With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality a...With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.展开更多
This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relatio...This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relation hierarchical data model. Based on the multilevel relation hierarchical data model, the concept of upper lower layer relational integrity is presented after we analyze and eliminate the covert channels caused by the database integrity. Two SQL statements are extended to process polyinstantiation in the multilevel secure environment. The system is based on the multilevel relation hierarchical data model and is capable of integratively storing and manipulating multilevel complicated objects ( e.g., multilevel spatial data) and multilevel conventional data ( e.g., integer, real number and character string).展开更多
With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issu...With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.展开更多
Emerging cloud computing has introduced new platforms for developing enterprise academic web applications, where software, platforms and infrastructures are published to the globe as services. Software developers can ...Emerging cloud computing has introduced new platforms for developing enterprise academic web applications, where software, platforms and infrastructures are published to the globe as services. Software developers can build their systems by multiple invocations of these services. This research is devoted to investigating the management and data flow control over enterprise academic web applications where web services and developed academic web application are constructing infrastructure-networking scheme at the application level. Academic web services are invoked over http port and using REST based protocol;thus traditional access control method is not enough to control the follow of data using host and port information. The new cloud based access control rules proposed here are to be designed and implemented to work at this level. The new proposed access control architecture will be a web service gateway, and it published itself as a service (SaaS). We used three case studies to test our moodle and then we apply JSON parsers to perceive web service description file (WSDL file) and supply policies according to data are to be allowed or denied based on user roll through our parsing.展开更多
To address the private data management problems and realize privacy-preserving data sharing,a blockchain-based transaction system named Ecare featuring information transparency,fairness and scalability is proposed.The...To address the private data management problems and realize privacy-preserving data sharing,a blockchain-based transaction system named Ecare featuring information transparency,fairness and scalability is proposed.The proposed system formulates multiple private data access control strategies,and realizes data trading and sharing through on-chain transactions,which makes transaction records transparent and immutable.In our system,the private data are encrypted,and the role-based account model ensures that access to the data requires owner’s authorization.Moreover,a new consensus protocol named Proof of Transactions(PoT)proposed by ourselves has been used to improve consensus efficiency.The value of Ecare is not only that it aggregates telemedicine,data transactions,and other features,but also that it translates these actions into transaction events stored in the blockchain,making them transparent and immutable to all participants.The proposed system can be extended to more general big data privacy protection and data transaction scenarios.展开更多
In order to cope with varying protection granularity levels of XML(extensible Markup Language) documents, we propose a TXAC (Two-level XML. Access Control) framework,in which an extended TRBAC ( Temporal Role-Based Ac...In order to cope with varying protection granularity levels of XML(extensible Markup Language) documents, we propose a TXAC (Two-level XML. Access Control) framework,in which an extended TRBAC ( Temporal Role-Based Access Control) approach is proposed to deal withthe dynamic XML data With different system components, LXAC algorithm evaluates access requestsefficiently by appropriate access control policy in dynamic web environment. The method is aflexible and powerful security system offering amulti-level access control solution.展开更多
Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking (ICN) is an emerging approach to satisfy this demand, w...Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking (ICN) is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography (IBC) to propose a Distributed Authentication and Authorization Scheme (DAAS), where an identity-based signature (IBS) is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribnte-based encryption (CP-ABE) is used to enable the distributed and fine-grained authorization. DAAS consists of three phases: initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the in- terest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest (NOAM) dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest (AM) distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.展开更多
利用Visual Basic.Net开发具有管理功能的B/S系统,关键是制作好各种数据库访问页。而对于Vi sual Basic.Net的三个数据绑定控件Repeater(重复)、DataList(数据列表)、Data6rid(数据表格),其中Data6rid是开发数据库访问页的最有力工具。...利用Visual Basic.Net开发具有管理功能的B/S系统,关键是制作好各种数据库访问页。而对于Vi sual Basic.Net的三个数据绑定控件Repeater(重复)、DataList(数据列表)、Data6rid(数据表格),其中Data6rid是开发数据库访问页的最有力工具。下面以Visual Basic.Net 2005为版本,论述如何在Asp.Net中巧妙使用该控件,实现各种数据库访问功能及一些特殊效果。展开更多
Data sharing is a main application of cloud computing. Some existing solutions are proposed to provide flexible access control for outsourced data in the cloud. However, few attentions have been paid to group-oriented...Data sharing is a main application of cloud computing. Some existing solutions are proposed to provide flexible access control for outsourced data in the cloud. However, few attentions have been paid to group-oriented data sharing when multiple data owners want to share their private data for cooperative purposes. In this paper, we put forward a new paradigm, referred to as secure, scalable and efficient multi-owner(SSEM) data sharing in clouds. The SSEM integrates identity-based encryption and asymmetric group key agreement to enable group-oriented access control for data owners in a many-to-many sharing pattern. Moreover, with SSEM, users can join in or leave from the group conveniently with the privacy of both group data and user data.We proposed the key-ciphertext homomorphism technique to construct an SSEM scheme with short ciphertexts. The security analysis shows that our SSEM scheme achieves data security against unauthorized accesses and collusion attacks. Both theoretical and experimental results confirm that our proposed scheme takes users little costs to share and access outsourced data in a group manner.展开更多
Today’s network industry needs highly qualified engineers to understand, configure, develop and upgrade switches that can build scalable high performance and ultra-low latency networks. This paper describes a new net...Today’s network industry needs highly qualified engineers to understand, configure, develop and upgrade switches that can build scalable high performance and ultra-low latency networks. This paper describes a new networking laboratory that has been set up to provide hands-on experience on datacenter network switches, such as ARISTA, programming and monitoring the traffic. This paper explains the networking laboratory coursework that students carry out during the course of a semester. The laboratory consists of six hands on experiments on the latest datacenter switches from Arista Networks, two programming assignments that teaches some of the protocols used at data link layer and routing protocols used at the network layer of OSI reference model. The final two laboratory experiments use the Wireshark software tool for traffic monitoring and peeking into details of some of the protocols in TCP/IP such as ARP protocol, Ethernet and so forth. The coursework details include the switch basics, switch hardware, Extensible Operating System (EOS), configuration of Link Aggregation Control Protocol, Multi-chassis Link Aggregation Protocol, Access Control Lists, and Open Short Path First version 2 on Arista switches 7050T-64 and 7048T-4S. The programming tasks cover High-level Data Link Control (HDLC) and Routing Algorithms.展开更多
文摘With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.
文摘This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relation hierarchical data model. Based on the multilevel relation hierarchical data model, the concept of upper lower layer relational integrity is presented after we analyze and eliminate the covert channels caused by the database integrity. Two SQL statements are extended to process polyinstantiation in the multilevel secure environment. The system is based on the multilevel relation hierarchical data model and is capable of integratively storing and manipulating multilevel complicated objects ( e.g., multilevel spatial data) and multilevel conventional data ( e.g., integer, real number and character string).
基金financially supported by the National Natural Science Foundation of China(No.61303216,No.61272457,No.U1401251,and No.61373172)the National High Technology Research and Development Program of China(863 Program)(No.2012AA013102)National 111 Program of China B16037 and B08038
文摘With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.
文摘Emerging cloud computing has introduced new platforms for developing enterprise academic web applications, where software, platforms and infrastructures are published to the globe as services. Software developers can build their systems by multiple invocations of these services. This research is devoted to investigating the management and data flow control over enterprise academic web applications where web services and developed academic web application are constructing infrastructure-networking scheme at the application level. Academic web services are invoked over http port and using REST based protocol;thus traditional access control method is not enough to control the follow of data using host and port information. The new cloud based access control rules proposed here are to be designed and implemented to work at this level. The new proposed access control architecture will be a web service gateway, and it published itself as a service (SaaS). We used three case studies to test our moodle and then we apply JSON parsers to perceive web service description file (WSDL file) and supply policies according to data are to be allowed or denied based on user roll through our parsing.
基金This work was supported by the National Key R&D Program of China(No.2018YFB1700100)the National Natural Science Foundation of China(No.61873317)。
文摘To address the private data management problems and realize privacy-preserving data sharing,a blockchain-based transaction system named Ecare featuring information transparency,fairness and scalability is proposed.The proposed system formulates multiple private data access control strategies,and realizes data trading and sharing through on-chain transactions,which makes transaction records transparent and immutable.In our system,the private data are encrypted,and the role-based account model ensures that access to the data requires owner’s authorization.Moreover,a new consensus protocol named Proof of Transactions(PoT)proposed by ourselves has been used to improve consensus efficiency.The value of Ecare is not only that it aggregates telemedicine,data transactions,and other features,but also that it translates these actions into transaction events stored in the blockchain,making them transparent and immutable to all participants.The proposed system can be extended to more general big data privacy protection and data transaction scenarios.
文摘In order to cope with varying protection granularity levels of XML(extensible Markup Language) documents, we propose a TXAC (Two-level XML. Access Control) framework,in which an extended TRBAC ( Temporal Role-Based Access Control) approach is proposed to deal withthe dynamic XML data With different system components, LXAC algorithm evaluates access requestsefficiently by appropriate access control policy in dynamic web environment. The method is aflexible and powerful security system offering amulti-level access control solution.
文摘Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking (ICN) is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography (IBC) to propose a Distributed Authentication and Authorization Scheme (DAAS), where an identity-based signature (IBS) is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribnte-based encryption (CP-ABE) is used to enable the distributed and fine-grained authorization. DAAS consists of three phases: initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the in- terest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest (NOAM) dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest (AM) distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.
基金supported in part by National High-Tech Research and Development Program of China(“863”Program)under Grant No.2015AA016004National Natural Science Foundation of China under Grants No.61173154,61272451,61572380
文摘Data sharing is a main application of cloud computing. Some existing solutions are proposed to provide flexible access control for outsourced data in the cloud. However, few attentions have been paid to group-oriented data sharing when multiple data owners want to share their private data for cooperative purposes. In this paper, we put forward a new paradigm, referred to as secure, scalable and efficient multi-owner(SSEM) data sharing in clouds. The SSEM integrates identity-based encryption and asymmetric group key agreement to enable group-oriented access control for data owners in a many-to-many sharing pattern. Moreover, with SSEM, users can join in or leave from the group conveniently with the privacy of both group data and user data.We proposed the key-ciphertext homomorphism technique to construct an SSEM scheme with short ciphertexts. The security analysis shows that our SSEM scheme achieves data security against unauthorized accesses and collusion attacks. Both theoretical and experimental results confirm that our proposed scheme takes users little costs to share and access outsourced data in a group manner.
文摘Today’s network industry needs highly qualified engineers to understand, configure, develop and upgrade switches that can build scalable high performance and ultra-low latency networks. This paper describes a new networking laboratory that has been set up to provide hands-on experience on datacenter network switches, such as ARISTA, programming and monitoring the traffic. This paper explains the networking laboratory coursework that students carry out during the course of a semester. The laboratory consists of six hands on experiments on the latest datacenter switches from Arista Networks, two programming assignments that teaches some of the protocols used at data link layer and routing protocols used at the network layer of OSI reference model. The final two laboratory experiments use the Wireshark software tool for traffic monitoring and peeking into details of some of the protocols in TCP/IP such as ARP protocol, Ethernet and so forth. The coursework details include the switch basics, switch hardware, Extensible Operating System (EOS), configuration of Link Aggregation Control Protocol, Multi-chassis Link Aggregation Protocol, Access Control Lists, and Open Short Path First version 2 on Arista switches 7050T-64 and 7048T-4S. The programming tasks cover High-level Data Link Control (HDLC) and Routing Algorithms.
