Security analysis of application layer protocols on wireless local area networks

This paper aims at analyzing the security issues that lie in the application layer (AL) protocols when users connect to the Internet via a wireless local area network (WLAN) through an access point. When adversaries launch deauthentication flood attacks cutting users’ connection, the connection managers will automatically research the last access point’s extended service set identifier (ESSID) and then re-establish connection. However, such re-connection can lead the users to a fake access point with the same ESSID set by attackers. As the attackers hide behind users’ access points, they can pass AL’s authentication and security schemes, e.g. secure socket layer (SSL). We have proved that they can even spy on users’ account details, passwords, data and privacy.     

Security Policies for Web Service Invocation of Automotive Industry Chain Collaboration Platform

To meet the actual requirements of an automotive industry chain collaboration platform (AICCP), this paper offers several simple but effective security policies based upon the traditional security mechanism of data transfer, including user ID verification with SOAP (simple object access protocol) header, SOAP message encryption with SOAP extension and XML (extensible markup language) file encryption and decryption. Application of these policies to the AICCP for more than one year proves the effectiveness of the data exchange practice between the AICCP and enterprise Intranet.     

Keyword search encryption scheme resistant against keyword-guessing attack by the untrusted server

The user data stored in an untrusted server, such as the centralized data center or cloud computing server, may be dangerous of eavesdropping if the data format is a plaintext. However, the general ciphertext is difficult to search and thus limited for practical usage. The keyword search encryption is a helpful mechanism that provides a searchable ciphertext for some predefined keywords. The previous studies failed to consider the attack from the data storage server to guess the keyword. This kind of attack may cause some critical information revealed to the untrusted server. This paper proposes a new keyword search encryption model that can effectively resist the keyword-guessing attack performed by the untrusted data storage （testing） server. The testing （query） secret is divided into multiple shares so that the security can be guaranteed if the servers cannot conspire with each other to retrieve all shares of the secret.     

A General Attribute and Rule Based Role-Based Access Control Model

Growing numbers of users and many access control policies which involve many different resource attributes in service-oriented environments bring various problems in protecting resource.This paper analyzes the relationships of resource attributes to user attributes in all policies, and propose a general attribute and rule based role-based access control(GAR-RBAC) model to meet the security needs. The model can dynamically assign users to roles via rules to meet the need of growing numbers of users. These rules use different attribute expression and permission as a part of authorization constraints, and are defined by analyzing relations of resource attributes to user attributes in many access policies that are defined by the enterprise. The model is a general access control model, and can support many access control policies, and also can be used to wider application for service. The paper also describes how to use the GAR-RBAC model in Web service environments.     

Robust password and smart card based authentication scheme with smart card revocation

User authentication scheme allows user and server to authenticate each other, and generates a session key for the subsequent communication. How to resist the password guessing attacks and smart card stolen attacks are two key problems for designing smart cart and password based user authentication scheme. In 2011, Li and Lee proposed a new smart cart and password based user authentication scheme with smart card revocation, and claimed that their scheme could be immunity to these attacks. In this paper, we show that Li and Lee＇s sctleme is vulnerable to off-line password guessing attack once the information stored in smart card is extracted, and it does not provide perfect forward secrecy. A robust user authentication scheme with smart card revocation is then proposed. We use a most popular and widely used formal verification tool ProVerif, which is based on applied pi calculus, to prove that the proposed scheme achieves security and authentication.     

基于区块链技术的汽车配件追溯系统构建研究

汽车配件种类繁多,其从生产企业至最终装至消费者车辆上的流转过程不一,将区块链技术应用于汽车配件的追溯,可有效实现汽车配件流转过程的检索,防止信息的篡改和不正当的市场竞争行为。基于区块链技术的汽车配件追溯系统构建时应充分分析汽车配件的流转过程和配件编码规则,将与其有关的追溯信息、配件属性类型信息、企业信息、车型信息、车辆信息、物流信息等分区块进行存储,所构建的系统包括面对使用者的客户端、数据信息上链的接入服务端以及数据处理和加密的功能模块等。     

Personalization method of e-catalog based on user interesting degree

The user interesting degree evaluation index is designed to fulfill the users’ real needs, which includes the user’ attention degree of commodity, hot commodity and preferential commodity. User interesting degree model (UIDM) is constructed to justify the value of user interesting degree; the personalization approach is presented; operations of add and delete nodes (branches) are covered in this paper. The improved e-catalog is more satisfied to users’ needs and wants than the former e-catalog which stands for enterprises, and the improved one can complete the recommendation of related products of enterprises.     

网络消息即时传输系统的研究与设计

讨论了客户机／服务器程序的设计方法，利用面向对象的编程方法，进行了整个系统的设计。设计了服务器端处理用户请求算法、服务器端的底层通讯类、客户机／服务器之间的通讯数据类，服务器端分配用户帐号的策略等。该系统实现了TCP／IP网络的即时消息传送、消息广播、实时聊天、文件传输等功能。     

Chosen ciphertext secure identity-based broadcast encryption in the standard model

To give concurrent consideration both the efficiency and the security (intensity of intractable problem) in the standard model, a chosen ciphertext secure identity-based broadcast encryption is proposed. Against the chosen ciphertext security model, by using identity (ID) sequence and adding additional information in ciphertext, the self-adaptive chosen identity security (the full security) and the chosen ciphertext security are gained simultaneously. The reduction of scheme’s security is the decisional bilinear Diffie-Hellman (BDH) intractable assumption, and the proof of security shows that the proposed scheme is indistinguishable against adaptive chosen ciphertext attacks in the standard model under the decisional BDH intractable assumption. So the security level is improved, and it is suitable for higher security environment.     

基于ECC和指纹USBKey的身份认证协议

分析了现有网络身份认证方案的不足,给出了一种指纹识别技术与USBKey技术相结合的身份认证方案。利用载有指纹特征的指纹USBKey改进现有的USBKey认证技术。利用椭圆曲线密码算法ECC（elliptic curve cryption）,提高身份认证协议的安全性。采用挑战与应答的认证机制,实现了双向身份认证。使用含指纹特征的数字证书,防止非法用户篡改指纹特征。给出的身份认证协议实现了USBKey对用户权限的验证及远程服务器对用户身份的实体认证。能够有效抵御窃听攻击、假冒攻击、重放攻击及DoS攻击。     

基于KFS分布式文件系统元数据模型的改进

研究了云计算环境下的分布式文件系统KFS的系统架构,对于海量数据存储的云存储系统来说元数据管理效率是关键,通过分析KFS文件系统的元数据模型,提出了基于KFS分布式文件系统元数据的改进模型,即利用内存缓冲策略,对待插入的元数据进行预处理并批量插入,减少查找和分裂次数,大大提高了KFS文件系统的数据访问效率.最后通过算法复杂度的分析,证明该改进算法能有效提高分布式文件系统KFS的元数据服务器的效率.同时该改进模型对于采用B^＋树索引机制来集中管理元数据的类似系统同样适用.     

网络化HRM系统访问权限控制方法研究

研究了网络化人力资源管理（HRM）系统中功能模块和页面的访问权限控制方法与实现问题.采用基于角色的访问控制（RBAC,Role-Based Access Control）模型,实现网络化HRM系统的访问权限控制,其最大特点是：通过引入角色（R）的概念,建立用户（U）和权限（P）之间的关联,通过为用户分配角色、为角色分配权限,达到控制用户访问权限的目的.某大型跨地域HRM系统的成功实施表明：基于RBAC模型的访问权限控制方法,不仅简化用户权限配置工作量,而且大大提高系统与数据的安全性和可靠性,使得系统具有方便性、灵活性、安全性和易扩展性.     

XML与数据库交互技术的研究及实现

通过对XML的数据存取机制和XML与数据库的映射技术的分析和研究,提出了XML与数据库进行数据交换的设计方案.通过ADO.NET实现对数据库系统的连接,在Web服务器与数据库之间建立一个数据业务接口,实现数据库中数据到XML文档和XML文档到数据库中表数据的转换.数据库与外界之间都以XML文档作为交换介质,屏蔽了所有数据库有关的技术细节,同时使系统的可扩展性更好.本文对异构数据源的数据交换有通用的参考和指导意义.     

Chosen ciphertext secure fuzzy identity based encryption without ROM

Two new constructions of chosen-ciphertext secure fuzzy identity-based encryption(fuzzy-IBE) schemes without random oracle are proposed.The first scheme combines the modification of chosen-plaintext secure Sahai and Waters'"large universe"construction and authenticated symmetric encryption, and uses consistency checking to handle with ill-formed ciphertexts to achieve chosen-ciphertext security in the selective ID model.The second scheme improves the effciency of first scheme by eliminating consistency checking.This improved scheme is more effcient than existing chosen-ciphertext secure fuzzy-IBE scheme in the standard model.     

GSM-R系统的安全策略研究与改进

由于网络结构与用户终端移动性本身的制约,GSM-R本身存在着一些网络安全隐患,本文旨在提出GSM-R系统安全策略的改进方案.文章结合GSM-R系统在铁路上的应用,简要阐述了现有GSM-R系统所采用的安全机制和存在的安全缺陷.针对GSM-R系统采用的单向认证和信息加密的局部性两个方面分别提出了相应的改进方案,即系统的双向认证和端到端加密,并详细描述了认证过程和加密过程.     

协同设计系统中基于角色的访问控制

在对协同设计中访问控制和角色进行深入分析的基础上，确定了协同设计中角色的粒度，给出访问控制的特点,采用基于角色的访问控制技术和JSP中提供的Scssion机制，将协同设计中的角色、权限、用户相关联，实现了访问控制．在协同设计原型系统中，利用访问控制子系统对整个协同设计系统实施访问控制．结果表明该访问控制系统能够满足协同设计的要求．     

PowerBuilder对Windows API函数调用的研究

PowerBuider(以下简称PB）是目前国内广泛使用的基于客户／服务器（C／S）模式的数据库前端开发工具，它广泛应用于企事业单位内部的资源管理以及管理信息系统的开发，阐述了PB中如何更好将Data WindowsAPI函数结合，实现一些基础操作，以及在调用Windows API函数时注意的问题，PB与Windows API技术的恰当结合，将有助于提高PB开发程序的效率，完善应用系统，方便用户使用。     

Efficient peer-to-peer file sharing in 3G networks

In 3G networks upgraded with high speed packet access (HSPA) technology, the high access bandwidth and advanced mobile devices make it applicable to share large files among mobile users by peer-to-peer applications. To receive files as quickly as possible is essential for mobile users in file sharing applications, since they are subject to unstable signal strength and battery failures. While many researches present peer-to-peer file sharing architectures in mobile environments, few works focus on decreasing the time spent in disseminating files among users. In this paper, we present an efficient peer-to-peer file sharing design for HSPA networks called efficient file sharing (EFS) for 3G networks. EFS can decrease the dissemination time by efficiently utilizing the upstream-bandwidth of mobile nodes. It uses an adaptive rearrangement of a node’s concurrent uploading transfers, which causes the count of the node’s concurrent uploading transfers to lower while ensuring that the node’s upstream-bandwidth can be efficiently utilized. Our simulations show that, EFS achieves much less dissemination time than other protocols including Bullet Prime and a direct implementation of BitTorrent for mobile environments.     

文件存取权确认系统的数据编外管理设计法

文件存取权确认系统一直是多用户计算机具有的一种有效的文件保护机制。本文提出磁盘数据编外管理法,在用此法为单用户计算机设计类似系统方面进行了尝试并取得满意结果。文中通过实例介绍一种具体实现方法。因为不用改动操作系统,实现容易,便于推广。     

接入交换机在局域网安全上的应用

文章阐述了接入层交换机的安全保障机制,并从防止蠕虫病毒扩散、网络广播风暴控制、防dhcp server欺骗攻击、ARP欺骗防护等四个方面介绍了安全控制策略的配置方法,以期减少局域网的安全隐患,提高网络的运行效率。