共查询到20条相似文献,搜索用时 88 毫秒
1.
针对当前可信计算平台身份证明最好的理论解决方案——直接匿名认证(DAA ,Direct Anonymous Attestation)协议中平台隐私数据(,A e )是以明文方式直接存储在平台上很容易受到攻击的问题,基于 TPM 的安全存储功能,提出了平台隐私数据(,A e )的保护方案。该方案根据用户的身份生成隐私数据(,A e )的保护密钥和授权数据,利用 TPM 的安全存储功能对该保护后的隐私数据进行存储,并通过理论分析和实验验证,表明了所提方案在保护隐私数据(,A e )的同时,对直接匿名认证协议的性能影响也不大,增强了 DAA 协议的身份认证可信。 相似文献
2.
以可信计算技术为基础,针对可信云平台构建过程中可信节点动态管理存在的性能瓶颈问题,提出了基于TPM联盟的可信云平台体系结构及管理模型。针对TPM自身能力的局限性,提出了宏TPM和根TPM的概念。针对可信云中节点管理时间开销大的问题,引入时间树的概念组织TPM联盟,利用TPM和认证加密技术解决数据在TPM联盟内节点间的可信传输问题,提出了一种基于时间树的TPM联盟管理策略,包括节点配置协议、注册协议、注销协议、实时监控协议、网络管理修复协议和节点更新协议,阐述了时间树的生成算法,分析了建立可信节点管理网络的时间开销和节点状态监控的有效性。最后,通过仿真实验说明了模型具有较好的性能和有效性。 相似文献
3.
4.
针对可信平台模块(TPM)访问受重放攻击和替换攻击威胁的问题,提出一种改进的TPM访问控制方法.首先建立TPM长期访问控制功能,通过创建额外授权数据以保证进程结束后继续授权会话,同时将TPM地址与Domain U的身份标识号相关联,以保护其地址免受替换攻击.其次,建立TPM所有权共享功能,允许多个DomainU使用相同的TPM地址并防止死锁,因共享地址不能被重写,可保护敏感数据免受攻击.最后基于Xen实现了该方法并评估了其性能.实验结果证明了该方法的可行性和有效性,TPM访问性能开销在可接受的范围内. 相似文献
5.
6.
背景和现状 通常理解“可信计算”的机制是,在PC 硬件平台上导入安全芯片架构,通过其提供的安全功能来提高终端系统的安全性,其核心技术是称作“可信平台模块”TPM 的安全芯片。TPM其实是一个含有密码运算部件和存储部件的小型SOC(片上系统),所有有关可信的度量、度量的存储、度量的报告等体现“可信”的事件或活动都需要通过TPM 来进行。 “可信”就是可以信任,用户通过了计算平台的身份认证,就赢得了平台对用户的信任;检验平台软硬件配置的正确性,实现了用户对平台运行环境的信任;应用程序的完整性和合法性验证,体现出应用程序的可… 相似文献
7.
由于移动自组网Manet(Mobile Ad-hoc Networks)是一个无中心的网络且不存在值得信任的结点,传统的公平非抵赖协议因需要一个固定可信第三方TTP(Trusted Third Party)而不足以保证Manet的高效性和安全性.本文在可信平台模块TPM(Trusted Platform Module)的安全体系结构基础上提出了一种Manet中基于动态第三方的可信公平非抵赖协议,以取代固定TTP,提高协议效率,并运用TPM完整性度量技术和DAA(Direct Anonymous Attestation)远程认证技术,保证证据可信.最后利用Event B对该协议进行形式化建模,证明其有效性和公平性. 相似文献
8.
选取认证密钥分配协议Otway-Rees协议作为研究对象,利用协议组合逻辑(PCL)作为协议证明工具,对安全协议形式化分析及证明进行了研究。首先给出了Otway-Rees协议常见的攻击形式,分析了存在的缺陷,提出了改进方案(AOR协议);然后,为了更好地形式化描述AOR协议,对传统的PCL进行一定的扩展;紧接着,用扩展后的PCL对改进的协议中各个实体的行为和协议的安全属性进行形式化描述,将改进后的协议进行模块化划分,并利用PCL进行组合证明;最后,得出改进后的AOR协议具有密钥保密属性。 相似文献
9.
10.
目前的可信计算研究方案,比较多地强调应用TPM模块,但对TPM模块自身的可靠性和稳定性等考虑的较少,若TPM发生故障,则整个系统就无法正常工作,同时用户的一些重要信息也不能恢复。文中提出了一种基于USB KEY和BIOS的安全解决方案,当TPM故障时,调用禁用TPM模块,使TPM进入功能禁用状态,不进行度量操作,计算机进入非可信工作模式;在启动过程中,利用USB KEY和访问控制模块,实现在BIOS层的身份认证;利用保存在USB KEY里的相关密钥,恢复用户的一些重要信息。 相似文献
11.
Password-based three-party authenticated key exchange protocol allow clients to establish a protected session key through a server over insecure channels.Most of the existing PAKE protocols on lattices were designed for the two parties,which could not be applied to large-scale communication systems,so a novel three-party PAKE protocol from lattices was proposed.The PAKE protocol was constructed by using a splittable public-key encryption scheme and an associated approximate smooth projective Hash function,and message authentication mechanism was introduced in the protocol to resist replay attacks.Compared with the similar protocols,the new protocol reduces the number of communication round and improves the efficiency and the security of protocol applications. 相似文献
12.
13.
无线ATM系统的混合纠错方案及其在突发信道上的性能分析 总被引:1,自引:0,他引:1
本文提出了一种适用于无线ATM系统的混合纠错方案:用RS码保护话音信号,用截短RS/混合Ⅱ型ARQ保护图像和数据。文中分析和仿真了这一混合纠错方案在突发信道上的性能。结果表明,利用RS码强的纠错能力,通过有限次的重传就可获得低的信元丢失率和传输时延。 相似文献
14.
15.
Currently most existing entity authentication protocols can not guarantee anonymity against compromised verifier in semi-honest model. To solve the question, this paper puts forward a shared certificate entity authentication model, by which some qualities for anonymous entity authentication in semi-honest situation are suggested reasonably. On basis of our proposed model, this paper designs two anonymous entity authentication protocols including an anonymous shared certificate bi-entity authentication protocol and an anonymous shared certificate multi-entity authentication protocol. In proposed protocols it is only single certificate that is used to verify identity correctly and anonymously for legitimate users who has different identity secret. Any compromised verifier has capability to verify correctly whether the user identity is legitimate or not, but it is difficult for it to judge which legitimate user has been verified and distinguish who the verifying user is in particular, therefore attacker does not learn any useful information from legitimate user by spying upon the information of public channel or compromising the certificate. So the security requirements of anonymous entity authentication are achieved successfully, meanwhile the proposed model is more feasibly and effective than zero knowledge protocol in practical applications. 相似文献
16.
This study compared the effects on performance of four features of the LAPB and LAPD protocols. LAPB is the link level for the X.25 protocol, and LAPD is the link level for the ISDN "D" signaling channel. The features were: multireject in which additional reject or selective reject frames can be retransmitted under certain conditions, selective reject in which an entity can request selected frames to be retransmitted, the null information frame (NIF) with which additional control frames are sent to help detect missing frames, and multiple service access points (SAP's) in which several link-level protocol handlers are multiplexed on the same physical link (a feature unique to LAPD). Results indicate that the current standard LAPB/D protocol with multireject is the preferred protocol. Selective reject generally performed worse than the standard protocol, and offered improvement only with complex and expensive enhancements. The NIF feature yielded a virtually unnoticeable performance improvement. Multi-SAP introduced a virtually unnoticeable impairment when it was used to carry the same traffic load as a single SAP. 相似文献
17.
A new two-factor authenticated key agreement protocol based on biometric feature and password was proposed.The protocol took advantages of the user’s biological information and password to achieve the secure communication without bringing the smart card.The biometric feature was not stored in the server by using the fuzzy extractor technique,so the sensitive information of the user cannot be leaked when the server was corrupted.The authentication messages of the user were protected by the server’s public key,so the protocol can resist the off-line dictionary attack which often appears in the authentication protocols based on password.The security of the proposed protocol was given in the random oracle model provided the elliptic computational Diffie-Hellman assumption holds.The performance analysis shows the proposed protocol has better security. 相似文献
18.
19.
摘要:软件定义网络(software defined networking,SDN)是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。 相似文献
20.
RFID安全保密技术研究进展 总被引:2,自引:0,他引:2
文中首先概括了RFID系统的安全需求和需要保护的位置,然后介绍了RFID物理安全机制和基于密码技术的安全机制,包括kill命令、阻塞标签、夹子标签、假名标签、Hash-Lock协议、随机化Hash-Lock协议、Hash链协议等,并对其安全性进行了分析,分别指出其存在的安全威胁。 相似文献