重要信息系统安全体系结构及实用模型研究
|
摘要
重要信息系统是指国家信息系统安全等级保护体系中三级以上的系统,当其安全性受到破坏后,将严重影响社会秩序、公众利益甚至国家的安全和稳定,因此它是国家信息安全保障体系中的重点保护对象。国内信息安全专家沈昌祥院士提出以终端安全为核心来解决重要信息系统安全的思路。TCG提出的“可信计算”概念也不谋而合,同样主张从终端安全入手,通过提高终端平台的安全性,来确保信息系统的安全。
然而,纵观信息系统安全,尤其是重要信息系统安全的发展历程,目前依然存在如下几个较为突出的安全问题:1)缺乏适合于重要信息系统的安全体系结构。众所周知,信息系统的安全防护强度取决于“马奇诺防线”中最为薄弱的环节,如果没有合理的安全体系结构作为指导,信息系统中各安全部件就难以相互协调、有序工作,就很容易出现“安全短板”现象,从而导致信息系统安全防护不堪一击,所有的努力功亏一篑。2)可信计算和安全机制相脱节。重要信息系统的复杂性和异构性,增加了可信计算实施的难度,导致可信计算难以为上层安全机制提供良好的保障服务。同时,当前的大部分安全操作系统仍然沿用可信计算问世之前的系统安全机制,没有充分利用可信计算提供的可信功能来增强自身的安全性,使得可信计算形同虚设,没有起到应有的作用。3)系统的安全性和易用性不够。安全性和易用性在某种程度上是一对矛盾,为了提高系统的安全性,有时需要降低系统的易用性。如为了减小系统机密性安全被破坏的风险,当前大部分重要信息系统都禁止用户使用移动存储设备,禁止终端接入公共网络,从而导致系统的易用性遭到严重影响。于是在不降低系统易用性的前提下,提高系统的安全性是极其必要的。
本文紧紧围绕当前重要信息系统存在的上述安全问题,以“三纵三横两中心”保障体系为基础,从信息系统应用环境安全的角度出发,系统全面地研究了重要信息系统的安全体系结构和实用模型,取得了如下几方面的成果:
第一,提出了由可信应用环境、可信边界控制、可信网络传输组成的重要信息系统安全体系结构。并在此基础上对可信应用环境的安全体系结构进行了细化,充分体现了可信计算和安全有机融合的思想,即可信计算是安全的基础保障,安全机制协助可信计算为上层提供更良好的服务。
第二,提出了面向可信应用环境的隔离模型,为屏蔽和消除任务之间的有害干扰,维持任务行为的动态可信提供了理论指导。模型根据信息系统中应用的行为特征,通过对信息系统中的资源进行划分,建立起了应用与其运行过程中有密切关系的资源之间的对应关系。模型假设可信的任务不会发出干扰其它任务正常运行的信息流,在此基础上,不仅限制任务只能以主动读取其他应用对应资源的方式和外界进行通信,而且规定信息流的源头任务必须是可信的,从而消除了任务之间的有害干扰。显然,模型将识别任务之间的有害干扰转化为度量源头任务的可信性,实用性更高。
第三,给出了一个基于可信应用环境的系统安全模型,该模型采用“三实体”模式,通过定义用户能够启动的应用来限制用户的权限,通过限制应用启动后能够访问的资源来限制任务的权限。模型利用信任链传递机制的保障作用,将系统TCB扩展到应用服务平台层,确保访问控制机制能够充分利用任务运行时的语境,对信息流进行安全检查,以求做出更准确的访问控制决策。除此之外,模型还定义任务的完整性级别和用户可信度、应用可信度以及任务运行时的可信状态相关,从而改变了传统BLP和BIBA模型中实体机密性级别和完整性级别相等的局面,有利于信息的双向流动。
最后,提出了一个适用于重要信息系统的密钥管理方案。该方案具有安全性强、容易使用、易于更新等特点。方案充分利用了基于身份密码体制的优势,将身份认证和存储保护有效衔接起来,从而可以弥补身份认证模块存在的安全漏洞。同时方案借鉴了数字信封的思想,将存储保护的真正密钥用合法用户的公钥信息封装起来,只有合法用户通过自己的私钥才能计算而得,这一思想使得方案中的存储保护密钥不直接暴露给用户,从而降低了该密钥被泄露给非授权用户的风险。另外,方案充分利用了可信计算提供的保密存储功能,将存储保护密钥的封装信息存储在TPM中,使得只有出示了合法的授权数据后才能得到该信息,从而增强了方案的安全性。
A system is defined as an important information system when its security grade is above the third grade in the national classified information system protection in China. Any security destroying has an impact on social order, public benefit, even the national security and stability. Thus, the important information system must be protected in a high level. In China, Professor Shen Changxiang, a famous information security expert who is the academic member of Chinese Academy of Engineering, proposed the idea of using the platform security as the key to solve the security problem in important information system. This idea is consistent with "trusted computing", which was put forward by TCG. Trusted computing assures the information system security by improving platform security.
However, the information system security evolution shows that there still exists some important security problems: 1) lacking a security architecture that is fit for important information system. It is known that the security defense intensity of the information system depends on the weakest part of Maginot line. If there is no appropriate security architecture as a guide, it is difficult for the various security components in the information system to coordinate with each other and to work in order. Then, it often appears the "safety shortcomings" phenomenon, resulting in the vulnerability in the security and all the protection efforts in the information system are in vain. 2) Trusted computing and security mechanisms come apart. The complexity of important information system increases the difficulty in implementing trusted computing. As a result, it is difficult to provide a good assurance service for upper applications. At the same time, most of the current secure operating systems are still using the traditional security architecture before trusted computing. Thus, the current OSes do not take full advantage of the credible function provided by trusted computing to enhance their own safety, making the trusted computing exist in name only. 3) Security and usability are insufficient. To some extent, security and usability are contradictory, and sometimes it's necessary to reduce the usability to enhance the security. For example, in order to reduce the risk of destroying system confidentiality, most of the current important information systems prohibit using mobile storage devices and prohibit terminals from accessing the public network, which reducing the seriously. Therefore it's extremely necessary to enhance the system's security without reducing its usability.
With the guideline of "three vertical and three horizontal safeguard system" architecture, from the information system application environment security angle, this dissertation tightly focuses on the problems mentioned above and studies the security architecture and practical models of important information system systematically and comprehensively, and made the following contributions:
Firstly, a security architecture for important information system is proposed, which is composed of trusted application environment, trusted boundary control and trusted network transmission. On this architecture, the trusted application environment architecture is refined, fully reflecting the idea of organic integration for trusted computing and security, namely the trusted computing is the basic assurance for security, and security mechanism is helpful for trusted computing in providing better service for upper application.
Secondly, an isolation model based on trusted application environment is proposed, which provides a theoretical guidance for shielding and eliminating the harmful interference among tasks, and therefore maintaining the task behavior's dynamic trust ability. According to the behavior characters of applications in information system, this model sets up a correlation between the application and resource, which are strongly related to each other, through the partition of resources in information system. Also, the model assumes that it is impossible for a trusted task to send out information flows to interfere with other task's normal operation. Thus, in the model the task can only communicate with the environment by reading the other application's correlative resource and the first task in the information flow must be trusted, eliminating harmful interference among tasks. Then the model is more practical.
Thirdly, the thesis proposes a system security model based on trusted application environment. The model takes the mode of "three entities", which restricts the user's permission by defining what application he can run, and to restrict the task's permission by limiting the resources it can accesses. In order to make sure that an access control mechanism can take full use of the context task running in to check the safety of information flow and to give more accurate access control decision, this model has extended the system TCB to application level with the support of trust train transmission mechanism. In addition, the model defines that the task integrity level is related to user confidence level, application confidence level and the task's running state. This avoids the disadvantage that the confidential level is equal to the integrity level of entity in traditional BLP and BIBA model, making it easy for two-way information flow.
Finally, this thesis proposes a key management scheme for important information system, which is especially secure and easy to use and update. Taking full advantage of the identity-based code system, this scheme effectively integrates identification authentication with storage protection and avoides the security flaws existing in the authentication module. In addition, the scheme uses the idea of digital envelope to get the real storage protection key encapsulated with valid user's public key. Only the authenticated users in terminal can get the correct key with their own private key. This idea does not expose the storage protection key to user, which reduces the risk of leaking storage protection key to unauthenticated users. The scheme makes full use of the encryption storage functions provided by trusted computing to store the encapsulated key in TPM. Thus, only after providing the valid authentication information, the user can get the proper key, which improves the security of this scheme.
然而,纵观信息系统安全,尤其是重要信息系统安全的发展历程,目前依然存在如下几个较为突出的安全问题:1)缺乏适合于重要信息系统的安全体系结构。众所周知,信息系统的安全防护强度取决于“马奇诺防线”中最为薄弱的环节,如果没有合理的安全体系结构作为指导,信息系统中各安全部件就难以相互协调、有序工作,就很容易出现“安全短板”现象,从而导致信息系统安全防护不堪一击,所有的努力功亏一篑。2)可信计算和安全机制相脱节。重要信息系统的复杂性和异构性,增加了可信计算实施的难度,导致可信计算难以为上层安全机制提供良好的保障服务。同时,当前的大部分安全操作系统仍然沿用可信计算问世之前的系统安全机制,没有充分利用可信计算提供的可信功能来增强自身的安全性,使得可信计算形同虚设,没有起到应有的作用。3)系统的安全性和易用性不够。安全性和易用性在某种程度上是一对矛盾,为了提高系统的安全性,有时需要降低系统的易用性。如为了减小系统机密性安全被破坏的风险,当前大部分重要信息系统都禁止用户使用移动存储设备,禁止终端接入公共网络,从而导致系统的易用性遭到严重影响。于是在不降低系统易用性的前提下,提高系统的安全性是极其必要的。
本文紧紧围绕当前重要信息系统存在的上述安全问题,以“三纵三横两中心”保障体系为基础,从信息系统应用环境安全的角度出发,系统全面地研究了重要信息系统的安全体系结构和实用模型,取得了如下几方面的成果:
第一,提出了由可信应用环境、可信边界控制、可信网络传输组成的重要信息系统安全体系结构。并在此基础上对可信应用环境的安全体系结构进行了细化,充分体现了可信计算和安全有机融合的思想,即可信计算是安全的基础保障,安全机制协助可信计算为上层提供更良好的服务。
第二,提出了面向可信应用环境的隔离模型,为屏蔽和消除任务之间的有害干扰,维持任务行为的动态可信提供了理论指导。模型根据信息系统中应用的行为特征,通过对信息系统中的资源进行划分,建立起了应用与其运行过程中有密切关系的资源之间的对应关系。模型假设可信的任务不会发出干扰其它任务正常运行的信息流,在此基础上,不仅限制任务只能以主动读取其他应用对应资源的方式和外界进行通信,而且规定信息流的源头任务必须是可信的,从而消除了任务之间的有害干扰。显然,模型将识别任务之间的有害干扰转化为度量源头任务的可信性,实用性更高。
第三,给出了一个基于可信应用环境的系统安全模型,该模型采用“三实体”模式,通过定义用户能够启动的应用来限制用户的权限,通过限制应用启动后能够访问的资源来限制任务的权限。模型利用信任链传递机制的保障作用,将系统TCB扩展到应用服务平台层,确保访问控制机制能够充分利用任务运行时的语境,对信息流进行安全检查,以求做出更准确的访问控制决策。除此之外,模型还定义任务的完整性级别和用户可信度、应用可信度以及任务运行时的可信状态相关,从而改变了传统BLP和BIBA模型中实体机密性级别和完整性级别相等的局面,有利于信息的双向流动。
最后,提出了一个适用于重要信息系统的密钥管理方案。该方案具有安全性强、容易使用、易于更新等特点。方案充分利用了基于身份密码体制的优势,将身份认证和存储保护有效衔接起来,从而可以弥补身份认证模块存在的安全漏洞。同时方案借鉴了数字信封的思想,将存储保护的真正密钥用合法用户的公钥信息封装起来,只有合法用户通过自己的私钥才能计算而得,这一思想使得方案中的存储保护密钥不直接暴露给用户,从而降低了该密钥被泄露给非授权用户的风险。另外,方案充分利用了可信计算提供的保密存储功能,将存储保护密钥的封装信息存储在TPM中,使得只有出示了合法的授权数据后才能得到该信息,从而增强了方案的安全性。
A system is defined as an important information system when its security grade is above the third grade in the national classified information system protection in China. Any security destroying has an impact on social order, public benefit, even the national security and stability. Thus, the important information system must be protected in a high level. In China, Professor Shen Changxiang, a famous information security expert who is the academic member of Chinese Academy of Engineering, proposed the idea of using the platform security as the key to solve the security problem in important information system. This idea is consistent with "trusted computing", which was put forward by TCG. Trusted computing assures the information system security by improving platform security.
However, the information system security evolution shows that there still exists some important security problems: 1) lacking a security architecture that is fit for important information system. It is known that the security defense intensity of the information system depends on the weakest part of Maginot line. If there is no appropriate security architecture as a guide, it is difficult for the various security components in the information system to coordinate with each other and to work in order. Then, it often appears the "safety shortcomings" phenomenon, resulting in the vulnerability in the security and all the protection efforts in the information system are in vain. 2) Trusted computing and security mechanisms come apart. The complexity of important information system increases the difficulty in implementing trusted computing. As a result, it is difficult to provide a good assurance service for upper applications. At the same time, most of the current secure operating systems are still using the traditional security architecture before trusted computing. Thus, the current OSes do not take full advantage of the credible function provided by trusted computing to enhance their own safety, making the trusted computing exist in name only. 3) Security and usability are insufficient. To some extent, security and usability are contradictory, and sometimes it's necessary to reduce the usability to enhance the security. For example, in order to reduce the risk of destroying system confidentiality, most of the current important information systems prohibit using mobile storage devices and prohibit terminals from accessing the public network, which reducing the seriously. Therefore it's extremely necessary to enhance the system's security without reducing its usability.
With the guideline of "three vertical and three horizontal safeguard system" architecture, from the information system application environment security angle, this dissertation tightly focuses on the problems mentioned above and studies the security architecture and practical models of important information system systematically and comprehensively, and made the following contributions:
Firstly, a security architecture for important information system is proposed, which is composed of trusted application environment, trusted boundary control and trusted network transmission. On this architecture, the trusted application environment architecture is refined, fully reflecting the idea of organic integration for trusted computing and security, namely the trusted computing is the basic assurance for security, and security mechanism is helpful for trusted computing in providing better service for upper application.
Secondly, an isolation model based on trusted application environment is proposed, which provides a theoretical guidance for shielding and eliminating the harmful interference among tasks, and therefore maintaining the task behavior's dynamic trust ability. According to the behavior characters of applications in information system, this model sets up a correlation between the application and resource, which are strongly related to each other, through the partition of resources in information system. Also, the model assumes that it is impossible for a trusted task to send out information flows to interfere with other task's normal operation. Thus, in the model the task can only communicate with the environment by reading the other application's correlative resource and the first task in the information flow must be trusted, eliminating harmful interference among tasks. Then the model is more practical.
Thirdly, the thesis proposes a system security model based on trusted application environment. The model takes the mode of "three entities", which restricts the user's permission by defining what application he can run, and to restrict the task's permission by limiting the resources it can accesses. In order to make sure that an access control mechanism can take full use of the context task running in to check the safety of information flow and to give more accurate access control decision, this model has extended the system TCB to application level with the support of trust train transmission mechanism. In addition, the model defines that the task integrity level is related to user confidence level, application confidence level and the task's running state. This avoids the disadvantage that the confidential level is equal to the integrity level of entity in traditional BLP and BIBA model, making it easy for two-way information flow.
Finally, this thesis proposes a key management scheme for important information system, which is especially secure and easy to use and update. Taking full advantage of the identity-based code system, this scheme effectively integrates identification authentication with storage protection and avoides the security flaws existing in the authentication module. In addition, the scheme uses the idea of digital envelope to get the real storage protection key encapsulated with valid user's public key. Only the authenticated users in terminal can get the correct key with their own private key. This idea does not expose the storage protection key to user, which reduces the risk of leaking storage protection key to unauthenticated users. The scheme makes full use of the encryption storage functions provided by trusted computing to store the encapsulated key in TPM. Thus, only after providing the valid authentication information, the user can get the proper key, which improves the security of this scheme.
引文
[1]National Computer Security Center.DoD Trusted Computer System Evaluation Criteria.DoD,DoD5000.28-STD,1985.
[2]D.E.Bell,J.Leonard,LaPadula.Secure computer systems:Mathematical foundations.Technical Report 2547,MITRE Corporation,Bedford,MA,1973.
[3]Information Assurance Technical Framework Release 3.1[R].National Security Agency Information Assurance Solution Technical Directors,2002.
[4]沈昌祥.基于可信平台构筑积极防御的信息安全保障框架[J].信息安全与通信保密,9:17-19.2004.
[5]J.Whitmore,A.Bensoussan,et al.Design for Multics Security Enhancements.ESD-TR-74-176.Hanscom Field,Bedford,MA,USA.Air Force Electronic System Division,Dec 1973.
[6]E.I.Organick.The Multics System:An Examination of Its Structure.Cambridge,Mass.MIT Press,1972.
[7]Final Evaluation Report of Multics.MRI 1.0,CSC-EPL-85/003,National Computer Security Center:Ft.George G.Meade,MD,Sep 1985.
[8]B.L.D.Vito,P.H.Palmquist,et al.Specification and Verification of the ASOS Kernel.Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy,Oakland,California,61-74,1990.
[9]N.A.Waldhart.The Army Secure Operating System.Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy,Oakland,California,50-60,1990.
[10]S.Blotcky,K.Lynch,S.Lipner.SE/VMS:Implementing Mandatory Security in VAX/VMS.Proceedings of the 9th National Computer Security Conference.Gaithersburg,Md.National Bureau of Standards,47-54,1986.
[11]B.Pfitzmann,J.Riordan,et al.The PERSEUS System Architecture.IBM Technical Report NO.93381,IBM Research Division,Zurich,2001.
[12]沈昌祥,杨涛等.基于UNIX的安全操作系统可行性研究.技术报告,海军计算技术研究所,1990.11.
[13]杨涛,沈昌祥等.SUNIX系统设计说明.技术报告,海军计算技术研究所.1991.5.
[14]V.D.Gligor,C.S.Chandersekaran,et al.Design and Implementation of Secure Xenix.IEEE Transactions on Software Engineering.13(2):208-221,1987.
[15]V.D.Gligor,C.S.Chandersekaran,et al.A New Security Testing Method and its Application to the Secure Xenix Kernel.IEEE Transactions on Software Engineering,13(2):169-183,1987.
[16]L.G.Guy,C.H.Richard,F.Mark.Policy vs Mechanism in the Secure TUNIS Operation System.1989 IEEE Symposium on Security and Privacy,84-93,1989.
[17]Secure Computing Corporation.DTOS Lessons Learned Report.CDRL Sequence No.A008,Secure Computing Corporation,Rosevile,Minnesota,Jun 1997.
[18]Secure Computing Coroporation.DTOS Generalized Security Policy Specification.Technical report MDA904-93-C-4209 DTOS CDRL A019,Secure Computing Corporation,Roseville,Minnesota,June 1997.
[19]Secure Computing Corporation.Assurance in the Fluke Microkernel:Final Report.CDRL Sequence NO.A002,Secure Computing Corporation,Apr 1999.
[20]A.L.Peter,D.S.Stephen.Integrating Flexible Support for Security Policies into the Linux Operating System.Technical report,NSA and NAI labs,Jan 2001.
[21]LaGrande:Technology Architectural Overview.Intel White Paper,Intel,Sep 2003.
[22]G.David.LaGrande Architecture.SCMS-18,Sep 2003.
[23]A.Carroll,M.Juarez,et al.Microsoft Palladium:A business overview.http://www.microsoft.com/PressPass/features/2002/jul02/0724palladiumwp.asp,Aug 2002.
[24]Microsoft,Microsoft Next-Generation Secure Computing Base:An Overview,http://www.microsoft.com/resource/ngscb/ngscb_overview.mspx,Apr 2003.
[25]P.England,B.Lampson,et al.A Trusted Open Platform.IEEE Computer,36(7):55-62,2003.
[26]J.G.Steiner,C.Neuman,J.I.Schiller.Kerberos:An Authentication Service for Open Network Systems[C].USENIX Conference Proceedings,191-200,1988.
[27]S.M.Bellovin,M.Merritt.Limitations of the Kerberos Authentication System[J].Computer Communication Review,20(5):119-132,1990.
[28]J.T.Kohl,B.C.Neuman,T.Y.Tso.The Evolution of the Kerberos Authentication System.Distributed Open Systems,IEEE Computer Society Press,78-94,1994.
[29]T.M.A.Lomas,L.Gong,et al.Reducing Risks from Poorly Chosen Keys[J].Operating Systems Review,23(5):14-18,1989.
[30]孙晓蓉,徐春光,王育民.网络和分布式系统中的认证[J].计算机研究与发展,35(10):865-868,1998.
[31]S.P.Shieh,F.S.Ho,Y,L.Huang.An efficient authentication protocol for mobile networks[J].Journal of Information Science and Engineering,15:505-520,1999.
[32]H.Y.Chien,J.K.Jan.A hybrid authentication protocol for large mobile network[J].The Journal of Systems and Software,67:123-130,2003.
[33]R.J.Hwang,F.F.Su.A new efficient authentication protocol for mobile networks[J].Computer Standards & Interfaces,28:241-252,2005.
[34]D.E.Bell,J.Leonard,LaPadula.Secure computer systems:Mathematical foundations.Technical Report 2547,MITRE Corporation,Bedford,MA,1973.
[35]D.E.Bell,J.Leonard,LaPadula.Secure Computer System:Unified Exposition and Multics Interpretation.MTR-2997,MITRE Corp.,Bedford,MA,March,1976.
[36]K.Biba.Integrity considerations for secure computer systems.Technical Report 76-372,U.S.Air Force Electronic Systems Division,1977.
[37]R.S.Sandhu.Lattice-Based Access Control Models.IEEE Computer,26(11):9-19,Nov 1993.
[38]郑志蓉,蔡谊,沈昌祥.操作系统安全结构框架中应用类通信安全模型的研究.计算机研究与发展,42(2):322-328,2005.
[39]李益发,沈昌祥.一种新的操作系统安全模型.中国科学E辑,36(4):347-356,2004.
[40]R.S.Sandhu,E.Coyne,et al.Role-Based Access Control Models.IEEE Computer,IEEE Press,29(2):38-47,1996.
[41]H.Mantel,D.Sands.Controlled declassification based on intransitive noninterference.Proc.APLAS,129-145,2004.
[42]A.C.Myers,A.Sabelfeld,S.Zdancewic.Enforcing robust declassification.17th IEEE Computer Security Foundations Workshop,172-186,2004.
[43]D.D.Clark,D.R.Wilson.A Comparison of Commercial and Military Computer Security Policity.Proceedings of the IEEE Symposium on Security and Privacy,Oakland,CA,184-194,1987.
[44]L.Badger,D.F.Swine,et al.Practical domain and type enforcement for UNIX.Proceedings of IEEE Symposium on Security and Privacy,66-77,1995.
[45]季庆光,卿斯汉,贺也平.基于DTE技术的完整性保护形式模型.中国科学E辑,35(6):570-587,2005.
[46]F.C.B.David,J.N.Michael.The Chinese Wall Security Policy.Proceedings of IEEE Symposium on Security and Privacy,206-214,1989.
[47]H.N.Grace.Specification of a Trusted Computing Base.M79-228,the MITRE Corporation,Bedford,MA,USA,1979.
[48]H.N.Grace.Proposed Technical Evaluation Criteria for Trusted Computer Systems.M79-225,the MITRE Corporation,Bedford,MA,USA,Oct 1979.
[49]刘文清,卿斯汉,刘海峰.一个修改BLP安全模型的设计及在Seclinux上的应用.软件学报.13(4):567-573,2002.
[50]H.Serge,K.Phil.Domain and Type Enforcement for Linux.Proceedings of the Atlanta Linux Showcase,Oct 2000.
[51]B.Lee,F.S.Daniel,et al.A Domain and Type Enforcement UNIX Prototype.Fifth USENIX UNIX Security Symposium Proceedings,Salt Lake City,Utah,Jun 1995.
[52]J.Liedke.L4 Reference Manual.GMD/IBM Watson Technical Report,1996.
[53]M.Hohmuth.The Fiasco kernel,requirements definition.Technical Report ISSN 1430-211X,Dresden University Technology,Dept.Computer Science,Dec 1998.
[54]J.Liedke.On μ-kernel Construction.Proceedings of Symposium on Operating System Principles(SOSP),1995.
[55]H.Hartig,M.Hohmuth,et al.The Nizza Secure-System Architecture.In IEEE CollaborateCom 2005.San Jose,USA.Dec 2005.
[56]T.Garfinkel,M.Rosenblum,D.Boneh.Flexible OS support and applications for trusted computing.HotOS-Ⅸ,2003.
[57]T.Garfinkel,B.Pfaff,et al.Terra:a virtual machine-based platform for trusted computing.Proceedings of the nineteenth ACM symposium on Operating systems principles,ACM Press,193-206,2003.
[58]Trusted Computing Group.Trusted Network Connect Architecture for Interoperability[DB/OL].Http://www.trustedcomputinggroup.org/tnc/.
[59]J.Joshi,A.Ghafoor,et al.Digit government security Infrastructure Design Challenge.IEEE Computer,34(2):66-72,2001.
[60]T.Jaeger,R.Sailer,U.Shankar.PRIMA:policy-reduced integrity measurement architecture.Proc.of the Eleventh ACM Symposium on Access Control Models and Technologies,Lake Tahoe,CA,19-28,2006.
[61]方艳湘.基于虚拟机监视器的可信计算平台研究[博士论文].南开大学,2006.
[62]黄强.基于可信计算的终端安全体系结构研究[博士学位论文].海军工程大学,2007.
[63]Z.Steve.Challenges for Information-flow Security.Proceedings of the 1st International Workshop on the Programming Language Interference and Dependence (PLID'04), 2004.
[64] A. Acharya, M. Raje. MAPBox: Using parameterized behavior classes to confine untrusted applications. Proc. 9th USENIX Security Symposium, Aug 2000.
[65] A. Alexandrov, P. Kiniee, K. Schauser. Consh: Confined Execution Environment for Internet Computations (1999) [EB/OL].http://www.Cs.ucsb.edu/berto/papers/99-usenix-consh.ps, 1998.
[66] D. S. Peterson, M. Bishop, R. Pandey. A flexible containment mechanism for executing untrusted code. Proc. 11~(th) USENIX Security Symposium, August 2002.
[67] C. Crispin, B. Steve, et al. SubDomain: Parsimonious server security. Proc. of the 14~(th) Systems Administration Conference, Birgit Pfitzmann, 355-367, Dec 2000.
[68] J. A. Goguen, J. Meseguer. Security policies and security models. Proc. of the 1982 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 11-20, Apr 1982.
[69] J. McLean. Security models and information flow. Proc. of 1990 IEEE Symposium on Research in Security and Privacy, IEEE Press, 177-186, 1990.
[70] C. O. Halloran. A calculus of information flow.. Proc. of First European Symposium on Research in Computer Security (SORICS 1990), 147-159, 1990.
[71] D. Sutherland. A model of information. Proc. of the ninth National Computer Security Conference, 175-183, 1986.
[72] J. T. Wittbold, D. M. Johnson. Information flow in non-deterministic systems. Proc. of the 1990 IEEE Symposium on Research on Security and Privacy, 144-161,1990.
[73] J. Rushby. Noninterference, transitivity, and channel-control security policies. Technical Report, CSL-92-02, Menlo Park: Stanford Research Institute, 1992.
[74] V. Haldar, D. Chandra, M. Franz. Semantic remote attestation: A virtual machine directed approach to trusted computing. USENIX Virtual Machine Research and Technology Symposium, May 2004.
[75] A. R. Sadeghi, C. Stable. Property-based attestation for computing platforms: Caring about properties, not mechanisms. The 2004 New Security Paradigms Workshop, Virginia Beach, VA, USA, Sep 2004.
[76] L. Chen, R. Landfermann, et al. A Protocol for Property-Based Attestation. STC'06, Alexandria, Virginia, USA, Nov 2006.
[77] N. Luhmann. Trust and Power Chichester. John Wiley and Sons, 1979.
[78] M. Deutsch. Cooperation and trust: Some theoretical notes. In M. R. Jones, editor, Nebraska symposium on motivation, University of Nebraska, 275-319,1962.
[79] M. Deutsch. The Resolution of Conflict: Constructive and Destructive Processes. New Haven, CT: Yale University, 1972.
[80] D. Gambetta. Can we trust trust? In D.G. Gambetta (Ed.), Trust, 213-237, Basil Blackwell, New York, 1988.
[81] Trusted Computing Platform Alliance. TCPA Design Philosophies and Concepts Version 1.0. https://www.trustedcomputinggroup.org. Jan 2001.
[82] E. Shi, A. Perrig, L. V. Doorn. BIND: A fine-grained attestation service for secure distributed systems. Proceedings of the 2005 IEEE Symposium on Security and Privacy, 154-168, 2005.
[83] A. P. Jonathan. Trust[ed | in] computing, signed code and the heat death of the Internet. Proc. of the 2006 ACM symp. Applied Computing, 1855-1859,2006.
[84]G Stoneburger.Information System Security engineering Principles-initial draft outline.http://csrc.nist.gov/publications/drafts/issep-071800.doc,2000.
[85]K.J.Biba.Integrity Considerations for Secure Computer Systems.Technical Report ESD-TR-76-372,USAF Electronic Systems Division,Bedford,MA,USA,Apr 1977.
[86]F.Timonthy.LOMAC:Low Water-Mark Integrity Protection for COTS Environments.Proceedings of the 2000 IEEE Symposium on Security and Privacy,Berkeley,California,May 2000.
[87]F.Timonthy.LOMAC:MAC You Can Live With.Proceedings of the FREENIX Track,USENIX Annual Technical Conference,Boston,MA,June 2001.
[88]弗莱格.信息安全原理与应用:第三版,ISBN 978-7-121-04744-2,2007.8
[89]S.Seth.Trusted computing promise and risk.http://www.eff.org/Infra/trusted_computing/20031001_tc.php.
[90]R.S.Sandhu.A Lattice Interpretation of the Chinese wall Policy.Proceeding Of the 15th NIST-NCSC National Computer Security Conference,221-235,Oct 1992.
[91]M.Blaze.A Cryptographic File System for Unix.Proceedings of the 1st ACM Conference on Computer and Communications Security(Fairfax,VA),9-16,1993.
[92]E.Zadok,I.Badulescu,A.Shender.Cryptfs:A stackable Vnode level encryption file system.Technical Report CUCS-021-98,Computer Science Department,Columbia University,1998.
[93]Microsoft Corporation.Encrypting file system for Windows 2000.Unpublished Whitepaper,Redmond,WA.
[94]M.Blaze.Key management in an encrypting file system.Proceedings of Summer 1994USENIX Technical Conference.
[95]苗胜,戴冠中,慕德俊,李美峰.基于IP复用的硬盘加密卡的设计与实现.计算机工程与应用,43(1):121-124,2007.
[96]刘涛.信息存储安全问题.信息化建设,1:48-49,2003.
[97]ISO International Standard 7498-2.Open Systems Interconnection Reference Model-Part 2:Security Architecture.1988.
[98]W.Fumy,P.Landrock.Principles of key management.IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS,11(5):785-793,JUN 1993.
[99]I.Ray,I.Ray,N.Narasimhamurthi.A cryptographic solution to implement access control in a hierarchy and more.ACM Symposium on Access Control Models and Technologies,Jun 2002.
[100]I.Lin,M.Hwang,C.Chang.A new key assignment scheme for enforcing complicated access control policies in hierarchy.Future Generation Computer Systems,19(4):457-462,2003.
[101]A.D.Santis,A.Ferrara,B.Masucci.Cryptographic key assignment schemes for any access control policy.Information Processing Letters(IPL),92(4):199-205,Nov 2004.
[102]M.Atallah,K.Frikken,M.Blanton.Dynamic and efficient key management for access hierarchies.ACM Conference on Computer and Communications Security(CCS'05),190-201,2005.
[103]A.Shamir.Identity Based Cryptosystems and Signature Schemes[C].Proceedings of CRYPTO 84 on Advances in cryptoiogy,LNCS 196,Springer-Verlag,47-53,1984.
[104]D.Boneh,M.Franklin.Identity-based encryption from the Weil pairings.Advances in Cryptology-Crypto 2001,LNCS 2139,Springer-Verlag,213-229,2001.
[105]P.Barreto,H.Y.Kim,et al.Efficient algorithms for pairings based cryptosystems.Advances in Cryptology-Crypto 2002,LNCS 2442,Springer-Verlag,354-368,2002.
[106]F.Zhang,K.Kim.ID-based blind signature and ring signature from pairings.Advances in cryptology-Asiacrypt 2002,LNCS 2501,Springer-Verlag,533-547,2002.
[107]赵勇,刘吉强,韩臻.基于身份的盲签名在移动电子支付中的应用.北京交通大学学报,31(5):82-86,2007.
[108]V.Miller.Use of Elliptic Curves in Cryptography.Proceedings of CRYPTO'85.New York:Springer-Verlag,1985.
[109]N.Koblicx.Elliptic Curve Crypto Systems.Springer-Verlag,177-182,1987.
[110]M.Bellare,P.Rogaway.Entity authentication and key distribution.Advances in Cryptology-CRYPTO'93,LNCS 773,Springer-Verlag,232-249,1993.
[111]M.Bellare,P.Rogaway.Provably secure session key distribution-the three party case.Proc.of the 27th ACM Symp.on the Theory of Computing,Lasvegas:ACM Press,57-66,1995.
[112]M.Sandiringama,A.Shimizu,M.T.Noda.Simple and Secure Password Authentication Protocol.IEICE Trans Comm.,E83-B(6):1363-1365,2000.
[113]W.C.Ku,C.M.Chen.Cryptanalysis of A One Time Password Authentication Protocols.Proceedings of the 2001 National Computer Symposium,Taiwan,17046-17050,Dec 2001.
[114]C.L.Lin,H.M.Sun,T.Hwang.Attacks And Solutions on Strong-password Authentication.In:IEICE Transactions on Communications,E84-B(9):2622-2627,Sep 2001.
[115]袁丁,范平志.一个安全的动态口令鉴别方案.四川大学学报(自然科学版),39(2),2002.
[116]Y.Zhao,Z.Han,et al.An Efficient and Divisible Payment Scheme for M-Commerce[C].Proceeding of Knowledge-Based Intelligent Information and Engineering Systems:9th International Conference,488-496,2005.
[117]万海山,李国,李大兴.使用USB KEY控制Windows 2000/NT开机登录.计算机应用,23:254-255,2006.
[118]顾巧云,李安欣.基于Windows的文件完整性检测系统的设计与实现.计算机工程,30.2004.
[2]D.E.Bell,J.Leonard,LaPadula.Secure computer systems:Mathematical foundations.Technical Report 2547,MITRE Corporation,Bedford,MA,1973.
[3]Information Assurance Technical Framework Release 3.1[R].National Security Agency Information Assurance Solution Technical Directors,2002.
[4]沈昌祥.基于可信平台构筑积极防御的信息安全保障框架[J].信息安全与通信保密,9:17-19.2004.
[5]J.Whitmore,A.Bensoussan,et al.Design for Multics Security Enhancements.ESD-TR-74-176.Hanscom Field,Bedford,MA,USA.Air Force Electronic System Division,Dec 1973.
[6]E.I.Organick.The Multics System:An Examination of Its Structure.Cambridge,Mass.MIT Press,1972.
[7]Final Evaluation Report of Multics.MRI 1.0,CSC-EPL-85/003,National Computer Security Center:Ft.George G.Meade,MD,Sep 1985.
[8]B.L.D.Vito,P.H.Palmquist,et al.Specification and Verification of the ASOS Kernel.Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy,Oakland,California,61-74,1990.
[9]N.A.Waldhart.The Army Secure Operating System.Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy,Oakland,California,50-60,1990.
[10]S.Blotcky,K.Lynch,S.Lipner.SE/VMS:Implementing Mandatory Security in VAX/VMS.Proceedings of the 9th National Computer Security Conference.Gaithersburg,Md.National Bureau of Standards,47-54,1986.
[11]B.Pfitzmann,J.Riordan,et al.The PERSEUS System Architecture.IBM Technical Report NO.93381,IBM Research Division,Zurich,2001.
[12]沈昌祥,杨涛等.基于UNIX的安全操作系统可行性研究.技术报告,海军计算技术研究所,1990.11.
[13]杨涛,沈昌祥等.SUNIX系统设计说明.技术报告,海军计算技术研究所.1991.5.
[14]V.D.Gligor,C.S.Chandersekaran,et al.Design and Implementation of Secure Xenix.IEEE Transactions on Software Engineering.13(2):208-221,1987.
[15]V.D.Gligor,C.S.Chandersekaran,et al.A New Security Testing Method and its Application to the Secure Xenix Kernel.IEEE Transactions on Software Engineering,13(2):169-183,1987.
[16]L.G.Guy,C.H.Richard,F.Mark.Policy vs Mechanism in the Secure TUNIS Operation System.1989 IEEE Symposium on Security and Privacy,84-93,1989.
[17]Secure Computing Corporation.DTOS Lessons Learned Report.CDRL Sequence No.A008,Secure Computing Corporation,Rosevile,Minnesota,Jun 1997.
[18]Secure Computing Coroporation.DTOS Generalized Security Policy Specification.Technical report MDA904-93-C-4209 DTOS CDRL A019,Secure Computing Corporation,Roseville,Minnesota,June 1997.
[19]Secure Computing Corporation.Assurance in the Fluke Microkernel:Final Report.CDRL Sequence NO.A002,Secure Computing Corporation,Apr 1999.
[20]A.L.Peter,D.S.Stephen.Integrating Flexible Support for Security Policies into the Linux Operating System.Technical report,NSA and NAI labs,Jan 2001.
[21]LaGrande:Technology Architectural Overview.Intel White Paper,Intel,Sep 2003.
[22]G.David.LaGrande Architecture.SCMS-18,Sep 2003.
[23]A.Carroll,M.Juarez,et al.Microsoft Palladium:A business overview.http://www.microsoft.com/PressPass/features/2002/jul02/0724palladiumwp.asp,Aug 2002.
[24]Microsoft,Microsoft Next-Generation Secure Computing Base:An Overview,http://www.microsoft.com/resource/ngscb/ngscb_overview.mspx,Apr 2003.
[25]P.England,B.Lampson,et al.A Trusted Open Platform.IEEE Computer,36(7):55-62,2003.
[26]J.G.Steiner,C.Neuman,J.I.Schiller.Kerberos:An Authentication Service for Open Network Systems[C].USENIX Conference Proceedings,191-200,1988.
[27]S.M.Bellovin,M.Merritt.Limitations of the Kerberos Authentication System[J].Computer Communication Review,20(5):119-132,1990.
[28]J.T.Kohl,B.C.Neuman,T.Y.Tso.The Evolution of the Kerberos Authentication System.Distributed Open Systems,IEEE Computer Society Press,78-94,1994.
[29]T.M.A.Lomas,L.Gong,et al.Reducing Risks from Poorly Chosen Keys[J].Operating Systems Review,23(5):14-18,1989.
[30]孙晓蓉,徐春光,王育民.网络和分布式系统中的认证[J].计算机研究与发展,35(10):865-868,1998.
[31]S.P.Shieh,F.S.Ho,Y,L.Huang.An efficient authentication protocol for mobile networks[J].Journal of Information Science and Engineering,15:505-520,1999.
[32]H.Y.Chien,J.K.Jan.A hybrid authentication protocol for large mobile network[J].The Journal of Systems and Software,67:123-130,2003.
[33]R.J.Hwang,F.F.Su.A new efficient authentication protocol for mobile networks[J].Computer Standards & Interfaces,28:241-252,2005.
[34]D.E.Bell,J.Leonard,LaPadula.Secure computer systems:Mathematical foundations.Technical Report 2547,MITRE Corporation,Bedford,MA,1973.
[35]D.E.Bell,J.Leonard,LaPadula.Secure Computer System:Unified Exposition and Multics Interpretation.MTR-2997,MITRE Corp.,Bedford,MA,March,1976.
[36]K.Biba.Integrity considerations for secure computer systems.Technical Report 76-372,U.S.Air Force Electronic Systems Division,1977.
[37]R.S.Sandhu.Lattice-Based Access Control Models.IEEE Computer,26(11):9-19,Nov 1993.
[38]郑志蓉,蔡谊,沈昌祥.操作系统安全结构框架中应用类通信安全模型的研究.计算机研究与发展,42(2):322-328,2005.
[39]李益发,沈昌祥.一种新的操作系统安全模型.中国科学E辑,36(4):347-356,2004.
[40]R.S.Sandhu,E.Coyne,et al.Role-Based Access Control Models.IEEE Computer,IEEE Press,29(2):38-47,1996.
[41]H.Mantel,D.Sands.Controlled declassification based on intransitive noninterference.Proc.APLAS,129-145,2004.
[42]A.C.Myers,A.Sabelfeld,S.Zdancewic.Enforcing robust declassification.17th IEEE Computer Security Foundations Workshop,172-186,2004.
[43]D.D.Clark,D.R.Wilson.A Comparison of Commercial and Military Computer Security Policity.Proceedings of the IEEE Symposium on Security and Privacy,Oakland,CA,184-194,1987.
[44]L.Badger,D.F.Swine,et al.Practical domain and type enforcement for UNIX.Proceedings of IEEE Symposium on Security and Privacy,66-77,1995.
[45]季庆光,卿斯汉,贺也平.基于DTE技术的完整性保护形式模型.中国科学E辑,35(6):570-587,2005.
[46]F.C.B.David,J.N.Michael.The Chinese Wall Security Policy.Proceedings of IEEE Symposium on Security and Privacy,206-214,1989.
[47]H.N.Grace.Specification of a Trusted Computing Base.M79-228,the MITRE Corporation,Bedford,MA,USA,1979.
[48]H.N.Grace.Proposed Technical Evaluation Criteria for Trusted Computer Systems.M79-225,the MITRE Corporation,Bedford,MA,USA,Oct 1979.
[49]刘文清,卿斯汉,刘海峰.一个修改BLP安全模型的设计及在Seclinux上的应用.软件学报.13(4):567-573,2002.
[50]H.Serge,K.Phil.Domain and Type Enforcement for Linux.Proceedings of the Atlanta Linux Showcase,Oct 2000.
[51]B.Lee,F.S.Daniel,et al.A Domain and Type Enforcement UNIX Prototype.Fifth USENIX UNIX Security Symposium Proceedings,Salt Lake City,Utah,Jun 1995.
[52]J.Liedke.L4 Reference Manual.GMD/IBM Watson Technical Report,1996.
[53]M.Hohmuth.The Fiasco kernel,requirements definition.Technical Report ISSN 1430-211X,Dresden University Technology,Dept.Computer Science,Dec 1998.
[54]J.Liedke.On μ-kernel Construction.Proceedings of Symposium on Operating System Principles(SOSP),1995.
[55]H.Hartig,M.Hohmuth,et al.The Nizza Secure-System Architecture.In IEEE CollaborateCom 2005.San Jose,USA.Dec 2005.
[56]T.Garfinkel,M.Rosenblum,D.Boneh.Flexible OS support and applications for trusted computing.HotOS-Ⅸ,2003.
[57]T.Garfinkel,B.Pfaff,et al.Terra:a virtual machine-based platform for trusted computing.Proceedings of the nineteenth ACM symposium on Operating systems principles,ACM Press,193-206,2003.
[58]Trusted Computing Group.Trusted Network Connect Architecture for Interoperability[DB/OL].Http://www.trustedcomputinggroup.org/tnc/.
[59]J.Joshi,A.Ghafoor,et al.Digit government security Infrastructure Design Challenge.IEEE Computer,34(2):66-72,2001.
[60]T.Jaeger,R.Sailer,U.Shankar.PRIMA:policy-reduced integrity measurement architecture.Proc.of the Eleventh ACM Symposium on Access Control Models and Technologies,Lake Tahoe,CA,19-28,2006.
[61]方艳湘.基于虚拟机监视器的可信计算平台研究[博士论文].南开大学,2006.
[62]黄强.基于可信计算的终端安全体系结构研究[博士学位论文].海军工程大学,2007.
[63]Z.Steve.Challenges for Information-flow Security.Proceedings of the 1st International Workshop on the Programming Language Interference and Dependence (PLID'04), 2004.
[64] A. Acharya, M. Raje. MAPBox: Using parameterized behavior classes to confine untrusted applications. Proc. 9th USENIX Security Symposium, Aug 2000.
[65] A. Alexandrov, P. Kiniee, K. Schauser. Consh: Confined Execution Environment for Internet Computations (1999) [EB/OL].http://www.Cs.ucsb.edu/berto/papers/99-usenix-consh.ps, 1998.
[66] D. S. Peterson, M. Bishop, R. Pandey. A flexible containment mechanism for executing untrusted code. Proc. 11~(th) USENIX Security Symposium, August 2002.
[67] C. Crispin, B. Steve, et al. SubDomain: Parsimonious server security. Proc. of the 14~(th) Systems Administration Conference, Birgit Pfitzmann, 355-367, Dec 2000.
[68] J. A. Goguen, J. Meseguer. Security policies and security models. Proc. of the 1982 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 11-20, Apr 1982.
[69] J. McLean. Security models and information flow. Proc. of 1990 IEEE Symposium on Research in Security and Privacy, IEEE Press, 177-186, 1990.
[70] C. O. Halloran. A calculus of information flow.. Proc. of First European Symposium on Research in Computer Security (SORICS 1990), 147-159, 1990.
[71] D. Sutherland. A model of information. Proc. of the ninth National Computer Security Conference, 175-183, 1986.
[72] J. T. Wittbold, D. M. Johnson. Information flow in non-deterministic systems. Proc. of the 1990 IEEE Symposium on Research on Security and Privacy, 144-161,1990.
[73] J. Rushby. Noninterference, transitivity, and channel-control security policies. Technical Report, CSL-92-02, Menlo Park: Stanford Research Institute, 1992.
[74] V. Haldar, D. Chandra, M. Franz. Semantic remote attestation: A virtual machine directed approach to trusted computing. USENIX Virtual Machine Research and Technology Symposium, May 2004.
[75] A. R. Sadeghi, C. Stable. Property-based attestation for computing platforms: Caring about properties, not mechanisms. The 2004 New Security Paradigms Workshop, Virginia Beach, VA, USA, Sep 2004.
[76] L. Chen, R. Landfermann, et al. A Protocol for Property-Based Attestation. STC'06, Alexandria, Virginia, USA, Nov 2006.
[77] N. Luhmann. Trust and Power Chichester. John Wiley and Sons, 1979.
[78] M. Deutsch. Cooperation and trust: Some theoretical notes. In M. R. Jones, editor, Nebraska symposium on motivation, University of Nebraska, 275-319,1962.
[79] M. Deutsch. The Resolution of Conflict: Constructive and Destructive Processes. New Haven, CT: Yale University, 1972.
[80] D. Gambetta. Can we trust trust? In D.G. Gambetta (Ed.), Trust, 213-237, Basil Blackwell, New York, 1988.
[81] Trusted Computing Platform Alliance. TCPA Design Philosophies and Concepts Version 1.0. https://www.trustedcomputinggroup.org. Jan 2001.
[82] E. Shi, A. Perrig, L. V. Doorn. BIND: A fine-grained attestation service for secure distributed systems. Proceedings of the 2005 IEEE Symposium on Security and Privacy, 154-168, 2005.
[83] A. P. Jonathan. Trust[ed | in] computing, signed code and the heat death of the Internet. Proc. of the 2006 ACM symp. Applied Computing, 1855-1859,2006.
[84]G Stoneburger.Information System Security engineering Principles-initial draft outline.http://csrc.nist.gov/publications/drafts/issep-071800.doc,2000.
[85]K.J.Biba.Integrity Considerations for Secure Computer Systems.Technical Report ESD-TR-76-372,USAF Electronic Systems Division,Bedford,MA,USA,Apr 1977.
[86]F.Timonthy.LOMAC:Low Water-Mark Integrity Protection for COTS Environments.Proceedings of the 2000 IEEE Symposium on Security and Privacy,Berkeley,California,May 2000.
[87]F.Timonthy.LOMAC:MAC You Can Live With.Proceedings of the FREENIX Track,USENIX Annual Technical Conference,Boston,MA,June 2001.
[88]弗莱格.信息安全原理与应用:第三版,ISBN 978-7-121-04744-2,2007.8
[89]S.Seth.Trusted computing promise and risk.http://www.eff.org/Infra/trusted_computing/20031001_tc.php.
[90]R.S.Sandhu.A Lattice Interpretation of the Chinese wall Policy.Proceeding Of the 15th NIST-NCSC National Computer Security Conference,221-235,Oct 1992.
[91]M.Blaze.A Cryptographic File System for Unix.Proceedings of the 1st ACM Conference on Computer and Communications Security(Fairfax,VA),9-16,1993.
[92]E.Zadok,I.Badulescu,A.Shender.Cryptfs:A stackable Vnode level encryption file system.Technical Report CUCS-021-98,Computer Science Department,Columbia University,1998.
[93]Microsoft Corporation.Encrypting file system for Windows 2000.Unpublished Whitepaper,Redmond,WA.
[94]M.Blaze.Key management in an encrypting file system.Proceedings of Summer 1994USENIX Technical Conference.
[95]苗胜,戴冠中,慕德俊,李美峰.基于IP复用的硬盘加密卡的设计与实现.计算机工程与应用,43(1):121-124,2007.
[96]刘涛.信息存储安全问题.信息化建设,1:48-49,2003.
[97]ISO International Standard 7498-2.Open Systems Interconnection Reference Model-Part 2:Security Architecture.1988.
[98]W.Fumy,P.Landrock.Principles of key management.IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS,11(5):785-793,JUN 1993.
[99]I.Ray,I.Ray,N.Narasimhamurthi.A cryptographic solution to implement access control in a hierarchy and more.ACM Symposium on Access Control Models and Technologies,Jun 2002.
[100]I.Lin,M.Hwang,C.Chang.A new key assignment scheme for enforcing complicated access control policies in hierarchy.Future Generation Computer Systems,19(4):457-462,2003.
[101]A.D.Santis,A.Ferrara,B.Masucci.Cryptographic key assignment schemes for any access control policy.Information Processing Letters(IPL),92(4):199-205,Nov 2004.
[102]M.Atallah,K.Frikken,M.Blanton.Dynamic and efficient key management for access hierarchies.ACM Conference on Computer and Communications Security(CCS'05),190-201,2005.
[103]A.Shamir.Identity Based Cryptosystems and Signature Schemes[C].Proceedings of CRYPTO 84 on Advances in cryptoiogy,LNCS 196,Springer-Verlag,47-53,1984.
[104]D.Boneh,M.Franklin.Identity-based encryption from the Weil pairings.Advances in Cryptology-Crypto 2001,LNCS 2139,Springer-Verlag,213-229,2001.
[105]P.Barreto,H.Y.Kim,et al.Efficient algorithms for pairings based cryptosystems.Advances in Cryptology-Crypto 2002,LNCS 2442,Springer-Verlag,354-368,2002.
[106]F.Zhang,K.Kim.ID-based blind signature and ring signature from pairings.Advances in cryptology-Asiacrypt 2002,LNCS 2501,Springer-Verlag,533-547,2002.
[107]赵勇,刘吉强,韩臻.基于身份的盲签名在移动电子支付中的应用.北京交通大学学报,31(5):82-86,2007.
[108]V.Miller.Use of Elliptic Curves in Cryptography.Proceedings of CRYPTO'85.New York:Springer-Verlag,1985.
[109]N.Koblicx.Elliptic Curve Crypto Systems.Springer-Verlag,177-182,1987.
[110]M.Bellare,P.Rogaway.Entity authentication and key distribution.Advances in Cryptology-CRYPTO'93,LNCS 773,Springer-Verlag,232-249,1993.
[111]M.Bellare,P.Rogaway.Provably secure session key distribution-the three party case.Proc.of the 27th ACM Symp.on the Theory of Computing,Lasvegas:ACM Press,57-66,1995.
[112]M.Sandiringama,A.Shimizu,M.T.Noda.Simple and Secure Password Authentication Protocol.IEICE Trans Comm.,E83-B(6):1363-1365,2000.
[113]W.C.Ku,C.M.Chen.Cryptanalysis of A One Time Password Authentication Protocols.Proceedings of the 2001 National Computer Symposium,Taiwan,17046-17050,Dec 2001.
[114]C.L.Lin,H.M.Sun,T.Hwang.Attacks And Solutions on Strong-password Authentication.In:IEICE Transactions on Communications,E84-B(9):2622-2627,Sep 2001.
[115]袁丁,范平志.一个安全的动态口令鉴别方案.四川大学学报(自然科学版),39(2),2002.
[116]Y.Zhao,Z.Han,et al.An Efficient and Divisible Payment Scheme for M-Commerce[C].Proceeding of Knowledge-Based Intelligent Information and Engineering Systems:9th International Conference,488-496,2005.
[117]万海山,李国,李大兴.使用USB KEY控制Windows 2000/NT开机登录.计算机应用,23:254-255,2006.
[118]顾巧云,李安欣.基于Windows的文件完整性检测系统的设计与实现.计算机工程,30.2004.