自认证公钥的无线传感器网络密钥协商协议

自认证公钥密码不需要证书管理,不存在密钥托管问题,非常适用于资源受限的无线传感器网络.但现有的自认证公钥传感网密钥协商协议存在安全性低和能量消耗大的缺点.首先分析并指出Yoon等人提出的协议不能抵抗密钥泄漏伪装攻击;然后采用MTI协议族的"隐式认证"的思想,基于椭圆曲线Diffie-Hellman假设,设计了一个新的基于自认证公钥体制的认证密钥协商协议WSN-AKA.该协议是第1个可证明安全的传感器网络自认证公钥体制密钥协商协议.与现有协议相比,该协议不仅安全性更高,而且因其密钥协商只需两次消息传递,其通信效率也最高而能耗最少.     

A lightweight anonymous routing protocol without public key en/decryptions for wireless ad hoc networks

More attention should be paid to anonymous routing protocols in secure wireless ad hoc networks. However, as far as we know, only a few papers on secure routing protocols have addressed both issues of anonymity and efficiency. Most recent protocols adopted public key Infrastructure (PKI) solutions to ensure the anonymity and security of route constructing mechanisms. Since PKI solution requires huge and expensive infrastructure with complex computations and the resource constraints of small ad hoc devices; a two-layer authentication protocol with anonymous routing (TAPAR) is proposed in this paper. TAPAR does not adopt public key computations to provide secure and anonymous communications between source and destination nodes over wireless ad hoc networks. Moreover, TAPAR accomplishes mutual authentication, session key agreement, and forward secrecy among communicating nodes; along with integration of non-PKI techniques into the routing protocol allowing the source node to anonymously interact with the destination node through a number of intermediate nodes. Without adopting PKI en/decryptions, our proposed TAPAR can be efficiently implemented on small ad hoc devices while at least reducing the computational overhead of participating nodes in TAPAR by 21.75%. Our protocol is certainly favorable when compared with other related protocols.     

On the design of secure ATM networks

Asynchronous Transfer Mode (ATM) is seen to be a technology that allows flexibility, efficiency and manageable bandwidth on demand to be achieved in high-speed networks. ATM is able to support a variety of applications including voice, video, image and data with different quality of service requirements. This paper addresses the design and implementation of security services and mechanisms in ATM networks. The paper examines the various design options for the placement of security services within the ATM protocol reference model and considers their advantages and disadvantages. The option of placing the security layer between the ATM Adaptation Layer (AAL) and the ATM layer is selected and the design of security services such as confidentiality, integrity and data origin authentication services in the user plane are described. The paper then presents an authentication scheme and key establishment protocol. This protocol is integrated with the existing ATM signaling protocols as part of the call setup procedures in the control plane. Then the paper discusses a public key infrastructure for the ATM environment and considers the design of public key management protocols between ATM nodes and Certification Authority for initializing, retrieving and distributing public key certificates. Finally, the paper considers the design of access control service for ATM networks and discusses the issues involved in the provision of access control mechanisms both at the connection setup phase and during the user data transfer phase. It seems that the developed security design can be transparently integrated to secure ATM networks.     

身份签名技术在无线Mesh网络的接入应用

针对无线Mesh网络的特点和安全缺陷,提出将基于身份密码学机制应用到无线Mesh网络的思想,设计了IBS-EAP接入认证协议和IBS-RP漫游认证协议,实现快速接入,避免了多次认证;对新协议进行安全性分析和效率分析,证明了新协议的优越性。设计了IBS-EAP接入认证协议,实现了快速接入的目的,基于IBS签名技术完成双向认证,一个节点的公钥可以通过身份标识和IBS系统的公开参数直接获得,无需采用复杂的技术维护公钥证书和证书撤销列表CRL。     

具有可扩展性的无线Mesh网络接入方法

分析了无线Mesh网络的特点和安全机制,给出了无线Mesh客户端的接入过程,通过面向方面编程AOP、依赖注入DI和软插件技术实现接入系统的认证协议、密钥协商协议和物理网络适配能力的可扩展性。设计了双向身份认证协议和会话密钥协商协议,能够抵抗反射攻击并保证会话的前向保密性。     

A secure and privacy-preserving lightweight authentication protocol for wireless communications

In wireless networks, seamless roaming allows a mobile user (MU) to utilize its services through a foreign server (FS) when outside his home server (HS). However, security and efficiency of the authentication protocol as well as privacy of MUs are of great concern to achieve an efficient authentication protocol. Conventionally, authentication involves the participation of three entities (MU, HS, and FS); however, involving an HS in the authentication process incurs heavy computational burden on it due to huge amount of roaming requests. Moreover, wireless networks are often susceptible to various forms of passive and active attacks. Similarly, mobile devices have low processing, communication, and power capabilities.

In this paper, we propose an efficient, secure, and privacy-preserving lightweight authentication protocol for roaming MUs in wireless networks without engaging an HS. The proposed authentication protocol uses unlinkable pseudo-IDs and lightweight time-bound group signature to provide strong user anonymity, and a cost-effective cryptographic scheme to achieve security of the authentication protocol. Similarly, we implement a better billing system for MUs and a computationally efficient revocation scheme. Our analysis shows that the protocol has better performance than other related authentication protocols in wireless communications in terms of security, privacy, and efficiency.     

高速网络PPP协议的实现及其安全机制的研究

研究了PPP协议在高速SDH／SONET光纤网络上的实现技术,并将其应用到高速路由器的工程实践中,实现的PPP协议软件向下和底层硬件驱动程序接口处理收到的PPP报文;向上和网络层协议IP,IPX接口将IP／IPX报文送交IP／IPX协议处理,形成发送网络层报文的控制机制。还研究了PPP协议的安全问题,包括协议的加密和认证机制,确保报文转发过程中的高速和安全性。     

无线传感器网络节点间认证及密钥协商协议

无线传感器网络的特性使它面临着比传统无线网络更大的安全挑战,其安全解决方案必须兼顾安全性和系统性能等因素。节点间认证及密钥协商是构建安全网络最基本的协议,是密钥管理协议和安全路由协议等的实现基础。很明显,包括传统Adhoc在内的各种无线网络领域中的安全认证及密钥协商机制都无法适用于无线传感器网络。为此,在充分考虑无线网络攻击方法和无线传感器网络自身特点的基础上,结合基于ID的公钥密码技术,提出了椭圆曲线双线性对上的无线传感器网络节点安全认证及密钥协商协议。分析发现,该协议不仅满足安全性要求,同时,能够适合无线传感器网络的特殊应用要求。     

WMN中基于轻量级CA的双向认证和密钥协商协议

针对无线Mesh网节点间认证过程复杂,效率低的问题,提出一种新的无线Mesh网双向认证和密钥协商协议。该协议使用椭圆曲线密码算法并结合轻量级CA公钥认证机制,降低了认证过程中的计算和通信开销。采用BAN逻辑对该协议进行形式化有效性验证,并对其安全性和性能进行分析,结果表明该协议具有较高的安全性和较高的通信效率。     

Simple password-based three-party authenticated key exchange without server public keys

Password-based three-party authenticated key exchange protocols are extremely important to secure communications and are now extensively adopted in network communications. These protocols allow users to communicate securely over public networks simply by using easy-to-remember passwords. In considering authentication between a server and user, this study categorizes password-based three-party authenticated key exchange protocols into explicit server authentication and implicit server authentication. The former must achieve mutual authentication between a server and users while executing the protocol, while the latter only achieves authentication among users. This study presents two novel, simple and efficient three-party authenticated key exchange protocols. One protocol provides explicit server authentication, and the other provides implicit server authentication. The proposed protocols do not require server public keys. Additionally, both protocols have proven secure in the random oracle model. Compared with existing protocols, the proposed protocols are more efficient and provide greater security.     

对两个无线传感器网络中匿名身份认证协议的安全性分析

针对设计安全高效的无线传感器网络环境下匿名认证协议的问题,基于广泛接受的攻击者能力假设,采用基于场景的攻击技术,对新近提出的两个无线传感器网络环境下的双因子匿名身份认证协议进行了安全性分析。指出刘聪等提出的协议(刘聪,高峰修,马传贵,等.无线传感器网络中具有匿名性的用户认证协议.计算机工程,2012,38(22):99-103)无法实现所声称的抗离线口令猜测攻击,且在协议可用性方面存在根本性设计缺陷;指出闫丽丽等提出的协议(闫丽丽,张仕斌,昌燕.一种传感器网络用户认证与密钥协商协议.小型微型计算机系统,2013,34(10):2342-2344)不能抵抗用户仿冒攻击和离线口令猜测攻击,且无法实现用户不可追踪性。结果表明,这两个匿名身份认证协议都存在严重安全缺陷,不适于在实际无线传感器网络环境中应用。     

Timestamp-Based Digital Envelope for Secure Communication Using HECC

ABSTRACT

Secure communication in wireless network is necessary to access remote resources in a controlled and efficient way. For validation and authentication in e-banking and e-commerce transactions, digital signatures using public key cryptography is extensively employed. To maintain confidentiality, Digital Envelope, which is the combination of the encrypted message and signature with the encrypted symmetric key, is also used. In this paper we propose a timestamp-based authentication scheme with a modified Digital Envelope using hyperelliptic curve cryptosystem. HECC have advantages over the existing public key cryptosystems for its small key size and high security in wireless networks where resources are constrained. We have compared the performance of the proposed scheme with that of ECC and present a security analysis to show that our scheme can resist various attacks related to wireless networks.     

Multicast receiver access control by IGMP-AC

IP multicast is best-known for its bandwidth conservation and lower resource utilization. The present service model of multicast makes it difficult to restrict access to authorized End Users (EUs) or paying customers. Without an effective receiver access control, an adversary may exploit the existing IP multicast model, where a host or EU can join any multicast group by sending an Internet Group Management Protocol (IGMP) join message without prior authentication and authorization. We have developed a novel, scalable and secured access control architecture for IP multicast that deploys Authentication Authorization and Accounting (AAA) protocols to control group membership.The principal feature of the access control architecture, receiver access control, is addressed in this paper. The EU or host informs the multicast Access Router (AR) of its interest in receiving multicast traffic using the IGMP protocol. We propose the necessary extensions of IGMPv3 to carry AAA information, called IGMP with Access Control (IGMP-AC). For EU authentication, IGMP-AC encapsulates Extensible Authentication Protocol (EAP) packets. EAP is an authentication framework to provide some common functions and a negotiation of the desired authentication mechanism. Thus, IGMP-AC can support a variety of authentications by encapsulating different EAP methods. Furthermore, we have modeled the IGMP-AC protocol in PROMELA, and also verified the model using SPIN. We have illustrated the EAP encapsulation method with an example EAP method, EAP Internet Key Exchange (EAP-IKEv2). We have used AVISPA to validate the security properties of the EAP-IKEv2 method in pass-through mode, which fits within the IGMP-AC architecture. Finally, we have extended our previously developed access control architecture to accomplish inter-domain receiver access control and demonstrated the applicability of IGMP-AC in a multi-domain environment.     

无线传感器网络单播安全协议架构研究

单播安全是无线传感器网络能够正常工作的基础。SNEP协议和TinySec协议凭借其低成本高效率的加密技术和安全框架能够满足无线传感器网络的基本安全需求。通过对这两个协议的深入分析,提出了一种更加高效和安全的改进型单播安全架构:UniSec。框架中设计了一种计数器优化模式—末尾保留,降低了执行计数器再同步协议的可能性;并通过结合更加先进的加密认证一体化模式XCBCC-XOR,进一步减少了安全开销。研究结果表明,该框架可有效的改善原始协议的能效性和容错性。     

A trusted access method in software-defined network

In software-defined networks (SDN), most controllers do not have an established control function for endpoint users and access terminals to access network, which may lead to many attacks. In order to address the problem of security check on access terminals, a secure trusted access method in SDN is designed and implemented in this paper. The method includes an access architecture design and a security access authentication protocol. The access architecture combines the characteristics of the trusted access technology and SDN architecture, and enhances the access security of SDN. The security access authentication protocol specifies the specific structure and implementation of data exchange in the access process. The architecture and protocol implemented in this paper can complete the credibility judgment of the access device and user's identification. Furthermore, it provides different trusted users with different network access permissions. Experiments show that the proposed access method is more secure than the access method that is based on IP address, MAC address and user identity authentication only, thus can effectively guarantee the access security of SDN.     

Physical layer authentication for automotive cyber physical systems based on modified HB protocol

Automotive cyber physical systems (CPSs) are ever more utilizing wireless technology for V2X communication as a potential way out for challenges regarding collision detection, wire strap up troubles and collision avoidance. However, security is constrained as a result of the energy and performance limitations of modern wireless systems. Accordingly, the need for efficient secret key generation and management mechanism for secured communication among computationally weak wireless devices has motivated the introduction of new authentication protocols. Recently, there has been a great interest in physical layer based secret key generation schemes by utilizing channel reciprocity. Consequently, it is observed that the sequence generated by two communicating parties contain mismatched bits which need to be reconciled by exchanging information over a public channel. This can be an immense security threat as it may let an adversary attain and recover segments of the key in known channel conditions. We proposed Hopper-Blum based physical layer (HB-PL) authentication scheme in which an enhanced physical layer key generation method integrates the Hopper-Blum (HB) authentication protocol. The information collected from the shared channel is used as secret keys for the HB protocol and the mismatched bits are used as the induced noise for learning parity with noise (LPN) problem. The proposed scheme aims to provide a way out for bit reconciliation process without leakage of information over a public channel. Moreover, HB protocol is computationally efficient and simple which helps to reduce the number of exchange messages during the authentication process. We have performed several experiments which show that our proposed design can generate secret keys with improved security strength and high performance in comparison to the current authentication techniques. Our scheme requires less than 55 exchange messages to achieve more than 95% of correct authentication.     

Side-Channel Analysis for the Authentication Protocols of CDMA Cellular Networks

Time-division multiple access (TDMA) and code-division multiple access (CDMA) are two technologies used in digital cellular networks. The authentication protocols of TDMA networks have been proven to be vulnerable to side-channel analysis (SCA), giving rise to a series of powerful SCA-based attacks against unprotected subscriber identity module (SIM) cards. CDMA networks have two authentication protocols, cellular authentication and voice encryption (CAVE) based authentication protocol and authentication and key agreement (AKA) based authentication protocol, which are used in different phases of the networks. However, there has been no SCA attack for these two protocols so far. In this paper, in order to figure out if the authentication protocols of CDMA networks are sufficiently secure against SCA, we investigate the two existing protocols and their cryptographic algorithms. We find the side-channel weaknesses of the two protocols when they are implemented on embedded systems. Based on these weaknesses, we propose specific attack strategies to recover their authentication keys for the two protocols, respectively. We verify our strategies on an 8-bit microcontroller and a real-world SIM card, showing that the authentication keys can be fully recovered within a few minutes with a limited number of power measurements. The successful experiments demonstrate the correctness and the effectiveness of our proposed strategies and prove that the unprotected implementations of the authentication protocols of CDMA networks cannot resist SCA.     

A novel DNA based password authentication system for global roaming in resource-limited mobile environments

Mobile environments are highly vulnerable to security threats and pose a great challenge for the wireless and mobile networks being used today. Because the mode of a wireless channel is open, these networks do not carry any inherent security and hence are more prone to attacks. Therefore, designing a secure and robust protocol for authentication in a global mobile network is always a challenging. In these networks, it is crucial to provide authentication to establish a secure communication between the Mobile User (MU), Foreign Agent (FA) and Home Agent (HA). In order to secure communication among these entities, a number of authentication protocols have been proposed. The main security flaw of the existing authentication protocols is that attackers have the ability to impersonate a legal user at any time. Moreover, the existing authentication protocols in the literature are exposed to various kind of cryptographic attacks. Besides, the authentication protocols require larger key length and more computation overhead. To remedy these weaknesses in mobility networks, DNA (Deoxyribo Nucleic Acid) based authentication scheme using Hyper Elliptic Curve Cryptosystem (HECC) is introduced. It offers greater security and allows an MU, FA and HA to establish a secure communication channel, in order to exchange the sensitive information over the radio link. The proposed system derive benefit from HECC, which is smaller in terms of key size, more computational efficiency. In addition, the security strength of this authentication system is validated through widely accepted security verification tool called ProVerif. Further, the performance analysis shows that the DNA based authentication system using HECC is secure and practically implementable in the resource-constrained mobility nodes.

     

PEACE: A Novel Privacy-Enhanced Yet Accountable Security Framework for Metropolitan Wireless Mesh Networks

Recently, multihop wireless mesh networks (WMNs) have attracted increasing attention and deployment as a low-cost approach to provide broadband Internet access at metropolitan scale. Security and privacy issues are of most concern in pushing the success of WMNs for their wide deployment and for supporting service-oriented applications. Despite the necessity, limited security research has been conducted toward privacy preservation in WMNs. This motivates us to develop PEACE, a novel Privacy-Enhanced yet Accountable seCurity framEwork, tailored for WMNs. On one hand, PEACE enforces strict user access control to cope with both free riders and malicious users. On the other hand, PEACE offers sophisticated user privacy protection against both adversaries and various other network entities. PEACE is presented as a suite of authentication and key agreement protocols built upon our proposed short group signature variation. Our analysis shows that PEACE is resilient to a number of security and privacy related attacks. Additional techniques were also discussed to further enhance scheme efficiency.     

An efficient user authentication and key exchange protocol for mobile client–server environment

Considering the low-power computing capability of mobile devices, the security scheme design is a nontrivial challenge. The identity (ID)-based public-key system with bilinear pairings defined on elliptic curves offers a flexible approach to achieve simplifying the certificate management. In the past, many user authentication schemes with bilinear pairings have been proposed. In 2009, Goriparthi et al. also proposed a new user authentication scheme for mobile client–server environment. However, these schemes do not provide mutual authentication and key exchange between the client and the server that are necessary for mobile wireless networks. In this paper, we present a new user authentication and key exchange protocol using bilinear pairings for mobile client–server environment. As compared with the recently proposed pairing-based user authentication schemes, our protocol provides both mutual authentication and key exchange. Performance analysis is made to show that our presented protocol is well suited for mobile client–server environment. Security analysis is given to demonstrate that our proposed protocol is provably secure against previous attacks.