Trusted Virtual Domains Toward secure distributed services
CommScope Virtual SmartZone Product Brief
The Virtual SmartZone network controller—everything you love about SmartZone with the flexibility, on-demand scalability, and low upfront costs of the cloud.
• Reduce IT workloads: Control wired switches, wireless APs, private cloud NaaS offerings, and enterprise network elements all from a single dashboard. Manage the complete network lifecycle—configuration, monitoring, provisioning, discovery, planning, troubleshooting, performance management, security and reporting. SmartZone’s intuitive web interface gives you visibility from the wireless edge to the network core.
The challenge
Large wired and wireless networks can get very complicated in a hurry. Before you know it, you’re managing hundreds or even thousands of wireless access points (APs) and wired switches and supporting multiple Wi-Fi and network-as-a-service (WaaS/NaaS) businesses across complex multitenant architectures.
CommScope Cloud-to-Edge Next-Generation PON Solutions Brochure
Cloud-to-edge PON solutions for cable operators
Bring HFC and FTTH together with a future-ready network that’s built for efficiency

Seize the opportunity for next-generation broadband services
Deploy a flexible, unified network with a built-in competitive edge

Next-generation PON technologies already deliver speeds of 10Gbps with a roadmap to 25, 50G and beyond. But deploying a new network technology comes with challenges—high costs, a lack of skilled labor, and the need to maintain two networks, to name a few. What if you could deploy a cloud-to-edge next-gen PON solution suite that’s flexible enough to ease the transition from HFC to PON and allows you to choose EPON or GPON technology—all while unifying network management and simplifying deployment? Now you can with CommScope.

With subscriber demand for high-capacity broadband on the rise, MSOs are poised to deliver a new set of advanced services based on next-generation PON technology. But this opportunity is not exclusive to cable operators. Broadband competition is heating up in a range of markets, with billions in public funding fueling new fiber-to-the-home buildouts by service providers of all kinds in low-density and underserved environments.

For cable operators, staying competitive and seizing the all-fiber opportunity does not mean walking away from existing investments in HFC networks and DOCSIS®. The key to successful network evolution is to extend the lifespan of their existing networks, while deploying PON solutions that can coexist alongside them and provide an evolutionary path to what’s next.

Leveraging CommScope’s flexible PON solutions and expertise, cable operators can transition to PON using the fiber strategy that makes the most sense for their business. This may include greenfield extensions of PON service to new neighborhoods or major footprint expansions using government funds. It may also include strategic overbuilds within existing HFC footprint, leveraging PON to create new service tiers for high-bandwidth residential and business subscribers to reduce traffic on the HFC network. Subscribers and services can then be added to PON networks over time to provide a gradual cutover that maximizes existing HFC investments while helping cable operators remain competitive.

CommScope’s deep experience with DAA has helped inspire our cloud-to-edge next-gen PON solution suite. Our solutions are flexible, truly open, and dynamic, and they are designed to evolve seamlessly and cost effectively from HFC to all-fiber. Whether deploying EPON or GPON/XGS-PON, MSOs can trust CommScope to deliver solutions that leverage their existing infrastructure while allowing them to manage mixed networks in parallel through a single pane of glass.

Target broadband access architectures
With CommScope, MSOs can choose the right network migration path for their service and business goals, with the expert help they’ll need to execute even the most ambitious PON rollouts successfully. And with our complete fiber connectivity portfolio and deep architectural expertise, our customers can trust that their active and passive networks are built to work together and optimized for their unique environments and business goals.

[Figure: target broadband access architectures across headend, outside plant and home, with labels for the converged cable access platform (CCAP), fiber, amplifiers, tap, optical splitters, and PON remote OLT in shelf, node and cabinet form.]

The CommScope FLX™ portfolio
The CommScope FLX portfolio gives MSOs the flexibility they need to migrate their networks to PON on their own terms. Operators can choose to build out an EPON network with DPoE, which provides the fastest path to PON, requires minimal changes to headend and CPE infrastructure, and offers a low total CapEx. They can also deploy a GPON/XGS-PON network for maximum performance and a modern back office. Regardless of the PON technology they choose, operators can rely on CommScope to deliver the solutions and expertise they need to execute the transition to PON successfully.

The CommScope FLX portfolio also allows MSOs to have flexibility in architectural choices. They can begin with a traditional hardware-based infrastructure that runs management and control plane functions within the OLT. When they’re ready, operators can transition to a disaggregated, software-defined architecture that runs these services on COTS servers or in the cloud. This helps improve capital efficiencies, reduce operating expenses, and accelerate the rollout of new features.

CommScope extends this flexibility from cloud to edge, offering OLT devices that can be deployed in central facilities such as the headend or hub, or remote locations such as strand-mounted node enclosures or cabinets. We also offer EPON and GPON ONU solutions that provide 1G and 10G service at the customer premises, and a complete line of network and OLT optics.

Work smarter, not harder with ServAssure® solutions
When cable operators are ready for what’s next in network device management and monitoring, they’re ready for ServAssure. ServAssure is a hardware and vendor-agnostic platform that gives service providers the visibility and control they need to streamline management, detect and prevent outages proactively, improve subscriber experiences, and reduce OpEx.

ServAssure Domain Manager: Future-ready, universal infrastructure
ServAssure Domain Manager is a standards-based platform that gives service providers a single location from which to manage hardware and services. Automated workflows and tools provide continuous visibility and control across domains and vendors. The Domain Manager is modular and extendable with a variety of platform deployment options (cloud/virtualization).

Key benefits
• Optimize operations with a centralized, universal platform
• Simplify device onboarding, configuring and licensing with secure access
• Save time managing devices with automation
• Improve performance with event and telemetry logging, visibility and export tools
• Reduce IT costs with automated, agile deployment options

ServAssure NXT Performance Manager: Anticipate and solve tomorrow’s problems today
The system uses artificial intelligence (AI), machine learning (ML) and domain-specific analysis to predict and help remediate service disruptions, often before they affect subscribers. Reduce customer calls, truck rolls and service costs. Ideal for large system deployments, it’s also available as a hosted service for smaller to midsize service providers.

CommScope has deep expertise in network management software, with thousands of subscriber termination systems that represent all major brands. CommScope’s solutions help service providers unleash the power of data to prevent and solve performance issues.

Key benefits
• Accelerate diagnosis/resolution times and enhance quality of technician visits with AI and ML
• Identify and minimize risks proactively with actionable, detailed insights
• Monitor network performance proactively and continuously with real-time service alarms
• Simplify troubleshooting with advanced tools for field technicians and network operations centers
• Improve situational awareness using geo and logic map views

Trusted FTTH cabling and connectivity solutions
By leveraging CommScope’s complete line of FTTH passives and our deep expertise in inside and outside plant architectures, cable operators can trust that their next-gen PON networks are easy to deploy and optimized for end-to-end high performance. We offer a diverse line of cabinets, closures, terminals, and cabling to support any deployment type. Our innovative fiber indexing and optical tap technologies reduce the need for skilled labor and splicing in the outside plant. And with CommScope’s NOVUX™, the industry’s first modular FTTH ecosystem, we’re making connectivity easier to deploy than ever before.

CommScope has been building passive networks for over 40 years. Our experience helps us guide cable operators on the right topologies for their unique networks, while considering the many factors that impact these critical decisions.

For example, our interactive FTTH ePlanner helps network engineers and consultants easily understand and navigate the choices that go into transforming their conceptual network vision into a working design. From the central office, feeder, and distribution network to the inside of the customer’s home, each section introduces the key topologies, product types, and design considerations involved in building out the network. It uses interactive decision trees to help guide users through key decisions as they configure a customized broadband network design.

CommScope solves the unique PON challenges of rural deployment
In rural environments, where housing density is low, deploying PON in a traditional centralized architecture can be a challenge from a cost and time to deploy perspective. However, MSOs can leverage their existing nodes infrastructure, available feeder fiber and take advantage of R-OLTs that can be housed into these nodes to significantly improve both time and costs of rural deployment. These benefits are revealed in detail when we review the key takeaways from a recent study conducted in an area with an average of 7.6 homes per mile (4.7 homes per kilometer). Similar to DAA deployments, the R-OLTs can be easily provisioned, monitored and new features updated in the field with additional operational efficiencies and savings coming from the use of a single management system for both technologies.

Reduced facilities costs and deployment time
Constructing a traditional walk-in facility can cost hundreds of thousands of dollars per site and take several months to complete. But a 40-80% savings has been demonstrated with the re-use of existing housings and power available at the node and the use of environmentally hardened, smaller power footprint R-OLTs. We also found deployment time to be reduced by 70-80% when compared to the construction of traditional facilities, due to the reduction or elimination of costly and time-consuming permitting requirements.

Increased hardware utilization
Many of today’s existing OLTs have been designed for high-density environments, which leads to inefficiencies in hardware utilization when they are deployed in rural markets. In our study, the use of environmentally hardened R-OLTs that can be deployed with low initial port counts and scaled through the addition of ports and the transition from a 1:128 split ratio to a 1:64 split ratio when more bandwidth capacity is required.

Improved management and service efficiency
In rural environments, it is critical to control the costs of network maintenance and management. We discovered that R-OLTs contributed to a reduction in the volume and complexity of truck rolls in low-density environments. These savings are derived from several features of CommScope’s R-OLT and ServAssure solutions, which include cloud-based management, zero-touch provisioning, proactive performance management, and the ability to deliver updates and new features over the network, which is similar with DAA deployments.

Optimized outside plant investments
Covering long distances with fiber to reach relatively few homes can strain the finances of rural service providers. But the fiber-efficient nature of R-OLTs combined with sound topology choices were shown to help. By placing the last active device deeper in the network, fiber counts and their associated costs were reduced substantially in the feeder network. Passive connectivity costs were driven even lower thanks to deploying R-OLTs deeper in the network. This allows CommScope’s cascaded, tap, and indexing technologies—which benefit from the increased optical budget—to be used, creating up to a 33% savings in labor costs.

Why CommScope?
CommScope not only offers a comprehensive portfolio of solutions that spans multiple network architectures, but we also offer the expertise it takes to bring them together in a 360-degree view. With CommScope on your team, you can anticipate and solve tomorrow’s challenges as you evolve for what is next.

Deep expertise
We’ve designed and deployed networks of all types and all sizes—all around the globe. From HFC and DOCSIS to GPON, EPON, and 10G EPON, we’ve helped service providers evolve their networks with speed and success.

Open and independent
Our solutions are built for flexibility, allowing them to integrate into today’s real-world environments seamlessly and at scale. We provide a hardware agnostic approach that is designed for today’s reality of mixed network technologies and multivendor environments.

End-to-end solutions
CommScope’s expertise does not begin and end with our hardware. We take a comprehensive approach to network evolution that spans actives, passives, hardware, software, data center, and cloud—and we offer the expertise it takes to bring it all together.

We transform what’s next in PON

A unique combination of PON and HFC expertise
For cable operators, the journey to next-gen PON begins with an understanding of existing network architectures, facilities, and infrastructure—then the planning begins. That’s where an experienced partner can make all the difference.

CommScope’s Professional Services team can help MSOs make the transition to PON seamless, while reducing costs and time to deployment. Our deep expertise in HFC and FTTH networks helps us guide cable operators through the key decisions they need to make as they transition to PON.

At CommScope, we understand the complex integration issues that can arise with mixed networks, and we can help ensure that there are no loose ends or blind spots throughout planning and deployment. Our Professional Services team consists of more than 1,300 professionals in 30 countries, and offers a diverse skill set that can expedite and improve the planning, design, and implementation of next-gen PON networks for cable operators worldwide.

CommScope pushes the boundaries of communications technology with game-changing ideas and ground-breaking discoveries that spark profound human achievement. We collaborate with our customers and partners to design, create and build the world’s most advanced networks. It is our passion and commitment to identify the next opportunity and realize a better tomorrow. Discover more at .

Visit our website or contact your local CommScope representative for more information.

© 2022 CommScope, Inc. All rights reserved. All trademarks identified by ™ or ® are trademarks or registered trademarks in the US and may be registered in other countries. All product names, trademarks and registered trademarks are property of their respective owners. This document is for planning purposes only and is not intended to modify or supplement any specifications or warranties relating to CommScope products or services. BR-116317-EN (04/22)
Hillstone T-Series Intelligent Next-Generation Firewall T1860 T2860 T3860 T5060 T5860 Product
Features
Threat Correlation Analytics
• Correlation among unknown threats, abnormal behavior and application behavior to discover potential threats or attacks
• Multi-dimension correlation rules, automatic daily update from the cloud
Rich Forensic Analysis
Hillstone delivers a new way of visualizing and analyzing attacks. Every action taken by potentially malicious code is automatically linked to steps within the “Kill Chain.” It is complemented with rich forensic information that enables the security analyst to determine the origin of the attack, the severity of the attack, and the methodology employed. Hillstone also provides packet capture files, which, when combined with syslog and traffic logs, provide the administrator with a wealth of ancillary information. In addition, user data such as websites visited, applications used, and the risk level of the applications brings the exploits into sharp focus. Most importantly, Hillstone identifies the exact firewall policy that allowed the attacker to get through the firewall.
Information Security Standards: Development of Standards; I. Development of International Standards
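Chapter 3 Information Security Standards
Section 1 Development of Standards
I. Development of International Standards
Late 1960s to early 1970s: related papers appeared in the United States.
Trusted, evaluation levels, DoD (US Department of Defense).
October 1967: the US Defense Science Board sponsored the formation of a special task force.
1970: Task Force et al., "Security Controls for Computer Systems" (begun in 1967).
Early 1970s: Europe, Japan and other countries got started.
February 1970: the US published "Security Controls for Computer Systems".
1972: the US issued directive DoD 5200.28.
1972: US DoD, "Security Requirements for Automatic Data Processing Systems".
1973: US DoD, "ADP Security Manual: Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems".
1973: the US issued DoD 5200.28-M (the guide accompanying .28).
1976: Bell and LaPadula of the MITRE Corporation introduced the classic security model, the Bell-LaPadula model (formalized).
1976: US DoD, "Management of Computer Resources in Major Defense Systems".
1976: the US Federal Information Processing Standards publication office (FIPS PUB) drew up "Computer System Security Terminology".
1977: the US Department of Defense Research and Engineering sponsored the establishment of the DoD (Computer Security Initiative; the DoD CSC was established in January 1981).
March 1977: the US NBS set up a working group responsible for security auditing.
1978: the MITRE Corporation published "Technical Evaluation Criteria for Building Trusted Computer Systems".
October 1978: the US NBS set up a working group responsible for security evaluation.
1983: the US released the "Trusted Computer System Evaluation Criteria (TCSEC)", the Orange Book (official version in 1985, DoD85).
DoD85: four divisions and seven levels: D, C (C1, C2), B (B1, B2, B3), A (later there was also a beyond-A level).
1985: the US DoD extended this to DBMS and network environments.
1991: four European countries (the UK, the Netherlands, France, etc.) released the "Information Technology Security Evaluation Criteria (IT-SEC)".
1993: Canada released the "Trusted Computer System Evaluation Criteria (CTCPEC)".
International standards organizations: FIPS of IEEE/POSIX, X/OPEN.
1993: the US DoD proposed multilevel secure MIS technology for C4I (command, control, communications, computers, integrated systems).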
MinIO CORS Policy
MinIO is an open-source object storage service that allows users to store massive amounts of data in a scalable, distributed environment. One of the key features of MinIO is its support for Cross-Origin Resource Sharing (CORS) policies, which allow users to define who can access their data from different origins.

MinIO's CORS policies help users control access to their data by specifying which domains are allowed to make cross-origin requests to the MinIO server. This is an important security feature that helps prevent unauthorized access to data and ensures that only trusted domains can interact with the MinIO server.

Setting up CORS policies in MinIO is a simple process that can be done through the MinIO client or by directly editing the configuration file. Users can specify the allowed origins, methods, headers, and expose headers to define the behavior of their MinIO server when handling cross-origin requests. By carefully configuring these settings, users can ensure that their data remains secure while still allowing legitimate access from trusted sources.

From a practical perspective, CORS policies in MinIO are essential for developers who need to build applications that access data stored in MinIO from different domains. By allowing specific domains to access the MinIO server, developers can create dynamic and interactive web applications that make use of the data stored in MinIO without compromising security.

Additionally, CORS policies in MinIO can help organizations comply with regulatory requirements by ensuring that sensitive data is only accessed from approved sources. By defining strict CORS policies, organizations can prevent data breaches and maintain the integrity of their data, ultimately building trust among customers and stakeholders.

Furthermore, the flexibility of MinIO's CORS policies allows users to customize their settings to meet specific use cases and requirements. Whether users want to enable CORS for a single domain or for multiple domains, MinIO provides the tools to create a tailored solution that fits their needs.

In conclusion, setting up CORS policies in MinIO is a crucial step in ensuring the security and integrity of data stored in a MinIO server. By carefully configuring these policies, users can control access to their data, facilitate the development of web applications, comply with regulations, and customize settings to meet specific requirements. MinIO's support for CORS policies demonstrates its commitment to providing a secure and flexible object storage solution for users worldwide.
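How a policy of allowed origins, methods, headers and exposed headers decides a cross-origin request, as an added example that is not MinIO code or MinIO configuration syntax. The policy object shape, the function names and every origin below are hypothetical, constructed values.

```javascript
// Added example. The policy object shape is hypothetical (it is not MinIO
// configuration syntax); all origins are constructed sample values.
const strictPolicy = {
  allowedOrigins: ['https://app.example.com', 'https://admin.example.com'],
  allowedMethods: ['GET', 'HEAD', 'PUT'],
  allowedHeaders: ['authorization', 'content-type', 'x-amz-date'],
  exposeHeaders: ['ETag'],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

const weakPolicy = {
  allowedOrigins: ['*', 'null', 'http://intranet.example.com'],
  allowedMethods: ['GET', 'PUT', 'DELETE'],
  allowedHeaders: ['*'],
  exposeHeaders: [],
  allowCredentials: true,
  maxAgeSeconds: 86400,
};

// Static review of a policy before it is deployed: returns finding codes.
function auditCorsPolicy(policy) {
  const findings = [];
  const origins = policy.allowedOrigins;
  if (origins.includes('*')) {
    findings.push('wildcard-origin');
    // Browsers refuse "*" together with credentials, which tempts servers
    // into reflecting the Origin header instead; flag the combination.
    if (policy.allowCredentials) findings.push('wildcard-origin-with-credentials');
  }
  if (origins.includes('null')) findings.push('null-origin-allowed');
  if (origins.some((o) => o.startsWith('http://'))) findings.push('cleartext-origin');
  if (policy.allowedHeaders.includes('*')) findings.push('wildcard-headers');
  return findings;
}

// Decide a preflight (OPTIONS) request. Origins are compared by exact string
// equality: no prefix, suffix or substring matching, and "*" is never honoured.
function evaluatePreflight(policy, request) {
  const deny = (reason) => ({ allowed: false, reason, headers: { Vary: 'Origin' } });
  if (!policy.allowedOrigins.includes(request.origin)) return deny('origin-not-allowed');
  if (!policy.allowedMethods.includes(request.method)) return deny('method-not-allowed');
  const permitted = policy.allowedHeaders.map((h) => h.toLowerCase());
  const rejected = request.headers
    .map((h) => h.toLowerCase())
    .filter((h) => !permitted.includes(h));
  if (rejected.length > 0) return deny('header-not-allowed:' + rejected.join(','));
  const headers = {
    'Access-Control-Allow-Origin': request.origin,
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
    'Access-Control-Max-Age': String(policy.maxAgeSeconds),
    Vary: 'Origin', // caches must not reuse this answer for another origin
  };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { allowed: true, reason: 'ok', headers };
}

// Headers for the actual (non-preflight) response, including which response
// headers page scripts may read.
function actualResponseHeaders(policy, origin) {
  if (!policy.allowedOrigins.includes(origin)) return { Vary: 'Origin' };
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (policy.exposeHeaders.length > 0) {
    headers['Access-Control-Expose-Headers'] = policy.exposeHeaders.join(', ');
  }
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Constructed sample requests.
const samples = [
  { origin: 'https://app.example.com', method: 'PUT', headers: ['Content-Type', 'Authorization'] },
  { origin: 'https://app.example.com.lookalike.example', method: 'GET', headers: [] },
  { origin: 'https://admin.example.com', method: 'DELETE', headers: [] },
];
for (const s of samples) {
  console.log(s.origin, s.method, '->', evaluatePreflight(strictPolicy, s).reason);
}
console.log('weak policy findings:', auditCorsPolicy(weakPolicy).join(', '));
```
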
The English of “保你平安”
保你平安 - Ensuring Your Safety

Introduction
In the fast-paced and unpredictable world we live in, it is crucial to prioritize our safety and well-being. “保你平安” is a Chinese phrase that translates to “Ensuring Your Safety.” This article aims to explore various aspects of safety and provide practical tips and advice to help individuals protect themselves in different situations.

The Importance of Personal Safety
Personal safety is the foundation of a happy and fulfilling life. It encompasses physical, mental, and emotional well-being. It not only protects individuals from harm but also helps maintain a sense of security and peace of mind. Here are some key reasons why personal safety should be a top priority:

1. Physical Well-being
Maintaining personal safety helps prevent accidents, injuries, and illnesses. Taking precautions and being aware of potential risks can greatly reduce the likelihood of encountering harmful situations.

2. Mental and Emotional Health
Feeling safe and secure contributes to positive mental and emotional health. It allows individuals to focus on personal growth, build strong relationships, and pursue their goals with confidence and peace of mind.

3. Independence and Empowerment
When individuals prioritize their safety, they gain a sense of independence and empowerment. Being aware of potential dangers and having the necessary skills and knowledge to protect oneself enables individuals to navigate through life with greater confidence.

Ensuring Personal Safety: Tips and Strategies
Achieving personal safety requires a combination of awareness, preparedness, and informed decision-making. The following sections outline practical tips and strategies for ensuring personal safety in various aspects of life.

Online Safety
With the increasing use of technology and the internet, online safety has become a paramount concern. Here are some measures to protect yourself in the virtual world:
1. Use strong and unique passwords for all online accounts.
2. Regularly update your software and antivirus programs to prevent malware and viruses.
3. Be cautious when sharing personal information and avoid disclosing sensitive details to unknown sources.
4. Verify the authenticity of websites before making online purchases or sharing payment information.
5. Educate yourself about common online scams and practice caution when clicking on unfamiliar links or downloading attachments.

Home Safety
Our homes should be a sanctuary where we feel safe and protected. Consider the following strategies to enhance home safety:
1. Install a robust security system with burglar alarms and surveillance cameras.
2. Keep entry points, such as doors and windows, secure and well-maintained.
3. Install fire detectors and regularly check fire escape routes.
4. Avoid broadcasting vacation plans on social media platforms to prevent potential burglaries.
5. Build a strong neighborhood network and look out for each other’s homes.

Physical Safety
Taking precautions to ensure physical safety is essential, regardless of our surroundings. Here are some tips to minimize physical risks:
1. Be aware of your surroundings and trust your instincts. If a situation feels unsafe, remove yourself from it.
2. When walking alone, stick to well-lit and populated areas.
3. Use public transportation during peak hours to ensure safety in numbers.
4. Avoid excessive consumption of alcohol or drugs, as they impair judgment and increase vulnerability.
5. Learn basic self-defense techniques to protect yourself in threatening situations.

Travel Safety
Whether traveling locally or internationally, it is crucial to prioritize personal safety. Remember these tips to have a safe and enjoyable journey:
1. Research your destination beforehand and be aware of any travel advisories or warnings.
2. Keep important documents, such as passports and identification, secure at all times.
3. Share your itinerary with a trusted friend or family member for added security.
4. Be cautious of your belongings and avoid displaying signs of wealth or affluence.
5. Respect cultural norms and customs of the country you are visiting to avoid misunderstandings or conflicts.

Conclusion
“保你平安” is a powerful Chinese phrase that reminds us to prioritize our safety and well-being. Achieving personal safety requires a proactive approach, including being aware of potential risks, staying informed, and implementing preventative measures. By following the tips and strategies outlined in this article, individuals can take significant steps toward ensuring their safety in various aspects of life. Remember, personal safety is not a one-time effort but an ongoing commitment to ourselves and those we care about. Stay safe and enjoy a fulfilling life!
Chapter 6: Multilevel Database Security Management Systems Explained
Missile2 TS 150 TS 50 TS
Table 3: Original Weapon S-level instance

wname     C1  Range  C2  Quantity  C3  TC
Gun1      U   1      U   5000      U   U
Gun2      U   2      U   1000      S   S
Missile1  S   100    S   null      S   S

TC U S TS TS
Table 4: Weapon TS-level instance
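➢ TCB: short for Trusted Computing Base, the totality of the protection mechanisms within a computer, a combination of hardware, firmware, software and the administrators responsible for enforcing the security policy. It establishes a basic protection environment and provides the additional user services required by a trusted computer system.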
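➢ In April 1991 the US NCSC (National Computer Security Center) issued the "Trusted Database Interpretation of the Trusted Computer System Evaluation Criteria"
❖ TDI for short, also known as the Purple Book
❖ It extends TCSEC to database management systems
❖ It defines the criteria that the design and implementation of a database management system must satisfy and that are used to evaluate its security level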
Structural Protection
Labeled Security Protection
Controlled Access Protection
Discretionary Security Protection
Minimal Protection
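➢ Security label granularity: the smallest logical object unit to which a security level is attached.
➢ Levels of security label granularity: relation level, tuple level and attribute level.
➢ Security granularity control
❖ The degree of security control is decided according to the different security requirements and entity types.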
A New Cloud Architecture of Virtual Trusted Platform Modules
IEICE TRANS.INF.&SYST.,VOL.E95–D,NO.6JUNE20121577 PAPERA New Cloud Architecture of Virtual Trusted Platform ModulesDongxi LIU†a),Member,Jack LEE††∗,Julian JANG†,Surya NEPAL†,and John ZIC†,NonmembersSUMMARY We propose and implement a cloud architecture of virtual Trusted Platform Modules(TPMs)to improve the usability of TPMs.In this architecture,virtual TPMs can be obtained from the TPM cloud on demand.Hence,the TPM functionality is available for applications that do not have physical TPMs in their local platforms.Moreover,the TPM cloud allows users to access their keys and data in the same virtual TPM even if they move to untrusted platforms.The TPM cloud is easy to access for applications in different languages since cloud computing delivers services in standard protocols.The functionality of the TPM cloud is demonstrated by applying it to implement the Needham-Schroeder public-key protocol for web authentications,such that the strong security provided by TPMs is integrated into high level applications.The chain of trust based on the TPM cloud is discussed and the security properties of the virtual TPMs in the cloud is analyzed.key words:TPM,cloud,virtualization,trust service1.IntroductionTrusted computing is a category of technology developed by the Trusted Computing Group(TCG)[1]to facilitate the development of trusted systems.The standards of trusted computing specify the hardware and software components needed to build trusted systems.In particular,the hardware component is a chip called Trusted Platform Module(TPM), which is used as the hardware root in system trust.The trust of TPM lies in its capabilities of secure key management(i.e.,key generation,storage and use),and se-cure storage and reporting of platform configuration mea-surements.A TPM can generate RSA key pairs.The private RSA keys are always used within the TPM,never leaving it without encryption.A TPM stores measurements in a set of Platform Configuration Registers(PCRs),which are physi-cally 
protected.The platform measurements stored in PCRs are signed with a key in the TPM when reporting the in-tegrity of a system for remote attestation[2].TPMs are currently provided by embedding them into computer motherboards.For an application to benefit from the TPM functionality,there are several requirements.First, the computer running the application must have a TPM. Second,the supporting softwares(e.g.,TPM drivers and TCG Software Stack(TSS)[3])must be installed for the ap-plication to access the TPM.Third,the application users must be willing to use the TPM since the computer being Manuscript received July13,2011.Manuscript revised December7,2011.†The authors are with the CSIRO ICT Centre,Australia.††The author was with Sydney University,Australia.∗Presently,with the Defense Signals Directorate,Australia. a)E-mail:dongxi.liu@csiro.auDOI:10.1587/transinf.E95.D.1577used might not be owned by them.However,the above requirements are sometimes not easy to satisfy,thus making TPMs not so usable and ham-pering the wide acceptance of TPMs by secure applica-tions[4].A lot of computers(new or legacy)are not man-ufactured with TPMs.Most IBM blade servers[5]do not contain TPMs,nor do many resource-constrained embed-ded systems due to the size and cost overheads of a separate TPM[6].There is the software-based TPM emulator[7]. 
However,it is only developed for Unix and not as secure as physical TPMs.For the requirement of supporting software, the current TSS is mainly implemented in C language such as TrouSerS[8]or in Java such as jTSS[9].Hence,it is hard for the applications developed in other languages to access the TPM functionality.For example,Javascript code in web applications cannot access the TPM functionality easily.At last,application users may be reluctant to use TPMs in the computers they use but do not own(e.g.,a public computer in an Internet bar)since the TPMs there may not have proper keys and PCRs.In this paper,we propose a cloud architecture of virtual TPMs(the TPM cloud),embodying the concept of infras-tructure as a service in cloud computing[10].Our motiva-tion is to improve the usability of TPMs.A usable secu-rity mechanism is more likely to be widely and effectively used[4],[11],[12].The TPM cloud will help applications to benefit from the strong security provided by TPMs.From the TPM cloud,users can apply for their own TPM instances(or virtual TPMs)on demand,as exempli-fied in Fig.1.The TPM cloud contains a cluster of physical TPMs and virtualizes them to provide TPM instances for a large number of users.Consequently,applications can ac-cess the TPM functionality irrespective of the availability of TPMs in the underlying computers.Moreover,even if users run their applications in different computers,they still can access the same TPM instance since it is provided as a ser-vice in the cloud.Hence,there is no need to migrate private keys among computers,avoiding inconvenience and poten-tial security problems.Cloud computing advocates thede-Fig.1A cloud of virtual TPMs.Copyright c 2012The Institute of Electronics,Information and Communication Engineers1578IEICE TRANS.INF.&SYST.,VOL.E95–D,NO.6JUNE2012livery of services in standard protocols,such as Simple Ob-ject Access Protocol(SOAP),so there is no interoperability problem between the TPM cloud and its applications.Our 
contributions of this work are summarized as follows:

• We propose an architecture of the TPM cloud (Sect. 2). The TPM cloud facilitates the usability of TPMs since it addresses the requirement problems as discussed above. The TPM functionalities in the cloud are provided as Web service operations, so they can be easily integrated into application design and implementation. Easy access to TPM functionalities is also realized as a key step to promote the wide acceptance of TPMs and regarded as a future working direction in the report [4]†.
• We formalize the functionality of the TPM cloud (Sect. 3). The formal functionality specification lays a foundation for analyzing and implementing the TPM cloud. To support a large number of users, the TPM cloud virtualizes a cluster of physical TPMs. Based on the formalization, we suggest some improvement to the TPM specification, which can make TPMs more flexible to be used in various contexts.
• We implement a prototype of the TPM cloud and apply it to implement the Needham-Schroeder public-key protocol [14] for Web authentication (Sect. 4). In the implementation of this protocol, both the user and the Web server depend on the TPM cloud to decrypt encrypted messages. That is, their private keys are manipulated only by the TPMs in the cloud. Hence, even if the user logs onto the server through a public computer, the private key is still secure and not released to the public computer. The TPM cloud brings strong security to Web applications without sacrificing users' flexibility of using different computer platforms.
• We analyze the security properties of the virtual TPMs in the TPM cloud by comparing them with physical TPMs and software-based virtual TPMs. We conclude that the virtual TPMs in the TPM cloud are as secure as physical TPMs in practical applications (Sect. 5).

A preliminary version of this paper was presented in [13]. In this new version, we revised the key hierarchy in the TPM cloud, and formalized all components of the cloud architecture and more
cloud commands to cover the typical use of the TPM cloud. The new key hierarchy makes it easier to migrate keys among physical TPMs, hence making the cloud architecture simpler as discussed in Sect. 3. We also discussed the establishment of trust chains based on the TPM cloud and analyzed the security properties in this version.

2. Architecture

The architecture of TPM cloud is shown in Fig. 2. This architecture includes a virtual TPM service, a user management component, a cryptographic service, and a number of physical TPM services and their management.

Fig. 2 The cloud architecture of virtual TPMs.

2.1 Virtual TPM Service

The virtual TPM service has the cloud port as the interface to users or applications, such as the JavaScript Web pages and the Web server in the implementation of the Needham-Schroeder public-key protocol. Through this port, users or applications send cloud commands to consume TPM services, such as registering new TPM instances, creating keys and signing data.

The secure I/O module in this component protects the communication between the TPM cloud and its users. The TPM cloud is designed to have a Cloud Key (CK), which is an RSA key. We denote the public part of CK as PK_c. Every cloud command received should be encrypted with PK_c. In the TPM cloud, all operations involving private keys must be performed within physical TPMs (a security feature of TPM), so the secure I/O module relies on physical TPMs to decrypt the encrypted cloud commands. In other words, the secure I/O module need not know the private CK.

The result of virtual TPM service should also be protected, since the result (such as a decryption result) might contain valuable data. If needed, the result of cloud commands is encrypted with symmetric encryption algorithms before sending back. By using symmetric encryption, users do not keep and manage private keys on their platforms. The symmetric key for encrypting the result is generated by users and provided as an argument in the cloud command.

The execution planner
determines the execution of cloud commands after they are decrypted by the secure I/O module. It needs to select the component (the TPM management, the cryptographic service or the user management) and may need to divide a cloud command into a sequence of steps, suitable for other components to execute. As an example, to execute a cloud command for data decryption, the execution planner needs to load the key into a physical TPM and then call the physical TPM_UnBind command.

2.2 User Management

The user management component manages the state of users and maintains a TPM instance for each user. A TPM instance includes the virtual TPM state, a key hierarchy and a set of virtual PCRs.

† This report appears after our paper [13] is presented.

LIU et al.: A NEW CLOUD ARCHITECTURE OF VIRTUAL TRUSTED PLATFORM MODULES

The virtual TPM state indicates the state of a TPM instance by simulating state flags in the physical TPM, such as the flags indicating whether a TPM instance is enabled or disabled, activated or deactivated. The virtual state does not need to support all state flags in the physical TPM since some flags might not make sense for TPM instances in cloud, such as the state flag indicating the physical presence of a human since virtual TPMs in the cloud are accessed as a network service. On the other hand, TPM instances may have flags not included in physical TPMs. As a future work, a delegated flag could be used to indicate whether a TPM instance is delegated by its owner to other users.

Before introducing the key hierarchy for a virtual TPM, we describe briefly the key management in a physical TPM. Each TPM has a unique endorsement key (EK), which is generated by the chip manufacturer. Before using a TPM, users need to take the ownership of the TPM and create a storage root key (SRK). Both EK and SRK are RSA key pairs. Other RSA keys in the TPM are created under a parent key. Their private keys are always used within TPM and when released outside TPM they are encrypted with their parent keys. The SRK can be used as a
parent key.

The key hierarchy for a virtual TPM is shown in Fig. 3. A virtual TPM has a virtual EK and a virtual SRK, which are both generated by a physical TPM with a Virtual TPM Root Key as their parent key. As a migratable storage key created under SRK, the Virtual TPM Root Key is created on one physical TPM, and then migrated and loaded into every physical TPM. Therefore, the virtual EK and SRK can be loaded into every physical TPM since the Virtual TPM Root Key is already there. Using the Virtual TPM Root Key is an important improvement over the old cloud architecture in [13]. The Virtual TPM Root Key facilitates the management of physical TPMs and the migration of keys among them, with more details discussed in Sect. 3.1. In addition, the Cloud Key is also created on one physical TPM, and then migrated and loaded into every physical TPM.

Fig. 3 The key hierarchy for virtual TPM.

The virtual EK is created as a binding key since its public key is used to encrypt data, for instance, by Privacy CA when activating an identity key. The virtual SRK is a storage key and used as the parent key to create other keys. All keys in the virtual TPM are migratable, such that they are not bound to a physical TPM. This feature is useful to maintain the availability of virtual TPMs in case of physical TPM failure and balance the load among physical TPMs. A key can move from one physical TPM to another for unbinding data if the target TPM is not busy.

A virtual PCR is a sequence of bytes with the same length as a physical PCR. Virtual PCRs stay outside physical TPMs. To protect their contents, we encrypt virtual PCRs with the virtual public EK. Before executing a PCR dependent TPM command, the virtual PCRs need to be decrypted with the corresponding virtual private EK. Since virtual PCRs are not in physical TPMs, the TPM commands dependent on PCRs need to be specially treated, as discussed below.

2.3 Cryptographic Service

The cryptographic service implements some cryptographic operations (e.g., symmetric encryption algorithms) that are not
provided by physical TPMs. The cryptographic operations are similar to vendor-specific commands in some physical TPMs. For example, an Atmel TPM has the specific commands TPM_BindV20 and TPM_VerifySignature for public-key encryption and verification, respectively.

The cryptographic service also deals with the TPM commands relying on PCRs. A critical feature for physical PCRs is that they can only be extended and not all of them are resettable. Hence, it is hard to swap a set of virtual PCRs into the physical PCRs as in classic virtual memory management systems. However, we realize that some PCR dependent TPM commands can still be implemented in physical TPMs after rewriting, while others have to be simulated in software. Our solution is that if a command only refers to the state of PCRs, then it is rewritten for execution on a physical TPM; if a command needs the actual values of PCRs, then it is simulated.

A command is said to refer to the state of PCRs if it does not change PCRs and only uses them to affect the execution of subsequent TPM commands; otherwise we say it needs the actual values of PCRs. For example, the command TPM_Extend needs the actual values of the argument PCRs since it changes the values of PCRs; the command TPM_CreateWrapKey refers to the state of the argument PCRs since the resulting key can only be loaded into a TPM by a subsequent command TPM_LoadKey if the PCRs are not changed. That is, the commands TPM_CreateWrapKey and TPM_LoadKey do not care about the actual values of PCRs, just requiring them to have the same values. Moreover, the command TPM_CreateWrapKey has to be executed by a physical TPM since it generates RSA keys. The method of rewriting PCR dependent TPM commands is described in Sect. 3.3.

2.4 Physical TPMs and Their Management

The TPM cloud depends on physical TPMs to manipulate private keys and execute TPM commands (except some commands relying on PCRs). The TPM cloud might have a large number of users. For the scalability of the TPM cloud, the
cloud architecture supports a number of physical TPMs. The physical TPM management component coordinates all physical TPMs to execute multiple TPM commands in parallel. The scheduler in this component determines which physical TPM is selected to execute a new command, such that the workload of physical TPMs is balanced. The executor accepts the requests to execute TPM commands and issues the commands to physical TPMs. The key loader loads a key into a physical TPM to be used by other TPM commands. The key is not necessarily created on the same TPM.

3. Formal Functionality of the TPM Cloud

We describe formally the functionality of each TPM cloud component and their interactions to explain the processing of cloud commands. The formal functionality specification lays a foundation for the analysis and implementation of TPM cloud. We start with the description of several simplified physical TPM commands to be used. Details of them can be found in the TCG TPM specification [1].

TPM_LoadKey(pHandle, pUsageAuth, key): Loads key into a physical TPM and returns a key handle. The parent of key is specified by the handle pHandle and has the usage authorization (or password) pUsageAuth.
TPM_BindV20(key, data): Encrypts data with key.
TPM_UnBind(handle, usageAuth, encdata): Decrypts the encrypted data encdata with the key specified by handle. The usage authorization of the key is usageAuth.
TPM_Extend(index, data): Extends the PCR index with data.
TPM_PCR_Reset(index): Resets the PCR index to its default initial value.
TPM_CreateWrapKey(pHandle, pUsageAuth, usageAuth, indices): Creates a new key having the usage authorization usageAuth under the parent key pHandle with the usage authorization pUsageAuth. The new key is locked by PCRs indices.
TPM_Sign(handle, usageAuth, data): Signs data with the key specified by handle. The key has the usage authorization usageAuth.

The Cloud Key and Virtual TPM Root Key are only used inside the cloud, so in the following we give them a default usage authorization, represented by an underscore.

3.1 Physical TPM Representation and Access Operations

In the TPM management component, a physical TPM is represented as a tuple (id, ckhandle, rkhandle), where id is an identifier, ckhandle the handle for the Cloud Key, and rkhandle the handle for the Virtual TPM Root Key. Recall that the Cloud Key and Virtual TPM Root Key are loaded into every physical TPM. Let pTPM be a set of physical TPMs managed by the TPM management component. Suppose pTPM includes a TPM (id, ckhandle, rkhandle). Then, we refer to this TPM by pTPM[id], its components ckhandle and rkhandle by pTPM[id].ckhandle and pTPM[id].rkhandle, respectively.

Due to the use of the Virtual TPM Root Key, the management of physical TPMs in this new cloud architecture is simpler. Unlike the representation of physical TPMs in [13], users are not linked to physical TPMs any more in the above TPM representation, since the Virtual TPM Root Key is used as the parent of all virtual EKs and virtual SRKs. That is, by using the Virtual TPM Root Key, a user is no longer bound to a particular physical TPM in this new cloud architecture because the SRK of a physical TPM is not used as the parent key for creating his virtual EK and
SRK.

The TPM management component provides the following operations for other components to access physical TPMs. The operation schedule() returns the identifier of a physical TPM, which is scheduled to execute a command. The operation execute(id, tpmcmd) executes the TPM command tpmcmd on the physical TPM id. For example, execute(id, TPM_Extend(i, data)) sends the command TPM_Extend(i, data) to physical TPM id for executing.

The operation load(name, id, vsrkpwd, key) defined in Fig. 4 loads key into the TPM id, and returns a handle. key is supposed to be created under the virtual SRK of user name, which has the usage authorization vsrkpwd. Briefly, this operation first loads the virtual SRK of user name into the TPM id, and then loads key into the same TPM. When loading the virtual SRK, the TPM id uses the Virtual TPM Root Key on it as the parent key. The virtual SRK is then used as the parent key to load key. The virtual SRK vsrk is retrieved through the operation getVTPM(name).keyhrk.srk, which is described below. Compared with the load operation in [13], the operation in Fig. 4 is simpler since we do not need to rewrap key on the source physical TPM. The Virtual TPM Root Key is loaded into every physical TPM, so we can directly load key and its parent virtual SRK into the target physical TPM.

load(name, id, vsrkpwd, key) {
    rkhdl = pTPM[id].rkhandle;
    vsrk = getVTPM(name).keyhrk.srk;
    vsrkhdl = execute(id, TPM_LoadKey(rkhdl, _, vsrk));
    keyhdl = execute(id, TPM_LoadKey(vsrkhdl, vsrkpwd, key));
}

Fig. 4 Loading key into TPM.

3.2 Representation of Users and Virtual TPMs

A user is described by a pair (name, vtpm), meaning that the user name has the TPM instance vtpm. A TPM instance vtpm is represented by a tuple (ownerauth, state, keyhrk, {pcrs}_pubek), where ownerauth is the owner authorization of the TPM instance, state its state, keyhrk the key hierarchy created for this TPM instance, and pcrs a set of PCRs encrypted with the public virtual EK pubek.

For a TPM instance, we consider only the ownership state for simplicity. That is, the state field in vtpm is a boolean to indicate whether the command TPM_TakeOwnership is executed or not. Other state flags can be supported similarly. For example, we can add other boolean-valued fields to indicate whether a TPM instance is enabled or activated.

The key hierarchy in a TPM instance is described by the tuple (ek, srk, {(key_1, handle_1), ..., (key_n, handle_n)}), including the virtual EK ek, the virtual SRK srk, and a set of pairs of key_i and handle_i. The key key_i is created under srk, as shown in Fig. 3. A key is a pair ({usageauth, privkey}_srk.pubkey, pubkey), consisting of the public key pubkey and a blob of private key privkey and its usage authorization usageauth encrypted with the public key srk.pubkey. Hence, the private key is protected when stored in a virtual TPM.

Let U be a list of users. The operation getVTPM(name) returns the TPM instance owned by the user name. That is, if (name, vtpm) ∈ U, then getVTPM(name) = vtpm. Given a TPM instance vtpm, its four fields are referred to by the notations vtpm.ownerauth, vtpm.state, vtpm.keyhrk and vtpm.encpcrs. For the key hierarchy in vtpm, the virtual EK and the virtual SRK are accessed by using the notations vtpm.keyhrk.ek and vtpm.keyhrk.srk, respectively. Other keys in the hierarchy are referred to by vtpm.keyhrk.keys.
We use vtpm.keyhrk.keys[handle] for the key indexed by the handle handle, and vtpm.keyhrk.keys[key] for the handle of key. That is, if (key, handle) ∈ vtpm.keyhrk.keys, then vtpm.keyhrk.keys[handle] = key and vtpm.keyhrk.keys[key] = handle. For a key key, its public key and private key are accessed by key.pubkey and key.privkey, respectively.

A new user or a new TPM instance is created by using the registration operation register(name, passwd) in Fig. 5. The operation starts by creating a virtual EK ek under the Virtual TPM Root Key on TPM id. We do not require PCRs to lock ek, so the last argument of TPM_CreateWrapKey is an empty PCR index list []. Next, the initial PCRs initpcrs (an array with each entry initialized as 20 bytes of 0s) is encrypted by the public virtual EK ek.pubkey. At last, a tuple for the new user is added into U, where the password is stored after hashing. Since the ownership of the new TPM instance is not taken, the ownership state is false and accordingly the virtual SRK is not existing (represented by an underscore).

register(name, passwd) {
    id = schedule(); rkhdl = pTPM[id].rkhandle;
    ek = execute(id, TPM_CreateWrapKey(rkhdl, _, passwd, []));
    encpcrs = execute(id, TPM_BindV20(ek.pubkey, initpcrs));
    newuser = (name, (hash(passwd), false, (ek, _, ∅), encpcrs));
    U = U ∪ {newuser};
}

Fig. 5 Registration of new users.

3.3 Simulation and Rewriting of TPM Commands

The implementation of cryptographic operations (e.g., symmetric encryption) is straightforward. In this section, we describe how the TPM commands that are dependent on PCRs are specially treated. The commands TPM_Extend and TPM_CreateWrapKey are taken as examples.

The command TPM_Extend is simulated since it needs the actual PCRs values. The simulation in Fig. 6 follows firmly the semantics of the physical TPM_Extend command. In the simulation, the virtual PCRs of user name is first decrypted with the virtual EK by calling the command TPM_UnBind. Next, the concatenation of virtual PCR index and data (i.e., pcrs[index] || data) is
hashed, resulting in the new (or extended) virtual PCRs. At last, the extended virtual PCRs are encrypted with the public virtual EK of user name and put back to the TPM instance.

The operation createkey in Fig. 7 creates a key under the virtual SRK of user name and returns a handle khdl. The usage of virtual SRK is protected by passwd, and the new key has the usage authorization usageauth. Different from pcrextend, the operation createkey relies on the corresponding physical TPM command TPM_CreateWrapKey to create keys within a physical TPM, such that the private keys are not released outside physical TPMs during generation. There are two cases of invoking TPM_CreateWrapKey. If the argument indices is an empty list [], meaning that the new key is not locked by any PCR, then the arguments of createkey are passed to TPM_CreateWrapKey directly. Otherwise, the argument indices is rewritten (as described below) before being passed.

pcrextend(name, passwd, index, data) {
    id = schedule(); rkhdl = pTPM[id].rkhandle;
    vek = getVTPM(name).keyhrk.ek;
    vekhdl = execute(id, TPM_LoadKey(rkhdl, _, vek));
    epcrs = getVTPM(name).encpcrs;
    pcrs = execute(id, TPM_UnBind(vekhdl, passwd, epcrs));
    pcrs[index] = hash(pcrs[index] || data);
    getVTPM(name).encpcrs = execute(id, TPM_BindV20(vek.pubkey, pcrs));
}

Fig. 6 Simulation of TPM_Extend.

createkey(name, passwd, usageauth, indices) {
    id = schedule(); rkhdl = pTPM[id].rkhandle;
    vsrk = getVTPM(name).keyhrk.srk;
    vsrkhdl = execute(id, TPM_LoadKey(rkhdl, _, vsrk));
    if indices = [] then
        khdl = execute(id, TPM_CreateWrapKey(vsrkhdl, passwd, usageauth, []));
    else
        vek = getVTPM(name).keyhrk.ek;
        vekhdl = execute(id, TPM_LoadKey(rkhdl, _, vek));
        epcrs = getVTPM(name).encpcrs;
        pcrs = execute(id, TPM_UnBind(vekhdl, passwd, epcrs));
        execute(id, TPM_PCR_Reset(rindex));
        for each index in indices do
            execute(id, TPM_Extend(rindex, pcrs[index]));
        khdl = execute(id, TPM_CreateWrapKey(vsrkhdl, passwd, usageauth, rindex));
}

Fig. 7 Rewriting of TPM_CreateWrapKey.

We cannot simply
put the virtual PCRs specified by indices into the corresponding physical PCRs since PCRs can only be extended. Our solution is to use a resettable physical PCR rindex to record the current state of virtual PCRs indices. To this end, we reset the PCR rindex and extend this PCR with each specified virtual PCR. Then, we invoke the physical command TPM_CreateWrapKey with rindex as its argument for specifying a physical PCR.

For the command TPM_LoadKey, it can also refer to PCRs when loading a key (the argument of TPM_LoadKey for specifying PCRs is not given in this paper). The virtual PCRs for TPM_LoadKey are also treated in the same way. Hence, when the same virtual PCRs are specified for TPM_CreateWrapKey and TPM_LoadKey, the resettable physical PCR rindex would have the same value, allowing a key locked by the specified PCRs to be successfully loaded. Our solution shows an indirect way of using virtual PCRs when considering the restriction of physical PCRs.

3.3.1 Limitations of TPM Specification

From the formalization of createkey, we find that the TPM specification should allow an extra argument for the command TPM_TakeOwnership, which can configure whether PCRs are or are not resettable when taking the ownership of a TPM. This will bring much flexibility for the usage of PCRs in various scenarios. For example, a user of a PC might want all PCRs in its TPM not to be resettable, while the TPM cloud wants all PCRs to be resettable. If all PCRs are resettable, the virtual TPM commands using PCRs can be implemented more easily.

In addition, the TPM specification requires the commands TPM_Seal and TPM_UnSeal use nonmigratable keys. Since the TPM cloud is only supposed to support migratable keys for better load balancing, such commands provided by physical TPMs become useless. On the other hand, the TPM_Seal command binds the sealed data with the secret value tpmProof, which is only known within a TPM.
That is, a sealed data cannot be unsealed by another physical TPM even if the two TPMs have the same PCRs. If the TPM specification could allow TPM_Seal to use migratable keys to seal data only with the values of PCRs, then the physical commands TPM_Seal and TPM_UnSeal can be used in the TPM cloud. Moreover, it also makes it possible to unseal data when it is sealed to a TPM that is broken.

3.4 Cloud Commands Processing

Cloud commands are encrypted with the public Cloud Key PK_C. To decrypt a cloud command ecmd, the secure I/O module executes the following two steps: selects a physical TPM id and then executes the command TPM_UnBind.

    id = schedule();
    cmd = execute(id, TPM_UnBind(pTPM[id].ckhandle, _, ecmd));

After a cloud command is decrypted, it is passed to the execution planner, where the steps of processing cloud commands are defined. In the following, we take several cloud commands as examples to describe their processing. These commands cover the typical uses of TPM cloud, ranging from registration of new users, generation and use of keys to extension of PCRs.

3.4.1 Preparation of New Virtual TPMs

A new virtual TPM is created when users send a registration command cTPM_Register(name, passwd) (i.e., the cloud command after decryption). The prefix "cTPM" is used to indicate cloud commands. The implementation of cTPM_Register is straightforward. The execution planner just needs to call the operation register in the user management component with the same arguments.

After a new virtual TPM is created, users need to take its ownership, like using a physical TPM. The cloud command cTPM_TakeOwnership(name, passwd) is for this purpose. Figure 8 gives the steps to take ownership. The execution planner first checks the user password and makes sure the ownership of TPM instance for user name has not been taken. After these checks, a new virtual SRK is created and recorded into the TPM instance. Like the virtual EK, the virtual SRK is also protected with the usage authorization passwd. Hence, when a user is
authenticated to own a TPM instance, he can access the virtual EK and SRK without providing extra passwords. This design makes the cloud commands more convenient to use. At last, the state of the TPM instance is changed accordingly to indicate that the ownership has been taken.

3.4.2 Key Creation and Loading in TPM Cloud

The cloud command cTPM_CreateWrapKey(name, passwd, usageAuth, indices) is used to create a key for user name under his virtual SRK. The new key is protected by the usage authorization usageAuth and locked by virtual PCRs indices. The steps implementing this command are shown in Fig. 9. First, the user name is authenticated by checking the password passwd, and then the createkey operation in the cryptographic service is invoked with the same arguments. At last, the new key is added into the key hierarchy. There is no key handle yet (indicated by an underscore), since the key has not been loaded into a TPM.

A key is loaded into a virtual TPM by the cloud command cTPM_LoadKey(name, passwd, key), defined in

cTPM_TakeOwnership(name, passwd) {
    vTPM = getVTPM(name);
    assert(hash(passwd) = vTPM.ownerauth);
    assert(vTPM.state = false);
    id = schedule(); rkhdl = pTPM[id].rkhandle;
    srk = execute(id, TPM_CreateWrapKey(rkhdl, _, passwd, []));
    vTPM.keyhrk.srk = srk;
    vTPM.state = true;
}

Fig. 8 Steps for taking TPM ownership.
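The following Python model of the Sect. 3.3 treatment of PCR-dependent commands is an added illustration, not code from the paper or its prototype: TPM_Extend is simulated on virtual PCRs, while a PCR-locked key is created and loaded by folding the selected virtual PCRs into one resettable physical PCR. It assumes physical PCR 16 is the resettable rindex, that reset yields 20 zero bytes, that the virtual PCRs are held in plaintext (the paper keeps them encrypted under the virtual EK), and that a key blob is a plain dictionary; all class and function names are hypothetical.

```python
import hashlib

PCR_LEN = 20               # SHA-1 digest length of a TPM 1.2 PCR
INIT = bytes(PCR_LEN)      # initial PCR value: 20 bytes of 0s, as in the registration step


def extend(value: bytes, data: bytes) -> bytes:
    """TPM_Extend semantics: new PCR value = SHA-1(old value || data)."""
    return hashlib.sha1(value + data).digest()


class PhysicalTPM:
    """Stand-in for one physical TPM: a single resettable PCR plus key locking."""

    def __init__(self, rindex: int = 16):    # assumption: PCR 16 is resettable
        self.rindex = rindex
        self.pcrs = {rindex: INIT}

    def pcr_reset(self, index: int) -> None:
        if index != self.rindex:
            raise PermissionError("PCR %d is not resettable" % index)
        self.pcrs[index] = INIT              # assumption: default value is all zeros

    def pcr_extend(self, index: int, data: bytes) -> None:
        self.pcrs[index] = extend(self.pcrs.get(index, INIT), data)

    def create_wrap_key(self, locked: bool) -> dict:
        # The key blob records the PCR value that must be present at load time.
        return {"lock": self.pcrs[self.rindex] if locked else None}

    def load_key(self, key: dict) -> str:
        if key["lock"] is not None and key["lock"] != self.pcrs[self.rindex]:
            raise PermissionError("PCR state differs from key creation")
        return "handle"


class VirtualTPM:
    """Per-user TPM instance reduced to its virtual PCR bank."""

    def __init__(self, count: int = 24):
        self.pcrs = [INIT] * count

    def pcrextend(self, index: int, data: bytes) -> None:
        # Simulated in software because it needs the actual PCR value.
        self.pcrs[index] = extend(self.pcrs[index], data)


def rewrite(tpm: PhysicalTPM, vtpm: VirtualTPM, indices) -> bytes:
    """Reset rindex, then extend it with each selected virtual PCR."""
    tpm.pcr_reset(tpm.rindex)
    for index in indices:
        tpm.pcr_extend(tpm.rindex, vtpm.pcrs[index])
    return tpm.pcrs[tpm.rindex]


def createkey(tpm: PhysicalTPM, vtpm: VirtualTPM, indices) -> dict:
    if not indices:                          # empty list: key not locked by any PCR
        return tpm.create_wrap_key(locked=False)
    rewrite(tpm, vtpm, indices)
    key = tpm.create_wrap_key(locked=True)
    key["indices"] = list(indices)
    return key


def loadkey(tpm: PhysicalTPM, vtpm: VirtualTPM, key: dict) -> str:
    if key["lock"] is not None:              # same rewriting as at creation time
        rewrite(tpm, vtpm, key["indices"])
    return tpm.load_key(key)


def demo():
    vtpm = VirtualTPM()
    vtpm.pcrextend(0, b"bootloader-measurement")   # constructed sample data
    vtpm.pcrextend(1, b"kernel-measurement")       # constructed sample data
    tpm_a, tpm_b = PhysicalTPM(), PhysicalTPM()
    key = createkey(tpm_a, vtpm, [0, 1])
    # Unchanged virtual PCRs: rindex matches even on a different physical TPM.
    loaded_unchanged = loadkey(tpm_b, vtpm, key) == "handle"
    vtpm.pcrextend(1, b"unexpected-module")        # virtual PCR 1 changes
    try:
        loadkey(tpm_b, vtpm, key)
        loaded_changed = True
    except PermissionError:
        loaded_changed = False
    return loaded_unchanged, loaded_changed


if __name__ == "__main__":
    print(demo())
```
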
NLTEST Usage

Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force partial sync on <ServerName> BDC
/SYNC - Force full sync on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName>[\<DcName>] - Reset secure channel for <Domain> on <ServerName> to <DcName>
/SC_VERIFY:<DomainName> - Verify secure channel for <Domain> on <ServerName>
/SC_CHANGE_PWD:<DomainName> - Change a secure channel password for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DCs for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DSGETDC:<DomainName> - Call DsGetDcName
    /PDC /DS /DSP /GC /KDC /TIMESERV /GTIMESERV /WS /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSEL LDAPONLY /BACKG /DS_6 /TRY_NEXT_CLOSEST_SITE /SITE:<SiteName> /ACCOUNT:<AccountName> /RET_D /RET_NETBIOS
/DNSGETDC:<DomainName> - Call DsGetDcOpen/Next/Close
    /PDC /GC /KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC
/DSGETFTI:<DomainName> - Call DsGetForestTrustInformation
    /UPDATE_TDO
/DSGETSITE - Call DsGetSiteName
/DSGETSITECOV - Call DsGetDcSiteCoverage
/DSADDRESSTOSITE:[MachineName] - Call DsAddressToSiteNamesEx
    /ADDRESSES:<Address1,Address2,...>
/PARENTDOMAIN - Get the name of the parent domain of this machine
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <Use
/FINDUSER:<User> - See which trusted domain will log on <User>
/TRANSPORT_NOTIFY - Notify netlogon of new transport
/DBFLAG:<HexFlags> - New debug flag
/USER:<UserName> - Query user info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ASCII
/LOGON_QUERY - Query number of cumulative logon attempts
/DOMAIN_TRUSTS - Query domain trusts on <ServerName>
    /PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V
/DSREGDNS - Force registration of all DC-specific DNS records
/DSDEREGDNS:<DnsHostName> - Deregister DC-specific DNS records for the specified DC
    /DOM:<DnsDomainName> /DOMGUID:<DomainGuid> /DSAGUID:<DsaGuid>
/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/LIST_DELTAS:<FileName> - Display the content of the given change log file
/CDIGEST:<Message> /DOMAIN:<DomainName> - Get client digest
/SDIGEST:<Message> /RID:<RID in hex> - Get server digest
/SHUTDOWN:<Reason> [<Seconds>] - Shut down <ServerName> for <Reason>
/SHUTDOWN_ABORT - Abort a system shutdown

NLTEST Overview

Nltest.exe is a very powerful command-line utility for testing trust relationships and the status of domain controller replication in a Windows NT domain.
A Complete List of Cybersecurity Competition Titles

1. "HackShield: Unleash Your Cyber-Defending Skills"
2. "CyberWarriors: Battle for Virtual Supremacy"
3. "CodeCrack: Can You Beat the Cyber Puzzle?"
4. "The Ultimate Cybersecurity Showdown"
5. "CyberHunt: A Quest for Digital Safety"
6. "Lockdown: The Cybersecurity Battle of the Champions"
7. "CyberThrone: Forging the Future of Online Security"
8. "SecureNet: Defend Your Digital Kingdom"
9. "WebWarriors: Conquer the Cyber Battlefield"
10. "Hacking Heights: Rise Above the Cyber Threats"
11. "CyberGuardians: Protecting the Virtual World"
12. "CodeCombat: A Clash of Cyber Knowledge"
13. "SecureSprint: Race Against Cyber Attacks"
14. "CyberMaze: Navigate the Labyrinth of Online Threats"
15. "HackWars: The Ultimate Cybersecurity Showdown"
16. "CyberStorm: Unleash the Power of Online Defense"
17. "SecureBeat: Dance to the Rhythm of Cyber Protection"
18. "CyberSpace Diplomacy: Negotiating Security in a Virtual World"
19. "The Security Gauntlet: Overcoming Cyber Challenges"
20. "HackQuest: Journey through the Realm of Cyber Defense"
21. "CyberSentinels: Guardians of Online Safety"
22. "CrypticLock: Decrypt the Secrets of Cybersecurity"
23. "CyberDefender: Rise as the Guardian of Digital Domains"
24. "SecureSphere: Unite for a Safer Cyber Environment"
25. "CyberBattlefield: A Clash of Hacker Titans"
26. "CodeCrusaders: Conquer the Cybersecurity Frontier"
27. "Incognito: The Hidden World of Cybersecurity"
28. "CyberTrail: Follow the Path to Digital Safety"
29. "SecureFusion: Bridging the Gap between Tech and Security"
30. "CyberNation: Defending Borders in the Digital Age"
31. "HackerNot: A Challenge to Outsmart the Cyber Threats"
32. "CodeRevolt: Fighting for Online Freedom"
33. "The Security Enigma: Deciphering the Secrets of Cyber Defense"
34. "CyberGuardian League: Assemble for the Battle of Security"
35. "Zero Day Challenge: Defy the Limitations of Cyber Protection"
36. "Cybermind Drift: Abandon All Digital Fears"
37. "CodeWar: A Clash of Titans in the Virtual Arena"
38. "SecureSphere: Forge the Shield of Cybersecurity"
39. "CyberTrailblazers: Pioneering the Path to Online Safety"
40. "HackFight: A Showdown of Supreme Cyber Skills"
41. "CyberGuardians: Defenders of the Online Universe"
42. "Zero Hour: Rise to the Cybersecurity Challenge"
43. "SecureFusion: The Fusion of Defense and Tech Expertise"
44. "CyberStorm: Surviving the Digital Tempest"
45. "CrypticNet: Unraveling the Mysteries of Cybersecurity"
46. "CodeSentinel: An Odyssey for Digital Security"
47. "HackMania: Conquer the Challenge of Cyber Defense"
48. "CyberWizards: Crafting Spells to Ensure Online Safety"
49. "SecureExpedition: Journey Into the Heart of Cybersecurity"
50. "CyberMatrix: Merge Domains to Protect the Digital Realm"
51. "HackerHunt: The Ultimate Quest for Cyber Victory"
52. "CodeCitadel: Fortify Your Digital Empire"
53. "CyberGuardians: Protecting the Matrix of Online Safety"
54. "SecureSphere: Building Fortresses of Cyber Defense"
55. "CyberTrail: Navigating the Boundaries of Online Security"
56. "HackQuest: Can You Outsmart the Cyber Threats?"
57. "CodeWarriors: Rise to the Elite Ranks of Cybersecurity"
58. "SecureSprint: Racing Toward a Safer Cyber World"
59. "CyberBattle: Unleash the Skills and Tactics for Victory"
60. "HackerHaven: A Safe Haven in the World of Cyber Threats"
TAMPER-RESISTANT TRUSTED VIRTUAL MACHINE
Patent title: TAMPER-RESISTANT TRUSTED VIRTUAL MACHINE
Inventors: JIN, HONXIA; LEAKE, DONALD, JR.; LOTSPIECH, JEFFREY; NIN, SIGFREDO; PLOUFFE, WILFRED
Application number: EP2004052884
Filing date: 20041109
Publication number: WO2005052841A9
Publication date: 20060720
Patent content provided by Intellectual Property Publishing House

Abstract: A trusted Java virtual machine provides a method for supporting tamper-resistant applications, ensuring the integrity of an application and its secrets such as keys. The trusted Java virtual machine verifies the integrity of the Java application, prevents debugging of the Java application, and allows the Java application to securely store and retrieve secrets. The trusted Java virtual machine environment comprises a TrustedDictionary, a TrustedBundle, an optional encryption method for encrypting and decrypting byte codes, and an underlying trusted Java virtual machine. The encrypted TrustedDictionary protects data while the TrustedBundle protects programming code, allowing applications to store secret data and secure counters. The application designer can restrict TrustedBundle access to only those interfaces that the application designer explicitly exports. The open source code may optionally be encrypted. Secrets required by the open source programming code of the application are encrypted in TrustedDictionary.

Applicants: INTERNATIONAL BUSINESS MACHINES CORPORATION; IBM UNITED KINGDOM LIMITED; JIN, HONXIA; LEAKE, DONALD, JR.; LOTSPIECH, JEFFREY; NIN, SIGFREDO; PLOUFFE, WILFRED
English Essays on the Impact of the Internet on Students
3 sample essays in total, for readers' reference.

Essay 1

The Internet and How It Changed My Life

Hi there! My name is Timmy and I'm 10 years old. Today I want to tell you all about the internet and how it has changed my life as a student. The internet is this crazy thing that lets me access a whole world of information and entertainment right from my computer or tablet! It's almost like magic.

Before I started using the internet, learning was a lot harder. When I had questions about something we were studying in school, I used to have to go to the library and look through big, heavy books to find the answers. Finding what I needed took forever! And a lot of the time, the book would use really complicated words that a kid like me could hardly understand.

But now with the internet, getting information is just a few clicks away. I can look up anything I'm curious about, whether it's facts about dinosaurs for my science project or videos explaining how to solve a tricky math problem. There are websites and resources made for kids my age that explain things in a way I can actually understand. It has made learning so much easier and more fun!

The best part is, I can learn about my interests and hobbies too, not just school topics. I'm really into coding and building robots, so I've found a ton of awesome websites and tutorials that are teaching me those skills. My parents always tell me that when they were kids, opportunities to learn coding and robotics were pretty limited. But thanks to the internet, I'm exploring my passions and maybe even setting myself up for a cool career when I'm older!

Speaking of careers, the internet is such a big part of basically every job these days. By using it for school projects, online learning, and coding practice, I'm picking up super valuable computer skills. Who knows, maybe someday I'll get to have an awesome job where I get to surf the web all day!

The internet hasn't just helped me learn academic stuff though - it's also my gateway to unlimited fun and entertainment. I can watch my favorite shows and movies, play online games with my friends, and even make my own funny videos to share on sites like YouTube Kids. My parents say they're glad I have ways to be creative and have fun without just zoning out in front of a TV all day.

And I can't forget about how awesome the internet is for keeping in touch with my family and friends! Since my grandparents live far away, we use video chat apps so I can see and talk to them face-to-face whenever I want. I also get to stay connected with my friends from school during breaks by chatting and sharing memes. Some of my parents' friends think kids these days don't know how to socialize because of the internet, but I disagree! It has totally expanded my social circle.

Of course, my parents have made sure to teach me about the downsides of the internet too. They've warned me about not sharing personal information online, being careful about which sites I visit, and double checking that the information I find is from real, trusted sources. The internet can be a little like a jungle – amazing to explore but you've got to watch out for any potential dangers.

My parents have rules about limiting my internet time as well. They say it's important to find a balance and not get too sucked into the online world. I'm not allowed to take my tablet or laptop to my room at night, and we have a program that blocks certain websites and videos from loading. That way I don't accidentally stumble across anything inappropriate!

Overall though, I truly feel that the internet has enriched my life in so many ways. It has opened up endless learning opportunities that just weren't available to my parents when they were kids. I'm picking up valuable technological skills that will help me so much as I get older. And I get to have fun and stay connected with my family and friends in ways that were totally unimaginable even 20 years ago!

I know the internet can be misused and there are definite downsides to being constantly plugged in. But with guidance from my parents and teachers, I've learned to be a responsible internet user who takes advantage of all the amazing things it has to offer. Mastering the internet and being tech-savvy is one of the most important skills for my generation to learn. After all, we're the first true "digital natives" who have never known a world without it!

The internet has become as essential as reading, writing, and math when it comes to equipping me for future success. No matter what career path I choose to pursue, I know the internet literacy I've developed will give me a major head start. So thanks to the internet, us kids today have the world at our fingertips in a way previous generations could only dream of. Pretty cool, huh?

I can't wait to see what else the internet has in store for me as I keep learning and growing!

Essay 2

The Internet and Me

Hi there! My name is Jamie and I'm a 4th grader at Oakwood Elementary School. Today I want to tell you all about the internet and how it affects kids like me. The internet is this amazing thing that lets you access a huge amount of information from computers and phones all around the world. It has really changed so much about how we live our lives!

I remember when I was a little kid and we didn't have the internet at home. If I had a question about something, I'd have to ask my parents or look it up in our encyclopedia set that took up a whole shelf in the living room. Those big books were so outdated by the time they made it to our house. Nowadays, I can just pick up my tablet and do a quick search to find the latest facts on whatever I'm curious about. It's so much faster and easier!

The internet also helps me a ton with my schoolwork. My teachers give us websites to visit to read about the topics we're studying in class. There are interactive games and videos that make learning way more fun than just reading from a textbook. For book reports, I can find tons of analysis, summaries, and reviews online to help me understand the stories better. The internet is like having a huge library at my fingertips 24/7!

Speaking of libraries, I love that I can borrow ebooks and audiobooks online from our local library's website. I've read so many more books since they started offering that service. I can download a new book anywhere I have my tablet instead of just the ones my parents can drive me to the physical library to pick up. Reading is one of my favorite hobbies and the internet made it so much more accessible.

My friends and I also have a lot of fun interacting online and playing multiplayer games together over the internet. Some nights we'll just hang out in a group video chat while we're all playing the same game. It's like the virtual version of having everyone over at someone's house! We'll chat about school, YouTube videos, movies, you name it. The internet made it way easier to stay connected with my friends outside of school.

Not everything is perfect with the internet though. My parents are always warning me about internet safety. Like not giving out any personal information to strangers online, being careful what websites I visit, and not spending toooooo much time staring at screens. There's also a ton of false information and cyberbullying that can happen, which is definitely not cool. I try to be responsible and make good choices.

Overall, I'd say the internet has had a pretty big impact on my life as a student though. It opened up a huge world of knowledge, enabled way more communication and fun with friends, and altogether made learning a lot more interactive and interesting. I can't even imagine going back to not having internet! While it's important to be safe and not get too obsessed with it, the internet is an amazing resource when used properly. I'm really grateful I was born in a time when I can take advantage of everything it offers. Who knows what technological advancements will come next?!

Essay 3

The Amazing Internet and How It Changed My Life

Hi there! My name is Timmy and I'm 10 years old. I go to Oakwood Elementary School and I'm in 5th grade. Today I want to tell you all about the internet and how it has totally changed my life as a student!

I have to say, the internet is one of the most amazing inventions ever in my opinion. It has made learning so much easier and more fun. It's like having a gigantic library with every book imaginable right at my fingertips! Whenever I need to research something for a school project, I can just hop online and find tons of websites with helpful information. It sure beats having to lug home a bunch of heavy encyclopedia volumes from the school library.

Speaking of libraries, the internet is like the biggest library that has ever existed. There are websites about literally every topic you can imagine - from dinosaurs to Ancient Egypt to coding to you name it. And a lot of the information comes from really reliable sources like universities, museums, and scientific organizations. My teacher is always telling us to double check information online using trusted sites with .edu or .gov domains. It's crazy how much knowledge is out there!

Not only do I use the internet for research, but it has also been a huge help with my regular schoolwork and studying. There are so many great educational websites and videos that make learning new concepts way more interesting and interactive than just reading from a textbook. My math teacher has us watch videos that actually show the steps for solving different types of problems. In science, we get to see all kinds of cool experiments and see how things work through simulations. The internet brings the topics we're learning about to life in such a vivid way.

The internet has especially been valuable for me when it comes to learning about subjects I'm really interested in outside of my normal schoolwork. I've always been fascinated by outer space, so I spend a lot of time on websites from NASA and other space agencies looking at images from telescopes and reading about the latest discoveries. I even taught myself some coding by following tutorials for kids online. There are so many opportunities to learn new skills on the internet that schools don't necessarily teach.

Another way the internet has totally transformed my life as a student is how it allows me to collaborate with others. Group projects are so much easier thanks to online tools where my classmates and I can work together virtually. We don't have to all get together in person, since we can video chat, share documents, and get feedback from each other over the internet. Students from different schools and even different countries can connect and exchange ideas online. It opens up so many more opportunities for teamwork and learning from others.

Of course, the internet also provides endless possibilities for fun and entertainment for a kid like me when I'm not doing schoolwork. I can watch my favorite shows and movies, play games, listen to music, and much more - all from my computer, tablet or phone. It helps give my brain a break from all the learning!

However, my parents and teachers are always reminding me that I need to be smart and safe when using the internet. Since there is SO much information out there, I have to be careful about what sources I get information from and not believe everything I read online. My school taught us how to identify trustworthy websites and how to avoid phishing scams or inappropriate content. Internet safety is really important.

My parents also try to limit how much time I spend staring at screens and encourage me to balance my internet usage with other activities that don't involve technology. That's probably a good idea, because as awesome as the internet is, I don't want it to be the ONLY thing I'm doing all day every day.

Overall though, in my opinion the internet has been an overwhelmingly positive thing for me as a student. It has opened up vast universes of knowledge and made learning so much more interactive, collaborative, and fun. Instead of being limited to the information in the few textbooks and libraries available to me locally, I have access to resources from all over the world right at my fingertips.

For today's generation of students, the internet is simply indispensable. We live in an incredible age where the ability to connect with others globally and uncover information on any topic is just a click away. As incredible as the internet already is, I can only imagine how it will continue evolving and what new possibilities for learning it will unlock in the future.

So that's my take on how the internet has impacted my life as a 10-year-old student. What has your experience with the internet been like? I'd love to hear your perspective! Thanks for reading my essay. Time for me to go use the internet to look up some fun coding projects to try out. See ya!
authorized initial
Authorized Initial

Introduction

The term “authorized initial” refers to the process of granting permission or authorization for an initial action or step. It is a crucial aspect of various procedures and protocols in different fields, ensuring that only approved individuals or entities can proceed with certain actions. This article will explore the concept of authorized initial in detail, discussing its significance, applications, and potential challenges.

Significance of Authorized Initial

Authorized initial plays a vital role in maintaining security, accountability, and control in numerous domains. By requiring authorization before initiating an action, organizations can ensure that only trusted individuals are granted access to sensitive information or resources. This helps prevent unauthorized access, data breaches, and potential misuse of privileges.

Moreover, authorized initial provides a clear audit trail by documenting who initiated a particular action and when. This traceability is essential for accountability purposes and can be valuable in investigating any potential issues or breaches that may occur during the process.

Applications of Authorized Initial

1. Information Security: In the field of information security, authorized initial is extensively used to control access to confidential data. For example, before granting access to a secure database containing sensitive customer information, individuals must go through an authorized initial process such as providing valid credentials or obtaining approval from designated authorities.
2. Financial Transactions: Authorized initial is crucial in financial transactions to ensure that only authorized individuals can initiate fund transfers or approve payments. This helps prevent fraudulent activities and unauthorized transactions from taking place.
3. Legal Procedures: In legal procedures such as signing contracts or executing legal documents, authorized initial ensures that only designated persons have the authority to initiate these actions on behalf of organizations or individuals involved.
4. Software Development: In software development processes like version control systems (e.g., Git), authorized initial is used when developers want to make changes to the codebase. They need permission from the repository owner before their changes become part of the official codebase.

Challenges in Implementing Authorized Initial

While authorized initial offers numerous benefits, its implementation can present certain challenges. Some of the key challenges include:

1. Complex Authorization Workflows: In complex systems or organizations, defining and managing authorization workflows can be challenging. Determining who has the authority to grant initial authorization and establishing a streamlined process can be time-consuming and resource-intensive.
2. Maintaining Security: Properly securing the authorized initial process is crucial to prevent unauthorized access or manipulation. Organizations must implement robust authentication mechanisms, access controls, and encryption protocols to ensure the integrity and confidentiality of the authorization process.
3. User Experience: Balancing security requirements with a seamless user experience is a significant challenge. Organizations need to design user-friendly interfaces that guide individuals through the authorized initial process while maintaining stringent security measures.
4. Compliance with Regulations: Depending on the industry or jurisdiction, organizations may need to comply with specific regulations regarding authorized initial processes. Ensuring compliance while maintaining efficiency can be a complex task.

Conclusion

In conclusion, authorized initial is a critical aspect of various procedures across different domains. It establishes a secure and accountable framework by requiring permission before initiating actions. From information security to financial transactions, its applications are diverse and essential for maintaining control and preventing unauthorized access. Although implementing authorized initial comes with challenges such as defining workflows and balancing security with user experience, organizations must prioritize its implementation to safeguard sensitive data and resources effectively.
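Oracle Secure Global Desktop Release 5.3 Platform Support and Release Notes

Oracle® Secure Global Desktop Release 5.3 Platform Support and Release Notes
April 2017
E73989-01

Oracle Legal Notices

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications.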
ProSecure Unified Threat Management (UTM) Applianc
This guide describes how to use the Unified Threat Management appliance (UTM) SSL VPN Wizard to configure the Secure Sockets Layer (SSL) virtual private networking (VPN) feature. This feature provides remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computer. Using the Secure Sockets Layer (SSL) protocol, the UTM can authenticate itself to an SSL-enabled client, such as a standard web browser. Once the authentication and negotiation of encryption information are complete, the server and client can establish an encrypted connection.

For information about other features and for complete configuration steps, see the ProSecure Unified Threat Management (UTM) Appliance Reference Manual at: .

This guide contains the following sections:
• SSL VPN Portal Options
• Use the SSL VPN Wizard for Client Configurations

SSL VPN Portal Options

The UTM’s SSL VPN portal can provide two levels of SSL service to the remote user:

• SSL VPN tunnel. The UTM can provide the full network connectivity of a VPN tunnel using the remote user’s browser instead of a traditional IPSec VPN client. The SSL capability of the user’s browser provides authentication and encryption, establishing a secure connection to the UTM. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote computer to allow the remote user to access the corporate network.
  The SSL VPN client provides a point-to-point (PPP) connection between the client and the UTM, and a virtual network interface is created on the user’s computer. The UTM assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network.
• SSL port forwarding. Like an SSL VPN tunnel, SSL port forwarding is a web-based client that is installed transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tunnel in several ways:
  - Port forwarding supports only TCP connections, but not UDP connections or connections using other IP protocols.
  - Port forwarding detects and reroutes individual data streams on the user’s computer to the port-forwarding connection rather than opening up a full tunnel to the corporate network.
  - Port forwarding offers more fine-grained management than an SSL VPN tunnel. You define individual applications and resources that are available to remote users.

The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on how you set up the configuration.

Use the SSL VPN Wizard for Client Configurations

The SSL VPN Wizard facilitates the configuration of the SSL VPN client connections by taking you through six screens, the last of which allows you to save the SSL VPN policy. For information about how to edit policies or to configure policies manually, see the reference manual.

To start the SSL VPN Wizard:
1. Select Wizards from the main menu. The Welcome to the NETGEAR Configuration Wizard screen displays:
2. Select the SSL VPN Wizard radio button.
3. Click Next. The first SSL VPN Wizard screen displays.

The tables in the following sections explain the buttons and fields of the SSL VPN Wizard screens. See the reference manual for additional information about the settings in the SSL VPN Wizard screens.

SSL VPN Wizard Step 1 of 6 (Portal Settings)

Figure 1. Portal Settings

Configure the portal settings:
1. Enter the settings as explained in the following table.
   Note: If you leave the Portal Layout Name field blank, the SSL VPN Wizard uses the default portal layout. You need to enter a name other than SSL VPN in the Portal Layout Name field to enable the SSL VPN Wizard to create a portal layout. Do not enter an existing portal layout name in the Portal Layout Name field. If you do, the SSL VPN Wizard fails. The UTM does not reboot.
   Table 1. SSL VPN Wizard Step 1 of 6 screen settings (portal settings)
2. Click Next.

After you have completed the SSL VPN Wizard, you can change the portal settings by selecting VPN > SSL VPN > Portal Layout.

SSL VPN Wizard Step 2 of 6 (Domain Settings)

Figure 2. Domain Settings

To configure the domain settings:
1. Enter the settings as explained in the following table.
   Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. You need to enter a name other than geardomain in the Domain Name field to enable the SSL VPN Wizard to create a domain. you do, the SSL VPN Wizard fails and the UTM reboots to recover its configuration.
   Table 2. SSL VPN Wizard Step 2 of 6 screen settings (domain settings)
2. Click Next.

After you have completed the SSL VPN Wizard, you can change the domain settings by selecting Users > Domains. For more information about domain settings, see the reference manual.

SSL VPN Wizard Step 3 of 6 (User Settings)

Figure 3. User Settings

To configure the user settings:
1. Enter the settings as explained in the following table.
   do, the SSL VPN Wizard fails and the UTM reboots to recover its configuration.
   Table 3. SSL VPN Wizard Step 3 of 6 screen settings (user settings)
2. Click Next.

After you have completed the SSL VPN Wizard, you can change the user settings by selecting Users > Users on the main menu.

SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes)

Figure 4. Client Addresses and Routes

To configure the client addresses and routes:
1. Enter the settings as explained in the following table.
   Destination Network and Subnet Mask fields. If you do so, the SSL VPN Wizard fails and the UTM reboots to recover its configuration.
   Table 4. SSL VPN Wizard Step 4 of 6 screen settings (client addresses and routes)
2. Click Next.

After you have completed the SSL VPN Wizard, you can change the client IP address range and routes by selecting VPN > SSL VPN > SSL VPN Client. For more information about client IP address range and routes settings, see the reference manual.

SSL VPN Wizard Step 5 of 6 (Port Forwarding)

Figure 5. Port Forwarding

To configure port forwarding (optional):
1. Enter the settings as explained in the following table.
   Server IP Address field or a port number that is already in use in the TCP Port Number field. If you do, the SSL VPN Wizard fails and the UTM reboots to recover its configuration.
   Table 5. SSL VPN Wizard Step 5 of 6 screen settings (port-forwarding settings)
   a. Users can specify the port number with the host name or IP address.
2. Click Next.

After you have completed the SSL VPN Wizard, you can change the client IP address range and routes by selecting VPN > SSL VPN > Port Forwarding. For more information about port forwarding settings, see the reference manual.

SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings)

Verify your settings. If you need to change a screen, click the Back action button to return to the screen you want to change.

Figure 6. Verify and Save your Settings

To save your settings:
1. Click Apply to save your settings. If the UTM accepts the settings, the message Operation Succeeded displays at the top of the screen, and the Welcome to the NETGEAR Configuration Wizard screen displays.

Access the New SSL Portal Login Screen

Screens that you can access from the SSL VPN configuration menu of the web management interface display a user portal link () in the upper right corner of the screen. The link is the SSL VPN default portal and is not the same as the new SSL portal login screen that you defined with the SSL VPN Wizard.

To open the new SSL portal login screen:
1. Select VPN > SSL VPN > Portal Layouts. The Portal Layouts screen displays.
2. In the Portal URL field of the List of Layouts table, select the URL that ends with the portal layout name that you defined with the SSL VPN Wizard. The new SSL portal login screen displays. The following figure shows an SSL portal login screen.
3. Enter the user name and password that you created with the help of the SSL VPN Wizard.
4. Click Login. The default User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on the first screen of the SSL VPN Wizard (see SSL VPN Wizard Step 1 of 6 (Portal Settings) on page 3).

Figure 7 shows the User Portal screen with both a VPN Tunnel and a Port Forwarding menu option.

Figure 7. Portal screen with both a VPN Tunnel and a Port Forwarding menu option.

Figure 8 shows the User Portal screen with a Port Forwarding menu option only. The VPN Tunnel menu option is not displayed.

Figure 8. User Portal screen with a Port Forwarding menu option only.

The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections:
• VPN Tunnel. Provides full network connectivity.
• Port Forwarding. Provides access to the network services that you defined as described in SSL VPN Wizard Step 5 of 6 (Port Forwarding) on page 14.
• Change Password. Allows users to change their passwords.
• Support. Provides access to the NETGEAR website.

Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed on the user’s computer. The first time a user attempts to connect using the port forwarding tunnel, the NETGEAR port forwarding engine installs.
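A Brief Introduction to Using the Domain Secure Channel Utility nltestexe - “十万

A Brief Introduction to Using the Domain Secure Channel Utility nltest.exe

Tool: This tool is included in the Microsoft Windows NT 4.0 Resource Kit. Alternatively, if you have a Windows 2003 installation disc, its Support Tools directory contains the installer for the Support Tools package; once you install that package you will also have nltest.exe.

Introduction: nltest.exe is a very powerful command-line tool that can be used to test trust relationships and the state of domain controller replication in a Windows NT domain. A domain consists of one primary domain controller (PDC) and zero or more backup domain controllers (BDCs).

When trust is used in the Windows NT context, it describes a relationship between two Windows NT domains. Each domain involved takes either the trusting domain role or the trusted domain role. For any given trust relationship, there is exactly one continuous communication channel between each domain controller of the trusting domain and each domain controller of the trusted domain. For example, if domain A trusts domain B, then B is the trusted domain and A is the trusting domain.

As another example, suppose domain C trusts domain D and domain D also trusts domain C. In this case there are two distinct trust relationships between the domain controllers; this is usually called the complete trust model, or the two-way model. However, for the purpose of diagnosing secure channels, it is best to think of two separate secure channels existing between each domain controller of the trusting domain and the domain controllers of the trusted domain.

Trust relationships are not transitive. For example, if domain E trusts domain F and domain F trusts domain G, this does not mean that domain E trusts domain G. This is because the administrators of each domain must explicitly grant the trust between the two domains involved.

Another form of trust relationship is sometimes referred to as an implicit trust. In a single domain model, or in an environment where no explicit trust relationship exists between any two domains, implicit trust relationships are active and functionally required. This implicit trust relationship exists between a domain's domain controllers and all member computers in that domain. Explicit trust relationships are established in User Manager for Domains. Implicit trust relationships are established when a computer becomes a member of the domain.

Nltest.exe can be used to test the trust relationship between a domain controller in a domain and the domain members running Windows NT.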
certificate thumbprint
Certificate Thumbprint

Introduction
In the world of digital security, certificates play a crucial role in establishing trust between entities. A certificate thumbprint, also known as a fingerprint, is a unique identifier for a digital certificate. It serves as a cryptographic hash of the certificate's contents, allowing quick and efficient verification of its integrity. In this article, we will delve into the concept of certificate thumbprints, their significance, and their applications in various domains.

What is a Certificate Thumbprint?
A certificate thumbprint is a condensed representation of a digital certificate. It is typically a hexadecimal string derived from the certificate's contents using a hash function. The most commonly used hash algorithm for generating certificate thumbprints is SHA-1 (Secure Hash Algorithm 1). However, due to the vulnerabilities of SHA-1, more secure algorithms like SHA-256 are now being adopted.

The Significance of Certificate Thumbprints
Certificate thumbprints serve as a unique identifier for digital certificates. They are used to verify the integrity and authenticity of a certificate. By comparing the thumbprint of a received certificate with the expected thumbprint, one can ensure that the certificate has not been tampered with during transmission.

Generating a Certificate Thumbprint
To generate a certificate thumbprint, the following steps are typically followed:
1. Retrieve the digital certificate: Obtain the digital certificate for which the thumbprint needs to be generated. This certificate is usually in the form of a file or obtained from a certificate authority.
2. Extract the certificate's contents: Extract the relevant information from the certificate, such as the public key, issuer, and subject.
3. Apply the chosen hash algorithm: Apply the chosen hash algorithm, such as SHA-1 or SHA-256, to the extracted certificate contents. This results in a hash value.
4. Convert the hash value to a thumbprint: Convert the hash value to a hexadecimal string representation. This string represents the certificate thumbprint.

Verifying Certificate Thumbprints
Verifying a certificate thumbprint involves comparing the received thumbprint with the expected thumbprint. This process ensures that the certificate has not been tampered with and that it is indeed the expected certificate.
To verify a certificate thumbprint, the following steps are typically followed:
1. Retrieve the received certificate: Obtain the digital certificate that has been received.
2. Extract the received thumbprint: Extract the thumbprint from the received certificate. This thumbprint is typically provided in the certificate details or metadata.
3. Compare the received thumbprint: Compare the received thumbprint with the expected thumbprint. If they match, the certificate can be considered valid and trusted.

Applications of Certificate Thumbprints
Certificate thumbprints find applications in various domains, including:

1. Secure Communication
In secure communication protocols like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), certificate thumbprints are used to verify the authenticity of the server's certificate. By comparing the thumbprint of the received certificate with the expected thumbprint, clients can ensure that they are communicating with the intended server and not a malicious imposter.

2. Code Signing
Certificate thumbprints are used in code signing to verify the authenticity and integrity of software. Software developers sign their code with a digital certificate, and the thumbprint of this certificate is embedded in the signed code. When users or systems encounter the signed code, they can verify its authenticity by comparing the thumbprint with the one provided by the software developer.

3. Certificate Revocation Checking
Certificate thumbprints are used in certificate revocation checking mechanisms. Certificate authorities maintain lists of revoked certificates, known as Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. By comparing the thumbprint of a certificate with the thumbprints in these lists, systems can ensure that the certificate has not been revoked and is still valid.

4. Digital Forensics
In digital forensics, certificate thumbprints can be used to analyze and investigate digital artifacts. By examining the thumbprints of certificates found on a suspect's system, investigators can gather evidence about the suspect's online activities and interactions.

Conclusion
Certificate thumbprints are an essential component of digital security. They provide a unique identifier for digital certificates and ensure their integrity and authenticity. By comparing thumbprints, entities can establish trust and mitigate the risks associated with malicious activities. Whether in secure communication, code signing, certificate revocation checking, or digital forensics, certificate thumbprints play a vital role in maintaining a secure digital environment.
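The generation and verification steps of the thumbprint article above, as an added Python example that is not part of the original article. It hashes the complete DER encoding of the certificate, which is the value tools such as `openssl x509 -fingerprint` report, normalizes the usual display formats, and refuses SHA-1 pins by default; `SAMPLE_DER` is a constructed byte string standing in for a certificate, and the function names are this example's own.

```python
import hashlib
import hmac
import ssl
import string
import unicodedata

# Constructed stand-in for a certificate's DER bytes. It is NOT a parseable
# X.509 certificate; a thumbprint is a hash over bytes, so this is enough to
# exercise the logic offline. Use a real certificate file in practice.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample-body" * 8
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Hex length of each supported digest, used to tell the two kinds of pin apart.
HEX_LEN = {"sha1": 40, "sha256": 64}
SEPARATORS = " :-\t\r\n"


def thumbprint(cert, algorithm="sha256"):
    """Return the lowercase hex thumbprint of a certificate (PEM text or DER bytes)."""
    if algorithm not in HEX_LEN:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm}")
    # PEM is only a base64 wrapper; the hash is always taken over the DER bytes.
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else bytes(cert)
    return hashlib.new(algorithm, der).hexdigest()


def normalize(displayed):
    """Reduce 'AB:CD:..', 'ab cd ..' and similar display forms to bare lowercase hex."""
    kept = []
    for ch in displayed:
        # Drop separators and invisible Unicode format characters (category Cf)
        # that can ride along when a thumbprint is copied from a GUI dialog.
        if ch in SEPARATORS or unicodedata.category(ch) == "Cf":
            continue
        if ch not in string.hexdigits:
            raise ValueError(f"unexpected character {ch!r} in thumbprint")
        kept.append(ch.lower())
    return "".join(kept)


def verify(cert, expected, allow_sha1=False):
    """Compare a certificate against an expected thumbprint obtained out of band."""
    want = normalize(expected)
    if len(want) == HEX_LEN["sha256"]:
        algorithm = "sha256"
    elif len(want) == HEX_LEN["sha1"]:
        if not allow_sha1:
            raise ValueError("SHA-1 thumbprint refused; supply a SHA-256 thumbprint")
        algorithm = "sha1"
    else:
        raise ValueError(f"thumbprint has {len(want)} hex digits, expected 40 or 64")
    # Constant-time comparison of the computed and expected values.
    return hmac.compare_digest(thumbprint(cert, algorithm), want)


if __name__ == "__main__":
    pin = thumbprint(SAMPLE_PEM)
    shown = ":".join(pin[i:i + 2] for i in range(0, len(pin), 2)).upper()
    print("SHA-256 thumbprint:", shown)
    print("matches pin:", verify(SAMPLE_DER, shown))
    altered = SAMPLE_DER[:-1] + bytes([SAMPLE_DER[-1] ^ 0x01])
    print("altered certificate matches pin:", verify(altered, shown))
```

The expected thumbprint has to reach the verifier over a channel separate from the certificate itself; a thumbprint read out of the same untrusted message it is meant to check proves nothing.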
Secure Operating Systems
Common to these definitions are the concepts of:
• enforcement of security policy
• sufficiency of measures and mechanisms
• evaluation
Software Institute
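The main threats to operating system security are the following:
• Using the operating system as a means to obtain information beyond one's authorization, or without authorization. This endangers the confidentiality and integrity of the computer and its information system.
• Using the operating system as a means to obstruct the normal operation of the computer system or its normal use by users. This damages the integrity of the computer system and endangers its availability.
• Targeting software: illegal copying and illegal use.
• Using the operating system as a means to undermine the security of the computer and its information system, and to steal or illegally obtain the system's information.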
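The general development process of a secure operating system is shown in the figure on the right.
[Figure: General development process of a secure operating system, in three stages (Stage 1, Stage 2, Stage 3). Boxes: security function description; abstract and derive the security model; build the security model; statement of the correspondence between the security model and the system; design and implementation of security mechanisms; trustworthiness certification of the secure operating system.]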
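From the designer's point of view, a trusted operating system is examined in terms of the design and function of the components that provide security services.
The four main foundations of trusted operating systems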
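I. History of research and development of trusted operating systems
Multics (Multiplexed Information and Computing Service) was the earliest attempt to develop a trusted operating system. It was begun in 1965 as a joint effort of Bell Labs in the United States and the MAC (Multiple Access Computer) project group at the Massachusetts Institute of Technology. Its goal was to give a large user community concurrent access to computing, to support powerful computing capacity and data storage, and to provide a high level of security.
Multics is a mainframe timesharing operating system begun in 1965 and used until 2000. It was a major influence on subsequent systems.
Although Multics did not achieve complete success, it took an important first step in trusted operating system research and accumulated rich experience for later work in the field. The BLP security model, designed jointly by Bell and LaPadula of the Mitre Corporation, was first successfully applied in Multics.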
Trusted Virtual Domains: Toward secure distributed services
John Linwood Griffin, Trent Jaeger, Ronald Perez, Reiner Sailer, Leendert van Doorn, and Ramón Cáceres
IBM Research
T. J. Watson Research Center, 19 Skyline Drive, Hawthorne, NY 10532 USA
{JLG,jaegert,ronpz,sailer,leendert,caceres}@

Abstract
The focus of trusted computing efforts to date has been to create islands of trust in a sea of distrust, identifying these islands as dependable domains with a solid base that can be used for building applications upon which critical services depend. The aim of our work is to extend this solid base by building "bridges" among trusted islands, with such goals as enabling meaningful trade agreements between islands, enabling migration of individual island inhabitants, and enabling geography-independent affiliation among inhabitants of different islands.

1 Introduction: secure distributed services
Our vision of the future is that directed computation and data analysis will be securely offloadable onto any acceptable service computer, anywhere, that has excess processing capacity. This vision goes beyond the scope of grid computing as available today, in that we further believe that such service offloading should achieve levels of security and dependability that are equal or nearly equal to the levels achieved on the user's original, self-contained system.
For usability and scalability, we additionally require that no extra user effort or interaction be necessary to ensure and maintain these properties.

Such a vision is difficult to achieve presently, as it is difficult to know or reason about the security and dependability of a computer system not under a user's direct, administrative control. Any offloading tends to have severe restrictions placed upon the location and manner in which the computation will take place: one business may enter into a lengthy and complicated legal negotiation to strictly specify the physical and software security for machines co-located in a service provider's machine room, or an organization may require that all connections to its internal network be made through a virtual private network (VPN) and a firewall—hoping that the integrity of the VPN software indicates the integrity of the users' systems.

We envision a new environment for distributed, secure computational offloading. Applications or services will be partitioned into selectable components, where each component may be serviced by remote entities acting in certain roles. (Legacy applications could each run as a single unpartitioned component.) Roles for remote entities will include statements of security and operational restrictions on each entity's behavior, and infrastructure around each remote entity will ensure that its behavior doesn't stray from that of its specified role. The crux of this idea is that any entity willing to take on a role—i.e., an entity trying to sell its services or resources for profit—must demonstrate its acceptability to the initiator of a service. The role-taking entity, which we henceforth refer to as a responder, must satisfactorily establish that it can carry out the responsibilities of the role while at the same time preserving any restrictions that the initiator may place upon it.

In the context of secure distributed computing, we view this evaluation of "acceptability" as that of remotely providing a
believable description of the behavior and limitations of the operating environment—what it and its applications are restricted from doing, and what they are permitted to do. Put another way, validating how an environment protects or does not protect computation and the data it receives. This can stem from a direct analysis of the hardware and software components of a system, from a trusted third party certification of the configuration of those components, or from a combination thereof.

In this position paper we identify a new framework for distributed service-oriented processing that we call Trusted Virtual Domains (TVDs). The TVD framework opens the door to realizations of the above ideas by tying together new and previous work on trusted computing, policy specification and verification, virtualization and middleware technologies, and Ds are designed to simplify the user's and administrator's interactions with large-scale distributed systems by offloading the "grunt work"—the analysis and enforcement of the security and operational properties associated with a workload or service—onto the TVD infrastructure itself.

2 Motivational scenarios
In this section we present two example scenarios that highlight the motivation for our position. As discussed in the introduction, our scenarios revolve around two or more parties who collaborate to create a distributed session: an initiator who desires that a service be performed, and one or more responders who perform the service by taking on a role. For the purpose of these scenarios, think of each party as being a process executing exclusively inside its own virtual machine; we expand on this notion in the following section.

Scenario 1: computational offloading. Our first scenario involves initiator-specified computation: in particular, grid-style computational offloading. In this scenario the initiator wishes to run an extensive but sensitive data mining query over a confidential data set, requiring computational and storage resources beyond
those the initiator has available. For example, a pharmaceutical company wishes to measure the death rate in patients that are prescribed an experimental drug mix: the query is sensitive, in that there should be no external indication of the search parameters; and the patient data must remain confidential. Computational offloading scenarios are ideally suited for grid computing environments, where a goal is to create homogeneous, widely-available, distributed processing nodes to absorb excess local computational needs. However, although grid servers are gaining in popularity and popular usage, they currently offer few if any remotely verifiable guarantees about the security and integrity of their operating environments, making them unsuitable for application in this scenario.

One of our aims is to eliminate this barrier, enabling such offloading scenarios to become commonplace for anyone who could benefit from them, while simultaneously addressing any security concerns. At role-acquisition time, the initiator might specify that it requires attestations to the effect of processing-time reservations, memory and communication isolation (with respect to other processes or entities running on the responder's system), encrypted on-disk storage of any swapped memory or source data, and confirmation that the responder's execution environment will be reset and zeroed upon completion of the service. The responder's virtual machine would then believably attest or assert that it will enforce each of these requirements. In an expanded scenario, the query may be provided by the initiator, who specifies one set of security requirements regarding the query text, whereas the patient data may come from a third-party source with much stricter requirements of verifying identity and ensuring confidentiality.

Scenario 2: business services. Our second scenario involves responder-specified computations (i.e., advertised services): in particular, online business services. In this scenario the initiator identifies a
responder who advertises that it is programmed and willing to accomplish the initiator's high level task. For example, a consumer wishes to order a book from an online broker, but desires to prevent the distributor of the book from learning any information about the consumer other than his or her address—in particular, preventing the exposure of bank or financial information that the consumer discloses in order to pay the broker. Online business services are in widespread use today, but suffer in that their usage is ad-hoc, with consumers relying only on past experience or reputation when verifying the expected behavior of different brokers, and in that users encounter different interfaces for each different broker for a given requested service. In this scenario, the consumer may desire to securely audit the broker's communications—in essence, obtaining a guarantee that the consumer will have knowledge of any unauthorized exposure—in lieu of specifying security parameters for each responder.

Another of our aims is to generalize the parameters under which a responder will operate on the initiator's behalf.
The types of attestations and statements exchanged are different in this scenario: early in the book-ordering transaction the responder could specify well-understood labels for the data it will require to perform the service: financial debit data, shipping address data, etc. The initiator can respond by requiring that the responder locate and incorporate two additional responders: one to handle the conveyance of the financial-labeled data to the bank, and the other to handle the conveyance of the address data to the warehouse, specifically directing that these two additional responders must reside on physically separate hardware platforms.

What's missing? Two problems prevent today's technologies from realizing our vision. First is the inability to represent trusted properties: there are no generally-accepted, useful mechanisms for an initiator to negotiate the security properties and requirements it expects from a remote responder. Second is the inability to verify trusted properties: there are no mechanisms for a responder to demonstrate its acceptability upon request.

Solving these problems requires the confluence of three layers. First, it requires establishing that all systems involved in a negotiation are under self-control, uncorrupted by an attacker: a basis for negotiation. Second, it requires establishing the operational requirements to which each system must adhere: a basis for control. Third, it requires establishing roles for all parties involved in the aggregation: a basis for service execution. Although there has been individual work in each of these areas, to our knowledge no directed effort has successfully tied the areas together. The architecture we describe in the following section aims to address the two problems by establishing each of these bases.

3 TVDs: Building upon verifiable trust
We are developing an architecture to build upon the notion of negotiated roles for responders, wherein the roles are defined by the security-related attestations they can provide
to an initiator. In particular, our architecture focuses on enabling and supporting execution environments to realize secure distributed services.

A TVD is an abstract union entered into by an initiator and one or more responders, in which the mutual requirements for all parties are specified and confirmed during the process of joining the union. The nature of the TVD is that application-level programmers and users are simply aware that their execution environment supports and enforces semantic operational and security primitives, via a well-defined and straightforward programming interface. The humans are therefore relieved of the complexity of correctly implementing and configuring their programs to achieve the desired secure operational properties. Instead, the mechanisms comprising the execution environment—in our current thinking, Trusted Platform Module (TPM)-based hardware support and one or more virtual machine monitors—transparently handle the connections among and execution monitoring of each of the parties.

3.1 TVD components
More specifically, there are three levels of components in our architecture, corresponding with the three layers presented in the preceding section. The relationships among these components are illustrated in Figure 1.

A basis for negotiation: The mutually-trusted computing base (MTCB). Before any attestations can be made or roles accepted, each party must be assured of the identity and integrity of the remote party's computer system. A good candidate for achieving this involves making use of secure hardware extensions, such as high-end secure coprocessors or commodity embedded security subsystems such as the TPM that many companies (including Dell, Hewlett Packard, IBM, and Toshiba) have announced will be included in their COTS computer system offerings. From our previous experiences with engineering trust inside a single computer system, we believe it is feasible to bridge trust across multiple systems using the TPMs passively as the root of trust on
each system.

A basis for control: Attesting virtual environments (AVEs). Building on an established framework for negotiations, AVEs work with the underlying hardware (and potentially with underlying software) to create execution environments enforcing the types of attestations described in the previous section. We envision AVEs as supporting a wide variety of environments, ranging from virtualized hardware (e.g., VMware™, Xen, or the IBM Research Hypervisor) to simpler sandboxed environments such as the Java 2 Platform, Enterprise Edition (J2EE™). An AVE is confined to a single hardware system, but there can be multiple AVEs running simultaneously on a system.

Figure 1: TVD architecture. The acronym expansions and a description of the functions of each component are defined in Section 3.1.

A basis for service execution: Execution entities (EEs). Building on an established framework for control, EEs are the individual responders who take on roles on behalf of the initiator. There can be one or many EEs per AVE—i.e., entities under the execution limitations defined by the AVE's configuration and attestation—subject to the restrictions stated by the initiator. We anticipate that there will often be reverse attestations required by the responders: for example, an initiator who desires to access sales figures on IBM's corporate intranet may need to make reverse attestations to the responder (the latter being an internal entity, offering real-time sales data) before the responder consents to releasing the information.

3.2 TVD construction
A TVD is composed of an established MTCB with AVEs and EEs that cooperate to perform a service on behalf of an initiator. When an initiator desires a service to be performed, it creates a TVD consisting of itself and, if present, its AVE and secure hardware. It then determines the roles that need to be satisfied and locates suitable role-taking responders for the roles. (This step is beyond the scope of this discussion, other than to say the AVE may
provide support for querying a database or peer-to-peer group to identify potential roles.) It then contacts the responder and invites it to join the TVD. The two TCBs attempt to establish an MTCB; if this fails, both parties are notified and the initiator locates an alternate responder. Once the MTCB is established, the initiator or its agent specifies the requirements to the responders' AVEs, and the responders specify any requirements they may have to the initiator's AVE. The respective AVEs generate attestations that satisfy the requirements (or fail, as above); once these attestations are verified then the initiator and responder proceed as normal.

TVD membership is still a nascent topic, and many interesting questions remain about the nature and application of TVDs. For example, our descriptions present components as having asymmetric security goals: an initiator has one set of requirements to map onto the responder, and the responder has a different set of requirements for the initiator. An alternative view is that the TVD itself has a set of security properties, and all components of the TVD must be configured to uphold those properties. Another open issue involves the susceptibility of commodity trusted hardware to physical attacks: although some secure coprocessors are built with physical tamper-resistance features, many of the commodity TPM hardware solutions have only low-cost measures available and are therefore not impregnable to a determined physical attack. This may mean that there are "flavors" of MTCBs that could be established, where a party can refuse to establish mutual trust with potentially susceptible hardware—or, alternatively, the party could evaluate and manage its per-task risk based on its knowledge of the type of remote hardware in use.

A more difficult question involves how the set of components that form a TVD can change over time. A TVD could expand in several ways: the initiator can identify additional roles and invite additional responders to take
on those roles, or one of the responders may require several additional roles to be farmed out to fully complete its role. Ultimately such expansions are capabilities that are grantable by the initiator. Looking ahead, a useful application of TVDs may involve Internet-scale, multi-domain service processing, where a TVD of many components is itself coalesced into a single large entity; this new entity is perhaps capable of acting as a new initiator or responder in taking on another role—with composed, higher-level operational characteristics—to accomplish a higher-level service.

4 Responder attestations
Reasoning about what secure distributed services are necessary requires a common language to describe the properties enforced by the individual execution environments. Such a language must strike the right balance between abstract and concrete: abstract enough that the system administrators and service designers can easily understand and make use of the attestations, yet concrete enough that the statements are actually demonstrable and preferably computable and enforceable by all parties. As an effort toward achieving this language, we offer an initial list of useful and potentially attestable properties in this section.

4.1 Data-related attestations
These attestations relate primarily to the reception, handling, and transmission of code or data provided by the initiator or a third party.

Confinement (isolation, confidentiality). These properties refer to the secrecy of the code and data entrusted to the execution environment, in terms of isolating the memory or other physical resources (especially I/O resources) used by the execution environment. One desired result is that the resources are not visible or accessible by other execution environments sharing the same platform. At a different level, another result is that data identified by a particular label is maintained and accessed separately from data identified by a mutually exclusive label.

Immutability. These properties refer
to the enforced read-only nature of code or data provided to the execution environment by the initiator or another third party. This could be accomplished for example by static or dynamic code analysis of the responder, by external management of the memory pages visible to the execution environment, or by creating a read-only API across the interface between the AVE and the execution environment.

Integrity. These properties refer to the nature of integrity labels for data: preventing the acquisition or generation of external low-integrity data by a high-integrity responder, as doing so would degrade the responder into a low-integrity state.

Secure I/O primitives. These properties refer to the availability or required use of any secure I/O primitives available to the responder. The secure I/O can represent a hardware-enabled property—for example, a secondary storage device or network interface card that automatically encrypts data before placing it on the medium—or can represent the manual encryption of data by the execution environment itself before its conveyance to the appropriate hardware device.

4.2 Processing-related attestations
These attestations relate primarily to the computations performed by the responder on behalf of the initiator.

Availability. These properties, normally found in service-level agreements, refer to quality-of-service-type guarantees regarding the resources reserved for the responder's computations. This can include the rate or sum of the allocations of the processor, network, storage, or other real or virtualized devices present in the system. Statements can be made about peak, average, minimum, or maximum usage of the aggregate resources.

Cost and metering. These properties refer to non-repudiable agreements by both parties as to the methods by which the resource usage will be metered, as well as the rate at which the initiator will be charged for resource usage by the responder. This may also specify minimum and maximum charges for performing the
service. These properties could also be used to agree upon arbitration scenarios for disputes.

Auditing. These properties refer to the capabilities of the execution environment that allow the initiator to interpose on resources utilized by the responder. As examples, having the initiator mediate which point-to-point network connections may be joined by the responder at connection-time, or having all network traffic from the initiator pass through additional responders (each assuming a role on behalf of the initiator) to monitor the quantity and frequency of network resources allotted to the initial responder.

Reset. These properties refer to an initiator's requirements that the execution environment of the responder be freshly reset (memory scrubbed, all resources reset) at either the beginning or end of its execution. For example, this could be a statement by the execution environment that it will permanently halt the responder when the service is complete, and that it will further securely delete any files written by the responder during its operation.

4.3 Environment-related attestations
These attestations relate primarily to the configuration of the execution environment in which the responder operates.

Redundancy. These properties refer to the physical setup of the initiator's hardware platforms, and any verifiable failure resilience or fault tolerance mechanisms that are in place over the hardware or individual hardware components. For example, the measured presence of redundant power supplies or other hardened hardware components, or the installation of hardware- or software-based data distribution schemes for storage or network components.

Identity. These properties refer to the author or source chain of the software executing inside the responder's execution environment, and may (or may not) uniquely identify a particular instance of the software. These properties may also include identifiers describing execution environment itself (e.g., the hardware's hard-wired
identifiers, certificates from the author of the virtual machine monitor, a reproduction of the monitor's configuration file), although such identifiers are more likely to be required to establish an initial trust basis than to establish whether a responder is properly configured to assume a role.

Administration. These properties refer to the physical characteristics of the environment in which the system hardware resides: the identity and contact information of the system administrators; the physical geography in which the server is located; legal, privacy, or ethical considerations identified by the administrators as to the physical operation of the respective computer systems; capabilities or willingness to enter into long-term support contracts for providing computational services.

Accountability. These properties refer to the legal ramifications to the responder's administrators for failing to maintain support of the hardware or software configuration necessary to complete the agreed-upon task: for example, overloading the number of simultaneous services being provided and therefore dropping below the agreed-upon quality of service for one or more resources, or taking redundant backup systems offline during critical operations.

5 Discussion
We are exploring the development of virtual operating environments that use trusted computing components to verifiably self-attest to property statements that describe their own behavior, as well as statements that describe the constrained behavior of applications that execute (or are interpreted) inside the environments. Previous work in this space focuses on the simpler problem of conveying third-party attestations and assertions about a system—for example, attesting that a certain hardware and software configuration has been integrally loaded, and asserting that any system with the loaded configuration meets certain high-level security goals.

Achieving trustable self-attestations is a difficult proposition, and we may not be able to
achieve complete success. As this is a speculative position paper, we have neither encouraging nor discouraging results to report. One of our goals with this paper is to engage the community in a discussion of which properties are potentially self-attestable, and how such verifiable self-attestation can portably be achieved—whether using our trusted computing architecture or using other frameworks.

We expect the list of operational properties (Section 4) to be a useful starting point for continuing discussions on the specific impact of trusted computing in distributed, heterogeneous environments, regardless of the particular attestation or assertion mechanisms—self or third-party—used to convey the individual properties among cooperating systems. Although property-based attestation is not itself a novel concept, we are not aware of previous work toward identifying specific composable security-related properties in a trusted computing environment.

More generally, we believe that the TVD abstraction is a useful concept toward the composition of secure distributed services. Current work suggests that each of the three component layers of TVDs are realizable. In addition, TVD deployments should solve problems involving computational offloading and business services as described in our example scenarios in Section 2.

Thought experiments involving these scenarios support our belief in the usefulness of TVDs. Scenario 1 decomposes into a straightforward mapping to both attestations and roles as defined for TVDs. For attestations, the scenario relies on a subset of the attestations in Section 4 passing between a pair of AVEs that have established an MTCB. For roles, the scenario could make use of any of the grid computing environments available today.

Scenario 2 represents a more challenging thought experiment, given that the roles defined by the responder (the book broker) must be automatically partitionable into individual EEs whose AVEs collectively uphold the data labeling and
isolation policies required by the initiator. This flexibility requirement for Scenario 2 suggests that a significant looming challenge for enabling secure distributed services may lie in the creation of common, well-structured, role-oriented services by service providers or by third parties writing on behalf of potential initiators. We postulate that this task will be simplified in the context of TVDs, due to the availability of the common security language of attestations that provide an exact mapping of potential customers' security requirements for a particular service.

6 Related work
The enabling technologies for secure distributed services are hot research topics these days. Work by Sadeghi and Stüble [7] aims to enable evaluating which security properties a remote system upholds, while obscuring the details of which hardware and software components are used in the system. The focus of that work is on the protocol-based conveyance of properties, which complements our intended evaluation of the properties themselves.

Sailer and colleagues [8] demonstrate the use of trusted computing hardware to verify the integrity of the software stack loaded on a system. Garfinkel and colleagues [1] use trusted third-party certificates to establish a remote basis for believing the authenticity of a virtual operating environment and to demonstrate that both the environment and the application running therein are unmodified. Haldar and colleagues [3] build upon these concepts by including a trusted Java bytecode analyzer in the virtual operating environment, to monitor the application's adherence to a security policy during execution. They expand upon an attestation taxonomy that is related to ours, but is more limited to the environment of language-based virtual machines. Trusted third party certifications and code analyses may end up being important aspects of deployed TVDs, both in terms of the EEs and the applications running therein; especially as other groups within IBM are exploring
middleware-based internal frameworks for EEs.

Aspects of the decentralized enforcement of a comprehensive, centralized secure operational policy are discussed by Gasser and colleagues [2] and more recently by Ioannidis and colleagues [4]. We extend these concepts in the context of trusted computing, and propose merging the operational specification of roles for services with their associated security properties.

Secure distributed services, remote attestation, and the use of trusted computing hardware are also topics that are actively being advanced by various corporations and industry groups, such as with Microsoft's Next-Generation Secure Computing Base and the Trusted Computing Group. Aspects of existing commercial middleware, such as the Microsoft® .NET Web services framework and Common Language Runtime, are very similar to TVDs—and would be even more so if they were coupled with trusted computing technologies.

7 Conclusion
We envision an environment where computing services can be dependably offloaded into execution environments that demonstrably and satisfactorily meet a desired set of security requirements. Toward this end, we present a new abstraction whose purpose is enabling computer systems to autonomously reason about the security properties provided (or not provided) by other systems in a widely distributed environment. This new abstraction, that we call Trusted Virtual Domains, is intended to serve as a foundation for dynamically constructing secure distributed services.

Acknowledgements
This work represents one portion of a larger effort among our colleagues toward developing the concept of Trusted Virtual Domains and exploring the impact of TVDs on software and service deployment; complementary work is proceeding at IBM's Tokyo Research Laboratory [5] and Zurich Research Laboratory [6]. This paper benefits greatly from comments and context provided by Günter Karjoth, Hiroshi Maruyama, Matthias Schunter, Sachiko Yoshihama, and the four anonymous reviewers.
References
[1] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In Symposium on Operating System Principles, pages 193–206. ACM Press, Oct. 2003.
[2] M. Gasser, A. Goldstein, C. Kaufman, and B. Lampson. The Digital distributed system security architecture. In National Computer Security Conference, pages 305–319. NIST/NCSC, Oct. 1989.
[3] V. Haldar and M. Franz. Symmetric behavior-based trust: A new paradigm for Internet computing. In New Security Paradigms Workshop, Sept. 2004.
[4] S. Ioannidis, S. M. Bellovin, J. Ioannidis, A. D. Keromytis, and J. M. Smith. Design and implementation of Virtual Private Services. In IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pages 269–274. IEEE Computer Society, June 2004.
[5] H. Maruyama, F. Seliger, N. Nagaratnam, T. Ebringer, S. Yoshihama, S. Munetoh, and T. Nakamura. Trusted platform on demand. Research Report RT0564, IBM Corporation, Feb. 2004.
[6] J. Poritz, M. Schunter, E. V. Herreweghen, and M. Waidner. Property attestation—scalable and privacy-friendly security assessment of peer computers. Research Report RZ3548, IBM Corporation, May 2004.
[7] A.-R. Sadeghi and C. Stüble. Property-based attestation for computing platforms: Caring about properties, not mechanisms. In New Security Paradigms Workshop, Sept. 2004.
[8] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a TCG-based integrity measurement architecture. In USENIX Security Symposium, pages 223–ENIX, Aug. 2004.