可防范词典攻击的密钥分发协议

在密钥分发协议中,一般都通过在参与协议的实体之间共享秘密来提供认证服务。因为用户倾向于选择容易记忆的口令,而这种弱口令容易遭受词典攻击,因此由用户选择的口令不应是共享秘密。在许多协议中,人们使用不同的方法来解决这个问题。提出了一个基于单向函数实现的密钥分发协议。安全分析表明,该协议可以防范词典攻击。     

Comparing passwords, tokens, and biometrics for user authentication

For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics-which we collectively call authenticators-and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.     

Trapdoor Hard-to-Invert Group Isomorphisms and Their Application to Password-Based Authentication

In the security chain the weakest link is definitely the human one: human beings cannot remember long secrets and often resort to rather insecure solutions to keep track of their passwords or pass-phrases. For this reason it is very desirable to have protocols that do not require long passwords to guarantee security, even in the case in which exhaustive search is feasible. This is actually the goal of password-based key exchange protocols, secure against off-line dictionary attacks: two people share a password (possibly a very small one, say a 4-digit number), and after the protocol execution, they end up sharing a large secret session key (known to both of them, but nobody else). Then an adversary attacking the system should try several connections (on average 5000 for the above short password) in order to be able to get the correct password. Such a large number of erroneous connections can be prevented by various means. Our results can be highlighted as follows. First we define a new primitive that we call trapdoor hard-to-invert group isomorphisms, and give some candidates. Then we present a generic password-based key exchange construction that admits a security proof assuming that these objects exist. Finally, we instantiate our general scheme with some concrete examples, such as the Diffie-Hellman function and the RSA function, but more interestingly the modular square-root function, which leads to the first scheme with security related to the integer factorization problem. Furthermore, the latter variant is very efficient for one party (the server). Our results hold in the random-oracle model.     

一种基于智能卡的有效远程双向鉴别方案

提出了一种基于智能卡的有效远程双向身份鉴别方案。用户可自由地选择和改变登录口令,无需维护口令目录表或验证表。此外,该方案不仅能够提供通信双方的相互鉴别,而且引入质询随机数代替时间戳,既可保证每次身份鉴别信息的随机性,有效防止重放攻击,又避免了复杂的时间同步问题,极大地增强了应用系统的安全性和实用性。     

PUFPass: A password management mechanism based on software/hardware codesign

Secure passwords need high entropy, but are difficult for users to remember. Password managers minimize the memory burden by storing site passwords locally or generating secure site passwords from a master password through hashing or key stretching. Unfortunately, they are threatened by the single point of failure introduced by the master password which is vulnerable to various attacks such as offline attack and shoulder surfing attack. To handle these issues, this paper proposes the PUFPass, a secure password management mechanism based on software/hardware codesign. By introducing the hardware primitive, Physical Unclonable Function (PUF), into PUFPass, the random physical disorder is exploited to strengthen site passwords. An illustration of PUFPass in the Android operating system is given. PUFPass is evaluated from aspects of both security and preliminary usability. The security of the passwords is evaluated using a compound heuristic algorithm based PUF attack software and an open source password cracking software, respectively. Finally, PUFPass is compared with other password management mechanisms using the Usability-Deployability-Security (UDS) framework. The results show that PUFPass has great advantages in security while maintaining most benefits in usability.     

Session-Key Generation Using Human Passwords Only

We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password, and there is no additional set-up assumption in the network. Our protocol is proven secure under the assumption that enhanced trapdoor permutations exist. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert, and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable with an attack in which an adversary is only allowed to make a constant number of queries of the form "is w the password of Party A." We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not known whether or not such protocols were attainable without the use of random oracles or additional set-up assumptions.     

对基于TCP/IP协议的网络攻击的分析

首先对网络攻击的种类和所分析协议的形式进行了阐述,接着主要分析了在不需要多少攻击资源的情况下攻击者所进行的基于ICMP、TCP协议上的网络攻击,最后提醒人们要有网络安全意识。     

移动自组网中基于声誉机制的安全路由协议设计与分析

移动自组网是一种有特殊用途的对等式网络,具有无中心、自组织、可快速展开、可移动等特点,这些特点使得它在战场、救灾等特殊场合的应用日渐受到人们的重视.由于在移动自组网络中每节点既是主机又是路由器,所以容易遭受基于路由信息的攻击,而现今的路由协议基本没有考虑到该问题.本文在分析移动自组网络安全特性的基础上,综述了该方面的研究工作,建立了基于声誉机制评价体系,并给出了具体的评价方法和计算模型.在此基础上,提出了基于声誉机制的安全路由协议S-DSR.仿真结果表明在存在攻击节点的情况下S-DSR协议比DSR协议具有更好的包传输率、包丢失率等属性.     

A neural network system for authenticating remote users in multi‐server architecture

Authenticating the legitimacy of a remote user is an important issue in modern computer systems. In this paper, a neural network system for authenticating remote users is presented. The benefits of the proposed scheme include that (1) it is suitable for multi‐server environment; (2) it does not maintain a verification table; (3) users can freely choose their password; and (4) it can withstand replay attack, off‐line password guessing attack, and privileged insider attacks. Furthermore, some drawbacks, such as the users who choose the same passwords will have the same identities and unavailability for evicting a user from the system, will also be eliminated. Copyright © 2007 John Wiley & Sons, Ltd.     

End-to-End Security Protocol for Mobile Communications with End-User Identification/Authentication

As great progress has been made in mobile communications, many related researches on this topic have been proposed. In most of the proposed protocols so far, it has been assumed that the person using the mobile station is the registrar of the SIM card; as a matter of, the previous protocols for authentication and session key distribution are built upon this assumption. This way, the mobile user can only verify the identity of the owner of the SIM card. This means that the mobile user can only know that who registers the SIM card with which he communicates. Note that the human voice can be forged. To make sure that the speaker at the other end is the right owner of the SIM card, concept of the password is involved to construct the end-to-end security authentication protocol. In the proposed protocol, each mobile user can choose a password. When two mobile users want to communicate with each other, either user can request to perform a end-user identification process. Only when both of the end users input the correct passwords can the correct common session key be established.     

Secure routing in wireless sensor networks: attacks and countermeasures

We consider routing security in wireless sensor networks. Many sensor network routing protocols have been proposed, but none of them have been designed with security as a goal. We propose security goals for routing in sensor networks, show how attacks against ad-hoc and peer-to-peer networks can be adapted into powerful attacks against sensor networks, introduce two classes of novel attacks against sensor networks––sinkholes and HELLO floods, and analyze the security of all the major sensor network routing protocols. We describe crippling attacks against all of them and suggest countermeasures and design considerations. This is the first such analysis of secure routing in sensor networks.     

基于生物特征和混沌映射的多服务器身份认证方案

基于密码的用户远程认证系统已被广泛应用,近年来的研究发现,单一口令系统容易遭受字典分析、暴力破解等攻击,安全性不高.生物特征与密码相结合的认证方式逐渐加入远程认证系统中,以提高认证系统的安全水平.但现有认证系统通常工作在单一服务器环境中,扩展到多服务器环境中时会遇到生物特征模板和密码容易被单点突破、交叉破解的问题.为了克服以上问题,提出了一种基于生物特征和混沌映射的多服务器密钥认证方案,该方案基于智能卡、密码和生物特征,可明显提高多服务器身份认证系统的安全性及抗密码猜解的能力.     

ELAKA: Energy-Efficient and Lightweight Multi-Server Authentication and Key Agreement Protocol Based on Dynamic Biometrics

Authentication and key agreement (AKA) provides flexible and convenient sercices. Most traditional AKA protocols are designed to apply in single-server environment, where a user has to register at different servers to access different types of network services and the user have to remember or manage a large number of usernames and passwords. Later, multi-server AKA protocols resolve the repeated registration problem of single-server AKA protocols, where a user can access different servers to get different services using a single registration and the same username and password. Recently, in 2015, Lu et al proposed a light-weight ID based authentication and key agreement protocol for multi-server architecture, referred to as LAKA protocol. They claimed their protocol can overcome all shortcomings which existed in Xue et al’s protocol. Unfortunately, our further research shows that LAKA protocol still suffers from server spoofing attack, stolen smart card attack etc. To overcome the weakness of LAKA protocol, an energy-efficient and lightweight authentication and key agreement protocol for multi-server architecture is proposed (abbreviated to ELAKA). The ELAKA protocol not only provides the security features declared by LAKA protocol, but also has some other advantages. First, the ELAKA protocol can realize authentication and key agreement just by three handshakes with extremely low communication cost and computation cost between users and servers, which can achieve a delicate balance of security and performance. Second, ELAKA protocol can enable the user enjoy the remote services with privacy protection. Finally the ELAKA protocol is proved secure against known possible attacks by using BAN logic. As a result, these features make ELAKA protocol is very suitable for computation-limited mobile devices (such as smartphone, PAD, tablets) in comparison to other related existing protocols.     

一种基于指纹的远程双向身份鉴别方案

文中分析了Khan等人提出的基于指纹和智能卡的远程双向身份鉴别方案,指出原方案不能抵抗伪造服务攻击、不能及时验证用户输入口令的正确性。提出了基于Rabin密码体制和nonce的改进方案,改进方案克服了原方案中存在的安全漏洞,保留了原方案中对指纹和智能卡的使用,且具有更高的安全性。     

A survey of routing attacks in mobile ad hoc networks

Recently, mobile ad hoc networks became a hot research topic among researchers due to their flexibility and independence of network infrastructures, such as base stations. Due to unique characteristics, such as dynamic network topology, limited bandwidth, and limited battery power, routing in a MANET is a particularly challenging task compared to a conventional network. Early work in MANET research has mainly focused on developing an efficient routing mechanism in such a highly dynamic and resource-constrained network. At present, several efficient routing protocols have been proposed for MANET. Most of these protocols assume a trusted and cooperative environment. However, in the presence of malicious nodes, the networks are vulnerable to various kinds of attacks. In MANET, routing attacks are particularly serious. In this article, we investigate the state-of-the-art of security issues in MANET. In particular, we examine routing attacks, such as link spoofing and colluding misrelay attacks, as well as countermeasures against such attacks in existing MANET protocols.     

IP通信网络安全攻击与防范

随着移动通信和互联网络的融合、演进,IP通信网络发展日益迅速,网络安全问题日趋复杂。详细分析了IP通信网络存在的典型安全攻击方式及表现形式,如各种形式的拒绝服务攻击,并对RIP、OSPF、ISIS三大路由协议的攻击进行了分析,最后给出了网络安全管理的防范措施建议和组网安全保障措施。     

A Smart Card Based Efficient and Secured Multi-Server Authentication Scheme

Increasing popularity of the multi-server architecture has propelled the research on the multi-server authentication schemes. Current dominating authentication schemes are smartcard based, verification table free schemes with passwords. Although these schemes have developed to be robust against most of the popular malicious attacks, they still have security weaknesses and their efficiency is generally low. In this paper, we analyze and formulate security issues in previously proposed schemes. And based on the formulation, an enhanced efficient and secure scheme is proposed. In the proposal, a novel “redundant key protection” is proposed to utilize. The proposed scheme is validated and verified by Colored Petri Nets.     

Security analysis of the IEEE 802.15.6 standard

A wireless body area network (WBAN) consists of low‐power devices that are capable of sensing, processing, and wireless communication. WBANs can be used in many applications such as military, ubiquitous health care, entertainment, and sport. The IEEE Std 802.15.6‐2012 is the latest international standard for WBAN. In this paper, we scrutinize the security structure of the IEEE 802.15.6‐2012 standard and perform a security analysis on the cryptographic protocols in the standard. We show that some protocols have subtle security problems and are vulnerable to different attacks. Such vulnerabilities neutralize the security provisions in the standard specifically for medical applications that deal with sensitive information and security problems can be life‐threatening. Copyright © 2016 John Wiley & Sons, Ltd.     

Secure multicast routing protocols in mobile ad‐hoc networks

A mobile ad‐hoc network (MANET) is a collection of autonomous nodes that communicate with each other by forming a multi‐hop radio network. Routing protocols in MANETs define how routes between source and destination nodes are established and maintained. Multicast routing provides a bandwidth‐efficient means for supporting group‐oriented applications. The increasing demand for such applications coupled with the inherent characteristics of MANETs (e.g., lack of infrastructure and node mobility) have made secure multicast routing a crucial yet challenging issue. Recently, several multicast routing protocols (MRP) have been proposed in MANETs. Depending on whether security is built‐in or added, MRP can be classified into two types: secure and security‐enhanced routing protocols, respectively. This paper presents a survey on secure and security‐enhanced MRP along with their security techniques and the types of attacks they can confront. A detailed comparison for the capability of the various routing protocols against some known attacks is also presented and analyzed. Copyright © 2013 John Wiley & Sons, Ltd.