’s real identity, such as user’s name or email address, becomes the user’s public key. However, all identity-based signature (IBS) schemes have the inherent key escrow problem, that is private key generator (PKG) knows the private key of each user. As a result, the PKG is able to sign any message on the users’ behalf. This nature violates the “non-repudiation” requirement of digital signatures. To solve the key escrow problem of the IBS while still taking advantage of the benefits of the IBS, certificateless digital signature (CDS) was introduced. In this paper, we propose a generalized approach to construct CDS schemes. In our proposed CDS scheme, the user’s private key is known only to the user himself, therefore, it can eliminate the key escrow problem from the PKG. The proposed construction can be applied to all Discrete Logarithm (DL)-based signature schemes to convert a digital signature scheme into a CDS scheme. The proposed CDS scheme is secure against adaptive chosen-message attack in the random oracle model. In addition, it is also efficient in signature generation and verification.     

一种基于USBKey加解密技术的软件保护方案研究

长期以来,软件保护技术的研究越来越得到人们的重视。文章首先调研了针对软件攻击的破解和逆向机制,对市场上比较成熟的保护软件功能及特征进行了对比分析,在此基础上完成了一种基于USBKev和PE加壳的软件保护方案设计,实现了针对1）E可执行软件的加壳保护、反调试和反逆向的功能,并引入了USBKey硬件授权机制,提高了软件保护的可行性和安全性。最后,通过测试数据验证了系统的功能及安全性等特征。     

基于区块链的星间通信网络安全加密控制系统设计

目前设计的星间通信网络安全加密系统加密深度低,导致通信误码率高,无法保证星间通信网络安全;引入区块链技术设计一种新的星间通信网络安全加密系统;选择性能最优的LEO类型的卫星放置在中层的卫星网络通信轨道中,其他类型的LEO卫星则各个成为单独的卫星网络分体系,处理主体系中的杂乱通信信号;构建地面用户之间的链路关系及卫星网络链路,实现高阶层卫星通过无线电链路或光纤链路对下一阶层的卫星覆盖,完成系统硬件设计;引用区块链分布式数字化身份加密技术,通过用户使用密钥对公钥的加密保护结构图定位通信网络的状态以及通信网络的加密状态,在区块链公开性的基础上增添了用户的密钥,通过用户的独有密钥使用户使用公共的星间通信网络进行通信,实现星间通信网络安全加密;实验结果表明,基于区块链技术的星间通信网络安全加密系统能够有效提高网络安全加密系统加密深度,降低误码率。     

蜜罐加密技术在私密数据保护中的应用

针对传统加密技术脆弱性问题,将蜜罐加密技术应用到身份证号码、手机号码和银行卡密码的保护中以保证数据存储安全。首先,分析阐述了蜜罐加密技术原理,并设计了对蜜罐加密系统分布式转换加密器;然后,抽象了消息空间,对系统进行实现和性能评估,发现性能开销问题并提出增强型机制。在蜜罐加密设计与实现中,考虑到均衡分布和随机分布的消息空间,并将其运用到对称加密算法和公钥加密机制。通过所提设计、系统实现和实验结果得出以下结论：1）由于性能问题,蜜罐加密技术更适合小的消息空间;2）设计消息空间时需要考虑周全,不能带来指纹特征,否则不能解决暴力破解脆弱性问题;3）蜜罐加密的保护能力随应用的不同而不同;4）对于不同的应用,蜜罐加密技术的实现需要定制。     

基于RBAC的RFID安全认证协议

对于低成本RFID系统,其安全隐私问题一直是研究的热点。为了保护用户的隐私安全,现有的RFID安全认证协议主要采用Hash函数、传统加密算法等来保证标签信息的安全,虽然在一定程度上保证了信息的安全,然而这些协议却忽略了对非授权标签信息的保护。为了弥补以上缺陷和不足,提出了一种基于角色访问控制RBAC的RFID安全认证协议。通过引入RBAC机制,能够有效地确保非授权标签信息的安全性,并且可以抵抗重传攻击、内部阅读器攻击等攻击。同时,利用部分ID、位运算等方法降低系统对标签的硬件要求,更适合低成本RFID系统。     

Chaos-based image encryption scheme combining DNA coding and entropy

Information security has became more and more important issue in modern society, one of which is the digital image protection. In this paper, a secure image encryption scheme based on logistic and spatiotemporal chaotic systems is proposed. The extreme sensitivity of chaotic system can greatly increase the complexity of the proposed scheme. Further more, the scheme also takes advantage of DNA coding and eight DNA coding rules are mixed to enhance the efficiency of image confusion and diffusion. To resist the chosen-plaintext attack, information entropy of DNA coded image is modulated as the parameter of spatiotemporal chaotic system, which can also guarantee the sensitivity of plain image in the encryption process. So even a slight change in plain image can cause the complete change in cipher image. The experimental analysis shows that it can resistant different attacks, such as the brute-force attack, statistical attack and differential attack. What’s more, The image encryption scheme can be easily implemented by software and is promising in practical application.     

Password hardening based on keystroke dynamics

We present a novel approach to improving the security of passwords. In our approach, the legitimate user’s typing patterns (e.g., durations of keystrokes and latencies between keystrokes) are combined with the user’s password to generate a hardened password that is convincingly more secure than conventional passwords alone. In addition, our scheme automatically adapts to gradual changes in a user’s typing patterns while maintaining the same hardened password across multiple logins, for use in file encryption or other applications requiring a long-term secret key. Using empirical data and a prototype implementation of our scheme, we give evidence that our approach is viable in practice, in terms of ease of use, improved security, and performance. Published online: 26 October 2001     

一种新的抗剪切的数字图像加密算法

提出一种将图像的重要信息嵌入自身,再进行加密的算法。该算法将图像8×8块的重要信息嵌入到由Lorenz混沌系统决定的另一图像块中,再对嵌入自身信息后的图像采用Lorenz混沌系统进行像素加密。通过对实验结果分析,证明该算法具有较好的安全性和较强的抗剪切攻击能力。     

基于硬件的动态指令集随机化框架的设计与实现

针对现有的指令集随机化方法存在从代码段中剥离数据困难、静态指令集随机化密钥固定和伪随机数密钥不安全等问题,设计并实现了基于硬件的动态指令集随机化框架（HDISR）,通过在装载程序时加密程序代码,将指令集随机化引入内核层和应用层的安全防护,内核使用单独的内核密钥,不同的应用程序使用不同的用户密钥。实验结果表明,HDISR 能将代码注入攻击降级为拒绝服务攻击,且额外硬件损耗少于2.57%,每兆字节代码加密的启动延时0.31 s。     

基于动态许可证的信任版权安全认证协议

信任软件版权管理是数字版权体系中专门针对软件版权控制的一项重要研究内容.针对当前版权许可软件措施在安全性、有效性方面无法完全满足国际通用的最终用户许可协议(EULA)要求的问题,基于第三方可信中心提出了一种动态许可证支持的信任版权动态分布式安全认证协议.该协议将软件实体、软件运行环境以及版权状态联合考虑,通过"特征关联,原子授权,强制收权"的机制有效解决了"软件版权的安全保护,软件资源的任意迁移和软件内容的完整保持"这3方面的问题.协议交互中通过加密和数字签名保证分布式环境下数据的安全性和完整性,而实现上以代码随机验证签名实现反跟踪.分析证明,所提出的方案在可行性、安全性以及完备性方面均达到了ELUA协议的要求.与已有的方案相比,协议认证机制安全可靠,成本低且易于实施,为软件版权保护提供了一种全新的视野.