
Table of Contents

    10 August 2014, Volume 14 Issue 8

    Original Article
    A New Network Authentication Scheme based on Biometric Recognition
    WANG Yu-na, LV Qiu-yun
    2014, 14 (8):  1-5.  doi: 10.3969/j.issn.1671-1122.2014.08.001
    This paper analyzes why network authentication based on biometric recognition has not yet been widely adopted: special equipment is needed to extract biometric features, fingerprints are used rampantly, and reporting the loss of a biometric feature is difficult. It then compares several major biometric recognition technologies in terms of practicality, convenience and security. Judging from the rapid development of bio-3D printing, the paper points out that this technology may have an impact on biometric recognition in the future. A network authentication scheme based on face recognition is proposed, in which the face is the basis for network authentication; by tracking facial activity in real time to obtain live facial images, the system can resist photo and video attacks while increasing the reliability and security of authentication. Finally, the paper analyzes the implementation, the additional cost and the security of the scheme, and concludes that the scheme performs well once its cost is taken into account. It also looks forward to the application of biometric recognition to network authentication: because biometric features are unique and cannot be reset, more attention should be paid to protecting them, and more research should be done on how to make better use of them.
    An Overview on the Secure Program Obfuscation
    CHENG Rong, ZHANG Fang-guo
    2014, 14 (8):  6-11.  doi: 10.3969/j.issn.1671-1122.2014.08.002
    Program obfuscation is a compiler that transforms the original program into an unintelligible form while preserving its functionality. The concept first appeared as code obfuscation, which is used for software protection, digital watermarking and the like, but code obfuscation lacks formal analysis and security proofs. Obfuscation for cryptographic purposes was proposed by Barak et al., who gave the formal definition of virtual black-box obfuscation and its security requirements. General obfuscation of cryptographic functions is important in theoretical research and is closely related to other cryptographic primitives such as random oracles, fully homomorphic encryption and zero knowledge; secure obfuscation of specific cryptographic functions also has practical uses in cloud computing and delegated computation. In recent years, secure program obfuscation has become one of the hottest topics in cryptographic research. Since obfuscation of general function families was proved impossible under Barak's standard definition, subsequent work has mainly focused on realizing secure obfuscation of specific families of functions, on new definitional models of obfuscation, and on the relations and applications of obfuscation to other cryptographic primitives. This paper surveys the study of secure obfuscation, including constructions of secure obfuscation for specific cryptographic functions, studies of special models of obfuscation, and the generalization and applications of secure obfuscation.
    Security Analysis and Improvement of ID-based Proxy Signature
    ZHANG Jian-hong, ZHEN Wei-na
    2014, 14 (8):  17-20.  doi: 10.3969/j.issn.1671-1122.2014.08.003
    With the development of digital signatures based on public key cryptography, key management decides whether digital signature technology can be widely used, so simplifying key management has become a new direction in the development of digital signatures. Identity-based digital signatures were proposed for this reason: they simplify key management and have the advantage of short signatures. Bilinear maps were then applied to identity-based signatures in the cryptographic field, which effectively simplifies certificate management and key distribution. Subsequently, many identity-based signature variants have been proposed, such as identity-based proxy signatures, blind signatures, ring signatures and threshold signatures. This paper focuses on identity-based proxy signatures. By analyzing the identity-based proxy signature scheme of Wang, it shows that the scheme is insecure, although the scheme was proved secure in the random oracle model in the existing literature. In particular, the scheme does not satisfy unforgeability: the original signer can forge a legal and valid proxy signature, and the proxy signer can also abuse the proxy signing right. On this basis, the paper improves the original scheme so that it not only overcomes these deficiencies but also meets the various security requirements of proxy signatures.
    The Research of Session Attack and Investigation Method
    XU Guo-tian
    2014, 14 (8):  21-27.  doi: 10.3969/j.issn.1671-1122.2014.08.004
    Session authentication is a common identity recognition mechanism of dynamic websites, and most websites use it to prevent unauthorized access. If an unauthenticated user browses to an access-restricted page, the site cannot read a legitimate session_id from the HTTP packet and the illegal visitor is redirected to the login page. In a session attack, an attacker captures the victim's session_id and logs in to the site with that value, thereby obtaining the victim's identity. If the victim is an administrator, the attacker can modify website data and even plant a Trojan, causing greater harm; this is a serious threat to the security of information networks, so research on session attacks and their investigation is important for forensics. The key to a successful session attack is obtaining the session_id of a legitimate user. The research group found no existing results on clue investigation of session spoofing attacks. This paper studies three methods by which a session_id can be captured, namely the switch MAC address table "aging" phenomenon, MAC-PORT attacks and XSS attacks, and also studies investigation methods for session attacks.
    AnDa: a Dynamic Analysis System for Malicious Code
    REN Wei, LIU Kun, ZHOU Jin
    2014, 14 (8):  28-33.  doi: 10.3969/j.issn.1671-1122.2014.08.005
    Recently, mobile terminals have rapidly been extended to business applications and have become more closely tied to user privacy and property. Since static monitoring cannot guarantee software security, a dynamic monitoring sandbox can provide real-time monitoring that is faster, more accurate, safer and more feasible. Android malware leaks privacy, for example by accessing user data and sending it to the network, or by intercepting and spying on phone calls and text messages. This article therefore proposes a system called AnDa, which records the sensitive behavior of Android malware in a dynamic detection sandbox. The overall design and key technologies of the system are described, including real-time monitoring of behaviors such as access to phone calls, text messages, location information and the SIM card. The system has been tested on both a virtual machine and a physical device. The work adopts dynamic sandbox analysis to realize dynamic software monitoring and behavior analysis on the Android platform; it effectively monitors Android framework-layer APIs through Java method hooking and captures common malware characteristics, and it supports devices running Android 4.0 and above. From the recorded malicious behavior, AnDa can determine the type of malware and detect new viruses, so that important phone calls and personal data are protected and security is greatly improved.
    Modeling and Simulation of Rational Cryptographic Protocols based on Swarm
    YANG Xue-jun, CHEN Ning-jiang
    2014, 14 (8):  34-39.  doi: 10.3969/j.issn.1671-1122.2014.08.006
    To address the question of which strategies participants actually choose when rational cryptographic protocols run in the real world, a model and an algorithm for solving this problem are designed, and the rational behavior is simulated on the Swarm intelligent-agent platform. First, the payoff matrix is defined and the replicator (state-copy) equation of the participants is written down; solving it yields three Nash equilibrium values, corresponding to all participants adopting the honest strategy, all adopting the dishonest strategy, and a mixed strategy, and a game algorithm is designed for each of these values. Then each object needed by the main game is defined on Swarm; since the basic object functions of Swarm cannot fully meet the needs of rational cryptographic protocols, key parts of the main object functions of the Swarm platform are transformed, and the whole interactive game is implemented on Swarm. The results show that when the payoff function is constant, rational participants find it difficult to reach a Nash equilibrium through rounds of the game; however, when incentives are used to raise the payoff of honest participants, rational participants reach a Nash equilibrium in fewer rounds and the proportion of honest participants is at least half. The methods presented in this article, which use algorithmic game theory to simulate rational cryptographic protocols on the Swarm platform, provide a reference for research on rational cryptographic protocols.
    Algorithm of Chinese Keywords Extraction based on Multi-feature
    PAN Li-min, WU Jun-hua, LIN Meng, LUO Sen-lin
    2014, 14 (8):  40-44.  doi: 10.3969/j.issn.1671-1122.2014.08.007
    In text processing, keywords have long been a critical technique. Keyword extraction aims to extract the vital words or phrases that summarize the content of a document. Considering the influence of six factors (term frequency, term length, part of speech, position, an Internet dictionary and a stop-word list) on the weight of keywords in a text, this paper proposes a new algorithm for Chinese keyword extraction that combines linear weighting with compound-word construction and filtering. The experimental data consist of ten categories of literature downloaded from China National Knowledge Infrastructure, namely environment, information technology, transportation, education, economics, culture and history, chemistry, medicine, agriculture and politics. The results show that when the number of candidate words is 5, the approximate matching precision is 54.8% and the recall is 65.1%. The proposed method not only solves the problem of low recall caused by word segmentation in keyword extraction, but also effectively extracts words that are not high-frequency yet important to the meaning of the text.
    Mobility Model for Opportunistic Network based on Community Tier
    ZHOU Yong-jin, MA Chun-guang, MIAO Jun-feng, QI Feng
    2014, 14 (8):  45-49.  doi: 10.3969/j.issn.1671-1122.2014.08.008
    Because there is no complete communication route between the source node and the destination node, an opportunistic network solves the problem in a store-carry-forward manner, making use of the contact opportunities brought by mobile nodes. Although an opportunistic network has high communication delay, it has been used in environments where a complete network route cannot be built, such as networks of handheld devices and vehicular delay-tolerant networks. In opportunistic network research it is hard or impossible to build a real scene, so researchers use simulation experiments to represent the real world, and the mobility model that simulates movement patterns is the foundation of the simulation. In particular, in opportunistic networks of handheld devices, the realism of the mobility model heavily affects further research, so effective mobility models based on social complex-network theory have been proposed. In this paper, based on recent literature, we propose a community-tier-based mobility model (CTMM), which analyzes the similarities and differences between nodes from the angle of community tiers and realizes the differences between nodes in the choice of mobility path and destination. The results indicate that nodes in the ACTIVE state have a higher cumulative number of encounters than nodes in the STEADY state, because ACTIVE nodes constantly move between different communities. In terms of fidelity to the real world, CTMM can be used for opportunistic networks of handheld devices.
    The Research of NTP Protocol Communication Middleware based on the NESSUS
    DU Chun-lai, WANG Qing-liang, WANG Jing-zhong, WANG Bao-cheng
    2014, 14 (8):  50-54.  doi: 10.3969/j.issn.1671-1122.2014.08.009
    With the rapid development of distributed system technology, the three-layer distributed system is the main direction of future development, and communication middleware is an indispensable layer. Communication middleware can enlarge the scale of a distributed system, support more users connecting to the server, simplify the communication process between user and server, make the communication between client and server more secure, and realize cross-platform applications. There are some mature communication middlewares, such as ACE and ICE, but designers of three-layer distributed systems must understand their complex functions and operations, many of which are never used, so designing a small, efficient communication middleware is very important for designers. NESSUS is a popular network vulnerability scanning system, a distributed system based on C/S and B/S structures, in which communication between client and server is built on the NTP transport protocol. This paper focuses on how NESSUS communicates between client and server, packages the communication module and provides middleware interfaces, and introduces a message send/receive queue buffer pool and SSL components. A small, efficient, secure, cross-platform communication middleware is then presented, which is also applicable to other client/server three-layer distributed systems.
    Design and Implementation of Topology Display in Cloud Computing PaaS based on Cloud Foundry
    HOU Li-zhi, CUI Yi-dong
    2014, 14 (8):  55-60.  doi: 10.3969/j.issn.1671-1122.2014.08.010
    Cloud computing PaaS (platform as a service) has drawn wide attention in recent years. It not only provides environments and resources for users but also improves the utilization of hardware resources and reduces business operation costs. However, there is a lack of mechanisms to constrain the behavior of providers. To fill this gap, the concept of topology management is proposed. On the one hand, application topology monitors the relationship between applications and resources; on the other hand, resource topology monitors the relationship between resources and applications; together they realize monitoring of applications from different angles. We use a hash array to store topology information and the publish-subscribe model of the message bus to pass messages; the topology information is then obtained and displayed in Web pages. The PaaS platform driven by Cloud Foundry designed and implemented in this paper runs well: it clearly presents the resource pool information and the relationship between applications and resources, so the system can improve the quality of service and protect the interests of users. Application topology display and resource topology display reflect the relationship between resources and applications in a timely manner, and displaying them from different angles greatly helps the cloud provider manage applications.
    The Analysis of the Security Strategy based on Process Management
    YANG Chun-hui, YAN Cheng-hua
    2014, 14 (8):  61-66.  doi: 10.3969/j.issn.1671-1122.2014.08.011
    A security strategy for process management, with analysis based on hook technology, is put forward against the security problems of process management after analyzing the types and characteristics of recent malicious processes. With the help of the Windows message processing mechanism, API function invocation, database technology and black-and-white list rules, process collection, process analysis, responses, black-and-white list rules and database insertion are implemented as modules, so as to monitor and manage system processes with regard to security, low power consumption and self-protection. Suspicious, illegal and high-memory-consumption malicious processes are analyzed, which makes process management operate safely. Experiments on the VC language platform, aimed at a LAN environment, implement each of the above functional modules and test them from two aspects: functionality (commonly used processes, process collection, process analysis and so on) and operational efficiency (the memory and CPU usage of the system itself). The results validate that the project achieves security management of system processes safely, quickly and accurately, monitors and forcibly closes malicious processes, realizes self-protection for system processes, and lightens the monitoring burden of security administrators, thus improving the efficiency of network security work.
    A Hybrid Authentication Service System for 2D Barcode in O2O Application
    ZHANG Yong-qiang, TANG Chun-ming
    2014, 14 (8):  67-70.  doi: 10.3969/j.issn.1671-1122.2014.08.012
    As an information carrier, 2D barcodes bring consumers quick and convenient shopping experiences. However, 2D barcodes must overcome security challenges in the mobile Internet environment, such as information leakage and tampering, user authentication and repudiation. The capacity of the 2D barcodes used in O2O applications is limited and unsuitable for embedding the digital certificates and certificate chains that traditional PKI systems use for user authentication. This paper proposes a technical solution for authenticating the electronic tag data in 2D barcodes that combines PKI and IBC cryptography. The IBC public key, which is generated from the PKI entity's digital certificate according to dedicated rules, is the shortest key usable in a 2D barcode. The private key is securely delivered to the end user using a handshake authentication protocol, and the signature and verification processes are designed to meet the security requirements of O2O applications. Based on the proposal, the private keys of the IBC system can be securely transferred to users, and a trust chain for IBC digital signatures is established from PKI digital certificates. A trust network framework can thus be set up to authenticate electronic tag data and meet the security challenges of capacity-limited 2D barcodes, including data privacy, user authentication and the trust chain.
    Safety Assessment on Digital Radio Transmission based on Attack Tree Model
    LI Hui, ZHANG Ru, LIU Jian-yi, ZHAO Jing
    2014, 14 (8):  71-76.  doi: 10.3969/j.issn.1671-1122.2014.08.013
    Digital radio is widely used in supervisory control and data acquisition (SCADA) systems, and its transmission security is increasingly challenged. To systematically analyze and assess digital radio transmission security in SCADA systems, this paper applies attack tree modeling to the risks existing in the digital radio transmission stage: it improves the traditional attack tree, refines the attack nodes, quantifies the attack risk of leaf nodes, and establishes an attack tree model whose goal is a threat to the SCADA system. The attack tree directly reflects the various possible attack scenarios. The paper calculates the probability of occurrence of each attack scenario from the attack tree and considers the overall security of the system under the various scenarios. Finally, it quantitatively analyzes the impact of a change in the probability of each attack on system security using security sensitivity, identifies the key paths that have the greatest impact on system security, and proposes measures to raise the security level of the system. This attack tree model can be used to assess systemic risk and to distinguish the threat levels of different attacks on the system, providing a basis for decision-makers to take appropriate protective measures for digital radio transmission.
    A Filtering Method of Images based on a Simple Background Change Rules
    LIU Jian-zhong, LIU Xin-rong
    2014, 14 (8):  77-81.  doi: 10.3969/j.issn.1671-1122.2014.08.014
    There is still no strict mathematical definition of image noise, so general noise filtering methods are to some extent blind. This article defines the area around a point p, excluding p itself, as the background (the surrounding environment) of p, and holds that a noise point is one that is inconsistent with the change rules of its background. On this basis, the paper proposes a filtering method based on background change rules. The main idea is to use the change rules around a noise point to "rule" the noise point, bringing it into harmony with its surroundings and thereby eliminating the noise. Because the method uses the surrounding environment to correct the noise point so that it conforms to that environment, the environment itself is not damaged. The edges of the image are also part of the environment, so the method is lossless with respect to edges and preserves edge information.
    Study on Trust Evaluation Method in WSNs based on Repeated Games
    YANG Jun-wei, FANG Jie, ZHANG Shi-bin, CHEN Jian-jun
    2014, 14 (8):  82-87.  doi: 10.3969/j.issn.1671-1122.2014.08.015
    The Internet of Things (IoT), which connects people and things through complete perception, reliable transmission and intelligent processing, is the third wave of the technological revolution in the information industry after the application and popularization of computers and the Internet. In China, IoT is included in the twelfth five-year plan, and as the technology and systems mature it will completely change our lives. As one of the most iconic technologies of the IoT era, wireless sensor networks (WSNs) will be the focus of present and future application and research. However, previous WSN studies have focused on routing algorithms, key distribution and architecture, and the trust of nodes has always been overlooked. Some existing trust management models do not fully take the time effect between nodes into account, and their weights and their way of computing reputation values are unreasonable. According to the characteristics of WSNs, this paper creates a reasonable and feasible trust model based on repeated games, and establishes a punishment and reward mechanism to solve the time issue of node reputation. Finally, we confirm that the trust management model can effectively evaluate node reputation in WSNs; by suppressing selfish and malicious nodes, the reliability of WSNs is greatly improved.
    The Research of a New Distributed Website Condition Monitoring Mechanism
    XIA Ye-chao, LIANG Lin, YANG Da-lu, XIA Zheng-min
    2014, 14 (8):  88-91.  doi: 10.3969/j.issn.1671-1122.2014.08.016
    As the informatization of the physical world continues to deepen in various fields, websites have become an important carrier for providing services and exchanging information, and their monitoring status also affects security-related fields. Based on a study of the website monitoring problem, this paper proposes a structural model for a website monitoring system based on a distributed configuration of monitoring nodes. The Internet is divided into unit areas, and one or more monitoring agents are deployed according to the size and structure of each unit. Each monitoring agent is responsible for its target websites and regularly reports their operating status to the monitoring center, which provides resolutions according to the evaluation data and alarm events from the agents. The website monitoring system based on the distributed monitoring node configuration is used to monitor operating status and to ensure that each operator can access the required monitored sites.