832 results for role based access control
Abstract:
Biometrics have been used for years as an access control solution for many systems, but the mere use of biometrics cannot be regarded as a final and perfect solution. Many risks exist and must not be ignored. Most of the problems relate to the transmission path between the place where users request access and the servers where the biometric data captured at enrollment are stored. Several kinds of attacks can be carried out by impostors who wish to misuse the system. Beyond the technical aspects, there is the social aspect. Users are increasingly concerned both with the storage and with the misuse of their biometrics, since a biometric trait is a unique identifier and, being invariant over time, can be lost forever if compromised. The fact that several companies, each with their own servers, store biometric data is causing discomfort to users, since it makes those data more susceptible to attack. In this dissertation, the use of smart cards is adopted as a possible solution to the problems above. Smart cards prepared for multiple applications are used to perform the biometric comparisons internally. In this way, multiple servers would no longer be needed, since the biometric features would always reside on a single card in the owner's possession. Three different biometric identification algorithms were developed and implemented using different traits: fingerprint, palmprint and iris. Considering memory usage, average execution time and accuracy, palmprint biometrics obtained the best results, achieving minimal error rates and execution times below half a second.
Abstract:
Realizing the Internet of Things (IoT) requires the integration and interaction of devices and services with heterogeneous communication protocols. The data generated by the devices must be analyzed and interpreted according to a common data model, which can be addressed with semantic modeling, processing, reasoning and data persistence technologies. Context-aware computing offers solutions to these challenges, with mechanisms that associate context data with the data collected by devices. However, the IoT must go beyond context-aware computing; solutions for security, privacy and scalability are needed at the same time. Integrating these technologies requires the support of an infrastructure, which can be implemented as a middleware. A centralized solution for integrating heterogeneous devices, however, may hurt scalability. This integration is therefore delegated to software agents, which are responsible for integrating the devices and services and encapsulate the specifics of their interfaces and communication protocols. This work explores the security, persistence and naming aspects of resource agents. To this end, ContQuest was developed: a framework that facilitates the integration of new resources and the development of context-aware applications for the IoT through a service architecture and a data model. ContQuest includes consistent solutions for persistence, security and access control for the middleware services, for the Resource Agents that encapsulate devices and services, and for client applications. ContQuest uses OWL to model resources and includes a mechanism for generating universally unique identifiers in the ontologies.
A ContQuest prototype was developed and validated by integrating three Resource Agents for real devices: an Arduino device, an RFID reader and a sensor network. A performance evaluation of the system components was also carried out, in which the impact of the proposed security mechanism on the prototype's performance was observed. The validation and performance results are satisfactory.
Abstract:
A novel 28-amino acid peptide, termed bombinakinin-GAP, was purified and characterized from skin secretions of the toad Bombina maxima. Its primary structure was established as DMYEIKQYKTAHGRPPICAPGEQCPIWV-NH2, in which two cysteines form a disulfide bond. A FASTA search of SWISS-PROT databank detected a 32% sequence identity between the sequences of the peptide and a segment of rat cocaine- and amphetamine-regulated transcript (CART). Intracerebroventricular (i.c.v.) administration of the peptide induced a significant decrease in food intake in rats, suggesting that it played a role in the control of feeding by brain. Analysis of its cDNA structure revealed that this peptide is coexpressed with bombinakinin M, a bradykinin-related peptide from the same toad. Bombinakinin-GAP appears to be the first example of a novel class of bioactive peptides from amphibian skin, which may be implicated in feeding behavior. (C) 2003 Elsevier Science Inc. All rights reserved.
Abstract:
There is growing interest in Discovery Services for locating RFID and supply chain data between companies globally, to obtain product lifecycle information for individual objects. Discovery Services are heralded as a means to find serial-level data from previously unknown parties; more realistically, however, they provide a means to reduce the communications load on the information services, the network and the requesting client application. Attempts to design a standardised Discovery Service will not succeed unless security is considered in every aspect of the design. In this paper we clearly show that security cannot be bolted on in the form of access control, although this is also required. The basic communication model of the Discovery Service critically affects who shares what data with whom, and what level of trust is required between the interacting parties. © 2009 IEEE.
Abstract:
Sertoli cells play a central role in the control and maintenance of spermatogenesis. Isolated Sertoli cells of mouse and rat testes have been shown to secrete plasminogen activator (PA) and a plasminogen activator inhibitor type-1 (PAI-1) in culture. In this study, we have investigated the hormonal regulation of PA and PAI-1 activities in cultured monkey Sertoli cells. Sertoli cells (5x10(5) cells/well) isolated from infant rhesus monkey testes were preincubated at 35 degrees C for 16 h in 24-well plates precoated with poly(D-lysine) (5 mu g/cm(2)) in 0.5 ml McCoy's 5a medium containing 5% fetal calf serum, and further incubated for 48 h in 0.5 ml serum-free medium with or without various hormones or other compounds. PA and PAI-1 activities in the conditioned media were assayed by fibrin overlay and reverse fibrin autography techniques, respectively. The Sertoli cells in vitro secreted only tissue-type PA (tPA); no detectable amount of urokinase-type PA (uPA) could be observed. Monkey Sertoli cells were also capable of secreting PAI-1. Immunocytochemical studies indicated that both tPA and PAI-1 positive staining localized in the Sertoli cells, spermatids and residual bodies of the seminiferous epithelium; Northern blot analysis further confirmed the presence of both tPA and PAI-1 mRNA in monkey Sertoli cells. Addition of follicle-stimulating hormone (FSH), cyclic adenosine monophosphate (cAMP) derivatives or cAMP-generating agents, gonadotrophin-releasing hormone (GnRH) agonist or phorbol ester (PMA) to the cell culture significantly increased tPA activity. PAI-1 activity in the culture was also enhanced by these reagents, except for 8-bromo-dibutyryl-cAMP, forskolin and 3-isobutyl-1-methylxanthine (MIX), which greatly stimulated tPA activity while decreasing PAI-1 activity, implying that neutralization of PAI-1 activity by the high level of tPA in the conditioned media may occur.
These data suggest that increased intracellular signals which activate protein kinase A (PKA) or protein kinase C (PKC) can modulate Sertoli cell tPA and PAI-1 activities. The concomitant induction of PA and PAI-1 by the same reagents in the Sertoli cells may reflect a finely tuned regulatory mechanism in which PAI-1 could limit excessive proteolysis.
Abstract:
RFID is a technology that enables the automated capture of observations of uniquely identified physical objects as they move through supply chains. Discovery Services provide links to repositories that have traceability information about specific physical objects. Each supply chain party publishes records to a Discovery Service to create such links and also specifies access control policies to restrict who has visibility of link information, since it is commercially sensitive and could reveal inventory levels, flow patterns, trading relationships, etc. The requirement of being able to share information on a need-to-know basis, e.g. within the specific chain of custody of an individual object, poses a particular challenge for authorization and access control, because in many supply chain situations the information owner might not have sufficient knowledge about all the companies who should be authorized to view the information, because the path taken by an individual physical object only emerges over time, rather than being fully pre-determined at the time of manufacture. This led us to consider novel approaches to delegate trust and to control access to information. This paper presents an assessment of visibility restriction mechanisms for Discovery Services capable of handling emergent object paths. We compare three approaches: enumerated access control (EAC), chain-of-communication tokens (CCT), and chain-of-trust assertions (CTA). A cost model was developed to estimate the additional cost of restricting visibility in a baseline traceability system and the estimates were used to compare the approaches and to discuss the trade-offs. © 2012 IEEE.
Abstract:
Service-Oriented Architecture (SOA) and Web Services (WS) offer advanced flexibility and interoperability capabilities. However, they imply significant performance overheads that need to be carefully considered. Supply Chain Management (SCM) and Traceability systems are an interesting domain for the use of WS technologies, which are usually deemed too complex and unnecessary in practical applications, especially regarding security. This paper presents an externalized security architecture that uses the eXtensible Access Control Markup Language (XACML) authorization standard to enforce visibility restrictions on traceability data in a supply chain where multiple companies collaborate; the performance overheads are assessed by comparing 'raw' authorization implementations - Access Control Lists, Tokens, and RDF Assertions - with their XACML equivalents. © 2012 IEEE.
Abstract:
The heme-regulated initiation factor 2 alpha kinase (HRI) is acknowledged to play an important role in translational shutoff in reticulocytes in response to various cellular stresses. In this study, we report its homologous cDNA cloning and characterization from cultured flounder embryonic cells (FEC) after treatment with UV-inactivated grass carp haemorrhagic virus (GCHV). The full-length cDNA of the Paralichthys olivaceus HRI homologue (PoHRI) has 2391 bp and encodes a protein of 651 amino acids. The putative PoHRI protein exhibits high identity with all members of the eIF2 alpha kinase family. It contains the 12 catalytic subdomains located within the C-terminus of all Ser/Thr protein kinases, a unique kinase insertion of 136 amino acids between subdomains IV and V, and a relatively conserved N-terminal domain (NTD). Upon heat shock, virus infection or Poly PC treatment, PoHRI mRNA and protein are significantly upregulated in FEC cells but show different expression patterns in response to different stresses. In healthy flounders, PoHRI displays a wide tissue distribution at both the mRNA and protein levels. These results indicate that PoHRI is a ubiquitous eIF2 alpha kinase and might play an important role in translational control in non-heme-producing FEC cells under different stresses. (c) 2006 Elsevier Ltd. All rights reserved.
Abstract:
Charge trapping in the fluorinated SIMOX buried oxides before and after ionizing radiation has been investigated by means of C-V characteristics. Radiation-induced positive charge trapping which results in negative shift of C-V curves can be restrained by implanting fluorine ions into the SIMOX buried oxides. Pre-radiation charge trapping is suppressed in the fluorinated buried oxides. The fluorine dose and post-implantation anneal time play a very important role in the control of charge trapping.
Abstract:
In military and commercial domains, access to shared resources (such as objects, applications and services) by collaborative groups formed from multiple autonomous domains is receiving increasing attention. The basic fact of such collaboration is that although these autonomous domains share common goals, they also have different interests of their own. To protect shared resources effectively, the concept of "trust" is introduced into collaborative access control and, building on the idea of quantified permissions, a fine-grained collaborative access control policy is proposed. In this policy, permissions are used in the form of meta-permissions, i.e. unit permissions, which are a partition of the permission to access a shared object and can be held by different users in multiple domains. When a shared resource is accessed, the sum of the values of the meta-permissions held by the participants and the number of participants must reach the prescribed permission threshold and participant count, and the access time must fall within the period jointly permitted to all participants, which enables effective distributed control over collaborative resources. In addition, a time-period constraint on the use of meta-permissions is introduced. Finally, it is proved that this fine-grained collaborative access control policy preserves safety with respect to the state transitions of the collaborative system.
Abstract:
Information stored in XML documents needs to be protected by access control policies. Existing access control models for XML documents are based either on discretionary access control policies or on role-based access control. High-assurance systems require mandatory access control to guarantee the security of the information within the system. First, the XML document model is extended to include label information, and the rules that the extended document model must satisfy are given. Then, by discussing four kinds of operations on XML documents, the details of a fine-grained mandatory access control model for XML documents are described. The model is based on XML Schema technology, and its control granularity can reach the elements or attributes within a document. Finally, the architecture of the model and some implementation mechanisms are discussed.
Abstract:
Current access control administration models are each proposed for a specific access control model and cannot accommodate the situation in which multiple access control models coexist in one large system. The main reason an administration model cannot apply to several access control models at once is that the definition of an administrator's scope of administration includes components specific to a particular access control model. By defining administrative scope in terms of subjects and permissions, which are common to all access control models, and by abstracting the relationship between the administration model and the access control model as a function that computes the policy-dependent administrative scope, a general access control administration model capable of administering different access control models is proposed. To facilitate practical use of the model, the concept of an administrative space is introduced to correspond to the actual organizational structure, forming a distributed access control administration structure; at the same time the model strictly distinguishes the administrative permissions of the direct and indirect administrators of an administrative space, giving administrators a degree of autonomy. Finally, the administration rules and semantics of the administration model are discussed, the completeness of the model is proved, and the policy~* algorithms for different access control models are discussed and analyzed.
Abstract:
Role delegation is an important security policy that the RBAC model needs to support. Its main idea is that an active entity in the system delegates a role to another active entity so that the latter can perform specific work on behalf of the former. The delegator is responsible for the use of the delegated role, so restrictions on the use of delegated roles are a key component of the whole model. Several models have extended the RBAC model to support role delegation, but their support for delegation constraints is very limited. The requirements for role delegation constraints are proposed, including temporal constraints, regular-role association constraints, partial constraints and propagation constraints. Furthermore, a role-based delegation model supporting temporal constraints and regular-role association constraints is given. A formal description of the model is provided, laying the foundation for applying the model in practical environments.
Abstract:
The information resources of large organizations are often maintained according to the organizational structure, which contains many isomorphic units holding the same kinds of information resources. When the traditional RBAC model is used for access control in such an environment, permissions and roles must be defined for each isomorphic part, which involves a great deal of redundant work, and authorization administration becomes very difficult when the number of isomorphic units is large. This paper proposes an RBAC model that supports organizational structure: the model introduces the organizational structure, defines abstract roles, and solves the above problems by associating abstract roles with organizational units. Extensions of the model to support role usage scope restrictions and fine-grained access control are also given.
Abstract:
In networked environments, the security threats faced by computer systems are complex, diverse and dynamically changing; consequently, the security requirements of computer systems are characterized by complexity, diversity and dynamic change. Research shows that multi-policy access control is an effective means of addressing complex, dynamic security requirements. This thesis studies the key technologies of multi-policy access control and obtains the following results. First, the correctness verification of mandatory access control frameworks in operating systems is studied: three goals of correctness verification are proposed, a path-sensitive verification method based on static analysis is given, the TrustedBSD MAC framework is verified, and several misplaced hook functions are discovered. Second, dynamic adjustment of security policies in the RBAC model is studied: the shortcomings of the RBAC model in dynamic policy adjustment, particularly dynamic adjustment of role authorization, are pointed out, a state-based model for dynamic security policy adjustment is given, and an implementation method for this model based on virtual domains is given. Third, the integration of the RBAC model and the Clark-Wilson model is studied: the shortcomings of both models in integrity protection for large applications are pointed out, the certification rules and enforcement rules of the Clark-Wilson model are extended, and a hierarchical integration of the RBAC and Clark-Wilson models is given. Fourth, the evaluation of security policy description frameworks is studied: the policy description components needed to express security policies flexibly are analyzed, six types of typical security policy description frameworks are summarized, an evaluation method based on descriptive and enforcement metrics is proposed, and the six typical frameworks are evaluated. This research solves several key problems of multi-policy access control and lays the theoretical and practical foundation for further study of the enforcement, dynamic adjustment and integration of multiple security policies.