即时消息传递系统的安全性

即时消息传递(IM——Installt messaging)是Internet上日渐普及的一种通信方法。在介绍IM系统工作方式的基础上，讨论了当前IM系统由于设计上的脆弱性而导致的各种潜在的安全威胁，对如何保障IM系统的安全提出了一些方法和建议。     

在线招投标Web系统安全结构及关键技术的研究

分析了网上在线招投标系统的安全性需求，提出了一种新的用于在线招投标Web应用系统的四层安全体系结构，并定义了其各层次的功能，描述了其安全认证过程，解决了传统三层体系结构在信息系统的安全性上存在的问题和不足。同时就系统中的数据安全性、系统的认证等关键安全技术，综合应用加密和Hash算法，给出了一种在传输和存储过程中保护数据的保密性和完整性的设计方法，以防止在数据库的应用中数据被非法窃取和篡改；给出了一种基于网上在线招投标系统的不可否认数字签名认证方案，使得可在不暴露用户安全信息的前提下实现其身份认证。     

基于联盟链的跨域认证方案

针对传统跨域认证易单点失效、过度依赖第三方等安全问题,提出了一种结合基于身份的密码（IBC,identity-based cryptography）体制与联盟链的跨域认证方案。通过设计包括实体层、代理层、区块链层、存储层在内的分层跨域认证架构,在跨域认证场景中引入联盟链,从而能够使两者较好地融合,增加了联盟链在跨域认证场景中的适应性。在存储层,设计摘要数据格式,将其存储于链上,摘要数据对应的完整数据存储于链下的星际文件系统,从而形成一种安全可靠的链上链下分布式存储方案,解决引入区块链后存在的链上存储受到限制的问题。提出一种基于永久自主权身份和临时身份的身份管理方案,解决结合IBC体制后身份难以注销和匿名身份难以监管的问题。在此基础上,设计完整的跨域全认证、重认证以及密钥协商协议以实现跨域认证流程。在安全性方面,使用 SVO 逻辑对认证协议进行分析,证明了跨域认证协议的安全性。通过仿真对计算负载性能、通信负载以及联盟链性能进行了测试与分析。分析表明,与相关方案相比,协议在满足安全性的同时,在服务端和用户端均有较好的计算负载表现。在通信效率上,相较于其他方案有不错的表现。通过联盟链工具对链上读写时延进行了测试,结果表明所提方案有良好的可用性。     

远程教学系统中身份认证的研究与其应用

文章对一种基于离散对数的公开密钥认证方案进行了分析，指出它存在安全问题，在此基础上提出了一种更安全，认证更简单的新方案，并将新方案应用于虚拟物理实验远程教学系统中，实现远程用户的身份认证。     

一种中小型企业身份认证系统的设计

本文探讨了一种可以方便可靠实现的中小型企业身份认证系统。它能较好的解决在两层结构中,信息系统中身份认证存在的问题。最后给出该方案实现的一些关键代码,实践证明本文提出的方法有一定实用价值。     

一种基于便携式指纹仪的远程认证设计

提出了一种利用便携式指纹仪提取指纹细节点信息，产生一组数字特征值，并根据这组数字特征值结合通行字双向认证方案提出了一种安全认证方案；在该方案中系统管理员无法推导出用户的任何指纹特征，入侵者也不能导出任何用户的通行字和任何保密信息，系统可对来访的用户进行认证，用户也可以对系统的真实性进行认证；该方案能抵御重试攻击，能防止系统内部人员伪造访问记录。     

独立于二层链路的接入认证

对IETF提出的PANA草案以及EAP标准分析，给出了一种使用独立于二层链路技术的PANA协议承载EAP认证协议来进行接入认证的实现方案，并以PANA承载EAP-TLS认证为例给出了该方案的具体实现过程。     

一种有效的一次性口令身份认证方案

分析了几种常用的一次性口令认证方案，在质询响应方案基础上，基于单钥体制设计了一种实用有效的一次性口令身份认证方案。该方案克服了通常的质询响应认证方案的弱点，可以用在网络环境下，实现通信双方的相互认证，防止重放攻击和冒充攻击，实现简单，执行效率高。可与应用系统集成，用于应用系统本身的身份认证，以增强应用系统的安全性。     

基于即时通信的安全保护策略

分析了IM面临的主要安全威胁及其特点，阐述并借鉴了现有的解决方案，提出了一套即时通信(IM)安全保护策略，利用公钥基础设施机制、“安全套接字层”、CAPTCHA等技术，通过加密、签名、验证签名、解密、CAPTCHA验证和IM消息流量监控等方法，保障了IM的连接安全和数据交换安全，保护了IM系统的配置信息和通信记录，减轻了病毒和蠕虫的威胁。     

一种改进的PoC系统接入鉴权方法

为实现PoC系统安全的身份认证,本文提出了一种应用层绑定接入层的双重认证方案,该方案依靠核心网中的公共鉴权服务器和服务网络中的SIP代理服务器完成了接入层和应用层的鉴权,实现了用户IP地址和手机号码的有效绑定和客户端与服务器的双向鉴权功能,在相同安全等级的情况下,降低了认证信息交换次数和系统开销,较好的实现了身份认证功能。     

Pseudo Trust: Zero-Knowledge Authentication in Anonymous P2Ps

Most of the current trust models in peer-to-peer (P2P) systems are identity based, which means that in order for one peer to trust another, it needs to know the other peer's identity. Hence, there exists an inherent tradeoff between trust and anonymity. To the best of our knowledge, there is currently no P2P protocol that provides complete mutual anonymity as well as authentication and trust management. We propose a zero-knowledge authentication scheme called Pseudo Trust (PT), where each peer, instead of using its real identity, generates an unforgeable and verifiable pseudonym using a one-way hash function. A novel authentication scheme based on Zero-Knowledge Proof is designed so that peers can be authenticated without leaking any sensitive information. With the help of PT, most existing identity-based trust management schemes become applicable in mutual anonymous P2P systems. We analyze the security and the anonymity in PT, and evaluate its performance using trace-driven simulations and a prototype PT-enabled P2P network. The strengths of our design include 1) no need for a centralized trusted party or CA, 2) high scalability and security, 3) low traffic and cryptography processing overheads, and 4) man-in-middle attack resistance.     

One-to-many authentication for access control in mobile pay-TV systems面向移动付费电视系统中访问控制的一对多认证协议

In traditional authentication schemes for access control in mobile pay-TV systems, one-to-one delivery is used, i.e., one authentication message per request is delivered from a head-end system (HES) to a subscriber. The performance of one-to-one delivery for authentication is not satisfactory as it requires frequent operations which results in high bandwidth consumption. To address this issue, one-to-many authentication for access control in mobile pay-TV systems was developed. It requires only one broadcasted authentication message from a HES to subscribers if there are many requests for the same service in a short period of time. However, later it was revealed that the one-to-many authentication scheme was vulnerable to an impersonation attack, i.e., an attacker without any secret key could not only impersonate the mobile set (MS) to the HES but also impersonate the HES to the MS. Then, a new scheme has been recently introduced for secure operations of one-to-many authentication. However, as shown in this paper, the recent work for one-to-many authentication is still vulnerable to the impersonation attack. To mitigate this attack, in this paper, a new scheme for one-to-many authentication using bilinear pairing is proposed that eliminates security weaknesses in the previous work. Results obtained depict that the new improved scheme in this paper provides better performance in terms of computation and communication overheads.     

A provably secure and efficient authentication scheme for access control in mobile pay-TV systems

To guarantee the secure access by authorized subscribers in mobile pay-TV systems, user authentication is required. User authentication is a security mechanism used to verify the identity of a legal subscriber. In 2012, Yeh and Tsaur proposed an authentication scheme for access control in mobile pay-TV systems to improve the Sun and Leu’s scheme. Yeh and Tsaur claimed that their scheme meets all security requirements for mobile pay-TV systems. However, this paper indicates that Yeh and Tsaur’s scheme suffers from some critical weaknesses. An attacker without knowing secret information can successfully impersonate both mobile sets and head-end system. As a remedy, we propose an improved authentication scheme for mobile pay-TV systems using bilinear pairings. The proposed scheme maintains the merits and covers the demerits of the previous schemes, and provides a higher level of the efficiency for mobile pay-TV systems.     

Improving the security of ‘a flexible biometrics remote user authentication scheme’

Recently, Lin–Lai proposed ‘a flexible biometrics remote user authentication scheme,’ which is based on El Gamal's cryptosystem and fingerprint verification, and does not need to maintain verification tables on the server. They claimed that their scheme is secured from attacks and suitable for high security applications; however, we point out that their scheme is vulnerable and can easily be cryptanalyzed. We demonstrate that their scheme performs only unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their scheme is susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Lin–Lai's scheme. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication. Moreover, some standards for biometric-based authentication are also discussed, which should be followed during the development of biometric systems.     

Analysis of the Desynchronization Attack Impact on the E2EA Scheme

The healthcare IoT system is considered to be a significant and modern medical system. There is broad consensus that these systems will play a vital role in the achievement of economic growth in numerous growth countries. Among the major challenges preventing the fast and widespread adoption of such systems is the failure to maintain the data privacy of patients and the integrity of remote clinical diagnostics. Recently, the author proposed an end-to-end authentication scheme for healthcare IoT systems (E2EA), to provide a mutual authentication with a high data rate between the communication nodes of the healthcare IoT systems. Although the E2EA authentication scheme supports numerous attractive security services to resist various types of attack, there is an ambiguous view of the impact of the desynchronization attack on the E2EA authentication scheme. In general, the performance of the authentication scheme is considered a critical issue when evaluating the applicability of such schemes, along with the security services that can be achieved. Therefore, this paper discusses how the E2EA authentication scheme can resist the desynchronization attack through all possible attack scenarios. Additionally, the effect of the desynchronization attack on the E2EA scheme performance is analyzed in terms of its computation and communication costs, based on a comparison with the recently related authentication schemes that can prevent such attack. Moreover, this research paper finds that the E2EA authentication scheme can not only prevent the desynchronization attack, but also offers a low cost in terms of computations and communications, and can maintain consistency and synchronization between the communication nodes of the healthcare IoT systems during the next authentication sessions.     

基于智能卡的电子报税系统安全认证方案

针对现有电子报税系统中在身份认证方面存在的安全问题,提出了基于智能卡的电子报税系统的安全增强型认证方案。该方案在电子报税终端引入智能卡技术,保证密钥等机密信息的安全,系统认证过程中基于动态密钥实现双向认证,提高了电子报税系统中身份认证和信息传输的安全性。     

基于智能卡和指纹识别的电子报税认证系统

针对目前报警信息关联技术中存在的问题，提出了基于入侵意图的报警信息关联分析技术。该技术不仅继承了基于入侵策略的报警信息关联分析方法所具有的时效性、预见性强等优点，而且提高了入侵策略模型的泛化能力，并通过建立“跳步”分析机制，提高了系统对入侵的理解能力。     

Attacks on “a provably secure and efficient authentication scheme for access control in mobile pay-TV systems”

Mobile pay-TV systems represent an application of important electronic commerce, providing mobile users with the multimedia services. In 2016, Farash and Attari employed the elliptic curves and bilinear pairing technologies to design a one-to-many authentication scheme for mobile pay-TV systems. They claimed that their scheme provides a high level of efficiency and can resist most attacks on mobile pay-TV systems. In this paper, we point out their scheme cannot achieve the fundamental requirement of authentication that is, the mutual authentication. In addition, their scheme still suffers from three security weaknesses.     

一种双向动态口令认证系统的研究

在研究现有身份认证系统中存在的安全问题的基础上,提出了一种双向动态口令认证方案,给出了方案的实现过程,并对方案进行了安全性分析。本方案的特点是:提供了服务器和客户的双向认证,能够抵御假冒攻击;双向认证的实现不需要依赖于第三方认证中心来实现;认证信息保持动态性,能有效防止重放攻击。