Similar literature
Found 20 similar documents; search took 46 ms
1.
Instead of the traditional credit card payment system, we propose a new electronic payment system for use in a mobile environment. The idea behind this payment service is that a user (customer) applies a message delivery service to obtain a varied authentication token from a servicing bank through his cell phone. The token is used to ensure the validity of the transaction and the legality of the user. On the other hand, because only the user knows the authentication token, he/she cannot later deny that he/she made the transaction. Therefore, in addition to authentication, the property of non-repudiation can also be achieved by using our proposed scheme. Most importantly, our scheme does not require any credit card or tamper-resistant device (i.e. smart card) to store critical information. Consequently, the electronic payment system enhances the security of the traditional credit card payment system. The proposed scheme eliminates the risks of losing a card and duplicating the content of a user’s card by a dishonest merchant.

2.
The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.

3.
Recently, mobile phones have been recognized as the most convenient type of mobile payment device. However, they have some security problems; therefore, mobile devices cannot be used for unauthorized transactions using anonymous data by unauthenticated users in a cloud environment. This paper suggests a mobile payment system that uses a certificate mode in which a user receives a paperless receipt of a product purchase in a cloud environment. To address mobile payment system security, we propose the transaction certificate mode (TCM), which supports mutual authentication and key management for transaction parties. TCM provides a software token, the transaction certificate token (TCT), which interacts with a cloud self‐proxy server (CSPS). The CSPS shares key management with the TCT and provides simple data authentication without complex encryption. The proposed self‐creating protocol supports TCM, which can interactively communicate with the transaction parties without accessing a user's personal information. Therefore, the system can support verification for anonymous data and transaction parties and provides user‐based mobile payments with a paperless receipt.

4.
Aiming at the problem of prolongation and instability of satellite and terrestrial physical communication links in the space-earth integration network, a two-way token based roaming authentication scheme was proposed. The scheme used the characteristics of the computing capability of the satellite nodes in the network to advance the user authentication process from the network control center (NCC) to the access satellite. The satellite directly verified the token issued by the NCC to verify the user's identity. At the same time, the token mechanism based on the one-way accumulator achieved the user's dynamic join, lightweight user self-service customization and billing, and the introduction of Bloom Filter enabled effective user revocation and malicious access management. Compared with the existing scheme, the scheme can guarantee the security of roaming authentication and significantly reduce the calculation and communication overhead of the authentication and key negotiation process.

5.
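Zheng Guide, Chen Ming. Modern Electronics Technique (《现代电子技术》), 2012, 35(17): 89-91, 95
This paper studies a mechanism that integrates password authentication, token authentication, and biometric authentication. Its novelty lies in using protocol messages to recover the user's credentials and then using conventional authentication techniques to verify them, thereby providing an integrated identity authentication mechanism that separates the application system from its user authentication technology. The mechanism is easy to standardize and deploy, and can provide better security assurance for multi-tenant cloud environments.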

6.
Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naïve username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device—such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.

7.
Mobile cloud computing environments have overcome the performance limitation of mobile devices and provide use environments not restricted by places. However, user information protection mechanisms are required because of both the security vulnerability of mobile devices and the security vulnerability of cloud computing. In this paper, a multifactor mobile device authentication system is proposed to provide safety, efficiency, and user convenience for mobile device use in cloud service architectures. This system improves security by reinforcing the user authentication required before using cloud computing services. Furthermore, to reinforce user convenience, the proposed system increases the strength of authentication keys by establishing multiple factors for authentication. For efficient entries in mobile device use environments, this system combines mobile device identification number entries, basic ID/password type authentication methods, and the authentication of diverse user bio‐information. This system also enhances authentication efficiency by processing the authentication factors of a user's authentication attempt in a lump instead of one by one in the cloud computing service environment. These authentication factors can be continuously added, and this authentication system provides authentication efficiency even when authentication factors are added. The main contribution is to improve the security level through authentication of mobile devices with multiple factors simultaneously and to use the mobile cloud service architecture for efficient processing with respect to execution time. Copyright © 2013 John Wiley & Sons, Ltd.

8.
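Liu Licai, Li Ruiguang, Yin Lihua, Guo Yunchuan, Xiang Fei. Acta Electronica Sinica (《电子学报》), 2016, 44(11): 2713-2719
Implicit authentication mechanisms play an important and distinctive role in resolving the conflict between security and usability on mobile smart devices. However, existing work usually performs implicit authentication based on a single feature or action and suits only specific actions, scenarios, and ranges. To address this problem, this paper exploits the location, environment, state, biometric, and behavioral features present when a user operates a device, and proposes an implicit authentication scheme based on multi-feature fusion. The scheme collects data from the device's built-in sensors together with biometric and behavioral data, trains and extracts features with a support vector machine, designs a multi-feature fusion model and builds an implicit authentication framework, computes the trust level of the user's identity, designs differentiated security policies, and authenticates the user continuously and transparently. Experiments verify the effectiveness of the scheme and show that it balances security against usability and resource consumption.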

9.
Group authentication usually checks whether an individual user belongs to a pre-defined group each time but cannot authenticate all users at once without public key system. The paper proposes a Randomized component-based asynchronous (t, m, n) group authentication ((t, m, n)-RCAGA) scheme. In the scheme, each user employs the share of (t, n)-threshold secret sharing as the token, constructs a Randomized component (RC) with the share and verifies whether all users belong to a pre-defined group at once without requiring all users to release randomized components simultaneously. The proposed scheme is simple and flexible because each group member just uses a single share as the token and the scheme does not depend on any public key system. Analyses show the proposed scheme can resist up to t-1 group members conspiring to forge a token, and an adversary is unable to forge a valid token or derive a token from a RC.

10.
User authentication is a prominent security requirement in wireless sensor networks (WSNs) for accessing the real‐time data from the sensors directly by a legitimate user (external party). Several user authentication schemes are proposed in the literature. However, most of them are either vulnerable to different known attacks or they are inefficient. Recently, Althobaiti et al. presented a biometric‐based user authentication scheme for WSNs. Although their scheme is efficient in computation, in this paper, we first show that their scheme has several security pitfalls such as (i) it is not resilient against node capture attack; (ii) it is insecure against impersonation attack; and (iii) it is insecure against man‐in‐the‐middle attack. We then aim to propose a novel biometric‐based user authentication scheme suitable for WSNs in order to withstand the security pitfalls found in Althobaiti et al.'s scheme. We show through the rigorous security analysis that our scheme is secure and satisfies the desirable security requirements. Furthermore, the simulation results for the formal security verification using the most widely used and accepted Automated Validation of Internet Security Protocols and Applications tool indicate that our scheme is secure. Our scheme is also efficient compared with existing related schemes. Copyright © 2015 John Wiley & Sons, Ltd.

11.
The newly emerging broadband wireless network (BWN) technologies with high‐speed wireless internet access encourage corporations to provide their roaming employees with high‐speed wireless access to the computing resources on their corporate networks. Thus, a value added service to broadband wireless network is the remote access virtual private network (VPN), where the corporate legitimate users can connect to their offices wirelessly from different locations and get secure services as if they were connected to the corporate local area network (LAN). One of the most important challenges is to block out illegitimate user requests, which are wirelessly received, to protect corporate privacy. Registration (adding new users) and authentication (accepting current users) functions should be implemented with highly secured wireless connection. These functions are accomplished by encapsulating (i.e. tunneling) the user information in a secured form to the corporate authentication server through the internet traffic. The corporate authentication server then grants or denies the user access. In this paper, we propose a new operational design algorithm for remote access wireless VPN authentication and registration protocols that depends on modifying tunnel establishment as compared to existing dial‐in VPN mechanisms. The modifications proposed in this paper are made to support successful deployment of the remote access VPN services over high‐speed wireless network. The paper presents an overview of two tunneling approaches using Layer 3 and Layer 2 separately for implementing these functions. Then we propose how we establish the tunnel in both approaches, and compare it to similar operation steps previously reported for the dial‐in VPN protocols. The proposed algorithms are distinguished from previously developed dial‐in VPN protocols by using L2TP and IPSEC instead of mobile IP. It is also shown that the steps involved in the establishment of the tunnel are functionally different and more appropriate to our applications using communication environment of the BWN. Finally, a qualitative analysis of the added functions, and a comparison between L2TP‐based and IPSec‐based approaches are established. Copyright © 2004 John Wiley & Sons, Ltd.

12.
In pervasive computing environments (PCEs), privacy and security are two important but contradictory objectives. Users enjoy services provided in PCEs only after their privacy issues have been sufficiently addressed. That is, users must not be trackable wherever they are and whatever they are doing. However, service providers always want to authenticate the users and make sure they are accessing only authorized services in a legitimate way. In PCEs, such user authentication may include context authentication in addition to the entity authentication. In this paper, we propose a novel privacy enhanced anonymous authentication and access control scheme to secure the interactions between mobile users and services in PCEs with optional context authentication capability. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication and allows multiple current sessions between a user and a service, while allowing the user to anonymously interact with the service. The proposed scheme is also designed to be DoS resilient by requiring the user to prove her legitimacy when initializing a service session.
Wenjing Lou

13.
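A fingerprint-based identity authentication protocol   Total citations: 5, self-citations: 0, citations by others: 5
This paper proposes a fingerprint-based identity authentication protocol that is secure against stolen-verifier attacks (in which an attacker uses user fingerprint information stolen from the authentication server to impersonate a legitimate user) and replay attacks [1], ensuring the confidentiality and authenticity of users' fingerprint information. The greatest benefit to authenticated users is that they need nothing other than their fingerprint when logging in to the service system.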

14.
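This paper presents the design of a power-on authentication system for all-in-one smart TVs, comprising three modules: a terminal activation module, a terminal login module, and an automatic user login module. In the design of the terminal activation and terminal login modules, the MD5 algorithm is used to compute the terminal token that the terminal login module and the user login module need to access the network server, and the authentication information is then obtained. Database technology is used to store this authentication information in the corresponding database, and API methods for obtaining it are provided to store products in the form of a jar package built on that database. System tests show that the design achieves authenticated information exchange between the smart TV terminal and the network server, with correct data and reliable real-time behavior. The API methods provided to third-party store products are also correct and feasible, with good test results.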

15.
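Today, wireless sensor networks are a new and promising solution for next-generation real-time wireless monitoring applications. A sensor network deployed without proper security consideration beforehand can become a threat: any security hole may open the door to attackers and endanger the application. User authentication is therefore one of the core requirements for preventing unauthorized users from accessing wireless sensor network data. In this regard, an efficient two-factor authentication scheme for wireless sensor networks is proposed, based on a password and a smart card (two factors). The scheme provides mutual authentication and lets users choose and frequently change their passwords. Moreover, at a reasonable computational cost, it provides strong protection against different types of attacks.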

16.
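This paper studies the authentication mechanisms of wireless LANs and describes the message encapsulation format of the EAP/RADIUS protocols in the IEEE 802.1x standard. To address the shortcomings of the port-based access control protocol, it proposes a new authentication and key distribution scheme for WLANs and designs the detailed protocol flow. The protocol is based on the EAP/RADIUS authentication framework and uses a service token to combine authentication and authorization; key distribution is performed at the same time as the authorization check, which improves the WLAN access control mechanism.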

17.
As mobile networks spring up, mobile devices have become a must-have gadget in our daily life. People can easily access Internet application services anytime and anywhere via hand-carried mobile devices. Most modern mobile devices are equipped with a GPS module, which can help get the real-time location of the mobile device. In this paper, we propose a novel authentication scheme which exploits volatile passwords—One-Time Passwords (OTPs) based on the time and location information of the mobile device to transparently and securely authenticate users while accessing Internet services, such as online banking services and e-commerce transactions. Compared to a permanent password-based scheme, an OTP-based one can prevent users from being eavesdropped. In addition to a memoryless feature, the scheme restricts the validity of the OTP password not only to a certain time period but also to a tolerant geometric region to increase the security protection. However, if a legitimate user is not in the anticipated tolerant region, the user may fail to be authenticated. Hence, a Short Message Service based mutual authentication mechanism is also proposed in the article to supplement the unexpected misjudgement. The proposed method, with its volatile time/location-based password, offers more secure and more convenient user authentication.

18.

With the expansion of smart device users, the security mechanism of these devices in terms of user authentication has been advanced a lot. These mechanisms consist of a pattern based authentication, biometric based authentication, etc. For security purpose whenever a user fails to authenticate themselves, these devices get locked. But as these devices consist of numerous applications (document creator, pdf viewer, e-banking, Social networking app, etc.), locking of the whole devices prevents the user from using any of the applications. Since the variety of applications provided by the devices have different security needs, we feel it is better to have application level security rather than device level. Here, in this paper, we have proposed a behavioral biometric based user authentication mechanism for application level security. First, we have performed a risk assessment of different applications. Then for complete protection, static multi-modal (keystroke and mouse dynamics) authentication at the start of an interactive session, and a continuous keystroke authentication during this session is performed. An analysis of the proposed authentication mechanism has been conducted on the basis of false acceptance rate (FAR), false rejection rate (FRR) and equal error rate (EER). The static multi-modal authentication achieved a FAR of 0.89%, FRR of 1.2% and EER of 1.04% using J48 classification algorithm. Whereas the continuous keystroke authentication has been analyzed by the time (no. of keystrokes pressed) taken to capture an intruder.


19.
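Fan Mingjun, Li Ning, Zhao Lejun, Ye Fan. Microelectronics (《微电子学》), 2007, 37(2): 185-188
This paper proposes an IP core protection method based on a mutual authentication system using 3DES encryption/decryption, intended mainly to protect IP core circuits designed for SRAM-process FPGAs. In a configured FPGA, an internal protection circuit attached outside the IP core and an external verification device authenticate each other by mutual communication to confirm the legitimacy of the user, which effectively prevents illicit theft while the IP core information is being configured into the FPGA. The principle, structure, and implementation of this new IP core protection method are described in detail, and a simplified mutual authentication system based on the technique is designed.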

20.
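This paper analyzes the characteristics of security authentication in softswitch networks and the related protocols and, drawing on engineering practice, proposes a security authentication mechanism for softswitch networks based on the Media Gateway Controller (MGC). It describes the basic principle of the mechanism, the protocols used, and the authentication message flow, and implements security authentication functions for the softswitch system such as device registration, dynamic access identification, and authorized user access.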
