A Secure Identification and Key agreement protocol with user Anonymity (SIKA)

收稿日期:2009-05-18;修回日期:2009-07-24。

基金项目:国家自然科学基金资助项目(90604016)。

作者简介:邓亚平(1948-),男,重庆铜梁人,教授,主要研究方向:通信网络、网络安全;　付红(1985-),男,湖北荆州人,硕士,主要研究方向:通信网络、网络安全;　谢显中(1966-),男,重庆人,教授,主要研究方向:移动通信;　张玉成(1981-),男,江苏淮安人,博士研究生,主要研究方向:下一代网络;　石晶林(1972-),男,云南怒江人,研究员,博士生导师,主要研究方向:下一代网络。

文章编号:1001-9081(2009)11-2936-03基于公钥体制的3GPP 认证与密钥协商协议邓亚平1,付　红1,2,谢显中1,张玉成2,石晶林2(1.重庆邮电大学计算机科学与技术学院,重庆400065;　2.中国科学院计算技术研究所,北京100190)(woshifuhong1985@sina .com )摘　要:对比了第三代移动通信系统中的认证与密钥协商协议,分析了第三代合作伙伴计划(3GPP )最新发布的系统架构演进(S AE )Re1ease 8标准的认证与密钥协商协议,指出了协议中存在的几个安全缺陷。

针对协议的安全缺陷,结合公钥密码体制提出一种改进的3GPP S AE 认证与密钥协商协议。

改进协议利用公钥加密机制保护用户身份信息和网络域的用户认证向量,采用动态随机数方式生成本地认证中需要的密钥。

对改进协议进行安全和效率分析的结果表明,该协议可以有效解决上述安全缺陷,能以较少的资源开销获取安全性能的提升。

关键词:协议安全;公钥;认证;密钥协商;协议分析中图分类号:TP393.08 文献标志码:A3GPP authen ti ca ti on and key agree m en tprotocol ba sed on publi c key cryptosystemDE NG Ya 2p ing 1,F U Hong 1,2,X I E Xian 2zhong 1,Z HANG Yu 2cheng 2,SH I J ing 2lin2(1.College of Co m puter Science and Technology,Chongqing U niversity of Posts and Teleco mm unications,Chongqing 400065,China;2.Institute of Co m puting Technology,Chinese Acade m y of Sciences,B eijing 100190,China )Abstract:The authenticati on and key agree ment p r ot ocol adop ted by 3rd Generati on Partnershi p Pr oject (3GPP )Syste m A rchitecture Evoluti on (S AE )Release 8standard was analyzed in contrast with 3G,and several security defects in S AE p r ot ocol were pointed out,then an i m p r oved 3GPP S AE authenticati on and key agree ment p r ot ocol was put f or ward based on public key cryp t osyste m.I n the ne w p r ot ocol,user πs identity inf or mati on and authenticati on vect or in net w ork domain wereencryp ted based on public key cryp t osyste m,public parent key adop ted in l ocal authenticati on was generated by random data .The security and efficiency of the p r oposed new sche me was analyzed at last .The analysis results show that the p r oposal can effectively s olve the p r oble m s menti oned above and i m p r ove the security of p r ot ocol with less cost .Key words:p r ot ocol security;public key;authenticati on;key agree ment;p r ot ocol analysis0　引言通用移动通信系统(Universal Mobile Telecommunicati on Syste m,UM TS )认证与密钥协商机制在实现双向认证、密钥协商以及保证密钥新鲜性等基本功能的同时,也存在重定向攻击、用户身份泄露、序列号同步缺陷,以及认证向量易被截获的问题[1]。

1．状态检测防火墙什么时候实施规则变更备份？BA 防火墙变更之前B 防火墙变更之后C 作为完全备份的一部分D 作为增量备份的一部分2．哪项违反了CEI？ BA 隐瞒之前的犯罪记录行为B CISSP从业者从事不道德行为3．FTP的风险？ BA 没有目标认证B 明文传输4．L2TP是为了通过什么协议实现？ AA PPPB PCP5．VOIP在语音通信过程当中，弱点? BA 没有目标认证B 没有源认证6．(1) 假如：T为IDS控制成本费用200000美元E为每年恢复数据节省费用50000美元R是为实施控制措施之前的每年恢复费用100000美元问：实际投资回报为：A -50000B -100000C 100000D 150000A (投资回报就是控制前-控制后, 投资回报负值就是省了多少，正值就是赚了多少)(2) 问年度预期损失ALE怎么计算： BA (R+E)/TB（R-E）+TC (R-T)*ED T/(R-E)7．ipsec隧道模式下的端到端加密，ip包头 BA 加密，数据不加密B和数据一起加密C 不加密，数据加密8．实施一个安全计划，最重要的是： BA 获取安全计划所需的资源B 与高层管理者访谈9．安全要求属于： BA. ST安全目标B. PPC . TOE10．TOE属于 AA CCB 可信计算机11．公司进行信息安全评估，打算把所有应用程序维护外包，问对服务提供商什么是最重要的？ CA BIAB 风险管理C SLA12．公司运维外包服务，问什么时候跟服务提供商确定安全要求？ AA 合同谈判B 合同定义1.外部审计师违反了公司安全要求，问惩罚判定来源： CA 公司安全要求B 外部审计公司要求C 双方协议2.公司实施一个纵深防御政策，问由内到外的层次设计？ A？A 边界场地出入口办公区计算机机房B 围墙场地出入口计算机机房办公区域3.802.1 b具有什么功能？共享密钥4.SSL协议双向认证，部分使用，除了客户端验证服务器，还有？ AA 服务器对客户端自我验证B 客户端对服务器自我验证5.可重复使用是在CMMI的哪个阶段？第二个A、不可预测B、可重复C、可定义D、可管理E、可优化6.可重复使用是在SDLC的哪个阶段？开发阶段（如果说的是对象的可重复使用的话）7.实现机密性，使用以下哪个算法？ C （DES不安全、SHA是散列函数，RSA速度慢，当然前提这道题目得有条件，如加密消息时）A. DESB. SHA-1C. AESD. RSA8.以下哪项可以实现数字签名、完整性？ AA. RSAB. DSA9.关于ECC算法的，概念题10.同步、异步令牌11.在PKI中哪个组件负责主体身份与公钥证书绑定？ BA 注册机构B 证书颁发机构23是怎么预防电缆产生的电磁辐射。

GCLSolar Energy保利协鑫太阳能SUPPLIER :供应商Assessment Team :供应物名称ASSESSMENT DATE: 供应时间SARSupplier AuditReport供应商审核报告SUPPLIER ASSESSMENTGUIDELINE供应商评估指南2010SUPPLIER ASSESSEMENTMANUFACTURING制造类供应商评估INTRODUCTION引言GCL Solar Energy is committed to product excellence in the markets we serve. We intend to continuously demonstrate this commitment by providing defect-free products on time and at competitive prices.协鑫光伏能源致力于对产品精益求精，在我们服务的市场,我们将不断证明这一承诺，并提供有竞争力的价格，无缺陷的产品。

This requires that we exercise every possible means to assure quality and consistent on-time delivery of purchased goods, which in-turn, contributes to continuous Quality improvement. Through the application of Statistical Process Control (SPC) combined with the cooperation and commitment of our Suppliers and Supply Chain Teams, GCL Solar Energy will drive continuous improvement both in Technical and Commercial aspects of business.这就要求我们千方百计保证质量和购进一致好的部件，不断提高服务质量。

Signature confirmation is a critical aspect of various transactions and agreements, ensuring that all parties involved have given their consent and are aware of the terms and conditions.Here are some reasons why signature confirmation is essential:1.Legal Validity:A signature serves as a legal proof that the person has read,understood, and agreed to the terms of a document.Without a signature,a document may not hold up in a court of law.2.Authentication:Signatures help authenticate the identity of the person signing the document.It is a way to verify that the person who claims to have signed the document is indeed the same person.3.Record Keeping:Signatures provide a permanent record of who agreed to the terms ofa document.This is useful for future reference and can help in resolving disputes.4.Prevention of Fraud:By requiring a signature,organizations can reduce the risk of fraud.A forged or unauthorized signature can be detected and investigated.5.Finalization of Agreements:A signature acts as a seal of approval on an agreement, indicating that the negotiation phase is complete and both parties are ready to proceed with the terms as stated.6.Protection of Rights:Signatures ensure that the rights of all parties involved are protected.It is a way to make sure that no one can claim they were not aware of the terms they agreed to.7.Economic Transactions:In business and financial transactions,signatures are used to authorize payments,transfers,and other economic activities.They are a necessary step in the process to ensure that the transaction is legitimate and authorized.8.Electronic Signatures:With the advent of digital technology,electronic signatures have become common.They offer the same legal standing as traditional signatures and are often more convenient and secure.9.Nonrepudiation:Signatures provide a means of nonrepudiation,meaning that once a document is signed,the signer cannot later deny having signed it or claim that they did not agree to its contents.10.Cultural Significance:In many cultures,the act of signing a document is a significant and formal event,symbolizing commitment and seriousness about the agreement.In conclusion,signature confirmation is a fundamental part of ensuring that agreements are binding,legitimate,and respected by all parties involved.It is a simple yet powerful tool that helps maintain trust and integrity in various aspects of life,from personal contracts to international business deals.。

critical characteristicCritical Characteristics: What They Are and Why They MatterWhen it comes to manufacturing and product development, certain features of a product or process are deemed essential for safe and effective use. These features are known as critical characteristics, and their proper identification, control, and monitoring can be crucial for success.This document aims to provide an overview of critical characteristics, including what they are, their importance, and some key considerations for identifying and managing them.What Are Critical Characteristics?Critical characteristics can be defined as any attributes or features of a product or process that have an impact on its safety, performance, or regulatory compliance. These attributes can be physical, chemical, functional, or environmental, and they can be classified as either customer or regulatory requirements.Examples of critical characteristics in manufacturing include tolerance limits for dimensions, chemical composition, hardness, or strength, as well as functional requirements such as speed, accuracy, or durability. In product development, critical characteristics may include usability, reliability, safety, or regulatory compliance.Why Are Critical Characteristics Important?Identifying and controlling critical characteristics can be critical for several reasons:1. Safety: Critical characteristics can affect the safety of product users, as well as the environment, equipment, and personnel involved in the manufacturing or use of the product.2. Quality: Critical characteristics can impact the quality and performance of a product, affecting its ability to meet customer expectations, market demand, and regulatory requirements.3. Cost: Failing to manage critical characteristics can result in costly defects,recalls, or legal liabilities, as well as loss of reputation, market share, and revenue.4. Innovation: Managing criticalcharacteristics can facilitate innovation and product differentiation, allowing companies to stay ahead of competitors and meet emerging customer needs.How to Identify Critical Characteristics?Identifying critical characteristics involves a systematic approach that considers customer and regulatory requirements, product design, manufacturing processes, and risk management. Some key steps for identifying critical characteristics include:1. Define customer and regulatory requirements: Start by understanding the needs and expectationsof customers and regulatory agencies, as well as any applicable standards, laws, or regulations.2. Analyze product design: Evaluate the design of the product or process, including its intended use, performance requirements, and potentialfailure modes.3. Evaluate manufacturing processes: Examine the manufacturing processes, including inputs, outputs, controls, and variability, to identify critical steps and sources of variation.4. Conduct risk assessment: Perform a risk assessment to identify potential hazards, failure modes, and critical control points.5. Prioritize characteristics: Prioritize critical characteristics based on their impact on safety, performance, regulatory compliance, quality, and cost.How to Manage Critical Characteristics?Once critical characteristics have been identified, they must be managed through a combination of design, control, and monitoring activities. Some best practices for managing critical characteristics include:1. Design for manufacturability: Incorporate critical characteristics into the product design, using tools such as Design for Six Sigma, Quality Function Deployment, or Failure Mode and Effects Analysis.2. Establish control plans: Develop control plans and standard operating procedures that define critical steps, target values, tolerances, and measurement methods.3. Monitor and analyze data: Collect and analyze data on critical characteristics, using statistical process control, process capability analysis, or other tools, to identify trends, deviations, or opportunities for improvement.4. Implement corrective and preventive actions: Address deviations from critical characteristics using corrective and preventive actions, such as root cause analysis, process improvement, orquality system updates.5. Continuously improve: Continuously monitor and improve critical characteristics using a systematic approach, such as the Plan-Do-Check-Act cycle, to ensure ongoing compliance, customer satisfaction, and business success.ConclusionCritical characteristics play a vital role in ensuring the safety, quality, and regulatorycompliance of products and processes. Proper identification, control, and monitoring of these characteristics can help companies reduce risk, improve performance, and differentiate their products in the competitive marketplace. By applying the best practices outlined in this document, companies can develop a robust approach to managing critical characteristics and drive innovation and success in their industries.。

E/ECE/324 )Add.9/Rev.3E/ECE/TRANS/505 )August 14, 2008STATUS OF UNITED NATIONS REGULATIONECE 10-03UNIFORM PROVISIONS CONCERNING THE APPROVAL OF:VEHICLES WITH REGARD TO ELECTROMAGNETIC COMPATIBILITY Incorporating:02 series of amendments Date of Entry into Force: 03.09.97 Corr. 1 to the 02 series of amendments Dated: 11.03.98Supplement 1 to the 02 series of amendments Date of Entry into Force: 04.02.99 Corr. 2 to the 02 series of amendments Dated: 10.11.99Supplement 2 to the 02 series of amendments Date of Entry into Force: 12.08.04 03 series of amendments: Date of Entry into Force: 11.07.08E/ECE/324 )Add.9/Rev.3E/ECE/TRANS/505 )August 14, 2008UNITED NATIONSAGREEMENTCONCERNING THE ADOPTION OF UNIFORM TECHNICAL PRESCRIPTIONS FOR WHEELED VEHICLES, EQUIPMENT AND PARTS WHICH CAN BE FITTED AND/OR BE USED ON WHEELED VEHICLES AND THE CONDITIONS FOR RECIPROCAL RECOGNITION OF APPROVALS GRANTED ON THE BASIS OF THESE PRESCRIPTIONS (*)(Revision 2, including the amendments which entered into force on October 16, 1995)Addendum 9: Regulation No. 10Revision 3Incorporating all valid text up to:Supplement 2 to the 02 series of amendments − Date of entry into force: August 12, 200403 series of amendments: Date of entry into force: July 11, 2008UNIFORM PROVISIONS CONCERNING THE APPROVAL OF VEHICLES WITHREGARD TO ELECTROMAGNETIC COMPATIBILITY(*)Former title of the Agreement:Agreement Concerning the Adoption of Uniform Conditions of Approval and Reciprocal Recognition of Approval for Motor Vehicle Equipment and Parts, done at Geneva on March 20, 1958.REGULATION NO. 10UNIFORM PROVISIONS CONCERNING THE APPROVAL OF VEHICLESWITH REGARD TO ELECTROMAGNETIC COMPATIBILITYCONTENTSREGULATION1. Scope2. Definitions3. Application for approval4. Approval5. Markings6. Specifications7. Amendment or extension of a vehicle type approval following electrical/electronic sub assembly(ESA) addition or substitution8. Conformity of production9. Penalties for non-conformity of production10. Production definitely discontinued11. Modification and extension of type approval of a vehicle or ESAprovisions12. Transitional13. Names and addresses of Technical Services conducting approval tests, and of AdministrativeDepartmentsANNEXESAnnex 1:Examples of approval marksAnnex 2A:Model of information document for type approval of a vehicle, with respect to electromagnetic compatibilityAnnex 2B:Model of information document for type approval of an electric/electronic sub assembly, with respect to electromagnetic compatibilityAnnex 3A:Model of communication form for vehicle type approvalAnnex 3B:Model of communication form for type approval of electrical/electronic sub-assemblies Annex 3C:Attestation with regard to Paragraph 3.2.9.Annex 4:Method of measurement of radiated broadband electromagnetic emissions from vehicles Annex 5:Method of measurement of radiated narrowband electromagnetic emissions from vehiclesAnnex 6:Method of testing for immunity of vehicles to electromagnetic radiationAnnex 7:Method of measurement of radiated broadband electromagnetic emissions from electrical/electronic sub-assembliesAnnex 8:Method of measurement of radiated narrowband electromagnetic emissions from electrical/electronic sub-assembliesAnnex 9:Method(s) of testing for immunity of electrical/electronic sub-assemblies to electromagnetic radiationAnnex 10:Method(s) of testing for immunity to and emission of transients of electrical/electronic sub-assemblies1. SCOPEThis Regulation applies to:1.1.vehicles of Categories L, M, N and O (1) with regard to electromagnetic compatibility;ponents and separate technical units intended to be fitted in these vehicles with thelimitation given in Paragraph 3.2.1. with regard to electromagnetic compatibility.Itcovers:(a) requirements regarding the immunity to radiated and conducted disturbances forfunctions related to direct control of the vehicle, related to driver, passenger and otherroad users' protection and related to disturbances, which would cause confusion tothe driver or other road users;(b) requirements regarding the control of unwanted radiated and conducted emissions toprotect the intended use of electrical or electronic equipment at own or adjacentvehicles or nearby, and the control of disturbances from accessories that may beretrofitted to the vehicle.2. DEFINITIONSFor the purposes of this Regulation:2.1."Electromagnetic compatibility" means the ability of a vehicle or component(s) orseparate technical unit(s) to function satisfactorily in its electromagnetic environment withoutintroducing intolerable electromagnetic disturbances to anything in that environment.2.2."Electromagnetic disturbance" means any electromagnetic phenomenon which maydegrade the performance of a vehicle or component(s) or separate technical unit(s), or ofany other device, unit of equipment or system operated in vicinity of a vehicle. Anelectromagnetic disturbance may be electromagnetic noise, an unwanted signal or a changein the propagation medium itself.2.3."Electromagnetic immunity" means the ability of a vehicle or component(s) or separatetechnical unit(s) to operate without degradation of performance in the presence of(specified) electromagnetic disturbances which includes wanted radio frequency signalsfrom radio transmitters or radiated in-band emissions of industrial-scientific-medical (ISM)apparatus, internal or external to the vehicle.2.4."Electromagnetic environment" means the totality of electromagnetic phenomena existingat a given location.2.5."Broadband emission" means an emission, which has a bandwidth greater than that of aparticular measuring apparatus or receiver (International Special Committee on RadioInterference (CISPR) 25, second edition).2.6."Narrowband emission" means an emission which has a bandwidth less than that of aparticular measuring apparatus or receiver (CISPR 25, second edition).(1)As defined in Annex 7 to the Consolidated resolution on the Construction of Vehicles (R.E.3), (document TRANS/WP.29/Rev.1/Amend .2, as last amended by Amend.4).2.7."Electrical/electronic system" means (an) electrical and/or electronic device(s) or set(s) ofdevices together with any associated electrical connections which form part of a vehicle butwhich are not intended to be type approved separately from the vehicle.2.8."Electrical/electronic sub-assembly" (ESA) means an electrical and/or electronic deviceor set(s) of devices intended to be part of a vehicle, together with any associated electricalconnections and wiring, which performs one or more specialized functions. An ESA may beapproved at the request of a manufacturer or his authorized representative as either a"component" or a "separate technical unit (STU)".2.9."Vehicle type" in relation to electromagnetic compatibility includes all vehicles, which donot differ essentially in such respects as:2.9.1.the overall size and shape of the engine compartment;2.9.2.the general arrangement of the electrical and/or electronic components and the generalwiring arrangement;2.9.3.the primary material of which the body or shell of the vehicle is constructed (for example, asteel, aluminium or fiberglass body shell). The presence of panels of different material doesnot change the vehicle type provided the primary material of the body is unchanged.However, such variations must be notified."ESA type" in relation to electromagnetic compatibility means ESAs, which do not differ 2.10. Anin such essential respects as:2.10.1.the function performed by the ESA;2.10.2.the general arrangement of the electrical and/or electronic components, if applicable.2.11."Vehicle wiring harness" means supply voltage, bus system (e.g. CAN), signal or activeantenna cables, which are installed by the vehicle manufacturer.2.12."Immunity related functions" are:(a) Functions related to the direct control of the vehicle:(i) by degradation or change in: e.g. engine, gear, brake, suspension, activesteering, speed limitation devices;(ii) by affecting drivers position: e.g. seat or steering wheel positioning;(iii) by affecting driver's visibility: e.g. dipped beam, windscreen wiper.(b) Functions related to driver, passenger and other road user protection:(i) e.g. airbag and safety restraint systems.(c) Functions which when disturbed cause confusion to the driver or other road users:(i) optical disturbances: incorrect operation of e.g. direction indicators, stop lamps,end outline marker lamps, rear position lamp, light bars for emergency system,wrong information from warning indicators, lamps or displays related tofunctions in subparagraphs (a) or (b) which might be observed in the directview of the driver;(ii) acoustical disturbances: incorrect operation of e.g. anti-theft alarm, horn.(d) Functions related to vehicle data bus functionality:(i) by blocking data transmission on vehicle data bus-systems, which are used totransmit data, required to ensure the correct functioning of other immunityrelated functions.(e) Functions which when disturbed affect vehicle statutory data: e.g. tachograph,odometer.3. APPLICATION FOR APPROVAL3.1. Approval of a Vehicle Type3.1.1.The application for approval of a vehicle type, with regard to its electromagneticcompatibility, shall be submitted by the vehicle manufacturer.3.1.2. A model of information document is shown in Annex 2A.3.1.3.The vehicle manufacturer shall draw up a schedule describing all relevant vehicleelectrical/electronic systems or ESAs, body styles, variations in body material, generalwiring arrangements, engine variations, left-hand/right-hand drive versions and wheelbaseversions. Relevant vehicle electrical/electronic systems or ESAs are those which may emitsignificant broadband or narrowband radiation and/or those which are involved in immunityrelated functions of the vehicle (see Paragraph 2.12.).3.1.4. A vehicle representative of the type to be approved shall be selected from this schedule bymutual agreement between the manufacturer and the Competent Authority. The choice ofvehicle shall be based on the electrical/electronic systems offered by the manufacturer.One or more vehicles may be selected from this schedule if it is considered by mutualagreement between the manufacturer and the Competent Authority that differentelectrical/electronic systems are included which are likely to have a significant effect on thevehicle's electromagnetic compatibility compared with the first representative vehicle.3.1.5.The choice of the vehicle(s) in conformity with Paragraph 3.1.4. above shall be limited tovehicle/electrical/electronic system combinations intended for actual production.3.1.6.The manufacturer may supplement the application with a report on tests which have beencarried out. Any such data provided may be used by the approval authority for the purposeof drawing up the communication form for type-approval.3.1.7.If the Technical Service responsible for the type approval test carries out the test itself, thena vehicle representative of the type to be approved according to Paragraph 3.1.4. shall beprovided.3.1.8.For vehicles of Categories M, N, and O the vehicle manufacturer must provide a statementof frequency bands, power levels, antenna positions and installation provisions for theinstallation of radio frequency transmitters (RF-transmitters), even if the vehicle is notequipped with an RF transmitter at time of type approval. This should cover all mobile radioservices normally used in vehicles. This information must be made publicly availablefollowing the type approval.Vehicle manufacturers must provide evidence that vehicle performance is not adverselyaffected by such transmitter installations.3.2. ESA type Approval3.2.1.Applicability of this Regulation to ESA:3.2.2.The application for approval of a type of ESA with regard to its electromagnetic compatibilityshall be submitted by the vehicle manufacturer or by the manufacturer of the ESA.3.2.3. A model of information document is shown in Annex 2B.3.2.4.The manufacturer may supplement the application with a report on tests which have beencarried out. Any such data provided may be used by the approval authority for the purposeof drawing up the communication form for type-approval.3.2.5.If the Technical Service responsible for the type approval test carries out the test itself, thena sample of the ESA system representative of the type to be approved shall be provided, ifnecessary, after discussion with the manufacturer on, e.g., possible variations in the layout,number of components, number of sensors. If the Technical Service deems it necessary, itmay select a further sample.3.2.6.The sample(s) must be clearly and indelibly marked with the manufacturer's trade name ormark and the type designation.3.2.7.Where applicable, any restrictions on use should be identified. Any such restrictions shouldbe included in Annexes 2B and/or 3B.3.2.8.ESA which are brought to the market as spare parts need no type approval if they areobviously marked as a spare part by an identification number and if they are identical andfrom the same manufacturer as the corresponding original equipment manufacturer (OEM)part for an already type approved vehicle.ponents sold as aftermarket equipment and intended for the installation in motorvehicles need no type approval if they are not related to immunity related functions(see Paragraph 2.12.). In this case a declaration must be issued by the manufacturer thatthe ESA fulfils the requirements of this Regulation and in particular the limits defined inParagraphs 6.5., 6.6., 6.8. and 6.9.During the transition period, ending on November 4, 2008, the person or legal entityresponsible for placing on the market of such a product has to submit all relevantinformation and/or a sample to a Technical Service which will determine if the equipment isimmunity related or not. The result of the inspection shall be available within three weeksand not require additional testing. A document according to the example given in Annex 3Cshall be issued by the Technical Service within the same period. In case of doubts and ifthe Technical Service refuses to issue an attestation according to Annex 3C, themanufacturer has to apply for type approval for his product.4. APPROVAL4.1. Type Approval Procedures4.1.1. Type Approval of a VehicleThe following alternative procedures for vehicle type approval may be used at the discretionof the vehicle manufacturer.4.1.1.1. Approval of a Vehicle InstallationA vehicle installation may be type approved directly by following the provisions laid down inParagraph 6 of this Regulation. If this procedure is chosen by a vehicle manufacturer, noseparate testing of electrical/electronic systems or ESAs is required.4.1.1.2. Approval of Vehicle Type by Testing of Individual ESAsA vehicle manufacturer may obtain approval for the vehicle by demonstrating to theapproval authority that all the relevant (see Para. 3.1.3. of this Regulation)electrical/electronic systems or ESAs have been approved in accordance with thisRegulation and have been installed in accordance with any conditions attached thereto.4.1.1.3. A manufacturer may obtain approval according to this Regulation if the vehicle has noequipment of the type, which is subject to immunity or emission tests. Such approvals donot require testing.4.1.2. Type Approval of an ESAType approval may be granted to an ESA to be fitted either to any vehicle type (componentapproval) or to a specific vehicle type or types requested by the ESA manufacturer(separate technical unit approval).4.1.3.ESAs, which are intentional RF transmitters, which have not received type approval inconjunction with a vehicle manufacturer, must be supplied with suitable installationguidelines.4.2. Granting of Type Approval4.2.1. Vehicle4.2.1.1. If the representative vehicle fulfils the requirements of Paragraph 6 of this Regulation, typeapproval shall be granted.4.2.1.2. A model of communication form for type approval is contained in Annex 3A.4.2.2. ESA4.2.2.1. If the representative ESA system(s) fulfil(s) the requirements of Paragraph 6 of thisRegulation, type approval shall be granted.4.2.2.2. A model of communication form for type approval is contained in Annex 3B.4.2.3.In order to draw up the communication forms referred to in Paragraph 4.2.1.2. or 4.2.2.2.above, the Competent Authority of the Contracting Party granting the approval may use areport prepared or approved by a recognized laboratory or in accordance with the provisionsof this Regulation.4.3.Approval, or refusal of approval, of a type of vehicle or ESA in accordance with thisRegulation shall be notified to the Parties to the Agreement applying this Regulation on aform conforming to the model in Annex 3A or 3B of this Regulation, accompanied byphotographs and/or diagrams or drawings on an appropriate scale supplied by the applicantin a format not larger than A4 (210 x 297 mm) or folded to those dimensions.5. MARKINGS5.1.An approval number shall be assigned to each vehicle or ESA type approved. The first twodigits of this number (at present 03) shall indicate the series of amendments correspondingto the most recent essential technical amendments made to the Regulation at the date ofapproval. A Contracting Party may not assign the same approval number to another type ofvehicle or ESA.Markings5.2. Presenceof5.2.1. VehicleAn approval mark described in Paragraph 5.3. below shall be affixed to every vehicleconforming to a type approved under this Regulation.5.2.2. Sub-assemblyAn approval mark described in Paragraph 5.3. below shall be affixed to every ESAconforming to a type approved under this Regulation.No marking is required for electrical/electronic systems built into vehicles which areapproved as units.5.3.An international approval mark must be affixed, in a conspicuous and easily accessibleplace specified on the approval communication form, on each vehicle conforming to the typeapproved under this Regulation. This mark shall comprise:5.3.1. A circle containing the letter "E", followed by the distinguishing number of the countrygranting the approval. (1)5.3.2.The number of this Regulation, followed by the letter "R", a dash and the approval numberto the right of the circle specified in Paragraph 5.3.1.5.4.An example of the type-approval mark is shown in Annex 1 to this Regulation.5.5.Markings on ESAs in conformity with Paragraph 5.3. above need not be visible when theESA is installed in the vehicle.6. SPECIFICATIONSSpecifications6.1. General6.1.1. A vehicle and its electrical/electronic system(s) or ESA(s) shall be so designed, constructedand fitted as to enable the vehicle, in normal conditions of use, to comply with therequirements of this Regulation.6.1.1.1. A vehicle shall be tested for radiated emissions and for immunity to radiated disturbances.No tests for conducted emissions or immunity to conducted disturbances are required forvehicle type approval.6.1.1.2. ESA(s) shall be tested for radiated and conducted emissions, for immunity to radiated andconducted disturbances.6.1.2.Before testing the Technical Service has to prepare a test plan in conjunction with themanufacturer, which contains at least mode of operation, stimulated function(s), monitoredfunction(s), pass/fail criterion(criteria) and intended emissions.(1)1 for Germany,2 for France,3 for Italy,4 for the Netherlands,5 for Sweden,6 for Belgium,7 for Hungary,8 for the CzechRepublic, 9 for Spain, 10 for Serbia, 11 for the United Kingdom, 12 for Austria, 13 for Luxembourg, 14 for Switzerland,15 (vacant), 16 for Norway, 17 for Finland, 18 for Denmark, 19 for Romania, 20 for Poland, 21 for Portugal, 22 for theRussian Federation, 23 for Greece, 24 for Ireland, 25 for Croatia, 26 for Slovenia, 27 for Slovakia, 28 for Belarus, 29 for Estonia, 30 (vacant), 31 for Bosnia and Herzegovina, 32 for Latvia, 33 (vacant), 34 for Bulgaria, 35 (vacant), 36 for Lithuania,37 for Turkey, 38 (vacant), 39 for Azerbaijan, 40 for The former Yugoslav Republic of Macedonia, 41 (vacant), 42 for theEuropean Community (Approvals are granted by its Member States using their respective ECE symbol), 43 for Japan,44 (vacant), 45 for Australia, 46 for Ukraine, 47 for South Africa, 48 for New Zealand, 49 for Cyprus, 50 for Malta, 51 for theRepublic of Korea, 52 for Malaysia, 53 for Thailand, 54 and 55 (vacant), 56 for Montenegro, 57 (vacant) and 58 for Tunisia.Subsequent numbers shall be assigned to other countries in the chronological order in which they ratify or accede to the Agreement Concerning the Adoption of Uniform Technical Prescriptions for Wheeled Vehicles, Equipment and Parts which can be Fitted and/or be Used on Wheeled Vehicles and the Conditions for Reciprocal Recognition of Approvals Granted on the Basis of these Prescriptions, and the numbers thus assigned shall be communicated by the Secretary-General of the United Nations to the Contracting Parties to the Agreement.6.2. Specifications Concerning Broadband Electromagnetic Radiation from Vehicles6.2.1. Method of MeasurementThe electromagnetic radiation generated by the vehicle representative of its type shall bemeasured using the method described in Annex 4. The method of measurement shall bedefined by the vehicle manufacturer in accordance with the Technical Service.6.2.2. Vehicle Broadband Type Approval Limits6.2.2.1. If measurements are made using the method described in Annex 4 using avehicle-to-antenna spacing of 10.0 ± 0.2 m, the limits shall be 32 dB microvolts/m in the30 to 75 MHz frequency band and 32 to 43 dB microvolts/m in the 75 to 400 MHz frequencyband, this limit increasing logarithmically with frequencies above 75 MHz as shownin Appendix 2. In the 400 to 1,000 MHz frequency band the limit remains constant at43 dB microvolts/m.6.2.2.2. If measurements are made using the method described in Annex 4 using avehicle-to-antenna spacing of 3.0 ± 0.05 m, the limits shall be 42 dB microvolts/m in the30 to 75 MHz frequency band and 42 to 53 dB microvolts/m in the 75 to 400 MHz frequencyband, this limit increasing logarithmically with frequencies above 75 MHz as shown inAppendix 3. In the 400 to 1,000 MHz frequency band the limit remains constant at53 dB microvolts/m.6.2.2.3. On the vehicle representative of its type, the measured values, expressed indB microvolts/m shall be below the type approval limits.6.3. Specifications Concerning Narrowband Electromagnetic Radiation from Vehicles6.3.1. Method of MeasurementThe electromagnetic radiation generated by the vehicle representative of its type shall bemeasured using the method described in Annex 5. These shall be defined by the vehiclemanufacturer in accordance with the Technical Service.Narrowband Type Approval Limits6.3.2. Vehicle6.3.2.1. If measurements are made using the method described in Annex 5 using avehicle-to-antenna spacing of 10.0 ± 0.2 m, the limits shall be 22 dB microvolts/m in the30 to 75 MHz frequency band and 22 to 33 dB microvolts/m in the 75 to 400 MHz frequencyband, this limit increasing logarithmically with frequencies above 75 MHz as shown inAppendix 4. In the 400 to 1,000 MHz frequency band the limit remains constant at33 dB microvolts/m.6.3.2.2. If measurements are made using the method described in Annex 5 using avehicle-to-antenna spacing of 3.0 ± 0.05 m, the limit shall be 32 dB microvolts/m in the 30 to75 MHz frequency band and 32 to 43 dB microvolts/m in the 75 to 400 MHz frequency band,this limit increasing logarithmically with frequencies above 75 MHz as shown in Appendix 5.In the 400 to 1,000 MHz frequency band the limit remains constant at 43 dB microvolts/m.6.3.2.3. On the vehicle representative of its type, the measured values, expressed indB microvolts/m, shall be below the type approval limit.6.3.2.4. Notwithstanding the limits defined in Paragraphs 6.3.2.1., 6.3.2.2. and 6.3.2.3. of this Annex,if, during the initial step described in Paragraph 1.3. of Annex 5, the signal strengthmeasured at the vehicle broadcast radio antenna is less than 20 dB microvolts over thefrequency range 76 to 108 MHz measured with an average detector, then the vehicle shallbe deemed to comply with the limits for narrowband emissions and no further testing will berequired.6.4. Specifications Concerning Immunity of Vehicles to Electromagnetic Radiation6.4.1. Method of TestingThe immunity to electromagnetic radiation of the vehicle representative of its type shall betested by the method described in Annex 6.6.4.2. Vehicle Immunity Type Approval Limits6.4.2.1. If tests are made using the method described in Annex 6, the field strength shall be30 volts/m rms (root mean squared) in over 90% of the 20 to 2,000 MHz frequency bandand a minimum of 25 volts/m rms over the whole 20 to 2,000 MHz frequency band.representative of its type shall be considered as complying with immunity 6.4.2.2. Thevehiclerequirements if, during the tests performed in accordance with Annex 6, there shall be nodegradation of performance of "immunity related functions".6.5. Specification Concerning Broadband Electromagnetic Interference Generated byESAs.6.5.1. Method of MeasurementThe electromagnetic radiation generated by the ESA representative of its type shall bemeasured by the method described in Annex 7.6.5.2. ESA Broadband Type Approval Limits6.5.2.1. If measurements are made using the method described in Annex 7, the limits shall be 62 to52 dB microvolts/m in the 30 to 75 MHz frequency band, this limit decreasing logarithmicallywith frequencies above 30 MHz, and 52 to 63 dB microvolts/m in the 75 to 400 MHz band,this limit increasing logarithmically with frequencies above 75 MHz as shown in Appendix 6.In the 400 to 1,000 MHz frequency band the limit remains constant at 63 dB microvolts/m.6.5.2.2. On the ESA representative of its type, the measured values, expressed in dB microvolts/m,shall be below the type approval limits.narrowband electromagnetic interference generated by ESAs.6.6. Specificationsconcerning6.6.1. Method of MeasurementThe electromagnetic radiation generated by the ESA representative of its type shall bemeasured by the method described in Annex 8.6.6.2. ESA Narrowband Type Approval Limits6.6.2.1. If measurements are made using the method described in Annex 8, the limits shall be 52 to42 dB microvolts/m in the 30 to 75 MHz frequency band, this limit decreasing logarithmicallywith frequencies above 30 MHz, and 42 to 53 dB microvolts/m in the 75 to 400 MHz band,this limit increasing logarithmically with frequencies above 75 MHz as shown in Appendix 7.In the 400 to 1,000 MHz frequency band the limit remains constant at 53 dB microvolts/m. 6.6.2.2. On the ESA representative of its type, the measured value, expressed in dB microvolts/mshall be below the type approval limits.6.7. Specifications Concerning Immunity of ESAs to Electromagnetic Radiation6.7.1. Method(s) of TestingThe immunity to electromagnetic radiation of the ESA representative of its type shall betested by the method(s) chosen from those described in Annex 9.6.7.2. ESA Immunity Type Approval Limits6.7.2.1. If tests are made using the methods described in Annex 9, the immunity test levels shall be60 volts/m for the 150 mm stripline testing method, 15 volts/m for the 800 mm striplinetesting method, 75 volts/m for the Transverse Electromagnetic Mode (TEM) cell testingmethod, 60 mA for the bulk current injection (BCI) testing method and 30 volts/m for the freefield testing method in over 90% of the 20 to 2,000 MHz frequency band, and to a minimumof 50 volts/m for the 150 mm stripline testing method, 12.5 volts/m for the 800 mm striplinetesting method, 62.5 volts/m, for the TEM cell testing method, 50 mA for the bulk currentinjection (BCI) testing method and 25 volts/m for the free field testing method over the whole20 to 2,000 MHz frequency band.6.7.2.2. The ESA representative of its type shall be considered as complying with immunityrequirements if, during the tests performed in accordance with Annex 9, there shall be nodegradation of performance of "immunity related functions".。

EXPLORING SCIENCE 8 END OF UNIT TEST LEVEL 5-7Last update August 28, 2015 - Filetype: PDFEXPL ORING SCIENCE 8 END OF UNIT T ESTL EVEL 5-7EXPLORING SC IENC E 8END OF This e-book offers details on aspects highly relevant to EXPLORINGUNIT T EST LEVEL 5-7.The details in this papers also provides other related subjects about: end of unit test 7, 7th grade math end of year test, harcourt math end of grade test answers, grade 8 algebra unit test, nelson science 8 answers, end of year packet third grade, january 2012 earth science regents answer key, amsco apush practice test answer key, solution of conduction heat transfer by arpaci, quadratic functions unit test answers chapter 5, vocab unit d answers, ase a4 practice test answers, general principles of toxicology ppt presentation, mcdougal littell geometry test answer key.To open the document, you will have Adobe Reader software. If you do not have Adobe Reader already installed on your computer, you can download the installer and instructions free from the Adobe Web site. You might download and keep it on your personal computer for later examine. You should click this link beneath to download the documents.EXPLORING SC IENC E 8 END OF UNIT T EST LEVEL 5-7 (1.72 MB)(Click the link above to download)Related Book sFollowing are a few other book related to exploring science 8 end of unit test level 5-7.END OF U NI T T EST 7Get the PDF file for End Of Unit Test 7.Se pte mbe r 06, 2015 - File type: PDF7T H G RADE M AT H END OF YEAR T ESTGet the PDF file for 7Th Grade Math End Of Year Test.Se pte mbe r 06, 2015 - File type: PDFYOU T H G ENE CL U ST ERS T HE SCI ENCE & T HE 8 SI G NS OFTHE SCIENCE OF AGELOC™ YOUTH GENE CLUSTERS & THE 8 SIGNS OF AGING YOUTH GENE CLUSTERS 8 SIGNS OF AGING Fine Lines & Wrinkles Skin Structure Skin Structure PROPRIETARY SCIENCE...Last update 23 Fe b 2015 08:38 - File type: PDFCOG NI T I VE COM PL EX I T Y CL ASSI F I CAT I ON OF T HE 2012-13ST AT EWI DE7 Percentage of Points by Cognitive Complexity Level The tables below show the target range for the percentage of points by cognitive complexity level for each FCAT 2.0 and EOC...Last update 22 Fe b 2015 20:56 - File type: PDFM ECHANI CAL SYST EM S U U NI T 4 T EST ST U DENT CL ASSSMechanical Systems Grade 8 – Unit 4 Test Answer Key Page 1 Page 3 Page 5 1 B 14 D 26 C 2 C 15 C 27 C 3 A...Last update 21 Fe b 2015 15:16 - File type: PDFEND OF U NI T T EST 7Get the PDF file for End Of Unit Test 7.Se pte mbe r 06, 2015 - File type: PDF7T H G RADE M AT H END OF YEAR T ESTGet the PDF file for 7Th Grade Math End Of Year Test.Se pte mbe r 06, 2015 - File type: PDFHARCOU RT M AT H END OF G RADE T EST ANSWERSGet the PDF file for Harcourt Math End Of Grade Test Answers.Se pte mbe r 06, 2015 - File type: PDFG RADE 8 AL G EBRA U NI T T ESTGet the PDF file for Grade 8 Algebra Unit Test.Se pte mbe r 06, 2015 - File type: PDFNEL SON SCI ENCE 8 ANSWERSGet the PDF file for Nelson Science 8 Answers.Se pte mbe r 04, 2015 - File type: PDFEND OF YEAR PACKET T HI RD G RADEGet the PDF file for End Of Year Packet Third Grade.Se pte mbe r 04, 2015 - File type: PDFJ ANU ARY 2012 EART H SCI ENCE REG ENT S ANSWER KEY Get the PDF file for January 2012 Earth Science Regents Answer Key.Se pte mbe r 04, 2015 - File type: PDFAM SCO APU SH PRACT I CE T EST ANSWER KEYGet the PDF file for Amsco Apush Practice Test Answer Key.Nove mbe r 05, 2015 - File type: PDFSOL U T I ON OF CONDU CT I ON HEAT T RANSF ER BY ARPACIGet the PDF file for Solution Of Conduction Heat Transfer By Arpaci.Se pte mbe r 25, 2015 - File type: PDFQU ADRAT I C F U NCT I ONS U NI T T EST ANSWERS CHAPT ER 5Get the PDF file for Quadratic Functions Unit Test Answers Chapter 5.Se pte mbe r 07, 2015 - File type: PDFSERVSAF E PRACT I CE T EST ANSWERSGet the PDF file for Servsafe Practice Test Answers.Se pte mbe r 04, 2015 - File type: PDFT ASK 2 PROJ ECT OF G RADE 12 L OGet the PDF file for Task 2 Project Of Grade 12 Lo.Se pte mbe r 04, 2015 - File type: PDFT HE WONDERF U L ST ORY OF HENRY SU G AR AND SI X M ORE PDF DOWNL OADGet the PDF file for The Wonderful Story Of Henry Sugar And Six More Pdf Download. Se pte mbe r 04, 2015 - File type: PDFPHYSI CAL SCI ENCE PAPER 1 EX EM PL AR 2009Get the PDF file for Physical Science Paper 1 Exemplar 2009.Se pte mbe r 04, 2015 - File type: PDFYOU T H G ENE CL U ST ERS T HE SCI ENCE & T HE 8 SI G NS OFTHE SCIENCE OF AGELOC™ YOUTH GENE CLUSTERS & THE 8 SIGNS OF AGING YOUTH GENE CLUSTERS 8 SIGNS OF AGING Fine Lines & Wrinkles Skin...Last update 23 Fe b 2015 08:38 - File type: PDFCOG NI T I VE COM PL EX I T Y CL ASSI F I CAT I ON OF T HE 2012-13ST AT EWI DE7 Percentage of Points by Cognitive Complexity Level The tables below show the target range for the percentage of points by cognitive complexity level for...Last update 22 Fe b 2015 20:56 - File type: PDFM ECHANI CAL SYST EM S U U NI T 4 T EST ST U DENT CL ASSSMechanical Systems Grade 8 – Unit 4 Test Answer Key Page 1 Page 3 Page 5 1 B 14 D 26 C 2 C 15...Last update 21 Fe b 2015 15:16 - File type: PDFARPN J OU RNAL OF SCI ENCE AND T ECHNOL OG Y::CYBERCRI M E I NVOL. 2, NO. 7, August 2012 ISSN 2225-7217 ARPN Journal of Science and Technology ©2011-2012. All rights reserved. http [12] Laura Ani (2011 “Cyber...Last update 21 Fe b 2015 11:13 - File type: PDFHYDE PARK ANT I QU ES CENT ER, L L C DAT ED: , 20 VENDORAG REEM ENTRoom Name, & Space# Room Space No. Vendor’s Assigned Identification # Vendor’s Base Monthly Rent Amount $ Vendor’s Security Deposit Amount $ Vendor’s Allowable Discount... Last update 21 Fe b 2015 13:47 - File type: PDFM CEL VOG U E T RAI NER F EST I VAL OF I RI SH DANCI NGPreliminary Championships Under 10, 11, 12, 13, 14, 15 and Over 15 Dancers will dance a choice of Reel/Slip Jig & choice of Heavy Jig/Hornpipe....Last update 23 Fe b 2015 03:06 - File type: PDFI NG ENI O: AARÓN SÁENZ G ARZA X I COT ENCAT L) CÍA. AZU C. INGENIO: GRUPO: DOM/INGENIO: DOM/MÉXICO: DOM/SINALOA: TEL/INGENIO: FAX INGENIO: TEL/MÉXICO: FAX MÉXICO: E-mail: Secretaria Lupita: EL HIGO, S.A. DE C.V. ZUCARMEX Ribera 39 Zona Centro, El...Last update 21 Fe b 2015 18:25 - File type: PDF1061ACT U AT OR D100095X012 F EBRU ARY2013Product Bulletin 1061 Actuator 61.2:1061 February 2013 D100095X012 Table 4. Dimensions ACTUATOR SIZE C E F P H w/o Positioner Y w/3610JP Pos. mm Inches...Last update 23 Fe b 2015 02:25 - File type: PDF。

■ doi：10.3969/j.issn.1671-1122.2016.10.004y/2016年第10期n C t in f o s e c u r it y技术研究不需双线性对的基于身份的认证密钥协商协议----------------------------矢敏、叶伟伟2,欧庆于2------------------------------(1.91551部队，江西九江332006 ; 2.海军工程大学信息安全系，湖北武汉430033 )摘要：认证密钥协商协议是一个非常重要的密码学概念，可以用来确保数据的保密性和 完整性。

通过在密钥协商中加入隐式认证，可以使得用户确认只有其指定方才能完成与其的密钥协商，从而避免传统密钥协商协议的中间人攻击。

目前大部分认证密钥协商协议使用了双线性对，但双线性对的计算效率较低，因此研究并设计不使用双线性对的认证密钥协商协议一直是一个研究的热点。

尽管一些学者提出了一些方案，但是这些方案构造仍显复杂，为了提高协议的运行效率，文章研究并提出了一种基于身份的认证密钥协商协议，协议不使用双线性对，同时协议构造简单，安全性好。

在eC K模型下，将协议的安全性规约到C D H数学困难假设，形式化地证明了协议的安全性。

最后通过协议对比，表明文章提出的协议运行效率更高，安全性更好。

关键词：认证密钥协商；eC K模型；C D H数学困难假设；双线性对中图分类号：TP309 文献标识码：A文章编号：1671-1122 (2016) 10-0021-07中文引用格式:矢敏，叶伟伟,欧庆于.不需双线性对的基于身份的认证密钥协商协议[J].信息网络安全, 2016 (10) ： 21-27.英文引用格式：SHI Min,YE Weiwei,0U Qingyu.Identity-based Authenticated Protocol without Bilinear Pairing[J].Netinfo Security,2016 (10): 21-27.Identity-based Authenticated Protocol without Bilinear PairingSHI Min1,YE Weiwei2,OU Qingyu2(1.91551 Troops ofPLA, Jiujiang Jiangxi332006, China;2.Department o f I nformation Security, Naval Universityo f E ngineerings Wuhan Hubei 430033, China)A bstract:Authenticated key agreement protocol is a very important concept o f cryptography,w hich can be used to ensure the confidentiality and integrity o f data. By adding an im plicitauthentication in the key agreement, the user can confirm that only the intended party can completekey agreement with himself. The method avoids the middle man attack in traditional key agreementprotocol. At present, most o f the authenticated key agreement protocols use bilinear pairing whichhas low com putational efficiency. T herefore it is a hot research topic to study and design theauthentication key agreement protocol without using bilinear pairing. Although some scholars haveput forw ard some schem es, the construction o f these schem es is still som ewhat com plicated. Inorder to improve the efficiency o f the protocol, this paper presents an identity-based authenticatedkey agreement protocols without using bilinear pairings. At the same time, the protocol is simple instructure and good in security. The protocol’s security is reduced to CDH mathem atical difficultyhypothesis, and is formally proved in the eCK model. By comparison, it shows that the protocol hashigher efficiency and better security.K ey w ords:authenticated key agreement; eCK model; CDH mathematical difficult hypothesis;bilinear pairing收稿日期：2016-7-28基金项目：国家自然科学基金[6110042, 6120238]作者简介：矢敏（1981—)，男，江西，高级工程师，硕士，主要研究方向为信息安全；叶伟伟（1991—),男，重庆，硕士研究生，主要研究方向为密码理论与应用；欧庆于（ 1978—)，男，江西，副教授，硕士，主要研究方向为密码芯片设计。

确认函英语范文Confirmation letters are an essential part of business communication, serving as formal records of agreements, decisions, or important events. These letters provide a written account of the key details and help ensure clarity, transparency, and accountability between parties involved. Whether it's confirming a job offer, a business transaction, or a meeting outcome, a well-crafted confirmation letter can help strengthen professional relationships and mitigate potential misunderstandings.One of the primary purposes of a confirmation letter is to document an agreement or decision that has been reached. This could be anything from a sales contract to a job offer or a meeting agenda. By putting the details in writing, both parties have a clear record of the terms, conditions, and expectations. This written documentation can serve as a reference point in the future, should any questions or disputes arise.For example, when a company extends a job offer to a candidate, a confirmation letter is typically sent to formalize the offer. This letterwould outline the position title, start date, salary, benefits, and any other relevant details. The candidate can then review the information, sign, and return the letter to accept the offer. This written confirmation helps ensure that both the employer and the employee have a shared understanding of the employment terms.Similarly, in a business transaction, a confirmation letter is often used to summarize the key details of the agreement, such as the products or services being exchanged, the agreed-upon price, the delivery timeline, and the payment terms. This written record helps prevent misunderstandings and provides a reference point for both parties throughout the course of the transaction.Beyond documenting agreements, confirmation letters can also be used to summarize the outcomes of important meetings or discussions. For example, after a meeting with a client, the company might send a confirmation letter outlining the key decisions made, action items, and next steps. This helps ensure that all participants have a clear understanding of the meeting's results and their respective responsibilities going forward.Crafting an effective confirmation letter requires attention to detail and clear communication. The letter should be concise, yet comprehensive, providing all the relevant information in a well-organized manner. It's important to include the date, the names andcontact information of the parties involved, and a clear statement of the purpose of the letter.The body of the confirmation letter should be structured in a logical flow, with each key point or detail presented in a separate paragraph. This makes it easier for the recipient to quickly review and understand the information. It's also important to use clear and precise language, avoiding any ambiguity or jargon that could lead to misinterpretation.Additionally, confirmation letters should be proofread carefully to ensure accuracy and professionalism. Typos, grammatical errors, or inconsistencies can undermine the credibility of the document and potentially lead to confusion or disputes down the line.In conclusion, confirmation letters play a vital role in business communication, serving as formal records of agreements, decisions, and important events. By documenting these details in writing, confirmation letters help to ensure clarity, transparency, and accountability between the parties involved. Whether it's confirming a job offer, a business transaction, or a meeting outcome, a well-crafted confirmation letter can strengthen professional relationships and mitigate potential misunderstandings.。

Enabling Secure VM-vTPM Migrationin Private CloudsBoris Danev,Ramya Jayaram Masti,Ghassan O.Karame and Srdjan CapkunDepartment of Computer ScienceETH Zurich,Switzerland{bdanev,rmasti,karameg,capkuns}@inf.ethz.chABSTRACTThe integration of Trusted Co m puting technologies into vir-tualized co m puting environ m ents enables the hardware-ba-sed protection of private infor m ation and the detection of m alicious software.Their use in virtual platfor m s,however, requires appropriate virtualization of their m ain co m ponent, the Trusted Platfor m Module(TPM)by m eans of virtual TPMs(vTPM).The challenge here is that the use of TPM virtualization should not i m pede classical platfor m processes such as virtual m achine(VM)m igration.In this work,we consider the proble m of enabling se-cure m igration of vTPM-based virtual m achines in private clouds.We detail the require m ents that a secure VM-vTPM m igration solution should satisfy in private virtualized en-viron m ents and propose a vTPM key structure suitable for VM-vTPM m igration.We then leverage on this structure to construct a secure VM-vTPM m igration protocol.We show that our protocol provides stronger security guarantees when co m pared to existing solutions for VM-vTPM m igra-tion.We evaluate the feasibility of our sche m e via an i m ple-m entation on the Xen hypervisor and we show that it can be directly integrated within existing hypervisors.Our Xen-based i m ple m entation can be downloaded as open-source software.Finally,we discuss how our sche m e can be ex-tended to support live-m igration of vTPM-based VMs. 1.INTRODUCTIONTrusted Co m puting[1]is a set of technologies that pro-vide hardware and software support for secure storage and software integrity protection.Its integration into virtualized co m puting syste m s[2]enables the hardware-based protec-tion of private(sensitive)infor m ation and the detection of m alicious software that ai m s to subvert the operation of vir-tualized environ m ents.While these enhance m ents add an additional layer of security to the underlying data and ap-plications[3],the use of Trusted Co m puting in virtual plat-for m s raises several challenges with respect to virtualization of its hardware root of trust,the Trusted Platfor m Module Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on thefirst page.To copy otherwise,to republish,to post on servers or to redistribute to lists,requires prior specific permission and/or a fee.ACSAC’11Dec.5-9,2011,Orlando,Florida USACopyright2011ACM978-1-4503-0672-0/11/12...$10.00.(TPM),which provides secure storage and cryptographic op-erations.In fact,there is typically a single TPM m odule per hard-ware platfor m.Therefore,its functionality has to be ef-ficiently shared by the virtual m achines(VM)running on the sa m e hardware.This is typically achieved by virtual TPMs(vTPMs)that m i m ic the interface and functionality of the hardware TPM.One i m portant challenge is to real-ize vTPMs that co m ply with TPM specifications while not i m peding platfor m processes such as VM m igration. Although a nu m ber of realizations of vTPMs have been proposed[4–7],several issues re m ain unresolved with re-spect to the application of these realizations to the m igra-tion of vTPMs and their corresponding VMs(VM-vTPM). In this respect,current sche m es for secure VM-vTPM m i-gration protocols either increase the virtualized platfor m de-pendence on Privacy CA[4,7,8]or violate TPM usage re-strictions[5].Moreover,as far as we are aware,there is no i m ple m entation of a secure VM-vTPM m igration protocol. In this work,we consider the proble m of enabling secure vTPM-based VM(VM-vTPM)m igration in virtualized en-viron m ents.Wefirst extend and detail the require m ents that a secure VM-vTPM m igration protocol should satisfy in private cloud environ m ents.In these environ m ents,a central provider owns a nu m ber of virtualized servers and wishes to transfer VMs along with their corresponding vTPMs across these servers(e.g.,for load balancing purposes).Given this, we identify three security require m ents related to the au-thenticity of the m igration initiator,the preservation of the trust chain a m ong entities during m igration and the con-fidentiality of the m igration process.We argue that these require m ents are sufficient to support secure VM-vTPM m i-gration in private cloud environ m ents.Second,we discuss the i m plications of current vTPM key hierarchy designs on the efficiency and perfor m ance of the VM-vTPM m igration process.More specifically,we show that existent vTPM key structures are either decoupled fro m their corresponding hardware TPM keys or are tightly bound to the hardware TPM.The for m er approaches do not ben-efit fro m the security guarantees of TPM,while the latter m ake the vTPM keys non-m igratable according to the TPM specification and therefore required costly key regeneration at the destination after the VM-vTPM m igration process. Based on these observations,we derive a novel vTPM key hierarchy that introduces an inter m ediate layer of keys be-tween the TPM and vTPM and provides a logical separation of the vTPM keys according to their usage in the VM.Our proposed key hierarchy also enables vTPM key m igrationaccording to the TPM usage restrictions and m ini m izes the dependence of vTPM keys on Privacy CA.In addition,we propose and analyze a secure VM-vTPM m igration protocol that leverages on our vTPM key hier-archy.Our proposed protocol provides stronger security guarantees when co m pared to existing solutions for VM-vTPM m igration.Further m ore,we i m ple m ent a preli m i-nary Xen-based prototype of our protocol and we evaluate its perfor m ance.Our i m ple m entation de m onstrates that our secure VM-vTPM m igration solution can be directly inte-grated with the open-source hypervisor Xen[9].We note that our i m ple m entation is open source and is available for download at[10].Finally,we discuss how our sche m e can be extended to support live-m igration of vTPM-based VMs. We point out that while prior work has addressed different aspects of secure VM m igration,including vTPM m igration, to the best of our knowledge,this work is thefirst to explic-itly define the require m ents,propose a suitable vTPM key hierarchy and design and i m ple m ent a co m plete VM-vTPM m igration protocol.The rest of this paper is organized as follows.In Section2, we detail our syste m and attacker m odels and derive the cor-responding security require m ents.We then present a novel vTPM key hierarchy and we describe a secure m igration protocol in Section3.In Section4,we present a feasibility study and preli m inary perfor m ance results extracted fro m a preli m inary prototype i m ple m entation using the Xen hy-pervisor.Finally,we overview the related work in Section5 and conclude in Section6.2.PROBLEM AND SECURITY REQUIRE-MENTS2.1System ModelIn this paper,we consider a setting where a cloud provider P possesses several(>2)virtualized servers that are equip-ped with physical TPMs and wishes to securely m igrate virtual m achines(VM)a m ong these servers(e.g.,for load-balancing purposes).Here,each virtual m achine interfaces with the physical TPM through a software-based virtual TPM(vTPM)(refer to Section3.1for further details).We assu m e that vTPMs do not contain hardware and hyper-visor configuration infor m ation;this infor m ation(stored in the TPM)is obtained by querying the TPM.Si m ilarly,the hardware TPM does not include any VM specific infor m a-tion.This procedure decouples the vTPM fro m hardware-specific characteristics and enables its m igration.We assu m e that P wishes to m igrate a virtual m achine fro m a source server S to a destination server D.We as-su m e that S and D are equipped with public/private key pairs that are persistently stored on their respective TPMs1. During the m igration process,we assu m e that the virtual m achine can be suspended on S before it is transferred to D;once the transfer is co m pleted,the virtual m achine is resu m ed on D.Given this setting,we consider the proble m of enabling se-cure m igration of a VM along with its vTPM fro m S to D. Here,several challenges need to be overco m e to ensure the liveliness and soundness of the m igration process,na m ely: (i)only trusted servers should execute correct VMs,(ii)no 1Alternatively,the private keys could be sealed with TPM-specific keys and stored ondisk.Figure1:System model:a service provider P wishes to migrate a virtual machine from a virtualized source server S to a virtualized destination server D given some security constraints.Here,both S and D are equipped with hardware TPMs.external entity should be able to m odify/learn the contents of the VM during the m igration process and(iii)the m igra-tion can only be initiated by trusted parties(e.g.,P or S in our case).Further m ore,this entire process should not vio-late the trusted co m puting standards[1]and should be easy to integrate with current vTPM platfor m s/architectures. In what follows,we detail the attacker m odel and the se-curity properties that a m igration protocol should satisfy.2.2Attacker ModelWe assu m e the presence of an attacker A that can eaves-drop,m odify,insert or delete m essages in the network.We assu m e that A is interested in abusing the m igration proto-col to increase her benefit in the network(e.g.,starting her own VM,acquiring infor m ation about the transferred VM, etc.).We further assu m e that A is capable of exploiting software vulnerabilities of re m ote servers.However,we point out that A does not have physical ac-cess to any server in the network m anaged by P.In addi-tion,we assu m e that A is co m putationally bounded,in the sense that she cannot forge signatures,break authentication sche m es,without possessing the correct credentials. Thus,we can safely assu m e that the TPM e m bedded in the various virtualized servers can be trusted.This trust as-su m ption also extends to the software tool(e.g.,IMA[12], HyperSafe[13])that m easures the syste m state for attesta-tion using a(dyna m ic)root of trust(e.g.,Intel TXT[14], Flicker[15]).Otherwise,little can be done to ensure that the software hosted on a given server is“authentic”and can be trusted.For si m plicity and without loss of generality,we assu m e here that A cannot co m pro m ise or m odify the state of software on the source and/or destination server during the m igration protocol.That is,A can only co m pro m ise the software hosted by S and/or D,either before the start or after the end of the m igration process.2.3Requirements for Secure VM-vTPM Mi-gration ProtocolsWe now present the require m ents that any secure VM-vTPM m igration protocol should satisfy.These require-m ents are sufficient for secure VM-vTPM m igration and concern the parties involved in the m igration as well as the co mm unication channel over which the m igration occurs.In Section3,we also describe a protocol that fulfills the m.Requirement 1.(VM-vTPM Confidentiality and Integrity)An untrusted entity should not be able to learn any meaning-ful information about the VM-vTPM during the migration process.This includes the suspension,transfer and resump-tion of the VM-vTPM from the source to the destination. Furthermore,any modification to the VM-vTPM during the migration process should be detectable.In addition to the basic confidentiality property,preserv-ing the integrity of the vTPM during the m igration process e m erges as an i m portant require m ent for any secure VM-vTPM m igration protocol.Otherwise,an adversary can convince D to accept a different VM i m age by m odifying the contents of its vTPM.Requirement 2.(Initiation Authenticity)An untrusted entity should not be able to migrate any VM-vTPM.Only P should be allowed to initiate the VM-vTPM migration process.Restricting the initiation of the m igration process solely to those authorized entities prevents an adversary fro m contin-uously m igrating VMs across servers,thus alleviating Denial of Service(DoS)attacks against the entire syste m.Ensur-ing that only trusted parties can initiate the m igration also prevents collocation attacks,where the attacker places the target VM on the sa m e physical server together with another VM that it controls;this would create a covert-channel that m ight leak infor m ation about the target VM[11]. Although the initiation authenticity notion is i m portant to prevent abuse of the m igration process,it is has not been addressed,as far as we are aware,in prior work.Requirement 3.(Preserving the Trust Chain) Only trusted servers can receive correct VMs.More specif-ically,(i)trusted servers should not hold incorrect VMs-vTPMs and(ii)untrusted servers should not acquire correct VMs-vTPMs.By a correct VM,we refer to a VM which is found to be correct according to a trusted integrity m easure m ent m odule (e.g.,TPM-based attestation).Ensuring the integrity of the software hosted on both S and D prior to the m igration process is of para m ount i m-portance.A correct VM running in a trusted environ m ent should not be transferred to a server that m ight be co m pro-m ised(e.g.,the VM m ight contain sensitive data).Si m ilarly, a trusted server should not accept to run an incorrect VM that m ight have been co m pro m ised.For instance,if the hy-pervisor in S was co m pro m ised,then D cannot trust any protocol it establishes with S.Note that this require m ent does not address the case where an untrusted server executes incorrect VMs.3.A SECURE VM-VTPM MIGRATIONPROTOCOLIn this section,we outline an efficient solution that enables secure VM-vTPM m igration.We start by providing the necessary background on TPM and vTPM keys.3.1vTPM Key HierarchyThe design of the vTPM key hierarchy should provide the sa m e functionality as the original TPM key hierarchy, i.e.,allow proof of authenticity,attestation and secure stor-age[16].In addition,it should co m ply with the TPM key us-age restrictions and introduce m ini m al overhead during VM-vTPM m igration(e.g.,m ini m al key regeneration).In what follows,we provide a brief background on TPM functional-ity and keys and discuss several issues with existent vTPM key hierarchy proposals.We then introduce our vTPM hier-archy and discuss its i m plications on VM-vTPM m igration. Background on TPM Keys:The hardware TPM enables proofs of authenticity,attestation and secure storage based on three m ain cryptographic keys,na m ely the Endorsement Key(EK),the Storage Root Key(SRK)and the Attestation Identity Key(AIK).The EK is a persistent non-m igratable encryption key that is used to establish the authenticity of the TPM.The use of this key for transaction authentica-tion in the network is not reco mm ended as it would enable TPM transaction linking.The SRK is a non-m igratable encryption key that is used to protect the storage of other TPM keys outside the TPM.The AIK is an asy mm etric non-m igratable signing key generated inside the TPM and certified by a Certified Authority(Privacy CA).It is used as a one ti m e key to establish authenticity of the TPM dur-ing attestation[1].The AIK certificate proves the the AIK was created by a genuine TPM.Since it does not expose the EK,it can be safely used in network transactions with-out privacy concerns.The Platfor m Configuration Registers (PCR)are additional co m ponents used for attestation and secure storage;these co m ponents reside inside the TPM and store platfor m configuration m easure m ents2.The latter are used either to attest the syste m integrity during re m ote at-testation or seal data to particular syste m configurations[1]. Background on vTPM Keys:vTPM key hierarchies in-clude keys analogous to their TPM key hierarchy counter-parts.Each vTPM typically has its own virtual EK(vEK), virtual SRK(vSRK)which is used to protect the storage of other vTPM keys and virtual AIK s(vAIK s)used for platfor m attestation purposes.The relationship between vTPM and TPM key hierarchies is an i m portant design choice that needs to be taken into account in secure VM-vTPM m igration.Several vTPM key hierarchy proposals co m pletely decouple their keys fro m the TPM keys[4,7].This is achieved by obtaining the vTPM EK(vEK)and AIK(vAIK)credentials fro m a local au-thority.While this procedure avoids generating those keys on the platfor m vTPM after m igration,it is not clear how it re m oves the need for vTPM credential regeneration.The in-clusion of TPM PCRs in the certificate of a vEK to achieve VM-vTPM binding would require its frequent regeneration if TPM PCRs are periodically m odified(extended)by m eans of dyna m ic syste m m easure m ents[4].All vAIK s obtained before the TPM PCRs changed would not be valid any m ore. In addition,using a per m anent vEK to prove vTPM-TPM binding during attestation[4]allows linking vTPM trans-actions.On the other hand,tight coupling of the vTPM and TPM(as discussed in[4])by signing vTPM credentials 2These m easure m ents often consist of hashing the state of the software running on the platfor m.Figure2:vTPM key set and hierarchy.Our proposed hierarchy consists of an intermediate layer of a global SRK (gSRK)and a set of signing keys(SK s)that connect the TPM SRK and AIK s to the vTPM vSRK and vAIK.We also logically separate the vTPM keys into internal and external keys.using the TPM AIK directly m andates that the correspond-ing keys be non-m igratable and thus,requires extensive re-generation of vTPM keys on the destination platfor m after VM m igration.The sa m e li m itation arises for the vSRK if it is encrypted directly using the TPM SRK.Refer to Appendix A for m ore details regarding existent vTPM key hierarchy designs.Our vTPM Key Hierarchy:In order to enable m igra-tion with m ini m ized key regeneration after VM-vTPM m i-gration,we propose a vTPM key hierarchy which introduces an inter m ediate layer of keys between the TPM and vTPM. This inter m ediate layer consists of one global SRK(gSRK) and a set of signing keys(SK)that connect the TPM SRK and AIK s to the vTPM vSRK and vAIK respectively(Fig-ure2).Even though this renders the signing keys gSRK and SK s non-m igratable3,it allows the m igration of the vSRK and vAIK s and preserves the strong binding between the TPM and vTPM.Further m ore,using a separate SK with every vAIK used in external co mm unications prevents link-ing different vTPM transactions.We point out here that the vSRK and vAIK credentials can only be generated on a TPM containing the corresponding SRK and AIK.Gen-erating the vAIK s on the platfor m itself re m oves the need for vEK because the authenticity of the vTPM only depends on the TPM AIK.We further separate the vTPM keys into internal and ex-ternal keys(see Figure2).Internal vTPM keys are retained across VM m igration.These include the vSRK and the encryption and signing keys used only within the VM.The encryption keys are part of the vSRK hierarchy and the cre-dentials of the signing keys are signed by a vAIK key linked to a TPM AIK(the key chain is shown in dotted ovals in Figure2).Given that one such vAIK could be sufficient for all internal signing,binding and legacy keys,VM-vTPM m igration would incur m ini m al regeneration at the destina-tion4.External vTPM keys are those keys used for sign-3This is the case in order to preserve co m pliance with the TPM key usage restrictions4We note,however,that several vAIK can be used if needed.ing and encrypting data exchanged between VMs over the network.Corresponding vAIK s are therefore restricted to one-ti m e use in order to prevent vTPM transaction linking. Hence,these vAIK s are not part of a m igrating vTPM. Below we provide a su mm ary description of our vTPM hierarchy keys and discuss the i m plications of this hierarchy on VM-vTPM m igration:•vSRK:Analogous to the TPM SRK,the vSRK pro-tects the storage of other TPM keys.However,the storage of the vSRK itself is protected using the global SRK.•Global SRK(gSRK):This is an non-m igratable asy m-m etric encryption key that is a direct descendant of the TPM SRK.It is used to protect the vSRK of in-dividual TPMs(by sealing)which in turn protects the other keys of their respective vTPMs(also by sealing).Creating this inter m ediate gSRK m akes the vSRK s m igratable which would have not been possible if they were direct descendants of the TPM SRK.•vAIK:Analogous to the TPM AIK,a vAIK can be used to establish the authenticity of the vTPM and to sign other keys.We use a special vAIK instance to sign data and/or certificates used only within the VM.This instance is transferred to the destination during vTPM m igration.If a vAIK signs data and/or certifi-cates to be sent over the network,it is restricted to one ti m e use to prevent vTPM transaction linking.Such AIK s are not part of a m igrating vTPM.All vAIK s are linked to the TPM AIK via their own signing keys (SK).•Signing Keys(SKs):These are an inter m ediate layer of non-m igratable TPM signing keys that associate vAIK s with TPM AIK s.At least one SK is used for the special vAIK instance(see above).Note that this SK can be co mm on to all vTPMs on the sa m e plat-for m.All the other SK s are used to bind vAIK s to TPM AIK s intended to sign data and/or certificatesto be sent over the network.SK s are not m igratedduring vTPM m igration and therefore need to be gen-erated on the destination platfor m.This entire keyhierarchy is depicted in Figure2.Si m ilar to m ost software-based vTPM solutions,our vTPMkeys are stored outside the TPM and are prone to leakageand unauthorized m odification.While the confidentialityof vTPM keys is protected by the vSRK,it is also possi-ble to protect their integrity by the use of hash verification.This enables the detection of key m odification,but does notprevent denial of service attacks by m odifying the hashesthe m selves(on thefilesyste m).During m igration,the vSRK of the vTPM is unsealedfro m the TPM using the corresponding gSRK and is trans-ferred along with other vTPM keys that are used only withinthe VM including the special vAIK instance.At the desti-nation,after m igration,the vSRK is sealed to the destina-tion’s TPM using its gSRK.Further m ore,the credentialsfor the special vAIK instance are regenerated using the des-tination’s special AIK and SK instances.3.2Protocol DescriptionGiven the above vTPM key hierarchy,we proceed to pre-senting a possible construction of a secure VM-vTPM m i-gration protocol(Figure3).Our exe m plary construction m ainly consists of three stages:the authentication stage,the attestation stage and the datatransfer stage.In thefirst stage,the authentication stage,Sand D m utually authenticate each other using their publickey certificates and establish a secure channel for their sub-sequent co mm unication.This can be achieved,for exa m ple,by using a non-m igratable binding key that is stored on theTPM and that is bound to a secure configuration of either D or S.Although this approach has clear advantages,it be-co m es rather costly as the m essage size increases;that is,theprotocol will incur a prohibitively high overhead e.g.,whena VM RAM is transferred fro m S to D.In that case,a m oresuitable approach would be to rely on the establish m ent ofDiffie-Hell m an sy mm etric keys[17]between S and D.Forinstance,this can be realized by using the TLS handshakeprotocol[18].Once a session key K is established,S and Dcan use it to ensure the confidentiality and integrity of theirco mm unication.This can,for exa m ple,be done by concate-nating each m essage with its hash(for integrity verification)and encrypting the result using key K(for confidentiality).Since we assu m e that an attacker cannot co m pro m ise them achines of S and D during the m igration process,the es-tablished session keys can be stored in the syste m m e m oryof both S and D.Once the authentication stage is co m pleted,the attesta-tion stage starts.This stage m ainly consists of the integrity verification of both S and D.In Section3.3,we show that this verification prevents a considerable nu m ber of security threats.To verify the integrity of D,S proceeds as follows.It initi-ates the attestation process by sending D a freshly generatedrando m nonce N s.This would trigger a m easure m ent m od-ule in D to perfor m a syste m m easure m ent.Syste m m ea-sure m ents typically include load and/or run ti m e propertiesof the hypervisor[12,13].These properties can be m easuredusing a nu m ber of techniques such as[19,20].The load ti m e integrity of the m easure m ent m odule itselfcan be further protected using a dyna m ic root of trust(like in Flicker[15]),which also provides a secure isolated runti m e environ m ent.The m easure m ent m odule also extendsthe public key certificate of D(or its hash)into the PCRs5.Given this,D then sends a signed copy of its PCRs(i.e., D sends Sign AIK(P CR||N s)signed using an AIK key obtained fro m a Privacy CA)containing details about theexecution of the m easure m ent m odule,the syste m configu-ration,its public key certificate along with a freshly gener-ated rando m nonce N s.We point out that these integritym easure m ents do not include any infor m ation correspond-ing to the contents of the VM being transferred.Instead,the integrity of the transferred VM is verified by S prior tom igration(if any)and by D before resu m ption.S then ver-ifies that the extracted PCRs correspond to those of D bychecking the public key certificate extension into the PCRs.It then checks the validity of the AIK to verify the authen-ticity of D’s TPM and D’s PCRs to verify D’s integrity.Si m ilarly,D also verifies the integrity of S.If these verifica-tions pass,then the data transfer stage can start.In this last stage,the actual transfer of the VM-vTPMoccurs.Here,D sends S a freshly generated rando m nonceN d indicating its readiness to receive the m igrating VM-vTPM.S then transfers the contents of the VM-vTPM alongwith the received nonce on the established secure channel.In our construction,we require that D also checks the in-tegrity of the m igrated VM(for the reasoning why,refer toSection3.3).Since it is assu m ed that the vTPM(or VM)queries the underlying TPM to obtain hardware and hyper-visor m easure m ent infor m ation,no separate m echanis m s arerequired to update the vTPM with this infor m ation after m i-gration.Finally,S deletes its local copy of the VM-vTPMand both S and D resu m e their operation.3.3Security AnalysisIn what follows,we briefly analyze the security of ourprotocol construction.The establish m ent of a secure channel between S and D ensures the confidentiality and integrity of all their ex-changed m essages.Further m ore,the use of Diffie-Hell m an session keys ensures the forward security of the exchanged m essages.That is,an attacker A cannot acquire the session key K once the m igration protocol is ter m inated,even if it gains full control of S and all the exchanged m essages be-tween S and D.6To acquire the key,A has to co m pro m ise D. As such,our protocol construction satisfies the VM-vTPM confidentiality and integrity require m ent(Require m ent1). Further m ore,since the public key certificate of D(and S, respectively)is extended in the PCRs during its integrity verification,S can ensure that the m easured PCRs corre-spond to the physical m achine of D.7This prevents A fro m presenting m easure m ents perfor m ed on another m a-chine and clai m ing that they pertain to the m achine of D (or S,respectively);in this case,this m isbehavior will be 5A variant sche m e for linking the public key to the PCRs relies on the use of special TLS certificate extensions—which m ight,however,increase the size of trusted co m puting base (TCB)[21].6Recall in this case that S can securely delete K at the end of the m igration process.7Linking the PCR m easure m ents to D cannot be achieved solely by the use of the AIK of D.This is because the AIK does not contain any infor m ation that could be used for identifying the entity to which it was issued(in this case, S or D)[1].。

GMP Inspection Aide Memoire No.11Parenteral Product Lyophilisation OperationsIntroductionA GMP inspection or audit of a lyophilisation (freeze-drying) operation should be undertaken by personnel familiar with the scientific principles involved and aware of what constitutes appropriate good practice at the various stages of the overall process operation.Lyophilisation is an important method of presenting pharmaceutical products for injection. For many heat sensitive materials . bio-materials and proteins, amongst the advantages of drying without excessive heat use are fixing the product stability by drying to low moisture levels, preservation of the original composition, and rapid and easily dissolution of the reconstituted product.The successful manufacture of lyophilised pharmaceutical products comes from a sequence of properly planned and executed activities undertaken in a quality assured overall environment. The auditor will want to confirm that (a) good process development has been undertaken and recorded, together with(b) properly planned and executed process transfer and scale-up activities (c) appropriately controlled facilities and equipment are present and operated by competent personnel and (d) quality controlled materials and components are provided.The overall review process should cover inspection of the processing facility and equipment. It will also necessarily include a review of documentation including validation reports. Current standard operating procedures should be in place for all activities and examples should be reviewed in detail for content and integrity. Batch documentation and key operational monitoring records should also be reviewed . records of routine temperature measurements established during production operations, sterilisation records, environmental monitoring results, post-lyophilisation sorting and inspection records.The activities under review can be split into three sequential stages described as follows:1. Process design, configuration and validationA risk assessment approach should form the basis of developing the design, qualification, validation, operational and monitoring activities.The location of the lyophilisation equipment should have been made so as to ensure enough room for aseptic operations, loading and unloading and adequate access to technical operations areas.A design qualification report should be available where key aspects were verified . that valves and gauges are of sanitary design and external drains have air breaks. Equipment operational qualification should include checks on all key operating parameters . sublimation rate and condenser capacity,and shelf temperature distribution studies. Computerised operations must also be in a validated state and under control . using the GAMP guide recommendations. A periodic calibration and maintenance program in line with the manufac turer’s recommendations should be in place.Personnel training must be undertaken initially and as appropriate thereafter for all activities involved in these operations.Lyophilisation cycles should be validated for each product taking into consideration the specifics of time, product temperature, shelf or heat transfer temperature, chamber pressure, condenser temperature, condenser pressure, freezing temperature, primary drying, and secondary drying condition requirements.Process simulations using media fills are required. To ensure the microbiological efficacy of this validation, the freezing of media is not usually made and air replaces nitrogen before final closure seating when dealing with vial/cartridge filled product.2. Routine processing and control activitiesThe overall process often starts with solution preparation. Minimal bio-burden should be present in bulk formulated solutions prior to aseptic filtration and filling. Solution preparation, and where relevant, final dosage container filling, should be undertaken in line with appropriate GMPs.Regular monitoring of filling volumes during filling is important since this is not possible once the product has been lyophilised.Grade A environmental protection is required from the time the product is filled into the primary container which will be subject to lyophilisation, including the transportation and loading into the lyophiliser. The microbiological part of the environmental monitoring programme should also include the personnel performing processing activities. Equipment should be cleaned using methods which have been validated for residue removal and coverage. If relevant, validation of CIP coverage should be undertaken.Sterilisation should be made preferably using saturated clean steam and performed after each cycle, although gas sterilisation is practiced for some equipment. Sterilisation cycles must be initially validated and periodically re-validated. Surface sanitization using chemicals may also be employed but is no longer acceptable as an alternative to chamber sterilisation.Complete removal of condensate after cleaning and steam sterilisation is important so as not to affect the validated lyophilisation processes.Gases used for breaking chamber vacuum must be sterile filtered prior to entry. Gas and vent filters should be tested to a defined schedule. If integrity testing is difficult, then use of redundant filtration maybe appropriate.Testing for leakage of gases into the closed system, and the frequency and methods for each type of testing and limits must be established. Periodic inspection of chamber shelves for leaks must also be made.Validated time limits are required to be established for the various processing steps. The closure of containers should ideally be done mechanically to avoid manual operation and the final stopper seating should take place in the lyophiliser.3. Activities after lyophilisation and container closureThe unloading of the lyophiliser should be done into a clean room environment to minimise the potential entry of contamination into the chamber.As a minimum, the over-sealing performed after container closure should be done under laminar flow air protection.Product inspection and sorting should be made for each processed batch since this may be the last opportunity to remove actual and potentially defective product before administration to the patient. These operations should be validated and/or a verification check should be made of the efficacy of such inspections on a batch by batch basis.There should be evidence that the documentation generated from batch processing cycles and associated activities, . cycle charts and records, are reviewed by a suitably authorised person before batch disposition is made.Further Information Resources:EU Guide to Good manufacturing Practice Annex 1Good Pharmaceutical Freeze-Drying Practice. Interpharm PressParenteral Society Technical Monographs Nos. 5, 7, 8, 9 10, 12US FDA: Guide to inspections of lyophilization of parenteralsISO 13408: Aseptic processing of health care productsISPE GAMP Guide for Validation of Automated Systems (GAMP 4)ISPE GAMP Good Practice Guide: Validation of Process Control Systems (2003)GMP Inspection Aide Memoire No.11Parenteral Product Lyophilisation OperationsSite:Process Location:Process Identification:The questions are grouped into three audit/inspection levels (AL) depending on thetype of audit/inspection undertaken:Due Diligence = Level 1 questionsStandard = Levels 1 + 2 questionsInternal Site Self Inspection = All questionsAQ = Additional Question (to be added by AM user if required for specific inspectionsubject)Question Responses/Comments ALA Process development/design21.Has a risk analysis approach been usedto develop the overall process.design,equipment qualification,processvalidation,operations and monitoringactivities?22.Is there a development report fullydescribing the rationale for the cyclesused?23.If relevant,is there good correlationbetween the process specifications ofthe development batches(bio-batches)and regular production batches?14.Has process transfer,scale-up and cycledevelopment been successfullyperformed and documented?Review the relevant report(s)AQ25.Are failure investigations performed anddocumented?6.Do Lyophiliser recorder charts and2 records carry all relevant information(Lyophiliser identification,load,cycledescription,steriliser run number(uniquefor each cycle)date,operatorsignature)?27.After approval by an authorised personare recorder charts included in thepermanent batch record?8.Are Lyophilisation and equipment1 sterilisation cycle records or chartsreviewed and approved by a responsibleperson prior to disposition of the lot?Review some completed and approvedrecords for acceptability.AQAdditional Area or Process Specific Questions/Comments and Notes Array Further Information Resources:EU Guide to Good manufacturing Practice Annex 1Good Pharmaceutical Freeze-Drying Practice. Interpharm PressParenteral Society Technical Monographs Nos. 5, 7, 8, 9, 10 & 12US FDA: Guide to inspections of lyophilization of parenteralsISO 13408: Aseptic processing of health care productsISPE GAMP Guide for Validation of Automated Systems (GAMP 4)ISPE GAMP Good Practice Guide: Validation of Process Control Systems (2003)。

PROPRIETARY NOTICE所有权声明Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.该文件中的信息（包括URL和其他网址）会随时变更，恕不另行通知。

欢迎共阅项目管理讲义第一章 概论引言在当今社会的各个领域里，项目管理作为一种科学的管理方法已被广泛应用，但究其具体和准1.1在英语里：（1）（2（3（4 对束呢？为了回答这个问题，我们在对项目的各种定义作一个回顾，从中我们可以看出，尽管不同行业对其有不同的理解，但它们都有一些共同的特性：（1） 项目具有一定的目标，是在一定条件下组织实施的。

没有明确的目标，项目管理就失去了工作和努力的方向。

从广义上讲，项目目标可以是产品，也可以是服务。

（2） 项目的一次性的，每一个项目具有特定的任务和目标，目标实现，任务完成，项目也就结束。

（3） 项目的实施具有一定的约束条件，或可以说是有相应的要求或约束，如时间、质量、性能、费用、环境等，不同的项目所需要的要求或条件不同。

要想达到或实现目标就必须满足相应的要求或克服这些约束条件。

（4） 项目的实施需要使用一定的资源，如人力、信息、方法、设备设施、水电能源等，在某种意义上讲，项目是资源的组合体。

（5）项目的实施需要一定的组织，组织的大小依据项目的规模不同而不同。

并且项目的一次性决定了组织的临时性。

（6）在项目的实施过程中，项目预设的条件可能会发生变化，这就可能使项目不能按照预定的计划实施，严重时可能导致失败，因此，这就意味着在项目的实施过程中具有以一定的风险性。

由此可以得出，项目含有目标、组织、条件、资源四个基本要素，它是一个为实现目标的过程或活动，而不是最终形成的成果，因此，项目就是在一定的条件下利用有限的资源达到预定目标的有组织活动。

1.2工程项目项目和工程项目是人们极易混淆的两个概念。

在这里我们作一简单介绍。

部开发等）使用价值、出的过程。

因此，1.3宿在词典里：人类组织社会活动一个最基本的手段。

在英语里：it is an action of managing something or running a business。

其实，对这个词的理解我们可以借助于字义和语法来对之做出较为准确的分析和判断。

药品生产企业实施药品（GMP2010）年修订关于组织全区抗艾滋病、结核病及疟疾类药品生产企业填报调查问卷的函附件药品生产企业实施药品GMP（2010年修订）过程中存在差距的调查问卷Questionnaire for Investigation of the Gaps of Pharmaceutical Enterprises in Relation to the GMP Guidelines (revised in 2010)1.在中国药品GMP（2010年修订）的总体实施层面，您主要欠缺哪些知识，有哪些培训需求？What are your major knowledge shortages and need for training in the frame of the implementation of the Chinese GMP Guidelines (revised in 2010)?a. 以风险为基础的质量保证体系Risk based quality assurance systemb. 质量受权人和其他关键人员Qualified person and other key personsc. 人员培训Personnel Trainingd. 文件体系Documentation systeme. 空调净化系统HV AC systemf. 工艺用水制备Process water preparationg. 设备的校准，确认和预防性维护Equipment calibration, qualification, and preventive maintenanceh. 工艺验证Process validationi. 清洁验证Cleaning validationj. 产品质量回顾Product quality reviewk. 库房Warehousel. 供应商确认Supplier qualificationm. 委托生产，委托检验Contract manufacturing / testingn. 质控实验室QC laboratoryo. 偏差、纠正与预防措施Deviation / CAPAp. 超标检验数据调查OOS investigationsq. 变更控制Change control2.您所建立的质量保证体系是否以确保产品安全并且符合注册批准要求为目的，以科学为准则并且以风险管理为基础？Is your quality assurance system established on scientific principles and on risk management basis to ensure that your products are safe and comply with the requirements of the Marketing Authorization?a. 您的质量保证体系把那些可能影响产品质量的关键参数考虑在内了吗？Does your quality assurance system consider critical parameters that may impact on product quality?b. 那些关键参数及其控制范围是通过风险评估确定的吗？它们包含在验证总计划中了吗？Are those critical parameters and their control ranges defined by risk assessment and included in the VMP (Validation Master Plan)?c. 您有用于确定那些参数及其范围的系统性方法吗，譬如“失效模式影响分析”？Is there a systematic approach such as FMEA (Failure Mode Effect Analysis) to define those parameters and ranges?d. 您公司有风险评估的书面程序吗，尤其是（相关的）决策程序？Does your company have a written risk assessment procedure, especially for the decision making procedure?3.对于质量受权人和其他关键人员（生产、质控、质保、仓储、工程等），您是否系统地制定了清晰明确的岗位说明？Have you established a well-defined job description system for Qualified Persons (QP) and other key persons (production, quality control, quality assurance, warehousing, engineering, etc.)?a. 质量保证或质量受权人员在质量事务和成品批放行方面，有独立决策权吗？Is there an independence of quality assurance / Qualified Person in makingdecision of quality matters and batch release of finished products?b. 在法规事务、检验技术和生产技术方面，对质量受权人和其他关键人员有持续性的培训吗？Do the Qualified Person and other key persons receive continuous training inregulatory affairs and in analytical and production technology?c. 相关人员在岗位说明书上签字了吗?Are the job descriptions signed by the people concerned?d. 现场是否有：组织机构图、岗位说明书（质量受权人、质量保证部经理、质量控制部经理和生产部经理）、成品批放行程序。