Efficient revocable certificateless remote anonymous authentication protocol for wireless body area network

To ensure the security and privacy of patients’ health data in wireless body area network (WBAN),communication parties must be mutual authenticated.Now some bilinear pairings led to a larger computation cost for users and tree structure revocation would lead to larger user storage cost.In order to achieve revocation and reduce the cost of the user side,a novel revocable certificate less remote anonymous authentication protocol for WBAN was proposed by using elliptic curve cryptography and revoke algorithm that could revoke users by updating their time-private-keys.Security requirements including anonymity,mutual authentication and session key establishment were satisfied in proposed scheme.Compared with the existing schemes,the experimental analysis shows that the computation cost and storage cost of the authentication protocol are greatly reduced,which is more suitable for resource-constrained WBAN.Security analysis also shows that the protocol is secure in the random oracle model.     

A self-encryption mechanism for authentication of roaming and teleconference services

A simple authentication technique for use in the global mobility network (GLOMONET) is proposed. This technique is based on the concept of distributed security management, i.e., the original security manager administrates the original authentication key (long-term secret key) acquired when a user makes a contract with his home network, while a temporary security manager is generated for a roaming user in the visited network that provides roaming services. The temporary security manager will take the place of the original security manager when the roaming user stays in the service area of the visited network. In the proposed authentication protocol for the regular communication phase, the procedures of the original security manager and the temporary security manager are the same except for introducing different parameters. Furthermore, the proposed technique not only reduces the number of transmissions during the authentication phase, but it also can decrease the complexity of mobile equipment. The idea behind the proposed technique is to introduce a simple mechanism which is called "self-encryption". We also suggest that this mechanism can be easily adopted as the authentication function for the secure teleconference service.     

一种泛在网络的安全认证协议

泛在网络是标准的异质异构网络,保证用户在网络间的切换安全是当前泛在网的一个研究热点。该文对适用于异构网络间切换的认证协议EAP-AKA进行分析,指出该协议有着高认证时延,且面临着用户身份泄露、中间人攻击、DoS攻击等安全威胁,此外接入网络接入点的有效性在EAP-AKA协议中也没有得到验证,使得用户终端即使经过了复杂的认证过程也不能避免多种攻击。针对以上安全漏洞,该文提出一种改进的安全认证协议,将传统EAP-AKA的适用性从3G系统扩展到泛在网络中。新协议对传播时延和效率进行完善,为用户和接入点的身份信息提供有效性保护,避免主会话密钥泄露,采用椭圆曲线Diffie Hellman算法生成对称密钥,在每次认证会话时生成随机的共享密钥,并实现用户终端与家乡域网络的相互认证。通过开展实验,对协议进行比较分析,验证了新协议的有效性及高效率。     

基于MGC的软交换安全认证机制研究

分析了软交换网络安全认证的特点和相关协议,结合工程实践提出了基于媒体网关控制器(Media GatewayControllor,MGC)的软交换网络安全认证机制,并对该机制实现的基本原理、使用协议和认证信息流程分别进行了阐述和说明,实现了软交换系统设备注册、动态接入识别、用户授权访问等安全认证功能。     

无线网络中基于量子隐形传态的鲁棒安全通信协议

该文在深入研究无线网络802.11i鲁棒安全通信的基础上,提出基于量子隐形传态的无线网络鲁棒安全通信协议,利用量子纠缠对的非定域关联性保证数据链路层的安全。首先,对量子隐形传态理论进行描述,并着重分析临时密钥完整性协议和计数器模式及密码块链消息认证协议的成对密钥、组密钥的层次结构;其次,给出了嵌入量子隐形传态的成对密钥、组密钥的层次结构方案;最后,在理论上给出安全证明。该协议不需要变动用户、接入点、认证服务器等基础网络设备,只需增加产生和处理纠缠对的设备,即可进行量子化的密钥认证工作,网络整体框架变动较小。     

个人通信系统中的一种移动用户登记认证协议

假冒和窃听攻击是无线通信面临的主要威胁。在个人通信系统中,为了对无线链路提供安全保护,必须对链路上所传送的数据/话音进行加密,而且在用户与服务网络之间必须进行相互认证。近年来,人们在不同的移动通信网络(如GSM,IS-41,CDPD,Wireless LAN等)中提出了许多安全协议。然而,这些协议在个人通信环境中应用时存在不同的弱点。本文基于个人通信系统的双钥保密与认证模型,设计了用户位置登记认证协议;并采用BAN认证逻辑对协议的安全性进行了形式化证明,也对协议的计算复杂性进行了定性分析。分析表明,所提出的协议与现有的协议相比具有许多新的安全特性。     

异构无线网络中基于标识的匿名认证协议

针对异构无线网络中的认证协议的安全问题,提出一种基于CPK算法和改进的ECDH算法的双向认证和密钥协商协议,引入用户的临时认证身份和临时通信身份实现用户的身份匿名;提出采用临时通信身份有序对防止重认证过程中的重放攻击,并且在协议设计中规避了密钥泄漏带来的风险。分析表明该协议具有身份认证、会话密钥安全、匿名性等安全属性。     

3G认证和密钥分配协议的形式化分析及改进

介绍了第三代移动通信系统所采用的认证和密钥分配(AKA)协议,网络归属位置寄存器/访问位置寄存器(HLR/VLR)对用户UE(用户设备)的认证过程和用户UE对网络HLR/VLR的认证过程分别采用了两种不同的认证方式,前者采用基于"询问-应答"式的认证过程,后者采用基于"知识证明"式的认证过程.使用BAN形式化逻辑分析方法分别对这两种认证过程进行了分析,指出在假定HLR与VLR之间系统安全的前提下,基于"知识证明"式的认证过程仍然存在安全漏洞.3GPP采取基于顺序号的补充措施;同时,文中指出了另一种改进方案.     

User centric three‐factor authentication protocol for cloud‐assisted wearable devices

Wearable devices, which provide the services of collecting personal data, monitoring health conditions, and so on, are widely used in many fields, ranging from sports to healthcare. Although wearable devices bring convenience to people's lives, they bring about significant security concerns, such as personal privacy disclosure and unauthorized access to wearable devices. To ensure the privacy and security of the sensitive data, it is critical to design an efficient authentication protocol suitable for wearable devices. Recently, Das et al proposed a lightweight authentication protocol, which achieves secure communication between the wearable device and the mobile terminal. However, we find that their protocol is vulnerable to offline password guessing attack and desynchronization attack. Therefore, we put forward a user centric three‐factor authentication scheme for wearable devices assisted by cloud server. Informal security analysis and formal analysis using ProVerif is executed to demonstrate that our protocol not only remedies the flaws of the protocol of Das et al but also meets desired security properties. Comparison with related schemes shows that our protocol satisfies security and usability simultaneously.     

Lightweight and provably secure user authentication with anonymity for the global mobility network

Seamless roaming in the global mobility network (GLOMONET) is highly desirable for mobile users, although their proper authentication is challenging. This is because not only are wireless networks susceptible to attacks, but also mobile terminals have limited computational power. Recently, some authentication schemes with anonymity for the GLOMONET have been proposed. This paper shows some security weaknesses in those schemes. Furthermore, a lightweight and provably secure user authentication scheme with anonymity for the GLOMONET is proposed. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, user friendly, no password/verifier table, and use of one‐time session key between mobile user and foreign agent. The security properties of the proposed protocol are formally validated by a model checking tool called AVISPA. Furthermore, as one of the new features in our protocol, it can defend smart card security breaches. Copyright © 2010 John Wiley & Sons, Ltd.     

An efficient and secure 3‐factor user‐authentication protocol for multiserver environment

In the last decade, the number of web‐based applications is increasing rapidly, which leads to high demand for user authentication protocol for multiserver environment. Many user‐authentication protocols have been proposed for different applications. Unfortunately, most of them either have some security weaknesses or suffer from unsatisfactory performance. Recently, Ali and Pal proposed a three‐factor user‐authentication protocol for multiserver environment. They claimed that their protocol can provide mutual authentication and is secure against many kinds of attacks. However, we find that Ali and Pal's protocol cannot provide user anonymity and is vulnerable to 4 kinds of attacks. To enhance security, we propose a new user‐authentication protocol for multiserver environment. Then, we provide a formal security analysis and a security discussion, which indicate our protocol is provably secure and can withstand various attacks. Besides, we present a performance analysis to show that our protocol is efficient and practical for real industrial environment.     

Secure multi‐factor remote user authentication scheme for Internet of Things environments

Because of the exponential growth of Internet of Things (IoT), several services are being developed. These services can be accessed through smart gadgets by the user at any place, every time and anywhere. This makes security and privacy central to IoT environments. In this paper, we propose a lightweight, robust, and multi‐factor remote user authentication and key agreement scheme for IoT environments. Using this protocol, any authorized user can access and gather real‐time sensor data from the IoT nodes. Before gaining access to any IoT node, the user must first get authenticated by the gateway node as well as the IoT node. The proposed protocol is based on XOR and hash operations, and includes: (i) a 3‐factor authentication (ie, password, biometrics, and smart device); (ii) mutual authentication ; (iii) shared session key ; and (iv) key freshness . It satisfies desirable security attributes and maintains acceptable efficiency in terms of the computational overheads for resource constrained IoT environment. Further, the informal and formal security analysis using AVISPA proves security strength of the protocol and its robustness against all possible security threats. Simulation results also prove that the scheme is secure against attacks.     

Design and Validation of an Efficient Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks

Designing a user authentication protocol with anonymity for the global mobility network (GLOMONET) is a difficult task because wireless networks are susceptible to attacks and each mobile user has limited power, processing and storage resources. In this paper, a secure and lightweight user authentication protocol with anonymity for roaming service in the GLOMONET is proposed. Compared with other related approaches, our proposal has many advantages. Firstly, it uses low-cost functions such as one-way hash functions and exclusive-OR operations to achieve security goals. Having this feature, it is more suitable for battery-powered mobile devices. Secondly, it uses nonces instead of timestamps to avoid the clock synchronization problem. Therefore, an additional clock synchronization mechanism is not needed. Thirdly, it only requires four message exchanges between the user, foreign agent and home agent. Further, the security properties of our protocol are formally validated by a model checking tool called AVISPA. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, no password table, and high efficiency in password authentication. Security and performance analyses show that compared with other related authentication schemes, the proposed scheme is more secure and efficient.     

多群组和设备侧密钥分发的安全认证和密钥协商

随着MTC（Machine Type Communication）移动终端数量不断增长,网络拥塞问题日益严重。本文提出了一种多群组和设备侧密钥分发的安全认证和密钥协商（Multi-based and Device Side Key Distribution Secure Authentication and Key Agreement, MGDK-AKA）协议。该协议首先将大量请求接入设备按照一定的规则分成多个群组。组首对组成员的请求信息进行聚合,组首与核心网完成整个认证和密钥协商过程,组成员仅与组首之间完成相互认证,避免了大量设备同时访问核心网络。同时将原核心网侧的密钥分发转移到设备侧完成,进一步克服网络拥塞,并保证数据的安全传输。安全性分析表明了提出的方案可以完成安全目标,并抵抗一些攻击。仿真结果验证了该协议在网络拥塞避免的可行性。      

Secure Handover Authentication Protocol Based on Bilinear Pairings

Handover authentication protocol enables a mobile node to switch from one base station to another without loss or interruption of service when the node exits the transmission area of his or her current base station. This paper proposes a secure prime-order handover authentication protocol based on bilinear pairings. The proposed protocol adapts the concept of pseudonyms to provide user anonymity and user unlinkability. It withstands well-known security threats and achieves mutual authentication, user unlinkability. A batch signature verification mechanism to verify a mass of signatures is presented in our scheme. We also prove that our scheme is secure under random oracle.     

基于生物特征标识的无线传感器网络三因素用户认证协议

为满足高安全级别场景（如军事、国家安全、银行等）的应用需求,进一步提高无线传感器网络用户认证协议的安全性,提出了基于生物特征识别的三因素用户认证协议.针对Althobaiti协议无法防御节点妥协攻击、模拟攻击、中间人攻击和内部特权攻击的安全缺陷,增加智能卡和密码作为协议基本安全因素,并利用生物特征标识信息生成函数与回复函数处理的生物特征标识作为附加安全因素;在密钥管理中,为每个节点配置了与网关节点共享唯一密钥,保证认证过程的独立性与安全性;实现用户自主选择与网关节点的共享密钥,提高公共信道通信的安全性;在网关节点不参与的情况下,设计密码和生物特征标识更新机制,保证二者的新鲜性.通过Dolev-Yao拓展威胁模型的分析与AVISPA的OFMC分析终端的仿真,结果证明该认证协议克服了Althobaiti协议安全缺陷,且对计算能力的需求小于公钥加密.权衡安全性与计算成本,该协议适用于资源受限且安全需求高的无线传感器网络应用.     

基于用户身份认证的安全计费系统的研究

网络规模的扩大、用户数量的增加,给网络管理、安全、计费都提出了新的需求.在方便用户的基础上,通过对数据采集模式、认证协议和一些网络安全性的探讨,构建了一个稳定、可靠、廉价、安全的网络计费系统,解决了IP地址的不足和用户移动性的增强的问题.     

一种改进的基于ECC双因子身份认证协议

随着信息技术和网络技术的快速发展,互联网实名制已经成为网络监督和管理的重要趋势,而用户身份认证又是实名制管理体系中的关键技术。首先介绍了基于智能卡的身份认证协议,讨论了该协议存在的不足,并在此基础上,提出了一种基于ECC双因子的身份认证协议,通过椭圆曲线离散对数难题和时间戳因素确保协议的安全性,解决了丢失智能卡攻击的问题,并且保持了协议的高效性。     

TEE based session key establishment protocol for secure infotainment systems

Most vehicles are now produced with infotainment features. However, as reported in various security conferences, security vulnerabilities associated with an infotainment system can cause serious security issues, e.g., an attacker can control in-vehicle systems through the infotainment system. To address such security issues, in this paper, we propose a session key establishment protocol using Elliptic Curve Cryptography. The proposed protocol enables secure authentication and key distribution between a user device and a telematics control unit. We also shows how a trusted execution environment is used for the proposed protocol. We present detailed protocol operations with conducted security analysis results.     

Ubiquitous One-Time Password Service Using the Generic Authentication Architecture

The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.