Similar literature
Found 20 similar documents; search took 140 ms
1.
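Combined Public Key Technology Based on Elliptic Curve Cryptosystems   Total citations: 10 (self-citations: 0, citations by others: 10)
A combined public key technique based on elliptic curve cryptosystems is proposed. The technique arranges a certain number of private key factors and public key factors into a private key factor matrix and a public key factor matrix, and computes the user's public key and private key, respectively, by means of a mapping algorithm and the combination factor matrices, in an attempt to solve the problem of large-scale key management in large private networks.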

2.
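Certificateless cryptosystems need no certificates to manage public keys and, at the same time, do not have the key escrow property of identity-based cryptosystems. This paper describes a certificateless encryption algorithm constructed from the SM2 encryption algorithm and proves, in the random oracle and algebraic group models, that its security reduces to the Gap-Diffie-Hellman complexity assumption. The constructed algorithm therefore has provable security and can be deployed quickly on top of existing SM2 algorithm components, among other advantages. A cryptosystem that uses this algorithm has simple key management and an efficient algorithm implementation, and is well suited to application scenarios such as the Internet of Things that need lightweight public-key algorithms.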

3.
Certificateless cryptography eliminates the need of certificates in the Public Key Infrastructure and solves the inherent key escrow problem in the identity-based cryptography. Recently, Huang et al. proposed two certificateless signature schemes from pairings. They claimed that their first short certificateless signature scheme is provably secure against a normal type I adversary and a super type II adversary. In this paper, we show that their short certificateless signature scheme is broken by a type I adversary who can replace users’ public keys and access the signing oracle under the replaced public keys.

4.
5.
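Design and Implementation of a Campus Network PKI   Total citations: 11 (self-citations: 0, citations by others: 11)
Most security applications now use public-key cryptographic algorithms, and these algorithms need a public key infrastructure (PKI) to support the distribution of public keys. This paper presents the design and implementation of a PKI model suited to campus networks, with a single CA, multiple RAs and cross-certification. To study the management process for public-key certificates, the certificate life cycle is introduced, and the problems of cross-certification and certificate revocation lists in campus network public key management are discussed.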

6.
While public key cryptography is continuously evolving and its installed base is growing significantly, recent research works examine its potential use in e-learning or m-learning environments. Public key infrastructure (PKI) and attribute certificates (ACs) can provide the appropriate framework to effectively support authentication and authorization services, offering mutual trust to both learners and service providers. Considering PKI requirements for online distance learning networks, this paper discusses the potential application of ACs in a proposed trust model. Typical e-learning trust interactions between e-learners and providers are presented, demonstrating that robust security mechanisms and effective trust control can be obtained and implemented. The application of ACs to support m-learning is also presented and evaluated through an experimental test-bed setup, using the general packet radio service network. The results showed that AC issuing is attainable in service times while it can simultaneously deliver flexible and scalable solutions to both learners and e-learning providers.

7.
Certificateless multi-proxy signature   Total citations: 3 (self-citations: 0, citations by others: 3)
Multi-proxy signature is a scheme that an original signer authorizes a proxy group as his proxy agent and later only the cooperation of all proxy signers in the proxy group could sign messages on behalf of the original signer. To our best knowledge, most of the existing multi-proxy signature schemes are proposed in public key infrastructure or identity-based setting. However, due to avoiding the inherent escrow problem of identity-based cryptography and yet not requiring certificates to guarantee the authenticity of public keys, certificateless public key cryptography has become an attractive paradigm on which many cryptographical primitives are based. In this paper, a generic construction and a formal security model of certificateless multi-proxy signature (CLMPS) are firstly defined. A concrete CLMPS scheme is also proposed, which is proven to be existentially unforgeable against adaptively chosen warrant attacks and chosen message and identity attacks in the random oracle model under the computational Diffie-Hellman assumption.

8.
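Objective: Existing security protection techniques for raster maps are mainly image encryption based on chaos theory, digital image scrambling, and image information hiding. These techniques are not suited to applications that require loss tolerance, simple decryption, interchangeable ordering of share images, or access control. Image sharing techniques can be applied in such settings; among them, image sharing based on visual cryptography needs only simple computation to recover the secret image, so that the information in the recovered image can be obtained using just the human visual system or a simple computing device. However, the color visual cryptography schemes used for sharing color raster maps suffer from problems such as large pixel expansion and restrictions on the colors of the secret image. To solve this problem, a definition of a probabilistic color visual cryptography scheme based on the XOR operation is given, and a probabilistic (k,n) color visual cryptography scheme is constructed. Methods: Before the scheme is designed, definitions are given for the RGB color set, the XOR operation on color pixels, the XOR operation on shares, and the XOR-based probabilistic (k,n) color visual cryptography scheme. The definition of the XOR-based probabilistic (k,n) color visual cryptography scheme comprises three parts: a contrast condition, a security condition and an anti-crosstalk condition. Following the definition, a detailed construction of the probabilistic (k,n)-CVCS (color visual cryptography scheme) is given. The construction takes a (k,k) color visual cryptography scheme as its basis and, by designing an extension transform operator f, expands the k shares randomly and with equal probability to n shares, yielding a (k,n) sharing algorithm for color raster maps and solving the problems of large pixel expansion and poor visual quality of the recovered image in color raster map sharing algorithms. The validity of the scheme is then proved theoretically with respect to the contrast, security and anti-crosstalk conditions of the definition. Results: To verify the scheme, a (3,4) scheme constructed with the proposed algorithm is used to share a specific raster map. XORing 3 randomly chosen shares yields the original raster map, whereas XORing any single share or any two shares yields only a disordered noise image from which no information about the original raster map can be obtained. Other color visual cryptography schemes are also used to share the same raster map; the experimental results show that the proposed scheme has no pixel expansion and gives better visual quality, and the computed peak signal-to-noise ratio of the recovered image is also better than that of the other related schemes. Conclusion: The proposed scheme has no pixel expansion, reduces system overhead while improving the visual quality of the raster map, and does not require halftoning of the raster map.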

9.
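Identity-based cryptosystems simplify the management of public-key certificates. Identity-based digital signatures have become a research hotspot in public-key encryption, and security is an important factor in constructing an identity-based digital signature scheme. This paper introduces identity-based digital signature techniques and presents a scheme model and a security model. Using this model, secure and efficient identity-based digital signature schemes can be constructed.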

10.
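Public-key cryptography is one of the important technologies for network security and information security, but traditional public-key algorithms are slow. To overcome this drawback, several fast public-key algorithms have been proposed. This paper analyzes the security of one of these fast public-key algorithms and points out that decryption under it does not require integer factorization: using the continued fraction algorithm, an equivalent key of the scheme can be found in polynomial time, and this equivalent key can decrypt any ciphertext. The public-key algorithm is therefore insecure. A new continued-fraction attack algorithm is thus proposed, and experimental results demonstrate its effectiveness.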

11.
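To address the security weaknesses in the current GSM network authentication and key agreement process, an offline mutual authentication for GSM based on elliptic curve combined public key technology is proposed. It introduces asymmetric-key encryption without needing a trusted third-party CA, and can effectively solve problems such as key generation, distribution, and storage management and the difficulty of certificate verification in large-scale network environments. Experimental analysis shows that the scheme not only achieves mutual authentication for GSM but also, compared with other schemes, saves network bandwidth, lowers storage requirements, and refreshes the encryption key on every authentication.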

12.
Abstract

In the following article, a proprietary method of anonymisation of identifiable statistical data using context-free probabilistic grammar is proposed. The advantage of this method is that it is simple and thanks to this, the identifier is easy to retrieve after masking the identifiable data, e.g. when it is necessary to modify or update the micro-data. This can be done using public-key cryptography, i.e. encrypting some probabilistic context-free grammar with this method. In the case of public statistics, there is often a need to use an anonymised source value, for example when economic operators’ reports are verified by statistical officers. With appropriate information generated by context-free grammar, the verifier can easily identify an economic operator or a natural person. The idea of the anonymising algorithm used in the proposed method is presented by means of an example. According to the authors, the combination of the proposed method with asymmetric encryption of the definition of context-free grammar using public key infrastructure, makes it probable that its resistance to attacks will be quite high. This is because statistical methods that are used in the analysis of natural languages are not susceptible to attacks.

13.
ABSTRACT

Secure communication in wireless networks is necessary to access remote resources in a controlled and efficient way. For validation and authentication in e-banking and e-commerce transactions, digital signatures using public key cryptography are extensively employed. To maintain confidentiality, Digital Envelope, which is the combination of the encrypted message and signature with the encrypted symmetric key, is also used. In this paper we propose a timestamp-based authentication scheme with a modified Digital Envelope using hyperelliptic curve cryptosystem. HECC has advantages over the existing public key cryptosystems for its small key size and high security in wireless networks where resources are constrained. We have compared the performance of the proposed scheme with that of ECC and present a security analysis to show that our scheme can resist various attacks related to wireless networks.

14.
Vehicular Ad Hoc Networks (VANETs) require mechanisms to authenticate messages, identify valid vehicles, and remove misbehaving vehicles. A public key infrastructure (PKI) can be used to provide these functionalities using digital certificates. However, if a vehicle is no longer trusted, its certificates have to be revoked and this status information has to be made available to other vehicles as soon as possible. In this paper, we propose a collaborative certificate status checking mechanism called COACH to efficiently distribute certificate revocation information in VANETs. In COACH, we embed a hash tree in each standard Certificate Revocation List (CRL). This dual structure is called extended-CRL. A node possessing an extended-CRL can respond to certificate status requests without having to send the complete CRL. Instead, the node can send a short response (less than 1 kB) that fits in a single UDP message. Obviously, the substructures included in the short responses are authenticated. This means that any node possessing an extended-CRL can produce short responses that can be authenticated (including Road Side Units or intermediate vehicles). We also propose an extension to the COACH mechanism called EvCOACH that is more efficient than COACH in scenarios with relatively low revocation rates per CRL validity period. To build EvCOACH, we embed an additional hash chain in the extended-CRL. Finally, by conducting a detailed performance evaluation, COACH and EvCOACH are proved to be reliable, efficient, and scalable.

15.
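In recent years, PKI digital certificate services have suffered multiple security incidents: CAs, as a result of attacks and other causes, issued fraudulent TLS server certificates that bound an attacker's public key to the domain name of the targeted website. Researchers have therefore proposed a variety of schemes for strengthening PKI certificate validation to eliminate the effect of fraudulent certificates, and the existing schemes each have strengths and weaknesses in security and efficiency. An integrated scheme for strengthening PKI certificate validation is proposed; it takes the Pinning scheme as its basis and uses other schemes to remedy the Pinning scheme's shortcomings. For the three different Pinning states that a browser faces for a TLS server certificate (initialization, normal use, update), it combines different security enhancement schemes in each state with regard to both security and execution efficiency, achieving the best overall security and execution efficiency. The resulting integrated scheme can effectively address the threat of attacks using fraudulent digital certificates.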

16.
As mobile and Internet technologies evolve, mobile services (e.g., Internet banking, social commerce) continuously expand and diversify. In order to use these mobile services, it is essential that security services, especially distribution certificates (e.g., bank certificates), relevant to mobile devices be provided. Some approaches to providing distribution certificates between a user's mobile device and a personal computer (PC) have been proposed. However, the existing approaches do not guarantee that the certificate in the mobile device is the same as the one issued from the PC, causing constraints on mobile services such as mobile phone banking and mobile commerce (M-commerce). In this paper, we propose a novel approach that shares certificates securely without modification of the existing standard certificate format between a smartphone and a PC. We also implemented the certificate sharing system (CSS) in a virtual private network (VPN). The CSS provides strong end-to-end data security for the certificate with a key size of 192 bits which is able to guarantee an expiration date of three years. It also provides strong data security on physical devices with the use of device ID. The certificate that is shared between devices is available only through the CSS's authorization process. In addition, the CSS provides a flexible and extensible system for sharing certificates in enterprise environments. The CSS module of a PC was implemented by way of a standard web language, and the CSS module of a smartphone was developed with the assistance of mobile applications with a small size of 1210 KB.

17.
We present PubKey-Wiki, a public key-based wiki group collaboration system. PubKey-Wiki allows users to authenticate themselves using public-key cryptography and gain authorizations using digital certificates. By using public key-based user authentication, users’ passwords are not sent across the network and are not stored on the web server’s host machine. Using digital certificates to authorize users to access protected files facilitates delegation of authority and simpler access control list (ACL) management, and allows the ability of a user to pass authorizations onto other users without needing to connect to the wiki’s server. The paper introduces a new approach to revocation in which revocation of certificates and revocation of public keys are handled separately and take effect immediately. The paper also introduces an algorithm, CertClosure, that computes the transitive closure of a set of certificates that contain authorization information. When a user adds or removes a certificate from his certificate directory in PubKey-Wiki, PubKey-Wiki uses the CertClosure algorithm to derive authorization rules. PubKey-Wiki stores these authorization rules in a lookup table where they can be easily referenced. When a user tries to access a protected file, PubKey-Wiki looks up and uses the relevant authorization rules to efficiently make an access control decision.

18.
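Advances in quantum computing pose a great threat to traditional public-key cryptosystems and in particular could cause immeasurable losses to application systems based on traditional public-key encryption. Meanwhile, the braid group public-key cryptographic algorithm that has been proposed effectively prevents quantum techniques from breaking public-key cryptography and can resist the various known attacks. On the basis of a study of braid group cryptographic algorithms and traditional public-key algorithms, and of the concept and system model characteristics of on-demand assembled Agents, a braid group hybrid encryption method is proposed and effectively applied to an on-demand assembled Agent system, greatly improving the security of the Agent system.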

19.
Public key cryptography has been invented to overcome some key management problems in open networks. Although nearly all aspects of public key cryptography rely on the existence of trapdoor one-way functions, only a very few candidates for this primitive have been observed yet. In this paper, we introduce a new trapdoor one-way permutation based on the hardness of factoring integers of p²q-type. We point out that there are some similarities between Rabin's trapdoor permutation and our proposal. Although our function is less efficient, it possesses a nice feature which is not known for modular squaring, namely there is a variant with a different and easy-to-handle domain. Thus it provides some advantages for practical applications. To confirm this statement, we develop a simple hybrid encryption scheme based on our proposed trapdoor permutation that is CCA-secure in the random oracle model.

20.
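Objective: Video summarization plays an important role in both multimedia data processing and computer vision. Clustering-based summarization methods mostly combine global or local image features to group video frames into clusters and then take representative key frames from each cluster. However, most of these methods need the number of clusters to be fixed in advance, and the adaptive methods cannot obtain the cluster centers efficiently. A key frame selection method based on mapping and on analysis of image density values through clustering is therefore proposed. Methods: First, using the differences between images, a metric method that maps each image to a corresponding point in 2-dimensional space is proposed; clusters are then formed according to the relative positions of point pairs and their neighborhood density values, and an extraction method is proposed that obtains representative key frames from the video according to the clustering result. Results: The proposed metric method was tested on the images in the Olivetti face database and the key frame extraction method on the Open Video database. The key frame extraction method achieves an average precision of 66% and a recall of 74%, and its F-measure reaches 69%, about 11% higher than other methods. Conclusion: The proposed method of clustering after image mapping can effectively identify image categories and effectively obtain the key frames of a video, which then make up the video summary.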
