Research on Key Security Technologies for Publish/Subscribe Systems
Published: 2018-10-31 07:34
[Abstract]: The steadily growing demand for content-centric applications has prompted researchers to rethink and redesign how information is stored and delivered on the Internet. An increasing share of network traffic carries content that has multiple recipients. The Internet's host-centric architecture, however, was designed for point-to-point communication between two fixed endpoints. As a result, the current Internet architecture is mismatched with today's data and content-centric applications: in many cases the data a user needs is unknown, regardless of where the information originates. Content-based networks have been proposed to meet this requirement, since they offer high efficiency, low network load, low latency and high energy efficiency. The publish/subscribe communication paradigm is the most sophisticated and mature example of such a network. This thesis studies the key security technologies of publish/subscribe systems, aiming at efficient and secure information distribution and management that guarantees the integrity, confidentiality and availability of information. The main contributions are as follows:

(1) To protect information in a publish/subscribe system deployed over a network that is not fully trusted, this thesis proposes, for a multi-domain publish/subscribe system model, an encryption algorithm based on redundant attributes. The algorithm uses the redundant attributes of an event to build a vector space model and applies those attributes in the event encryption process. While an event is being sent, its redundant attributes appear along the route in different combinations according to pre-established rules. Once information is found to have leaked to an unauthorized user, the system can use the combination of redundant attributes in the leaked information to identify the link on which line sniffing occurred and revoke the associated authorization certificate. This approach adds no overhead to the matching process or the subscription process. It therefore improves the security of the publish/subscribe system when line sniffing cannot be neglected. Simulation shows that the proposed scheme effectively improves the security of the system without relying on fully trusted broker connections.

(2) To achieve the three goals of access control in publish/subscribe systems, namely confidentiality control, integrity control and availability control, and in response to the fact that most existing work encrypts only event content and subscription conditions while leaving access control policies in the clear, this thesis proposes an access control mechanism for publish/subscribe systems based on advertisement encryption. The scheme not only controls the secure delivery of information but also preserves the advantages of publish/subscribe communication, such as client decoupling and system scalability. In the network, the event propagation tree for published events is built as subscriptions meet advertisements. On this basis, access policies containing sensitive information are attached to the advertisement, and the advertisement is encrypted in the same way as published information. The security of the access control policy is enforced during the matching of subscriptions against advertisements. Content-based routing can still be performed while the information is encrypted, and no overhead is added to the event publishing process. Simulation shows that the proposed scheme achieves fine-grained access control over information and improves the security of the system's access control policies, while adding only a small amount of information overhead.

(3) A content-based publish/subscribe system typically has thousands of subscribers, so handling security requirements with a centralized mechanism is infeasible. Because the number of subscribers interested in a given service or entity may change at any time, establishing a static secure group is unrealistic. To address this, this thesis proposes a hybrid-mode key management mechanism for managing event encryption keys. It uses a decentralized mechanism to group brokers efficiently and provides a key management scheme covering registration, key generation and dynamic membership management. Simulation shows that, in a publish/subscribe system, the hybrid-mode key management mechanism effectively reduces key update overhead and key storage overhead compared with other key management methods.
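The tracing step of contribution (1) can be illustrated with a small model, added here as an example and not code from the thesis. It assumes (the abstract does not state this) that every broker-to-broker link is assigned a distinct combination of redundant attribute names, that the copy of an event forwarded over a link carries that link's combination, and that each link is bound to one authorization certificate. The attribute names, links, certificate ids and event are constructed for the demonstration. The point it shows is that the trace is unambiguous only while the combinations are distinct, and that an altered or stripped combination yields no match rather than a wrong link.

```python
"""Added example (not the thesis's code): trace a leaked event copy to the
sniffed link via its redundant-attribute combination and revoke that link's
certificate. All names and values below are constructed assumptions."""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Constructed pool of redundant attribute names (assumption).
REDUNDANT_POOL: List[str] = ["r1", "r2", "r3", "r4", "r5"]


def assign_link_codes(links: Iterable[str], pool: List[str], k: int = 2) -> Dict[str, FrozenSet[str]]:
    """Give every link a distinct k-subset of the pool (the pre-established rule).

    Distinct subsets are what make a trace unambiguous, so refuse to assign
    codes when the pool cannot give each link its own subset."""
    links = list(links)
    codes = list(combinations(pool, k))
    if len(links) > len(codes):
        raise ValueError(f"pool of {len(pool)} yields {len(codes)} codes, need {len(links)}")
    return {link: frozenset(code) for link, code in zip(links, codes)}


def forward(event: Dict[str, object], link: str, codes: Dict[str, FrozenSet[str]]) -> Dict[str, object]:
    """Return the copy of `event` sent over `link`.

    Only the "redundant" field differs between copies; the payload attributes
    used for subscription matching are untouched, so matching cost is unchanged."""
    out = dict(event)
    out["redundant"] = codes[link]
    return out


def trace_leak(leaked: Dict[str, object], codes: Dict[str, FrozenSet[str]]) -> Optional[str]:
    """Identify the sniffed link from the combination found in a leaked copy.

    Returns None when no link matches, e.g. if the redundant attributes were
    stripped or altered before the copy surfaced."""
    found = frozenset(leaked.get("redundant", ()))
    for link, code in codes.items():
        if code == found:
            return link
    return None


class CertificateRegistry:
    """Binds each link to the authorization certificate of the broker
    connection using it and records revocations."""

    def __init__(self, link_to_cert: Dict[str, str]) -> None:
        self._link_to_cert = dict(link_to_cert)
        self.revoked: Set[str] = set()

    def is_valid(self, cert: str) -> bool:
        return cert not in self.revoked

    def handle_leak(self, leaked: Dict[str, object], codes: Dict[str, FrozenSet[str]]) -> Optional[str]:
        """Trace the leak and revoke the offending link's certificate.
        Returns the revoked certificate id, or None if no link matched."""
        link = trace_leak(leaked, codes)
        if link is None:
            return None
        cert = self._link_to_cert[link]
        self.revoked.add(cert)
        return cert


def demo() -> Optional[str]:
    """Constructed scenario: three links, one event, a copy leaked from B2-B4."""
    links = ["B1-B2", "B2-B3", "B2-B4"]
    codes = assign_link_codes(links, REDUNDANT_POOL)
    registry = CertificateRegistry({"B1-B2": "cert-12", "B2-B3": "cert-23", "B2-B4": "cert-24"})
    event = {"topic": "stock", "symbol": "XYZ", "price": 42}
    leaked = forward(event, "B2-B4", codes)
    return registry.handle_leak(leaked, codes)


if __name__ == "__main__":
    print(demo())  # cert-24
```

A real deployment would tie the combinations to the encryption of the event rather than carrying them in the clear, as the abstract describes with its vector space model; this model only shows the bookkeeping that makes the revocation decision possible.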
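For contribution (3), the following toy model, added as an example and not the thesis's construction, counts key-distribution messages when a broker leaves, comparing a grouped scheme with a flat one. It assumes a generic two-level layout that the abstract does not spell out: brokers are placed in fixed-size groups; each broker holds an individual key and its group key; the event key is delivered once per group under the group key. On a leave, forward secrecy requires a new group key for the remaining members of that group (one message each) and a new event key (one message per group). In the flat baseline the new event key is sent to every remaining broker individually. Key storage is not modelled, and the broker names are constructed.

```python
"""Added example (not the thesis's code): message count for rekeying after a
broker leaves, grouped scheme versus flat baseline. The group layout and the
cost model are assumptions, not the thesis's exact hybrid mechanism."""
from typing import Dict, List


class GroupedKeyManager:
    """Registration and dynamic membership for brokers in fixed-size groups."""

    def __init__(self, group_size: int) -> None:
        if group_size < 1:
            raise ValueError("group_size must be >= 1")
        self.group_size = group_size
        self.groups: List[List[str]] = []
        self.where: Dict[str, int] = {}  # broker -> group index

    def register(self, broker: str) -> int:
        """Place a new broker in the first group with free space, opening a
        new group if every group is full. Returns the group index."""
        if broker in self.where:
            raise ValueError(f"{broker} already registered")
        for idx, members in enumerate(self.groups):
            if len(members) < self.group_size:
                members.append(broker)
                self.where[broker] = idx
                return idx
        self.groups.append([broker])
        self.where[broker] = len(self.groups) - 1
        return self.where[broker]

    def leave(self, broker: str) -> int:
        """Remove a broker and return the number of key-distribution messages
        needed so the departed broker can no longer read new events."""
        idx = self.where.pop(broker)  # KeyError for an unknown broker
        members = self.groups[idx]
        members.remove(broker)
        group_rekey = len(members)  # new group key, unicast to each remaining member
        event_rekey = sum(1 for g in self.groups if g)  # new event key, once per non-empty group
        return group_rekey + event_rekey

    def broker_count(self) -> int:
        return len(self.where)


def flat_leave_cost(n_remaining: int) -> int:
    """Flat baseline: the new event key is unicast to every remaining broker."""
    return n_remaining


def compare(n: int, group_size: int) -> Dict[str, int]:
    """Register n constructed brokers, remove the first one, report both costs."""
    mgr = GroupedKeyManager(group_size)
    for i in range(n):
        mgr.register(f"broker{i}")
    grouped = mgr.leave("broker0")
    flat = flat_leave_cost(mgr.broker_count())
    return {"grouped": grouped, "flat": flat}


if __name__ == "__main__":
    print(compare(16, 4))  # {'grouped': 7, 'flat': 15}
```

With 16 brokers in groups of 4, a leave costs 3 + 4 = 7 messages against 15 for the flat baseline; the gap widens as the population grows, which is the effect the abstract reports for its hybrid mechanism.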
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京郵電大學)
[Degree level]: Doctoral
[Year of degree]: 2014
[Classification number]: TP393.08
Document number: 2301395
Link: http://sikaile.net/guanlilunwen/ydhl/2301395.html