Found 20 similar documents (search time: 125 ms)
1.
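Removable storage devices are passive devices whose security protection usually depends on the security mechanisms of the host terminal system, which provide security at the cost of reduced system usability. This paper proposes TRSF (Trusted Removable Storage Framework), a removable storage device architecture based on trusted virtual domains, to give storage devices active protection. TRSF binds a smart card chip and a dynamic isolation mechanism into the storage device, and the on-chip operating system builds a trusted data channel from the underlying trusted platform module to the isolated runtime environment, thereby providing a trusted virtual environment for removable storage devices that are accessed and used by untrusted processes on untrusted terminal systems. Finally, an active-security USB drive, UTrustDisk, is implemented based on TRSF. Compared with the device without the active protection mechanism, adding the mechanism increases the average read and write performance overhead by 7.5% and 11.5%, respectively.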
2.
3.
4.
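This paper addresses the security and trustworthiness of the large numbers of users and WAP sites in wireless networks, and proposes a bidirectional security and trust framework based on users and services. Under this framework, the network can rate users and services by level, and then decide whether to allow a user to access a service or to allow service content to be published through the network.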
5.
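As the root of measurement of a trusted computing platform, the BIOS is the origin of the chain of trust, so its security is particularly important. This paper proposes a design for a USBKey-based, functionally extensible security control module that enhances BIOS security, implementing low-level power-on identity authentication and security control functions. Analysis shows that the scheme can effectively reduce the insecurity factors of the trusted root of measurement.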
6.
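Research on an Identity-Based SIP Authentication and Key Agreement Mechanism (total citations: 1, self-citations: 0, citations by others: 1)
Because it is simple, flexible and easy to extend, SIP is being used more and more widely, but SIP itself lacks strong security mechanisms, which exposes it to many security threats. This paper analyzes the security threats to SIP and its existing security mechanisms, and proposes an identity-based SIP authentication and key agreement scheme that achieves mutual authentication in three exchanges and completes key agreement in the same process. The scheme needs no public key certificates and uses the user's identity as the public key, which reduces computational complexity and communication overhead and ensures the integrity and authenticity of SIP messages in transit.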
7.
8.
9.
10.
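Research and Implementation of a Role-Based Access Control Framework (total citations: 10, self-citations: 3, citations by others: 7)
This paper introduces a role-based access control framework and describes its implementation principles and working mechanism in detail. Role-based access control (RBAC) is a conceptual model for authorization management; compared with traditional authorization policies, it is more flexible, more secure and easier to maintain. In principle, the framework extends the concepts of the basic RBAC model and, to meet the authorization management needs of large-scale data resources, proposes a more fine-grained notion of resource and an explicit permission decision mechanism.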
11.
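Virtual machine technology and trusted computing technology are currently two popular technologies, and trusted computing is an important means of securing information systems. Can the technical strengths of virtual machines and trusted computing be combined in a virtual machine environment to make terminal systems and networks trusted and improve the security of the whole information system? This paper studies how to design a security architecture for a virtual-machine-based trusted computing platform, and further studies the problem of virtualizing the TPM. It also analyzes and summarizes the chain of trust technology defined by the TCG. On this basis, it proposes a method for implementing the chain of trust in a virtual machine environment to strengthen the security of terminal systems and networks.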
12.
Collaborative inter-domain network measurement provides a global view of performance for the rapid growth of the Internet. It substantially benefits a number of network security and monitoring problems if a group of involved organizations share their traces. However, data leakage could cause privacy breaches, violate legal obligations, or give away business secrets. Hence many individual Internet Service Providers are unwilling to share their traffic traces under existing anonymization mechanisms for fear of data leakage. This paper proposed a flexible and secure framework used to securely share traffic traces collected from different domains with the joined parties. The framework extends the policy mechanism based on FLAIM, a GPL (General Public License) tool supporting a lot of trace formats with different anonymization algorithms. Meanwhile, three basic trace-sharing mechanisms were proposed to keep the consistency and safety of shared datasets by sharing the anonymization policy with the joined parties. A simple centralized policy storage model for recovery is introduced as well. Experimental results show that the framework performs well when processing a large amount of traffic traces. Moreover, with the mechanisms proposed, providers can share their data in a secure way.
13.
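To address the problem that existing ways of building trusted virtual domains cannot accommodate cloud computing characteristics such as flexible configuration, and in view of the need to prevent leakage of sensitive data inside cloud computing enterprises, this paper proposes TVD-VPE, a VPE-based method for building trusted virtual domains. TVD-VPE uses the split device driver model to build a virtual Ethernet, VPE; the back-end driver intercepts data packets and checks them against the boundary security policy, and data frames that satisfy the policy are then encrypted. In addition, a trusted virtual domain join/leave protocol is designed to ensure that user virtual machines join and leave securely, a management protocol oriented to trusted virtual domains is designed for deploying the boundary security policy, and a cross-domain access protocol is designed for cross-domain access by highly privileged users. Finally, a prototype system is implemented and subjected to functional and performance tests; the results show that the system can effectively prevent unauthorized access, while its impact on Xen network performance is almost negligible.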
14.
15.
16.
In this paper, a new way of selecting secure relay nodes in hybrid MANET–DTN networks based on the cooperation between routing, trust and game theory mechanisms is introduced. The hybrid MANET–DTN enables delivering the data or messages in situations when communication paths are disconnected or broken and also in emergency situations. We focus on the situations when the MANET routing protocol cannot establish the end-to-end connection between source and destination nodes. In this situation, it is necessary to select relay nodes that will be able to transport data or messages between isolated islands of mobile terminals with limited connectivity to other terminals. The proposed algorithm makes it possible to select the relay nodes that will come into contact with other mobile nodes located in different network areas with regard to trust and game theory. The parameter trust is computed for all mobile nodes and relies on a parameter obtained during routing and data transport processes. Game theory provides a powerful tool to select one candidate from a number of possible nodes with respect to confidence and security. Moreover, we propose a new mechanism to compute and select the trusted node that can be used for transportation of the secure data in this hostile and disconnected environment. In order to verify the functionalities of this mechanism, we implement this mechanism in the OPNET modeler simulation environment and introduce performance analysis.
17.
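Gao Peng (高鹏), 《电信工程技术与标准化》 (Telecom Engineering Technics and Standardization), 2009, 22(7): 1-5
Traditional network security systems can no longer meet the demand for trustworthiness, and trusted networks have emerged in response. This paper introduces the basic concepts and basic properties of trusted networks, analyzes key issues in trusted networks such as modeling, architecture, controllability and survivability, and discusses trust mechanisms in mobile networks.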
18.
The trusted network connection is a hot spot in the trusted computing field, and trust measurement and access control technology are used to deal with network security threats in trusted networks. But the trusted network connection lacks fine-grained states and real-time measurement support for the client, and the authentication mechanism is difficult to apply in the trusted network connection, so it is easy to cause the loss of identity privacy. In order to solve the above-described problems, this paper presents a trust measurement scheme suitable for clients in the trusted network. The scheme integrates attributes such as authentication mechanism, state measurement, and real-time state measurement, and based on the authentication mechanism and the initial state measurement, the scheme uses the real-time state measurement as the core method to complete the trust measurement for the client. The scheme presented in this paper supports both static and dynamic measurements. Overall, the characteristics of this scheme, such as fine granularity and dynamic, real-time state measurement, make it possible to make more fine-grained security policy, and therefore it overcomes inadequacies existing in the current trusted network connection.
19.
An active network is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of active network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, since the integrity of network-level solutions will be based on trust in the network elements. In this article we describe the architecture and implementation of a secure active network environment (SANE), which we believe provides a basis for implementing secure network-level solutions. We guarantee that a node begins operation in a trusted state with the AEGIS secure bootstrap architecture. We guarantee that the system remains in a trusted state by applying dynamic integrity checks in the network element's runtime system, using a novel naming system, and applying node-to-node authentication when needed. The construction of an extended LAN is discussed.
20.
Vehicular ad hoc networks (VANETs) are usually operated among vehicles moving at high speeds, and thus their communication relations can be changed frequently. In such a highly dynamic environment, establishing trust among vehicles is difficult. To solve this problem, we propose a flexible, secure and decentralized attribute-based secure key management framework for VANETs. Our solution is based on attribute-based encryption (ABE) to construct an attribute-based security policy enforcement (ASPE) framework. ASPE considers various road situations as attributes. These attributes are used as encryption keys to secure the transmitted data. ASPE is flexible in that it can dynamically change encryption keys depending on the VANET situations. At the same time, ASPE naturally incorporates data access control policies on the transmitted data. ASPE provides an integrated solution to involve data access control, key management, security policy enforcement, and secure group formation in highly dynamic vehicular communication environments. Our performance evaluations show that ASPE is efficient and it can handle a large amount of data encryption/decryption flows in VANETs.