面向边远地区内容分发的DTN密钥管理方案

边远地区内容分发系统由卫星及便携终端混合网络组成,针对其中的特殊DTN环境,以及现有密钥管理方案不适用的问题,提出了一种新的密钥管理方案。利用系统中卫星网络接收服务器为用户颁发数字身份证,用户产生密钥对并将其与数字身份证绑定产生盲数字身份证,从而进行身份验证及公钥获取。在验证数据中加入密钥生存期,实现了用户密钥定期更新并且可以防止对公钥获取进行的重放攻击。分析了该方案的安全性并与其他方案进行了对比,分析表明该方案达到了安全性需求并适用于卫星及便携终端混合网络内容分发的DTN。     

公钥密码算法识别技术研究

嵌入式设备在网络中引发了很多安全隐患,针对嵌入式系统的网络安全问题,识别其中的公钥密码算法是分析系统安全性的一个重要方面。在对公钥密码算法加密原理的研究以及在汇编级算法特征分析的基础上,提出了一种基于语义的公钥密码算法加密行为分析方法,可以对算法的加密行为进行准确地刻画,并结合模型检测技术完成对嵌入式系统中可能包含的公钥密码算法的识别。测试结果表明,该方法具有较好的准确性和稳定性。     

数字孪生网络(DTN): 概念、架构及关键技术

随着5G商用规模部署、下一代互联网IPv6的深化应用, 新一代网络技术的发展引发产业界的关注. 网络的智能化被认为是新一代网络发展的趋势. 网络为数字化社会的信息传输提供了基础, 而网络本身的数字化是智能化发展的先决条件. 面向数字化、智能化的新一代网络发展目标, 本文首次系统化提出了 “数字孪生网络(DTN: Digital twin network)” 的概念, 给出了系统架构设计, 分析了DTN的关键技术. 通过对DTN发展挑战的分析, 本文指出了未来 “数字孪生网络” 的发展方向.     

高效安全的无证书密钥协商方案*

在网络信息安全领域,服务器与客户机之间的密钥协商显得非常必要。无证书公钥密码是为了克服基于身份密码的密钥托管性质提出来的,它结合了传统公钥证书密码体系和基于身份的公钥体系的优点。应用椭圆曲线的配对运算,提出了一个两方的无证书密钥协商协议,其中每一方只需计算一个配对,并证明了它在ECK模型下的安全性。与其他无证书密钥协商协议相比,安全性和效率都更好。     

An optimized authentication protocol for mobile networks

Practical secure communication of mobile systems with low communication cost has become one of the major research directions. An established public key infrastructure (PKI) provides key management and key distribution mechanisms, which can lead to authentication and secure communication. Adding public key cryptography to Kerberos provides a nice congruence to public key protocols, which can obviate the human users’ burden to manage strong passwords. This paper emphasizes on authentication as a considerable issue related to security. Additionally, an efficient and secure hybrid authentication protocol for large mobile network is proposed. Its infrastructure accommodates explosive growth of the large mobile network. It reduces the communication cost for providing secure network access in inter-domain communication. This method is based on symmetric cryptosystem, PKI, challenge–response and hash chaining.     

Key management systems for sensor networks in the context of the Internet of Things

If a wireless sensor network (WSN) is to be completely integrated into the Internet as part of the Internet of Things (IoT), it is necessary to consider various security challenges, such as the creation of a secure channel between an Internet host and a sensor node. In order to create such a channel, it is necessary to provide key management mechanisms that allow two remote devices to negotiate certain security credentials (e.g. secret keys) that will be used to protect the information flow. In this paper we will analyse not only the applicability of existing mechanisms such as public key cryptography and pre-shared keys for sensor nodes in the IoT context, but also the applicability of those link-layer oriented key management systems (KMS) whose original purpose is to provide shared keys for sensor nodes belonging to the same WSN.     

Large scale wireless sensor networks with multi-level dynamic key management scheme

Cyber-Physical Systems (CPSs) have emerged as a promising approach to facilitate the integration of the cyber and physical worlds in highly interconnected and complex ways. CPSs consist of several components, such as sensors, actuators, controllers, etc., and their structures are being complicated, and their scales are increasing day by day. Therefore, the data reliability and security have emerged as critical challenges between physical and virtual components of these systems. Wireless Sensor Networks (WSNs) are accepted as one of the most crucial technologies for building future CPSs. Because of their wireless and dynamic nature, WSNs are more vulnerable to security attacks than wired networks. The main solution for this problem is the usage of signed messages with symmetric or asymmetric key cryptography. Although, asymmetric key cryptography increases network security, it also causes severe computational, memory, and energy overhead for sensor nodes. On the other hand, symmetric key cryptography has the difficulty of providing high-level security and efficient key management scheme; however, it is better in terms of speed and low energy cost. In this paper, it is aimed to build a multi-level dynamic key management system for WSNs with the aid of an Unmanned Aerial Vehicle (UAV), which is a key distribution and coordination center for asymmetric keys. After that, each sensor node constructs different symmetric keys with its neighbors, and communication security is achieved by data encryption and mutual authentication with these keys. Evaluation results show the proposed system is scalable, and its performance is significantly better than asymmetric key management systems.     

The NHS as a proving ground for cryptosystems

This paper examines the challenges that the National Health Service poses as an environment for public key cryptography systems.The NHS is Europe’s largest single employer, with over 1.2 million staff. It provides lifetime healthcare for most of its population, and has done so for 55 years. In the last decade, it has launched several major programmes to develop NHS-wide information systems.Just the scale of the NHS is daunting. But systems that handle patients’ medical records are subject to a plethora of laws, policies, guidelines and practices for controlling the access, use and storage of the information. Taken together, the rules are complex and sometimes contradictory and, in addition, must be balanced against both patients’ express wishes and their clinical needs.Cryptography is an obvious means to secure and protect confidential information. Recently, identity-based public key cryptography schemes not only seem easier to deploy than previous schemes, but also seem equal to the challenges. In this paper, we give a detailed overview of the features and challenges that the NHS environment presents to uses of cryptography, to qualify our impressions of our cryptosystem and to guide our future efforts to develop it.     

基于门限完全分布式密钥管理方案

adhoc网络作为一种无线移动网络正成为网络研究中的热点之一。针对移动adhoc网络的特性和对目前已有的移动adhoe网络密钥管理方案的分析,提出了一种基于信任图和门限密码技术的全分布、自组织的移动adhoc网络密钥管理新方案。该方案允许节点发布公钥证书并且通过证书链实施认证,有效地解决了网络节点之间的信任,同时又阻止恶意节点发布错误公钥证书欺骗认证服务。该方案具有较高的可靠性、扩展性和安全性,适用于大规模移动ad hoc网络。     

无证书公钥密码体制研究

无证书公钥密码体制(certificateless public key cryptography,简称CL-PKC)是在基于身份的公钥密码体制(identity-based public key cryptography,简称ID-PKC)的基础上提出来的一种新型公钥密码体制,没有密钥托管问题、不需要使用公钥证书,使得无证书公钥密码体制从其概念提出的初始就受到了学术界和工业界的极大关注.从2003年至今,它一直是密码学和信息安全领域非常活跃的研究热点.其理论和技术在不断地丰富和发展.到目前为止,已经积累了大量的研究成果.将对这些成果进行较为系统的整理、分析、比较和简要的评述,并探讨该领域研究尚存在的不足及值得进一步研究的问题.     

无线局域网网络安全措施的改进

为应用公钥密码系统增强无线局域网网络的安全,采用基于身份的公钥密码系统的、WLAN认证方案,将基于身份的公钥系统引入WLAN的认证结构中,用于STA和AP之间的认证和密钥协商的方法.WLAN中的数据通过射频无线电传输,对于恶意的攻击者实施窃听是十分有利的,更好的提高的无线网络的安全.对传统的无线局域网基于身份的公钥系统进行了研究,结合身份为基础的公钥思想和Weil对技术,提出了一种新的身份公钥方案.方案将有效保护在WLAN中传输数据的机密性、完整性和不可否认性,同时对请求接入WLAN的用户进行身份认证和访问控制.     

DTN拥塞控制研究进展*

容迟容断网络（DTN）专注于解决星际网等下一代网络的数据传输,拥塞控制是其核心问题之一。传统的TCP拥塞控制机制不适用于具有延时长且抖动严重、连接频繁中断、非对称数据流、资源受限等特征的DTN网络,特别是保管传递模式不同于尽力而为服务模型,给拥塞控制机制带来了新的挑战。分析了应对这些挑战已提出的方案,基于节点级拥塞、链路级拥塞和区域级拥塞分别阐述各方案基本思想及其之间的关系,最后进行了总结并给出了DTN拥塞控制技术未来的研究方向。     

基于动态多簇密钥管理模型的安全数据聚合方案

军事领域需要强有力的安全措施,但由于环境恶劣,缺乏物理保护,难以展开固定的通信设施。设计了一种基于身份的动态多簇密钥管理模型。该模型以簇为单位进行密钥管理,每个成员节点只需存储本簇的公钥因子矩阵,极大地节省了密钥存储空间,且可抵抗同谋攻击;密钥分发过程安全高效,节点加入和退出时密钥更新开销小;不依赖可信第三方便可实现身份认证,且不需要固定基础设施的支持。基于该模型提出了一种安全数据聚合方案。列举了部分可以抵御的攻击;讨论了该方案握手过程需要消耗的能量。结果显示,在新模型下将公钥密码体制用于无线传感器网络是可行的。     

容迟网络中的路由算法研究及比较

容迟网络是一类新型的网络,根据不同的网络环境,容迟网络呈现不同的形式。在该类网络中,由于其具有较大且不定的时延以及网络拓扑结构频繁分裂的特性,使得传统的路由协议不能得到有效的利用。为此,路由问题即给出适合于容迟网络中有效的路由协议就成为容迟网络中的关键问题。本文主要针对近年来所提出的多种路由算法,进行分类剖析比较,并给出当前路由协议存在的有待研究解决的问题。     

A systematic technical survey of DTN and VDTN routing protocols

There are major challenges in establishing effective communications between nodes in Vehicular Ad Hoc Networks (VANETs). In them the systems are subject to wireless interference and disconnections, thus hindering the availability and reliability of source-destination connections. Another major problem arises when VANETs are sparse, causing excessive retransmissions and delays due to long periods without maintaing connection between pair of vehicles. In these environments traditional routing protocols proposed for VANETs suffer from the absence of end-to-end connections. From intensive studies and analysis, it was found that these problems are best overcome by using Delay Tolerant Network (DTN) routing protocols that can endure huge delays, connection disruptions and embolden applications to use a minimum number of roundtrip response confirmations. DTN routing protocols are considered to be the most suitable alternative to traditional routing protocols in VANET environments. They are designed for storing and forwarding messages through a series of forwarders to maintain network connectivity. Thus, we present a systematic technical survey and a comparative analysis of a taxonomy of DTN routing protocols, which we extended and adapted it to include a new set of VDTN (VANET/DTN) routing protocol categories with results.     

区块链数据安全服务综述

区块链是由一系列网络节点构建的一种分布式账本,本身具有不可篡改性、去中心化、去信任化、密码算法安全性和不可否认性等安全属性,对基于区块链实现的安全服务进行了综述,这些安全服务包括数据机密性、数据完整性、身份认证、数据隐私、数据可信删除.首先介绍了区块链和公钥密码学的基础知识,并围绕上述5种安全服务,给出了用户真实场景中面临的安全问题以及传统的解决方案,讨论了这些传统实现方案所面临的问题,之后介绍了使用区块链技术解决相关问题的实现方案,最后讨论了区块链的价值以及面临的问题.     

A certificateless approach to onion routing

Onion routing protocols allow users to establish anonymous channels to preserve their privacy over a public network. Several protocols implementing this primitive have been proposed in recent years, and The onion routing network (Tor), a real-life implementation, provides an onion routing service to thousands of users over the Internet. This paper presents Certificateless Onion Routing a new approach to the problem. Starting from the identity-based solution (PB-OR) of Kate et al. (ACM TISSEC 2000), we adopt the certificateless setting introduced by Al-Riyami and Paterson in 2003. Such a setting is particularly well suited in practice as it retains the good aspects of identity-based cryptography (no PKI is required) and traditional public key cryptography (there is no key escrow). Next, we present a novel certificateless key-encapsulation mechanism and we show how to turn it into a very efficient (and provably secure!) certificateless onion routing protocol. When compared with Tor and PB-OR, our protocol offers better performances, especially when current security levels (i.e., 128 bits) are considered. In particular, our scheme significantly improves the computational costs required from each router. In this sense, our solution is up to 7 times faster than PB-OR and up to 11 times faster than Tor.     

新的无证书代理盲签名方案

无证书公钥密码学既不存在传统的公钥密码系统的证书管理耗费,也不存在基于身份的密码系统中的密钥托管问题,安全且高效。研究了代理盲签名方案的构造和应用,发现现有的无证书代理盲签名方案较少,而在无证书密码系统中研究代理盲签名会更容易满足其在电子投票、电子银行等应用领域中对安全性和高效性的要求。 基于双线性对知识和离散对数困难问题,提出了一种无证书代理盲签名方案,该方案满足盲性、不可伪造性、可鉴别性、不可否认性等性质。     

On the implications of routing metric staleness in delay tolerant networks

Delay Tolerant Network (DTN) routing addresses challenges of providing end-to-end service where end-to-end data forwarding paths may not exist. The performance of current DTN routing protocols is often limited by routing metric “staleness”, i.e., routing information that becomes out-of-date or inaccurate because of long propagation delays. Our previous work, ParaNets, proposed a new opportunistic network architecture in which the data channel is augmented by a thin end-to-end control channel. The control channel is adequate for the exchange of control traffic, but not data. In this paper we present Cloud Routing, a routing solution for the ParaNets architecture. We motivate the need for such a solution, not only because of stale routing metrics, but also because of congestion that can occur in DTNs. Unable to use up-to-date routing metrics to limit congestion, existing DTN routing solutions suffer from low goodput and long data delivery delays. We show how Cloud Routing avoids congestion by smart use of forwarding opportunities based on up-to-date routing metrics. We evaluate our solution using extensive OPNET simulations. Cloud Routing extends network performance past what is currently possible and motivates a new class of globally cognizant DTN routing solutions.