Inference control of open relational queries under closed-world semantics based on theorem proving

Relational database systems may serve to evaluate an open query under closed-world semantics. The evaluation returns an explicit output relation complemented with an often implicit statement about the completeness of that relation. The output relation is formed from all those tuples that both fit the format and satisfy the properties expressed in the query. Using first-order logic for specifying formal semantics, the output relation can be seen as a set of (ground) sentences obtained from the query formula by suitable substitutions of free variables by constants. A statement about the completeness of a relation can also explicitly be formalized as a sentence of first-order logic. Inference control for enforcing a confidentiality policy has to inspect and to possibly distort not only the sentences representing the tuples of the output relation but also the completeness sentences. Previously designed and formally verified control procedures employ theorem-proving for such inspections while iteratively considering candidates for those sentences and determining termination conditions, respectively. In this article, we outline an implementation of these control procedures and treat improvements of their runtime efficiency, in particular to overcome shortcomings of the underlying theorem prover, which is repeatedly called with an input comprising a completeness sentence of increasing size. The improvements are obtained by an equivalent rewriting of completeness sentences, exploiting the active domain or introducing new constants for combinations of the original constants, respectively, as well as by optimizing the number of such calls. Besides theoretical complexity considerations, we also present practical evaluations for some examples. These examples include queries that—without control—would return the whole underlying database relations and—with control—can be used for confidentiality-preserving data publishing.     

Confidentiality of a selectively encrypted H.264 coded video bit-stream

It is an assumption that selective encryption does not strongly protect confidentiality owing to the partial visibility of some video data. This is because, though encryption keys may be difficult to derive, an enhanced version of selectively encrypted video sequence might be found from knowledge of the unencrypted parts of the sequence. An efficient selective encryption method for syntax elements of H.264 encoded video was recently proposed at the entropy coding stage of an H.264 encoder. Using this recent scheme as an example, the purpose of this paper is a comprehensive cryptanalysis of selectively encrypted H.264 bit-streams to contradict the previous assumption that selective encryption is vulnerable. The novel cryptanalysis methods presented in this paper analyze the ability of an attacker to improve the quality of the encrypted video stream to make it watchable. The conclusion is drawn that if the syntax elements for selective encryption are chosen using statistical and structural characteristics of the video, then the selective encryption method is secure. The cryptanalysis is performed by taking into account the probability distribution of syntax elements within the video sequence, the relationship of syntax elements with linear regression analysis and the probability of successfully attacking them in order to enhance the visual quality. The results demonstrate the preservation of distorted video quality even after considering many possible attacks on: the whole video sequence; each video frame; and on small video segments known as slices.     

信息安全——机密性、完整性和可用性

本文讨论利用非对称密码或对称密码进行用户和主机初始鉴别。并阐述了以保密变换和报文鉴别为目的的密码密钥交换;以及检验用户/主机存在和确保信息完整性的连续鉴别;最后是其在各种通信模式,包括双方(一对一)、广播(一对多)和会议(多对多)等中的实现。     

隐蔽通道发现技术综述

本文首先解释了隐蔽通道的概念，介绍了隐蔽通道的分类。然后花主要精力，结合实例概述了当代国际上已经使用过的隐蔽通道的方法。并且对目前已有的这些方法从不同的方面给出了对比性的评价。在文章的讨论部分，作者基于目前的形势以及传统发现方法的限制给出了针对隐蔽通道发现方法建设性的见解和展望。     

安全多播中的密钥分配机制

一个完整的安全多播通信涉及很多因素,但是通过分析发现,其中很多安全因素都可以归结为群组密钥的分配和更新问题.给出了一个从密钥管理和密钥分配的角度来判定安全多播的标准,根据这个标准分析讨论了目前存在的几种多播密钥分配机制.并提出了安全多播通信的研究方向.     

On the secure implementation of security protocols

We consider the problem of implementing a security protocol in such a manner that secrecy of sensitive data is not jeopardized. Implementation is assumed to take place in the context of an API that provides standard cryptography and communication services. Given a dependency specification, stating how API methods can produce and consume secret information, we propose an information flow property based on the idea of invariance under perturbation, relating observable changes in output to corresponding changes in input. Besides the information flow condition itself, the main contributions of the paper are results relating the admissibility property to a direct flow property in the special case of programs which branch on secrets only in cases permitted by the dependency rules. These results are used to derive an unwinding theorem, reducing a behavioural correctness check (strong bisimulation) to an invariant.     

IDCE——一种保护移动Agent数据的机制

针对移动Agent的特定安全问题--数据保护问题,提出了关联数据链加密IDEC(Interrelated Data Chain Encryption)机制,并对该机制进行了安全性分析和性能分析.该机制的核心思想是通过对移动Agent收集到的数据进行关联加密,从而达到保护移动Agent数据的目的.研究表明,该机制对移动Agent的数据保护是可行的.     

Regression output from a remote analysis server

This paper is concerned with the problem of balancing the competing objectives of allowing statistical analysis of confidential data while maintaining standards of privacy and confidentiality. Remote analysis servers have been proposed as a way to address this problem by delivering results of statistical analyses without giving the analyst any direct access to data. Several national statistical agencies operate remote analysis servers [Australian Bureau of Statistics Remote Access Data Laboratory (RADL), <www.abs.gov.au>; Luxembourg Income Study, <www.lisproject.org>].Remote analysis servers are not free from disclosure risk, and current implementations address this risk by “confidentialising” the underlying data and/or by denying some queries. In this paper we explore the alternative solution of “confidentialising” the output of a server so that no confidential information is revealed or can be inferred.In this paper we review results on remote analysis servers, and provide a list of measures for confidentialising the output from a single regression query to a remote server as developed by Sparks et al. [R. Sparks, C. Carter, J. Donnelly, J. Duncan, C.M. O’Keefe, L. Ryan, A framework for performing statistical analyses of unit record health data without violating either privacy or confidentiality of individuals, in: Proceedings of the 55th Session of the International Statistical Institute, Sydney, 2005; R. Sparks, C. Carter, J. Donnelly, C.M. O’Keefe, J. Duncan, T. Keighley, D. McAullay, Remote access methods for exploratory data analysis and statistical modelling: privacy-preserving Analytics^™, Comput. Meth. Prog. Biomed. 91 (2008) 208–222.] We provide a fully worked example, and compare the confidentialised output from the query with the output from a traditional statistical package. Finally, we provide a comparison the confidentialised regression diagnostics with the synthetic regression diagnostics generated by the alternative method of Reiter [J.P. Reiter, Model diagnostics for remote-access regression servers, Statistics and Computing 13 (2003) 371–380].     

基于PKI体系的跨域密钥协商协议

基于口令的跨域密钥协商协议和Kerberos协议无法抵抗口令猜测攻击,在金融、航天等通信安全需求高的场所,需要一种更有效的协议来保证通信安全。给出一种新的基于PKI体系的跨域密钥协商协议,采用公钥算法保证数据传输的安全,结合使用Diffie-Hellman协议生成会话密钥。协议有效地解决了利用预置共享密钥参与加/解密实施中间人攻击,以及Kerberos弱口令导致的攻击者可以实施口令猜测攻击的问题。跨域通信的公钥信息仅存储在各自域认证服务器,域内用户不需要配置跨域服务器的公钥信息,降低了配置复杂度、域内用户和域认证服务器之间密钥管理的复杂性,同时提高了域服务器鉴别身份的能力和信息机密性,使其免疫多种攻击,具有良好的前向安全性和扩展性。     

高效安全的无证书混合签密方案

对两种新提出的无证书混合签密方案进行密码学分析,指出它们各自存在的正确性和安全性缺陷,进而提出一种更加安全和高效的无证书混合签密方案。通过引入vBNN-IBS签名算法,从而避免使用幂指数运算,进一步降低新方案的计算开销。在随机预言机模型下,新方案被证明是安全的,满足不可伪造性和机密性。对比分析表明,新方案在确保强安全性的同时具有更低的计算开销。