可信计算环境下基于进化理论的层信任模型实现

本文采用形式化的方法,借鉴和吸收生物学、经济学、社会科学等相关学科的理论,对可信计算进行深入分析,并进行严格的逻辑推理证明,提出了基于进化理论的层信任模型。该模型在逻辑结构上定义了可信计算环境基本的信任链和可信层,物理结构上通过广电网的基于法定权利义务关系的可信根广播和在可信终端建立基于可信存储的可信根来实现可信计算环境。该模型使得现有通用计算平台也适用于可信计算环境,提出了解决可信计算环境的外部性和公正性的方法,减少了可信终端主动防御带来的验证开销,用较小的代价实现了可信计算环境下可信计算实体的可信度收敛。     

一种可信计算环境下DAA协议实现方案

证明是可信计算从体系结构上保障网络服务安全的重要功能。文中介绍了TCG可信计算环境下的认证策略和以TPM为基础的直接匿名认证协议（Direct Anonymous Attestation,DAA）,分析了其特点,提出为了获得更好的应用性,对DAA协议进行基于ECC算法的扩展方案。经安全性分析证明,该方案在可信计算环境下只需有限的系统资源,可以有效提高可信网络接入的安全性与可管可控性。     

可信物联网的研究

针对物联网发展中安全体系尚不完善的问题,从物联网三层技术体系架构出发,分析了可信计算在物联网安全中的应用前景,并且以RFID协议为基础,利用可信计算技术,提出了一种基于平台完整性证明的可信接入方案,并对其进行了仿真,证明了通过本方案能够建立一个可信的数据交互环境。     

可信计算平台可信计算基构建研究

对基于PC构建的可信计算平台中可信计算基的构建方式进行了分析,指出通过逻辑方式构建的可信计算基存在被篡改和绕过的可能性,并提出了一种基于密码技术构建可信计算基的方法。该方法以可信平台模块为信任根,验证可信计算基的完整性,防止可信计算基被篡改;将系统中受控可执行程序执行解释部分加密存放,密钥存放在可信平台模块,程序的执行必须通过可信计算基,防止了可信计算基被绕过。通过分析其基本原理,验证了基于密码技术可有效构建具备完整性和唯一性的可信计算基。     

可信计算环境下的计算机取证技术研究

可信计算技术是目前信息安全领域一项较新的技术,用于保护数据的可靠性和安全性.可信计算技术的应用,在为网络安全提供了基本保障的同时,却给计算机取证带来了困难.介绍了可信计算的背景和计算机取证的概念,分析了可信计算对计算机取证的影响,最后以Windows操作下的可信计算环境为例,分析了可信环境的构建技术对取证带来的挑战,提出了相应的研究方法和思路.     

基于可信芯片的平台身份证明方案研究

对基于可信第三方的平台身份证明方案进行了研究,提出了一种用证书和令牌标识可信计算平台并直接使用令牌证明平台身份的方案。与其他方案相比,该方案降低了证明过程的计算量和通信量,并且验证方验证平台身份的同时能够确认平台状态可信,获得了更高的安全性。利用协议组合逻辑证明了方案满足平台身份验证正确性和匿名性。原型系统实验结果表明,该方案平台身份证明效率高,特别适用于无线网络环境。     

可信计算平台的认证机制的设计

为了使可信计算平台之间的身份能够安全并高效地验证,通过对可信计算平台和PKI技术的研究与分析,设计一种基于PKI技术的可信计算平台之间的相互验证的协议。该协议通过引入可信第三方CA,用可信第三方向相互认证的可信平台颁发AIK证书,可信计算平台通过可信第三方验证对方AIK证书的真实性和AIK私钥加密AIK证书,验证平台的身份和完整性以及可信计算平台的状态。     

《可信计算体系结构》标准产业化应用

可信计算是一种计算运算与安全防护同时进行的新计算模式,通过对计算过程的可管可测,为通用计算平台提供对恶意代码或非法操作的主动免疫能力。可信计算体系结构的脉络是,将国产密码体系作为可信基础,将可信平台控制模块作为可信计算的信任根,并以可信主板为可信计算的平台,将可信网络作为可信过程交互的纽带,对上层业务应用进行透明支撑,保障应用执行环境和网络环境安全。本文介绍了《可信计算体系结构》标准的相关内容,包括可信计算体系结构的原理及功能、核心组件及其在多种平台环境中产业化落地的应用等。《可信计算体系结构》标准为可信计算产业化过程在设计实现和部署应用方面提供规范和指南,促进了可信计算技术及其产业化更快更好地有序发展。     

跨平台的可信执行环境模块方案研究

针对现有TPM、MTM等可信计算模块不能跨平台使用,未考虑算法、协议、功能更新等问题,提出一种基于硬件的可信执行环境模块（TEEM, trusted execution environment module）架构,该架构利用ARM TrustZone技术构建一个运行在硬件安全隔离环境中的可信计算模块。该模块能够为多种平台提供可信计算功能,具备较强的移动性和便携性,并且允许用户根据需要灵活地配置、升级模块的功能和算法。设计并实现了基于TEEM架构的原型系统,原型系统的安全性分析和性能测试结果表明,TEEM能够为用户提供一个安全、稳定、高效的可信执行环境。     

可信计算环境下基于主机身份的一次性密钥交换协议

该文介绍了可信计算环境下可信网络连接的基本概念,分析了TNC协议扩展存在的问题,介绍了直接匿名证明DAA协议。提出了一种新的,基于主机身份的一次性密钥交换协议I-OKEP,并分析了其安全性。经安全性分析证明,该协议可以在可信计算环境下保证密钥交换的机密性与可靠性,同时还可以保证主机完整性与主机匿名性。     

A blockchain-enabled security management framework for mobile edge computing

Mobile edge computing (MEC) integrates mobile and edge computing technologies to provide efficient computing services with low latency. It includes several Internet of Things (IoT) and edge devices that process the user data at the network's edge. The architectural characteristic of MEC supports many internet-based services, which attract more number of users, including attackers. The safety and privacy of the MEC environment, especially user information is a significant concern. A lightweight accessing and sharing protocol is required because edge devices are resource constraints. This paper addresses this issue by proposing a blockchain-enabled security management framework for MEC environments. This approach provides another level of security and includes blockchain security features like temper resistance, immutable, transparent, traceable, and distributed ledger in the MEC environment. The framework guarantees secure data storage in the MEC environment. The contributions of this paper are twofold: (1) We propose a blockchain-enabled security management framework for MEC environments that address the security and privacy concerns, and (2) we demonstrate through simulations that the framework has high performance and is suitable for resource-constrained MEC devices. In addition, a smart contract-based access and sharing mechanism is proposed. Our research uses a combination of theoretical analysis and simulation experiments to demonstrate that the proposed framework offers high security, low latency, legitimate access, high throughput, and low operations cost.     

基于虚拟机的可信计算

当前,虚拟机技术和可信计算技术是两大热门技术,可信计算技术是实现信息系统安全的重要手段。是否可以在虚拟机的环境下,通过结合虚拟机和可信计算的技术优势,来实现终端系统与网络的可信,提高整个信息系统的安全？研究了如何设计一个基于虚拟机的可信计算平台安全架构,并进一步研究了虚拟化TPM的问题。同时,分析并总结了TCG定义的可信链技术。在此基础上,提出了虚拟机环境下可信链的实现方法,加强终端系统与网络的安全性。     

基于区块链和知识证明的匿名数据共享算法

由于车载网(Vehicular Ad-Hoc Networks,VANETs)中车辆的存储容量有限,就需要增加边缘计算的数据存储空间。然而,边缘服务器并不是完全信任的,这就存在车与车间所共享数据的安全和隐私泄露问题。为此,提出基于区块链和知识证明的匿名数据共享(Blockchain and Zero-Knowledge Proofs-based Anonymous Data-sharing,BZAD)算法。通过区块链和知识证明,构建一个分布式、匿名数据共享策略。同时,引用发布-订阅模式的存储数据,提高对数据的管理效率。性能分析表明,BZAD算法在维持高安全性的同时,具有较高的运行效率。     

云环境数据服务的可信安全模型

针对云服务提供商的可信状态和云环境数据服务的安全需求,提出了云环境数据服务的可信重加密安全模型,即在云环境下的数据安全需要云服务提供商满足一定的可信程度,再结合有效的重加密算法才能得以保证。通过对重加密模型进行安全分析,并用密码算法对重加密模型进行验证,得到实现重加密算法的约束条件,同时提出可信评价模型,对云服务提供商的可信状态进行动态评价,为建立云环境数据服务的可信安全提供理论基础和实现依据。     

可信计算环境下的WLAN Mesh安全关联方案

针对第3版WLAN鉴别基础设施（WAI）协议用于建立WLAN Mesh安全关联时所存在的问题,提出了一种基于改进WAI协议的WLAN Mesh安全关联方案。通过性能对比分析,该方案提高了WLAN Mesh安全关联的性能,特别是降低了认证服务器（AS）的负载。为了适用于可信计算环境,继而在该方案的基础上提出了一种可信计算环境下的WLAN Mesh安全关联方案。此外,利用串空间模型（SSM）证明了这2个WLAN Mesh安全关联方案是安全的。     

移动边缘计算安全研究

移动边缘计算具有靠近用户、业务本地处理、灵活路由等特点,成为满足5G低时延业务需求的关键技术之一。由于移动边缘计算靠近用户、处于相对不安全的环境、核心网控制能力减弱等,存在非授权访问、敏感数据泄露、(D)DoS攻击等安全风险。本文在介绍边缘计算概念、应用场景的基础上,分析移动边缘计算的安全威胁、安全防护框架、安全防护方案,并展望后续研究方向。     

SOS: Self‐organized secure framework for VANET

While authentication is a necessary requirement to provide security in vehicular ad hoc networks, user's personal information such as identity and location must be kept private. The reliance on road side units or centralized trusted authority nodes to provide security services is critical because both are vulnerable, thus cannot be accessed by all users, which mean security absence. In this paper, we introduce a self‐organized secure framework, deployed in vehicular ad hoc networks. The proposed framework solution is designed not only to provide an effective, integrated security and privacy‐preserving mechanism but also to retain the availability of all security services even if there are no road side units at all and/or the trusted authority node is compromised. A decentralized tier‐based security framework that depends on both trusted authority and some fully trusted nodes cooperated to distribute security services is presented. Our approach combines the useful features of both Shamir secret sharing with a trust‐based technique to ensure continuity of achieving all security services. Mathematical analysis of security issues that the proposed framework achieves as well as the availability of offering security services is provided. Proposed framework examination was done to show the performance in terms of storage, computation complexity, and communication overhead as well as its resilience against various types of attacks. Comparisons with different types of security schemes showed that the protocol developed gave better results in most comparison parameters while being unique ensuring continuity of security services delivery.     

基于TPM联盟的可信云平台管理模型

以可信计算技术为基础,针对可信云平台构建过程中可信节点动态管理存在的性能瓶颈问题,提出了基于TPM联盟的可信云平台体系结构及管理模型。针对TPM自身能力的局限性,提出了宏TPM和根TPM的概念。针对可信云中节点管理时间开销大的问题,引入时间树的概念组织TPM联盟,利用TPM和认证加密技术解决数据在TPM联盟内节点间的可信传输问题,提出了一种基于时间树的TPM联盟管理策略,包括节点配置协议、注册协议、注销协议、实时监控协议、网络管理修复协议和节点更新协议,阐述了时间树的生成算法,分析了建立可信节点管理网络的时间开销和节点状态监控的有效性。最后,通过仿真实验说明了模型具有较好的性能和有效性。     

Fog-Sec: Secure end-to-end communication in fog-enabled IoT network using permissioned blockchain system

The technological integration of the Internet of Things (IoT)-Cloud paradigm has enabled intelligent linkages of things, data, processes, and people for efficient decision making without human intervention. However, it poses various challenges for IoT networks that cannot handle large amounts of operation technology (OT) data due to physical storage shortages, excessive latency, higher transfer costs, a lack of context awareness, impractical resiliency, and so on. As a result, the fog network emerged as a new computing model for providing computing capacity closer to IoT edge devices. The IoT-Fog-Cloud network, on the other hand, is more vulnerable to multiple security flaws, such as missing key management problems, inappropriate access control, inadequate software update mechanism, insecure configuration files and default passwords, missing communication security, and secure key exchange algorithms over unsecured channels. Therefore, these networks cannot make good security decisions, which are significantly easier to hack than to defend the fog-enabled IoT environment. This paper proposes the cooperative flow for securing edge devices in fog-enabled IoT networks using a permissioned blockchain system (pBCS). The proposed fog-enabled IoT network provides efficient security solutions for key management issues, communication security, and secure key exchange mechanism using a blockchain system. To secure the fog-based IoT network, we proposed a mechanism for identification and authentication among fog, gateway, and edge nodes that should register with the blockchain network. The fog nodes maintain the blockchain system and hold a shared smart contract for validating edge devices. The participating fog nodes serve as validators and maintain a distributed ledger/blockchain to authenticate and validate the request of the edge nodes. The network services can only be accessed by nodes that have been authenticated against the blockchain system. We implemented the proposed pBCS network using the private Ethereum 2.0 that enables secure device-to-device communication and demonstrated performance metrics such as throughput, transaction delay, block creation response time, communication, and computation overhead using state-of-the-art techniques. Finally, we conducted a security analysis of the communication network to protect the IoT edge devices from unauthorized malicious nodes without data loss.