Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

Lianhai Liu,Yujue Wang,Jingwei Zhang,Qing Yang

DOI: https://doi.org/10.1049/joe.2018.5311

2019-01-01

Journal of Engineering

Abstract:The messages in vehicular ad hoc networks (VANET) are vulnerable to attack in the open wireless environment. Group communication in VANET is receiving more attention, which confronts many security issues. First, only users who have passed legal authentication can communicate in the group. The ring signature is an effective solution. In addition, the group membership in the vehicular self-organising network changes rapidly, which leads to dynamic adjustment of group members. It is necessary to consider the computing power and communication capability of each node in the group members. To speed up the authentication process, a roadside unit with more computing power and communication capability than vehicles is selected as the signature agent, which effectively reduces the computational load of vehicles and accelerates the communication throughput. Meanwhile, the computational task and communication overhead have not been well-solved. To address these issues, this paper proposed an efficient proxy ring signature scheme for VANET to achieve higher signature efficiency and lower transmission overhead. The scheme allows both privacy protection and original signer tracing. Security analysis shows that the proposed scheme meets the security requirements of VANET.

Lianhai Liu,Yujue Wang,Jingwei Zhang,Qing Yang

DOI: https://doi.org/10.3390/s19030482

IF: 3.9

2019-01-01

Sensors

Abstract:A vehicular ad hoc network (VANET) is a special mobile ad hoc network that provides vehicle collaborative security applications using intervehicle communication technology. The method enables vehicles to exchange information (e.g., emergency brake). In VANET, there are many vehicle platoon driving scenes, where vehicles with identical attributes (location, organization, etc.) are organized as a group. However, this organization causes the issue of security threats (message confidentiality, identity privacy, etc.) because of an unsafe wireless communication channel. To protect the security and privacy of group communication, it is necessary to design an effective group key agreement scheme. By negotiating a dynamic session secret key using a fixed roadside unit (RSU), which has stronger computational ability than the on-board unit (OBU) equipped on the vehicle, the designed scheme can help to provide more stable communication performance and speed up the encryption and decryption processes. To effectively implement the anonymous authentication mechanism and authentication efficiency, we use a batch authentication scheme and a shared secret key mechanism among the vehicles, RSUs and trusted authority (TA). We design an efficient group secret key agreement scheme, which satisfies the above communication and security requirements, protects the privacy of vehicles, and traces the real identity of the vehicle at a time when it is necessary. Computational analysis shows that the proposed scheme is secure and more efficient than existing schemes.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Xiao Qing-hua,Ping Ling-di,Chen Xiao-ping,Pan Xue-zeng

DOI: https://doi.org/10.1631/bf02842478

2004-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Secret sharing and digital signature is an important research area in information security and has wide applications in such fields as safeguarding and legal use of confidential information, secure, multiparty computation and electronic commerce. But up to now, study of signature based on general vector space secret sharing is very weak. Aiming at this drawback, the authors did some research on vector space secret sharing against cheaters, and proposed an efficient but secure vector space secret sharing based multi-signature scheme, which is implemented in two channels. In this scheme, the group signature can be easily produced if an authorized subset of participants pool their secret shadows and it is impossible for them to generate a group signature if an unauthorized subset of participants pool their secret shadows. The validity of the group signature can be verified by means of verification equations. A group signature of authorized subset of participants cannot be impersonated by any other set of participants. Moreover, the suspected forgery can be traced, and the malicious participants can be detected in the scheme. None of several possible attacks can successfully break this scheme.

L Chen,XL Xu,GC Chen,C Chen

DOI: https://doi.org/10.1109/icct.2003.1209833

2003-01-01

Abstract:In collaborative virtual environment (CVE) systems, participants can freely join and share a virtual environment and do some collaborative works synchronously. And network communication architecture is very important for CVE systems to realize scalability, minimized delay and reliability. In this paper, the communication of CVE systems is categorized in three types: state update, command and event. Furthermore, this paper introduces the collaboration requests and interactive stream in CVE systems. Based on these introductions, a communication architecture for collaborative virtual environment systems is described. This architecture uses updatable queue abstraction in application layer to do message obsolescence and uses interactive stream transport protocol in transport layer to achieve efficient transmission of messages among a large number of participants.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

Xiaowei Li,Hongxiang Sun,Qiaoyan Wen

DOI: https://doi.org/10.1109/ccis.2012.6664413

2012-01-01

Abstract:Numerous virtual machines have been designed to make full use of the adequate resources and facilitate people's lives. In turn, it results in the necessity of communication between the virtual machines. As we know, the data of communication between the virtual machines which located on the different hosts, could potentially be altered or intercepted during transport. To solve the problem, we design and operation of the transparent encryption-decryption communication mechanism (TEDCM) in the privilege virtual machine, the result suggests that the TEDCM in our paper is a good choice to solve the problem of information leakage.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

赵阳,刘明芳,林曦君

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.03.004

IF: 5.105

2013-01-01

Computers & Security

Abstract:With the development of cloud computing, virtualization technology, interaction in virtual machines on the same physical host also encounters hitherto unknown security problem. This paper is based on trusted computing, using shared memory mechanism based on KVM, applies dedicated security trusted pipeline, and uses trusted measurement to verify the authenticity and reliability of two virtual machines. By encrypting memory pseudo address, it isolates other virtual machine except the interaction of the two sides, and guarantees the information trusted and security during the communication process. At last, we analyze and summarize the method.

Qiwei Lu,Wenchao Huang,Xudong Gong,Xingfu Wang,Yan Xiong,Fuyou Miao

DOI: https://doi.org/10.48550/arXiv.1307.2977

2013-07-11

Abstract:With the rapid development of MANET, secure and practical authentication is becoming increasingly important. The existing works perform the research from two aspects, i.e., (a)secure key division and distributed storage, (b)secure distributed authentication. But there still exist several unsolved problems. Specifically, it may suffer from cheating problems and fault authentication attack, which can result in authentication failure and DoS attack towards authentication service. Besides, most existing schemes are not with satisfactory efficiency due to exponential arithmetic based on Shamir's scheme. In this paper, we explore the property of verifiable secret sharing(VSS) schemes with Chinese Remainder Theorem (CRT), then propose a secret key distributed storage scheme based on CRT-VSS and trusted computing for MANET. Specifically, we utilize trusted computing technology to solve two existing cheating problems in secret sharing area before. After that, we do the analysis of homomorphism property with CRT-VSS and design the corresponding shares-product sharing scheme with better concision. On such basis, a secure distributed Elliptic Curve-Digital Signature Standard signature (ECC-DSS) authentication scheme based on CRT-VSS scheme and trusted computing is proposed. Furthermore, as an important property of authentication scheme, we discuss the refreshing property of CRT-VSS and do thorough comparisons with Shamir's scheme. Finally, we provide formal guarantees towards our schemes proposed in this paper.

Cryptography and Security

Yibo Cao,Shiyuan Xu,Xue Chen,Yunhua He,Shuo Jiang

DOI: https://doi.org/10.1016/j.comnet.2022.109149

IF: 5.493

2022-09-04

Computer Networks

Abstract:Message authentication has been a research hotspot in current vehicular ad hoc networks (VANETs). Many researchers adopt group signatures based on number-theoretic assumptions to authenticate the vehicular users’ identities. Nevertheless, the classical group signature is vulnerable to quantum computing attacks and without considering the negative consequences of secret key disclosure. In this paper, to address these problems, we propose a novel group signature protocol for authentication in VANETs, which is based on lattice cryptography to achieve quantum-resistance and Bonsai-tree signature architecture to achieve forward security. Our scheme is proven secure in terms of traceability, anonymity, and forward-security under the Short Integer Solution (SIS) and Learning With Errors (LWE) hardness. Through comprehensive performance evaluation, we demonstrate that the storage overhead of our scheme is relatively diminutive and the computation cost of the sign and verify algorithms are efficient and practical compared with other existing schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Chengzhe Lai,Dong Zheng,Qinglan Zhao,Xiaohong Jiang

DOI: https://doi.org/10.1016/j.vehcom.2018.01.004

IF: 6.7

2018-01-01

Vehicular Communications

Abstract:Recently, the envisioned integration between vehicular ad-hoc network (VANET) and cellular network can accommodate rich applications since integrated VANET-Cellular network enables mobile operators to provide vehicle users with seamless data access to the operators' services. In integrated VANET-Cellular networks, the clustering algorithms associating vehicles into groups can provide high performance data transmission service and have been widely studied. However, in most of the existing literature, the security issues in such a scenario cannot be taken into full consideration, which may decrease the reliability of the system, mainly including: 1) How to efficiently and securely set up and maintain a group; and 2) How to perform the secure group access management. For this end, we propose a secure group management framework in integrated VANET-Cellular networks, which consists of two schemes, i.e., SEGM-I and SEGM-II. SEGM-I is proposed for the fixed trusted member scenario, and SEGM-II is designed for a general case, i.e., dynamic untrusted member scenario. The SEGM can be divided into two phases: group setup and maintenance phase, and group access authentication phase. During group setup and maintenance phase, SEGM-II can dynamically maintain the group by using contributory group key agreement, supporting group joining, group leaving, group merging, and group partition. During group access authentication phase, we propose a lightweight group access authentication protocol based on message authentication code (MAC) aggregation technique with DoS attacks resistance. The proposed SEGM is communication-efficient and secure against hostile eavesdroppers as well as various other attacks specific to group settings. Finally, performance evaluations demonstrate its efficiency in terms of group management and access authentication overhead.

Xiaolin Wang,Yan Sang,Yi Liu,Yingwei Luo

DOI: https://doi.org/10.1007/978-94-007-2105-0_31

2011-01-01

Abstract:With the development of virtualization technology, some security problems have appeared. Researchers begin to suspect the security of virtualized environment and consider how to evaluate the security degree of virtualized environment. But there are not uniform virtualized environment security evaluation criteria at present. In this paper, we analyze the security problem in virtualized environment and present our virtualized environment security evaluation criteria. We take a further research on support technology and authentication method. First, we introduce the background of the problem. Next, we summarize the related work. After that we present our virtualized environment security evaluation criteria and introduce our work on support technology and authentication method. For support technology, we propose some safety guarantee technology for each security level. For authentication method, we give some ideas for the evaluation of each security level.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Jingkai Mao,Haoran Zhu,Junchao Fan,Lin Li,Xiaolin Chang

2024-05-02

Abstract:The Virtual Machine (VM)-based Trusted-Execution-Environment (TEE) technology, like AMD Secure-Encrypted-Virtualization (SEV), enables the establishment of Confidential VMs (CVMs) to protect data privacy. But CVM lacks ways to provide the trust proof of its running state, degrading the user confidence of using CVM. The technology of virtual Trusted Platform Module (vTPM) can be used to generate trust proof for CVM. However, the existing vTPM-based approaches have the weaknesses like lack of a well-defined root-of-trust, lack of vTPM protection, and lack of vTPM's trust proof. These weaknesses prevent the generation of the trust proof of the CVM. This paper proposes an approach to generate the trust proof for AMD SEV-based CVM so as to ensure its security by using a secure vTPM to construct Trusted Complete Chain for the CVM (T3CVM). T3CVM consists of three components: 1) TR-Manager, as the well-defined root-of-trust, helps to build complete trust chains for CVMs; 2) CN-TPMCVM, a special CVM provides secure vTPMs; 3) CN-CDriver, an enhanced TPM driver. Our approach overcomes the weaknesses of existing approaches and enables trusted computing-based applications to run seamlessly in the trusted CVM. We perform a formal security analysis of T3CVM, and implement a prototype system to evaluate its performance.

Cryptography and Security,Software Engineering

沈晴霓,杜虹,卿斯汉

2010-01-01

Abstract:In view of some new security issues in the computing platform with virtualization technology, this paper proposes the application of the security-oriented virtualized trusted platform (VTP) architecture, whose trusted computing base (TCB) is hierarchal and self-contained with three layer-by-layer facilities from the trust root-hardware TPM/TCM, trusted virtual machine monitor (TVMM) to security manager(SM). Based on open-source project-XEN, it gives a sample design of the virtualized trusted platform for the virtual machine and its application's security with such mechanisms as remote attestation, information flow control, secure migration and privacy protection. Scenario analysis shows that the sample VTP can support different security goals of its applications flexibly.

Haoxiang Huang,Jianbiao Zhang,Lei Zhang,Jun Hu,YiHao Cao

DOI: https://doi.org/10.1016/j.cose.2023.103648

IF: 5.105

2023-12-11

Computers & Security

Abstract:In the cloud environment, the virtual computing node has become the dominant form of cloud services used by users. Hence, it is increasingly critical to guarantee the trusted operation of the virtual computing node's operating system (VCNOS). However, previous schemes suffer a lot, such as insufficient consideration of the comprehensive of the measured objects, ignoring the dynamic of trusted, and the trusted measurement mechanisms rarely consider their security. Thus, a three-dimensional dynamic trusted measurement model SABDTM, which integrates the integrity measurement of kernel static data, trusted evaluation of operating system behavior (OSB), and the feedback trust of interacting nodes, is proposed. First, SABDTM divided OSB into multiple atomic behaviors and introduced the Bayesian decision theory to predict trusted expectations of OSBs. Second, the feedback trust of interacting nodes is considered to improve the comprehensiveness of the trusted measurement and evaluate its value based on the Euclidean distance function to reduce the impact of inaccurate feedback from malicious nodes. Subsequently, we set the appropriate weight for trusted measurement values of different moments based on Induced Ordered Weighted Averaging to accurately portray the actual state of VCNOS. Moreover, we designed a lightweight and independent subsystem to perform the trusted measurement, which guarantees the security of the measurement service. The security of our model is proved rigorously based on the non-interference theory. Finally, the experiments and comparative analysis demonstrated our model has better functionality and superiority.

computer science, information systems