发布订阅系统安全关键技术研究
发布时间:2018-10-31 07:34
【摘要】:不断增长的对于以内容为中心的应用需求已经促使研究人员开始重新思考,并且重新设计在互联网上信息存储和传递的方式。越来越多的网络负载包含的内容具有多个收件人。然而,互联网中以主机为中心的架构是为两个固定端之间的点对点通信设计的。这样做的结果是,当前的互联网架构与当前的数据以及以内容为中心的应用之间不相互匹配,无论信息的来源是什么,用户需要的数据在很多情况下是未知的。基于内容的网络已经被提出来应对这样的要求,这是因为基于内容的网络有着高效率,低网络负载,低延迟和高能源效率的优势。发布订阅通信范式就是这种网络中最复杂和成熟的例子。本论文针对发布订阅系统中的安全关键技术进行研究,实现高效、安全的信息分发和管理,保证信息的完整性、保密性和可用性。本文的主要研究成果如下: (1)为了保证发布订阅系统在非完全可信网络环境下的信息安全,本文针对多域发布订阅系统模型,提出了一种基于冗余属性的发布订阅系统加密算法,该算法利用事件的冗余属性构成一个向量空间模型,并将冗余属性应用于事件加密过程。事件在发送过程中时,事件的冗余属性按照预先建立的规则以不同的组合形式出现在路由中。所以一旦发现信息泄露给未授权的用户,系统可以通过被泄露信息中的冗余属性组合来确认存在线路嗅探的链接,并撤销相关的授权证书。这种方式不会增加匹配过程的开销和订阅过程的开销。因此,当线路嗅探不可忽视时,本文的方案有助于提高发布订阅系统的安全性。通过仿真证明提出的方案在没有完全信任代理连接的支持下,可以有效地提高系统的安全性能。 (2)为了实现发布订阅系统中访问控制的三个目标:保密性控制、完整性控制和可用性控制,针对目前大多数研究只对事件内容和订阅条件进行加密,而将访问控制策略公开的现状,本文提出了一种基于广告信息加密的发布订阅系统访问控制机制。这个方案不仅能够控制信息的安全传送,而且保留了发布订阅通信的优势,如客户端的解耦性和系统的可扩展性。在网络中,订阅信息与广告信息相遇的同时建立发布事件的事件传播树。在此基础上,将含敏感信息的访问策略添加到广告信息中,像加密发布信息一样对广告信息进行加密。访问控制策略的安全性在订阅信息与广告信息的匹配过程中得以实现。这种方式在实现信息加密的同时仍然可以完成基于内容的路由,并且不会增加事件发布过程的开销。通过仿真表明提出的方案实现了对信息细粒度的访问控制,并且提高了发布订阅系统访问控制策略的安全性能,而只增加少量系统的信息开销。 (3)在基于内容的发布订阅系统中,通常有数以千计的订阅者,使用集中式机制处理安全需求是不可行的。由于对一个服务/实体感兴趣的订阅者数量时刻都可能发生变化,因此建立一个静态安全群组是不现实的。针对这个问题,本文提出了一种混合模式的密钥管理机制来管理事件的加密密钥,它利用分散机制对代理进行高效分组,并且提供了包括注册、密钥生成和动态成员管理在内的密钥管理方案。最后通过仿真证明了在发布订阅系统中,混合模式的密钥管理机制与其他密钥管理方法相比,能够有效地减少系统的密钥更新开销和密钥存储开销。
[Abstract]:Growing demand for content-centric applications has prompted researchers to rethink and redesign information storage and delivery on the Internet. More and more network loads contain multiple recipients. However, the host-centric architecture in the Internet is designed for point-to-point communications between two fixed ends. As a result, the current Internet architecture does not match the current data and applications centered on content, regardless of the source of the information, and the data required by the user is unknown in many cases. content-based networks have been proposed to address such requirements because content-based networks have the advantages of high efficiency, low network load, low latency, and high energy efficiency. Publishing a subscription communication paradigm is the most complex and mature example of such a network. This paper focuses on the research of key technology in publishing subscription system, realizes efficient and secure information distribution and management, and ensures the integrity, confidentiality and availability of information. The main achievements of this thesis are as follows: (1) In order to ensure the information security of the publishing and subscribing system in the non-completely trusted network environment, this paper proposes a publishing subscription system encryption based on redundant attributes, aiming at the multi-domain publishing subscription system model. The algorithm uses the redundant attributes of the event to form a vector space model and applies the redundant attributes to the event encryption process. When an event is in the sending process, the redundant attributes of the event appear in different combinations in different combinations according to the pre-established rules once the discovery information is revealed to an unauthorized user, the system can confirm the presence of a link to the line sniffing by combining the redundancy attribute in the leaked information and revoke the associated authorization certificate. This way does not increase the cost of the matching process and the subscription process overhead. Therefore, when the line sniffing is not ignored, the scheme in this paper helps to improve the security of the publishing subscription system Through simulation, the proposed scheme can effectively improve the security of the system without the support of the fully trusted agent connection. Performance. (2) In order to achieve three objectives of access control in a publishing subscription system: confidentiality control, integrity control, and availability control, for most studies, only the event content and subscription conditions are encrypted, and access control policies will be accessed In this paper, a publishing subscription system based on advertisement information encryption is proposed in this paper. Ask the control mechanism. This scheme not only can control the security delivery of information, but also retains the advantages of publishing subscription communication, such as the decoupling and system of clients. Scalability. In a network, subscription information meets advertisement information while setting up a publishing event The event propagation tree. On this basis, the access policy containing sensitive information is added to the advertisement information, The interest rate is encrypted. The security of the access control policy is in the matching process of subscription information and advertisement information in this way, the content-based route can still be completed while the information encryption is achieved, The simulation results show that the proposed scheme realizes the fine-grained access control, improves the security performance of the access control strategy of the publishing subscription system, and only adds a small amount of system. Information overhead. (3) In a content-based publishing subscription system, there are typically thousands of subscribers using a centralized mechanism to process an installation Full demand is not feasible. Since the number of subscribers interested in a service/ entity may change, a static security is established In view of this problem, this paper proposes a key management mechanism of mixed mode to manage the encryption key of the event, which uses the decentralized mechanism to efficiently group the agent, and provides the method including registration, key generation and dynamic member management. Finally, it proves that the key management mechanism of hybrid mode can effectively reduce the key updating of the system compared with other key management methods.
【学位授予单位】:北京邮电大学
【学位级别】:博士
【学位授予年份】:2014
【分类号】:TP393.08
本文编号:2301395
[Abstract]:Growing demand for content-centric applications has prompted researchers to rethink and redesign information storage and delivery on the Internet. More and more network loads contain multiple recipients. However, the host-centric architecture in the Internet is designed for point-to-point communications between two fixed ends. As a result, the current Internet architecture does not match the current data and applications centered on content, regardless of the source of the information, and the data required by the user is unknown in many cases. content-based networks have been proposed to address such requirements because content-based networks have the advantages of high efficiency, low network load, low latency, and high energy efficiency. Publishing a subscription communication paradigm is the most complex and mature example of such a network. This paper focuses on the research of key technology in publishing subscription system, realizes efficient and secure information distribution and management, and ensures the integrity, confidentiality and availability of information. The main achievements of this thesis are as follows: (1) In order to ensure the information security of the publishing and subscribing system in the non-completely trusted network environment, this paper proposes a publishing subscription system encryption based on redundant attributes, aiming at the multi-domain publishing subscription system model. The algorithm uses the redundant attributes of the event to form a vector space model and applies the redundant attributes to the event encryption process. When an event is in the sending process, the redundant attributes of the event appear in different combinations in different combinations according to the pre-established rules once the discovery information is revealed to an unauthorized user, the system can confirm the presence of a link to the line sniffing by combining the redundancy attribute in the leaked information and revoke the associated authorization certificate. This way does not increase the cost of the matching process and the subscription process overhead. Therefore, when the line sniffing is not ignored, the scheme in this paper helps to improve the security of the publishing subscription system Through simulation, the proposed scheme can effectively improve the security of the system without the support of the fully trusted agent connection. Performance. (2) In order to achieve three objectives of access control in a publishing subscription system: confidentiality control, integrity control, and availability control, for most studies, only the event content and subscription conditions are encrypted, and access control policies will be accessed In this paper, a publishing subscription system based on advertisement information encryption is proposed in this paper. Ask the control mechanism. This scheme not only can control the security delivery of information, but also retains the advantages of publishing subscription communication, such as the decoupling and system of clients. Scalability. In a network, subscription information meets advertisement information while setting up a publishing event The event propagation tree. On this basis, the access policy containing sensitive information is added to the advertisement information, The interest rate is encrypted. The security of the access control policy is in the matching process of subscription information and advertisement information in this way, the content-based route can still be completed while the information encryption is achieved, The simulation results show that the proposed scheme realizes the fine-grained access control, improves the security performance of the access control strategy of the publishing subscription system, and only adds a small amount of system. Information overhead. (3) In a content-based publishing subscription system, there are typically thousands of subscribers using a centralized mechanism to process an installation Full demand is not feasible. Since the number of subscribers interested in a service/ entity may change, a static security is established In view of this problem, this paper proposes a key management mechanism of mixed mode to manage the encryption key of the event, which uses the decentralized mechanism to efficiently group the agent, and provides the method including registration, key generation and dynamic member management. Finally, it proves that the key management mechanism of hybrid mode can effectively reduce the key updating of the system compared with other key management methods.
【学位授予单位】:北京邮电大学
【学位级别】:博士
【学位授予年份】:2014
【分类号】:TP393.08
【参考文献】
相关期刊论文 前8条
1 张继德;屈尔庆;贺志芳;;基于发布/订阅系统的安全管理平台设计[J];计算机科学;2008年04期
2 苑洪亮;张捷;郭长国;史殿习;;内容发布订阅系统中事件可靠传递的研究[J];计算机工程与科学;2007年09期
3 董飚;陈金辉;孙亚民;;大规模发布/订阅系统中的可靠性模型[J];计算机科学;2008年09期
4 马建刚;黄涛;汪锦岭;徐罡;叶丹;;面向大规模分布式计算发布订阅系统核心技术[J];软件学报;2006年01期
5 邹吉昌;段斌;李晶;;基于内容的发布/订阅系统安全框架设计[J];计算机工程与设计;2008年19期
6 王曦;肖晓丽;;基于移动代理和密钥共享的发布/订阅系统的研究与设计[J];计算机工程与设计;2008年18期
7 姚刚;邓江沙;;基于JMS的消息过滤改进算法[J];计算机技术与发展;2006年07期
8 薛涛;冯博琴;李波;董剑;;基于内容的发布订阅系统中快速匹配算法的研究[J];小型微型计算机系统;2006年03期
相关博士学位论文 前1条
1 王青龙;广播加密中的叛逆者追踪研究[D];北京交通大学;2009年
,本文编号:2301395
本文链接:https://www.wllwen.com/guanlilunwen/ydhl/2301395.html
