YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lianhai Liu,Yujue Wang,Jingwei Zhang,Qing Yang

DOI: https://doi.org/10.3390/s19030482

IF: 3.9

2019-01-01

Sensors

Abstract:A vehicular ad hoc network (VANET) is a special mobile ad hoc network that provides vehicle collaborative security applications using intervehicle communication technology. The method enables vehicles to exchange information (e.g., emergency brake). In VANET, there are many vehicle platoon driving scenes, where vehicles with identical attributes (location, organization, etc.) are organized as a group. However, this organization causes the issue of security threats (message confidentiality, identity privacy, etc.) because of an unsafe wireless communication channel. To protect the security and privacy of group communication, it is necessary to design an effective group key agreement scheme. By negotiating a dynamic session secret key using a fixed roadside unit (RSU), which has stronger computational ability than the on-board unit (OBU) equipped on the vehicle, the designed scheme can help to provide more stable communication performance and speed up the encryption and decryption processes. To effectively implement the anonymous authentication mechanism and authentication efficiency, we use a batch authentication scheme and a shared secret key mechanism among the vehicles, RSUs and trusted authority (TA). We design an efficient group secret key agreement scheme, which satisfies the above communication and security requirements, protects the privacy of vehicles, and traces the real identity of the vehicle at a time when it is necessary. Computational analysis shows that the proposed scheme is secure and more efficient than existing schemes.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Jianxin Li,Jinpeng Huai,Chunming Hu

DOI: https://doi.org/10.1109/srds.2007.12

2007-01-01

Abstract:The increasing complexity and dynamics of grid environments have posed great challenges for secure and privacy-preserving collaboration in a virtual organization. In this paper, we propose PEACE-VO, a secure policy-enabled collaboration framework for virtual organizations. PEACE-VO employs role mapping to define trust relationships across autonomous domains. Nevertheless, a critical issue emerges when the system applies role mapping, which is potential policy conflict in a local domain. We first develop two concepts to depict such possible conflicts within the collaboration policy. Next, we propose a fully distributed evaluation algorithm to detect potential policy conflicts, which does not require domains to disclose their full local security policies and therefore preserves critical domain privacy. Finally, we design two dedicated protocols for virtual organization management and authorization services, respectively. We have successfully implemented the PEACE-VO framework with two fundamental protocols, i.e., VO management protocol and service authorization protocol, in the CROWN Grid. Comprehensive experimental study shows our approach is scalable and efficient.

ZHAO Hui,LI Ming-chu,WANG Zhi-hui

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.033

2007-01-01

Computer Engineering and Applications Journal

Abstract:VO(Virtual Organization) is the basic management unit of grid computing,and coordinative computing group is the base of VO.The analysis and verification of security protocols in grid computing are very complex due to the complexity of grid computing.In this paper,The notion of grid computing channel is introduced and a formal verification method of grid security protocols based on the traditional Strand Space theory is defined to provide analysis and verification for security protocols of multi-user coordinative computing in grid environment.

Xb Zhao,Ky Lam,Sl Chung,M Gu,Jg Sun

DOI: https://doi.org/10.1007/978-3-540-27800-9_36

2004-01-01

Abstract:With the rapid development of the global information infrastructure, the use of virtual organization (VO) is gaining increasing importance as a model for building large-scale business information systems. The notion of VO is significant in that it could serve as a basic framework for implementing geographically distributed, cross-organizational application systems in a highly flexible manner. VO is generally composed of participants from different organizations driven by specific tasks. In order to control both participation and access to shared resources, authorization is essential in VO. However, authorization in VO is challenging because of the dynamic and distributed nature of VO, thus requiring mechanisms that axe efficient, scalable and being able to handle complex access control policies. This paper analyzes the requirement of authorization services for VO and proposes the use of threshold scheme as a basic mechanism for implementing authorization services in large scale distributed computing systems. While pointing out the desirable features of threshold schemes for complex authorization policies, the paper also discusses the practical limitations of threshold schemes in such an environment. The main contribution of this paper is that it suggests a practical approach for deploying threshold closure, an optimal form of threshold schemes, for implementing authorization of VO. In essence, we suggest segregating the policy and mechanism aspects of threshold closure so that complex policies may be specified using threshold closure which are implemented conveniently using existing authentication-based enforcement mechanisms available in traditional security infrastructure.

Jianxin Li,Jinpeng Huai,Chunming Hu,Yanmin Zhu

DOI: https://doi.org/10.1016/j.ins.2010.05.014

IF: 8.1

2010-01-01

Information Sciences

Abstract:Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.

ZHAO Xi-Bin,GUO Zhi,YONG Jian-Ping,GU Ming

2005-01-01

Computer Science

Abstract:It is a challenging work to implement authorization service for Virtual Organization in Grid Computing Sys- tem because of the dynamic and distributed nature of Virtual Organication. After analyzing the requirement of autho- rization service and the existing mechanisms for implementing authorization services in Grid Computing Systems, the paper proposes an efficient multi-level architecture named MLA for implementing authorization in Grid Computing Systems. With the use of threshold closure mechanism, the proposed architecture has the scalability and the strong power to express authorization policy, hence can provide flexible and efficient approach to implement authorization service in GCS.

SHI Hua-ji,YUE Yi,ZHAO Xi-bin,ZHAO Zhi-feng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.17.014

2007-01-01

Abstract:This paper analyzes desires of dynamic group key managerment oriented to vitual organization in grid computing system,investigates the four layers architecture of the VO based on selective environment by members in VO and the policy of member admission,and gives a layered distributed key protocol which appropriate to the VO of four layers architecture,the protocol can avoid the abuse of the centralized distribution and the single-point failure exists in the management pattern,also possesses the benefit of layered architecture.

Huaji Shi,Xibin Zhao

DOI: https://doi.org/10.1109/SOSE.2006.17

2006-01-01

Abstract:This paper analyzes the requirement of authorization service for grid computing systems and proposes the use of threshold closure as a basic mechanism for implementing authorization service in grid computing systems. While pointing out the desirable features of threshold closure for complex authorization policies, the paper also discusses the practical limitations of threshold closure in such an environment, and then puts forward a new authorization service for virtual organization. In addition, an access control protocol which is based on PKI is designed in the paper. By segregating the policy and mechanism aspects of threshold closure, the new service can use existing security infrastructure in grid computing system while keep the ability to express complex authorization policy effectively

Yan Dong,Qi Guoning

DOI: https://doi.org/10.3321/j.issn:1004-132X.2005.09.009

2005-01-01

Abstract:Based on Web Services and grid technology, a structure of virtual organization (VO) in favor of co-operative services was studied, and an entity model of members of Grid-based VO and a really dynamic model of VO applicable to Grid Technology-an abstract model of VO holding with wide world/region scheduling service center was constructed. According to this model, a practical network model of VO structure based on Open Grid Service Architecture (OGSA) was constructed finally, a key technology of VO co-operative service was brought forward and solved, and rules of task scheduling satisfied with both network services required and the least service cost was brought forward.

Wz Qiang,H Jin,Xh Shi,Dq Zou

DOI: https://doi.org/10.1007/978-3-540-30208-7_43

2004-01-01

Abstract:As an important aspect of grid security, access control model gets more and more attention. Entities in virtual organizations (VOs) must establish a dynamic, secure and cooperative trust mechanism. This paper analyses the cross-organization, dynamic, cooperative and multilevel characteristics of access control problem in grid, and proposes a novel VO-based access control framework. The multilevel access control model is introduced for multilevel requirements and delegation concept is also introduced for permission delegation across organizations.

Deqing Zou,Laurence T. Yang,Wezhong Qiang,Xueguang Chen,Zongfen Han

DOI: https://doi.org/10.1109/aina.2007.33

2007-01-01

Abstract:Collaboration is used for information sharing and activity coordinating, and it exists broadly in many fields. Group communication enables efficient communication between a set of processes logically organized into groups and communicating via multicast in an asynchronous environment. One of the key technologies for collaborative applications is secure group communication. Current research on secure group communication scarcely considers the existing security mechanism in local systems. As a result, group communication systems couldn't provide general support for collaborative applications running on a specific system. Based on the existing grid security technologies, we propose an authentication and access control framework at Virtual Organization (VO) level for group communication in grid environment. By introducing Role-Based Access Control (RBAC) and attribute-based approach, we define group management policies and design group control protocols. The protocols are analyzed from three aspects: compatibility, performance, and security. Finally, we implement a prototype based on GridShib.

Bei Shui Liao,Ji Gao,Jun Hu,Jiu Jun Chen

DOI: https://doi.org/10.1109/ICSMC.2004.1401073

2004-01-01

Abstract:The emergence and the development of OGSA-compliant Grid provide powerful means for the integration and interaction of applications (Grid services) within a virtual organization (VO). However, it is still a challenge to control the composition, transaction, and coordination, of Grid services, according to the dynamic business requirements of a VO. Based on the policy-based management and autonomous intelligent agents, this paper proposes a framework for OGSA-compliant Grid control. In this system, individual agent (Task Agent) is in charge of composing Grid services and taking part in the social interactions within a VO. Several Task Agents and a management agent (AM) form a VO. The business requirements or user's preferences are represented as policies, which are used to control the behaviors of agents.

WZ Qiang,H Jin,XH Shi,DQ Zou

DOI: https://doi.org/10.1109/cit.2005.134

2005-01-01

Abstract:In this paper we define a decentralized management mechanism for the dynamic coalition characteristic of virtual organization. We propose an identity-based threshold signature scheme for joint management. We also propose the policy mode for joint management, which uses role-based access control mechanism for authorization policies definition, and voting mechanism for authorization decision-making. Our solution can satisfy the dynamic coalition requirement of virtual organization, and also guarantee the autonomous characteristic of participant organizations and grid entities. Privacy preservation is also provided for grid entities to interact with authorized entities. Authorization revocation mechanism is taken into consideration in this paper. The experimental performance also shows the scalability of the solution.

邵学军,施化吉,赵曦滨

DOI: https://doi.org/10.3321/j.issn:1001-506x.2009.01.049

2009-01-01

Abstract:This article analyzes authorized demand for management of virtual organization in the grid computing system and consequently proposes using threshold closure as authorized service mechanism for virtual organizations in the grid computing system.The study not only analyzes the applicability of the threshold closure but presents the limitations of the specific implementation and based on which,a new authorization service system is put forward and the access control protocol based on the public key infrastructure as well as the corresponding authorization service architecture combined with the existing security infrastructure in grid computing system are designed.The architecture guarantees the processing efficiency and capacity of the complex authorized strategy,and meanwhile it makes full use of the existing grid security infrastructure through the separation strategy of the threshold closure and implementation mechanism.

Rong-bin WANG,Shu-yu CHEN,Wei-ping WANG,Ling YU

DOI: https://doi.org/10.13196/j.cims.2009.05.193.wangrb.021

2009-01-01

Abstract:To realize dynamic generation of the access control policies and improve the dynamic adaptability of authorization verification for requester in grid, the automatic composition scheme for access control policy set in grid was put forward. According to the services composition constraints, the composition relationships of policy set for autonomous domains of Virtual Organization (VO) was constructed. The theory of algebra set was used to implement composition and computing for the policy set. And the automatic composition for policy set was realized by means of automatic composition engine and automatic trigger rules, and the access control polices set in VO was therefore generated. As there might be conflicts and redundancy policy subset in composed polices set, a method to resolve conflicts and automatic permission combination was proposed. The automatic composition algorithm was also presented. By analysis and implementation of the scheme, it was demonstrated that the scheme was with higher flexibility and dynamic adaptability.

Yongrui Cui,Mingchu Li,Yizhi Ren,Kouichi Sakurai

DOI: https://doi.org/10.1587/transfun.e92.a.1339

2009-01-01

Abstract:A novel adaptive reputation-based virtual organization formation is proposed. It restrains the bad performers effectively based on the consideration of the global experience of the evaluator and evaluates the direct trust relation between two grid nodes accurately by consulting the previous trust value rationally. It also consults and improves the reputation evaluation process in PathTrust model by taking account of the inter-organizational trust relationship and combines it with direct and recommended trust in a weighted way, which makes the algorithm more robust against collusion attacks. Additionally, the proposed algorithm considers the perspective of the VO creator and takes required VO services as one of the most important fine-grained evaluation criterion, which makes the algorithm more suitable for constructing VOs in grid environments that include autonomous organizations. Simulation results show that our algorithm restrains the. bad performers and resists against fake transaction attacks and badmouth attacks effectively. It provides a clear advantage in the design of a VO infrastructure.

Jianxin Li,Bo Li,Zongxia Du,Linlin Meng

DOI: https://doi.org/10.1109/SNPD.2010.35

2010-01-01

Abstract:Cloud computing has become a popular computing paradigm in which virtualized and scalable resources are consolidated to provide services over Internet. However, the resource capability of a single cloud is generally limited, and some applications often require various cloud centers over Internet to deliver services together. Therefore, a Virtual Organization (VO) will be a promising approach to integrate services and users across multiple autonomous clouds. However, how to build a secure virtual organization to achieve the collaboration goals is a critical problem, and some issues such as membership agreement, policy conflict and trust management should be adequately addressed. In this paper, we present a framework CloudVO which based on security policies and trust management techniques to provide some flexible and dynamic VO management protocols for clouds. Therefore, CloudVO can achieve inter-cloud collaboration without destroying a cloud's local policies. Based on previous VO security management experiences, we have conducted some preliminary simulations to verify the effectiveness our approaches for cloud computing environments.

Ge Cheng,Hai Jin,Deqing Zou,Xinwen Zhang,Min Li,Chen Yu,Guofu Xiang

DOI: https://doi.org/10.1109/grid.2009.5353079

2009-01-01

Abstract:In grid and cloud computing infrastructures, the integrity of a computing platform is a critical security requirement in order to provide secure and honest computing environments to service providers and resource consumers. However, due to the fact that software components running on a single platform are usually provided and maintained by different authorities which are potentially untrusted to each other, the problem to monitor and protect runtime system integrity become very challenging and has not been well addressed yet. In this paper, we present a virtualization based dynamic integrity protection method which ensures that only appropriate authorities can control over their components without interfering with other component providers or authorities. In our solution, integrity requirements defined by the authorities of upper components (e.g., service middleware and applications) are respected by preventing the underlying components (e.g., operating system) from exposing their sensitive data, which can be caused by update of the underlying components or other malicious actions. We implement our solution on Xen-based platform, and our evaluation results show that the solution is effective for integrity protection with acceptable performance overhead.