分布式文件交互系统节点身份认证方案

基于分布式云存储系统利用椭圆曲线和散列函数等内容,提出了一种云环境下的双向身份认证方案,实现双向认证过程。新方案的优点在于产生对通信双方公正的会话密钥,同时设计了2种不同类型的认证: 本地网内认证和跨网络认证。最后对该方案进行了安全性和性能分析,证明了本方案具有很强的安全性,能够保护用户的隐私性和抗抵赖性,且具有较低的计算量。该方案满足云存储在通信环境中的需求。     

云计算环境下基于无证书的匿名用户认证协议

云计算的安全问题是云计算技术的核心问题之一。近年来,针对云计算中用户访问的安全问题提出了多个安全认证方案。但是,这些方案大都存在安全漏洞、流程复杂等缺陷,因此不适用于云计算环境。文章首先对一个高效的基于身份云计算认证协议进行分析,指出其算法的错误,并对其进行修正。其次提出一个适用于云计算环境下安全的用户认证方案。方案基于无对运算的无证书密码体系,避免基于身份认证方案的密钥泄露问题。在尽可能简化运算的前提下,提升了安全性。同时,方案使用临时身份代替用户真实身份,从而实现了用户匿名性。为了避免重放攻击,在方案中使用时戳以进一步增强了安全性。与现有相关协议相比,提出的方案有更高的安全级别和尽可能小的认证时延,因此更适合于云计算环境。     

“沃互联”统一认证技术研究

近年来,网络用户信息泄露事件愈演愈烈,为保障网络用户个人数据安全,研究了网络场景下用户电子账户所面临的安全风险与威胁,分析了网络用户账号相关安全需求,提出了一种网络强身份认证方式——“沃互联”统一认证方案,该方案是以手机号码为用户唯一身份标识,为网络业务提供商提供统一的安全认证能力,使用户获得安全、便捷的用户认证和授权体验.     

一种改进的动态用户认证协议

针对用户快速认证问题,对动态用户认证协议作了介绍,并指出了其可能的安全隐患.提出了对动态用户认证协议的改进方案,并对改进协议的性能进行讨论,并论述了该协议在异构环境下无线传感器网络中的应用.     

关于具有恢复消息功能的认证方案的一点注记

简述了基本的Nyberg-Rueppel认证方案和HMP认证方案,指出了LC认证方案是HMP认证方案的一个特例。     

基于格理论的装备保障信息网络快速身份认证方案

量子算法和量子计算机对装备保障信息网络的认证方案已构成严重的潜在威胁。针对当前装备保障信息网络身份认证方案无法抵抗量子计算机攻击、认证效率相对较低的问题,引入格理论的本原格抽样算法和双峰高斯抽样技术,提出了装备保障信息网络在量子环境下安全且快速的身份认证方案,给出了方案的正确性、安全性的理论证明以及方案运行效率的比较分析。结果表明,基于随机预言机证明模型,该方案在小整数解问题困难性假设下达到了适应性选择身份和选择消息攻击的存在性不可伪造性;在保证安全的前提下,新方案在私钥提取阶段和身份认证阶段的运行效率均高于已有的几个同类格基身份认证方案。这为提高我国装备保障信息网络安全认证能力提供了新的思路和方法。     

基于数字签名的交互式用户身份鉴别方案

该文首先利用Harn数字签名方案建立了基于身份的交互式用户认证与双向认证方案,并首次将这种基于身份的交互式用户认证方案推广为基于身份的交互式共享认证方案,使得认证系统的n名验证者中t名以上验证者才能验证用户身份的有效性,从而可以有效地防止认证系统个别管理人员的作弊行为,提高了认证系统的安全级别与可用性。     

基于事件的一次性口令双向认证的实现

针对静态口令身份认证技术易受攻击的安全缺陷,在事件同步一次性口令产生机制的基础上,结合公钥密码体制,设计并实现了一种新的一次性口令双向认证方案。与传统的挑战／响应双向认证方案相比,该方案实现简单、执行效率高,适用于电子商务过程中的身份认证,能够实现网络环境下用户和服务器的双向认证,避免各种攻击,可以大大提高用户访问的安全性,有效保护用户信息。     

基于多播的身份认证技术研究

传统的身份认证技术对于多播身份认证并不适用,因为多播身份认证有它自身的特殊要求.主要阐述了几种针对多播身份认证独特特点的解决方案,并分别总结了这些方案的优点,并指出了他们的缺点,最后对这些方案进行了比较,并介绍了一种可能用于改进多播的身份认证的技术.     

基于联盟身份认证和CALIS联合认证的图书馆资源访问方案

针对图书馆电子资源的访问控制问题,对国际上广泛采用的联盟身份认证技术和在国内图书馆大范围部署的CALIS联合认证进行了分析,提出了将联盟身份认证与CALIS联合认证相结合的方案,并在CARSI联盟的平台上进行了开发、部署和验证,实验结果表明,联盟身份认证与CALIS联合认证相结合的方案可以有效、灵活地对电子资源进行访问控制。     

基于量子特性的身份认证

利用量子特性实现量子保密通信是目前量子信息学界和密码学界关注的热点问题之一,文章根据利用量子特性提出了一个量子身份认证方案,实现了通信中通信双方的身份认证.该方案实施申采用了动态工作方式,易于实现,具有可证明安全性.     

WCDMA系统鉴权机制的研究

首先介绍了WCDMA系统鉴权的概念，具体分析了他的过程，重点介绍了鉴权与密钥协商(AKA)、算法协商、密钥管理等几个关键问题，分析了其对WCDMA系统安全特性的实现。     

HIKES: Hierarchical key establishment scheme for wireless sensor networks

This paper presents a hierarchical key establishment scheme called HIKES. The base station in this scheme, acting as the central trust authority, empowers randomly selected sensors to act as local trust authorities authenticating, on its behalf, the cluster members and issuing private keys. HIKES uses a partial key escrow scheme that enables any sensor node selected as a cluster head to generate all the cryptographic keys needed to authenticate other sensors within its cluster. This scheme localizes secret key issuance and reduces the communication cost with the base station. HIKES provides an efficient broadcast authentication in which source authentication is achieved in a single transmission and a good defense for the routing mechanism. HIKES defends the routing mechanism against most known attacks and is robust against node compromise. HIKES also provides high addressing flexibility and network connectivity to all sensors in the network, allowing sensor addition and deletion. Simulation results have shown that HIKES provides an energy‐efficient and scalable solution to the key management problem. Copyright © 2012 John Wiley & Sons, Ltd.     

一种存在于IKE协议中的DoS攻击安全漏洞

文章分析了IETF的因特网密钥交换(IKE)标准,指出对于IKE阶段1的野蛮模式存在一个容易导致拒绝服务(DoS)攻击的安全漏洞.文章认为这是由于响应方的安全联盟载荷没有加入到认证数据的计算中,使安全联盟载荷容易被篡改,从而导致双方可能协商出一个参数不相同的阶段1安全联盟载荷.     

Two-factor authenticated key agreement protocol based on biometric feature and password

A new two-factor authenticated key agreement protocol based on biometric feature and password was proposed.The protocol took advantages of the user’s biological information and password to achieve the secure communication without bringing the smart card.The biometric feature was not stored in the server by using the fuzzy extractor technique,so the sensitive information of the user cannot be leaked when the server was corrupted.The authentication messages of the user were protected by the server’s public key,so the protocol can resist the off-line dictionary attack which often appears in the authentication protocols based on password.The security of the proposed protocol was given in the random oracle model provided the elliptic computational Diffie-Hellman assumption holds.The performance analysis shows the proposed protocol has better security.     

云计算中基于认证数据结构的数据外包认证模型

利用认证数据结构(ADS,authenticated data structures)的安全特性,分析并设计了面向云计算的基于ADS的数据外包认证模型,给出了模型的形式化定义、数据查询认证协议与数据更新认证协议;对ADS在模型实际应用时遇到的关键问题进行分析,设计了扩展数据一致性证据生成算法和扩展验证算法,从而实现了ADS在模型中的有效融入。最后从安全性和效率两方面对模型的性能进行分析比较,结果表明模型以较高效率实现了数据的正确性与一致性认证。     

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Hao proposed the YAK as a robust key agreement based on public‐key authentication, and the author claimed that the YAK protocol withstands all known attacks and therefore is secure against an extremely strong adversary. However, Toorani showed the security flaws in the YAK protocol. This paper shows that the YAK protocol cannot withstand the known key security attack, and its consequences lead us to introduce a new key compromise impersonation attack, where an adversary is allowed to reveal both the shared static secret key between two‐party participation and the ephemeral private key of the initiator party in order to mount this attack. In addition, we present a new security model that covers these attacks against an extremely strong adversary. Moreover, we propose an improved YAK protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism in its block design that provides entity authentication and key confirmation. Meanwhile, we show that the proposed protocol is secure in the proposed formal security model under the gap Diffie‐Hellman assumption and the random oracle assumption. Moreover, we verify the security of the proposed protocol and YAK protocol by using an automatic verification method such as the Scyther tool, and the verification result shows that the security claims of the proposed protocol are proven, in contrast to those of the YAK protocol, which are not proven. The security and performance comparisons show that the improved YAK protocol outperforms previous related protocols.     

新型组织隐藏的认证密钥交换协议

提出了一个实现组织集合交集认证策略的新型组织隐藏的密钥协商协议,2个匿名用户从属的组织集合存在交集且元素个数至少为一个门限值时可以完成一次成功的秘密认证和密钥协商,同时保证集合交集之外的组织信息机密性。新协议在随机预言机模型下可证安全,并且在计算和通信性能上仍具备一定的优势。     

移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

A chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card

Authenticated key agreement protocols play an important role for network‐connected servers to authenticate remote users in Internet environment. In recent years, several authenticated key agreement protocols for single‐server environment have been developed based on chaotic maps. In modern societies, people usually have to access multiple websites or enterprise servers to accomplish their daily personal matters or duties on work; therefore, how to increase user's convenience by offering multi‐server authentication protocol becomes a practical research topic. In this study, a novel chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card is proposed. In this protocol, a legal user can access multiple servers using only a single secret key obtained from a trusted third party, known as the registration center. Security analysis shows this protocol is secure against well‐known attacks. In addition, protocol efficiency analysis is conducted by comparing the proposed protocol with two recently proposed schemes in terms of computational cost during one authentication session. We have shown that the proposed protocol is twice faster than the one proposed by Khan and He while preserving the same security properties as their protocol has. Copyright © 2014 John Wiley & Sons, Ltd.