Web Service在企业集成中的安全应用

随着企业应用的需求越来越复杂,在复杂的企业环境下处理基于SOAP消息的安全信息是需要解决的实际问题。具体分析Web服务(Web Service)在企业环境下的安全机制,以及这种方式下如何安全处理SOAP消息。以一个税务部门信息服务平台为例分析了采用安全的Web Service的企业应用集成方案,实践证明此方式可以达到比较好的安全性能要求。     

Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service provider's subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.     

公钥基础设施在网络安全中的研究与应用

文章提出了一种基于ＰＫＩ的网络安全模型,旨在为网络服务提供有效认证、访问控制、授权、传输机密性、不可否认性等安全机制。该模型在 ＰＫＩ的基础上,结合了 Ｋｅｒｂｅｒｏｓ的优势,并扩展了其机制中服务票据的思想,提出了由授权服务器签名的授权证书的概念,以保证自治式与集中式访问控制相结合的安全管理模式。     

Java移动代码的授权访问研究

Java移动代码是一种可以通过网络从一台计算机传珐另一台计算机上运行的Ｊava程序,在现代网络计算及电子商务中具有广泛应用,Ｊava的这一显著特性也蕴藏着授权管理上的不足,未授权者可以很容易地非法使用这些程序,针对Ｊava移动代码的这些不足之处,分别对Ｊava Applet及Ｊava Applet及Ｊava Servlet提出了基于数字签名算法的授权与访问控制方案,安全,有效地解决了这种新兴的授权与访问控制问题。     

Agent-based multimedia presentation and adaptation service

In this paper, we aim to provide adaptive multimedia services especially video ones to end-users in an efficient and secure manner. Users moving outside the office should be able to maintain an office-like environment at their current locations. First, the agents within our proposed architecture negotiate the different communication and interaction factors autonomously and dynamically. Moreover, we needed to develop a user agent in addition to service and system agents that could negotiate the requirements and capabilities at run time to furnish best possible service results. Thus we designed and integrated a video indexing and key framing service within our overall agent-based architecture. We integrated this video indexing and content-based analysis service to adapt the video content according to run time conditions. We designed a video XML schema to validate the media content out of this multimedia service according to specific requirements and features, as we will describe later.

Handling distributed authorization with delegation through answer set programming

Distributed authorization is an essential issue in computer security. Recent research shows that trust management is a promising approach for the authorization in distributed environments. There are two key issues for a trust management system: how to design an expressive high-level policy language and how to solve the compliance-checking problem (Blaze et al. in Proceedings of the Symposium on Security and Privacy, pp. 164–173, 1996; Proceedings of 2nd International Conference on Financial Cryptography (FC’98). LNCS, vol.1465, pp. 254–274, 1998), where ordinary logic programming has been used to formalize various distributed authorization policies (Li et al. in Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130, 2002; ACM Trans. Inf. Syst. Secur. (TISSEC) 6(1):128–171, 2003). In this paper, we employ Answer Set Programming to deal with many complex issues associated with the distributed authorization along the trust management approach. In particular, we propose a formal authorization language providing its semantics through Answer Set Programming. Using language , we cannot only express nonmonotonic delegation policies which have not been considered in previous approaches, but also represent the delegation with depth, separation of duty, and positive and negative authorizations. We also investigate basic computational properties related to our approach. Through two case studies. we further illustrate the application of our approach in distributed environments.     

多级异地远程控制系统中的权限管理

在多级控制系统中，控制权限的正确设置与管理对整个多级远程系统能否安全可靠运行起着至关重要的作用。本文介绍了利用西门子的Win CC中的内部变量来实现多级控制系统的权限设置与管理，并在黄河引黄涵闸远程监控系统中获得了成功的应用。     

安全RADIUS认证、授权、计费系统的构建

构建了基于远程访问拨号接入用户服务（RADIUS）的认证、授权和计费系统。试运行表明RADIUS原有实现方式的大运算量和频繁的文件读写操作降低了用户认证效率，且存在系统管理员盗用用户账号的风险。改进TRADIUS实现方式，降低了认证程序实现复杂度，提高了用户认证效率，同时降低了密码泄漏风险。对于广泛采用RADIUS的安全应用是很好的借鉴。     

一种基于SPKI的匿名支付方案

SPKI is a proposed standard for public-key certificates. One important property of SPKI is that SPKI is key-oriented rather than name-oriented, and the public-key is globally unique. In this paper we propose an anonymous paymentscheme based on SPKI aiming at the problem of anonymous payment in B2C e-commerce. In the scheme we use the key-oriented characteristic of SPKI to link the public key to the account, and use authorization certificates to pay. The scheme achieves the anonymity very well.