移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

A privacy‐preserving biometrics based authenticated key agreement scheme using ECC

To ensure secure communication over the insecure public network, this work presents a privacy‐preserving biometrics‐based authenticated key agreement scheme using elliptic curve cryptography, making full use of the advantages that the biometrics can be used to uniquely identify a particular human, and the elliptic curve cryptography can provide the same level security with far less key size compared with other public key cryptography. The proposed scheme realizes the mutual authentication of participants, session key agreement, and various security properties and also can resist kinds of known attacks. Moreover, the proposed scheme has perfect user experience in the aspect of changing password by not interacting with the server. In addition, the security features of our new designed scheme are formally proved under the widely used BPR adversary model. Therefore, from the viewpoint of the authors, the proposed scheme can be considered as the authenticated key agreement scheme for mobile users.     

移动自组网中基于多跳步加密签名 函数签名的分布式认证

移动自组网Manet(Mobile Ad Hoc Network)是一种新型的无线移动网络,由于其具有网络的自组性、拓扑的动态性、控制的分布性以及路由的多跳性,所以,传统的安全机制还不能完全保证Manet的安全,必须增加一些新的安全防范措施.本文探讨了Manet所特有的各种安全威胁,提出了一种基于多跳步加密签名函数签名的安全分布式认证方案,即将移动密码学与(n,t)门槛加密分布式认证相结合,并采用了分布式容错处理算法和私钥分量刷新技术以发现和避免攻击者假冒认证私钥进行非法认证以及保护私钥分量和认证私钥不外泄.     

椭圆曲线加密结合散列函数的移动网络匿名安全认证方案

为了防止私人数据泄露并完善已有的移动网络匿名漫游认证方案,提出了一种利用椭圆曲线加密结合散列函数的移动网络匿名安全认证方案。该方案利用椭圆曲线加密,结合散列函数,以随机数代替公开密钥加密和时间戳。首先,使用外地代理（FA）的漫游服务之前,计算单向散列函数,移动用户（MU）使用本地代理（HA）注册。然后,建立认证和会话的密钥,采用椭圆曲线加密,若HA一直待在同一FA中,则MU可以用FA更新会话密钥。最后,MU通过公共信道,利用HA修改密码。性能和安全性分析表明,相比其他几种类似方案,提出的方案明显提高了效率和安全性。其中,虚拟计算时间只有2.000 85 s,显著降低了计算开销。     

Wireless Security

This paper describes the security features incorporated into the third generation (3G) mobile system developed in 3GPP, specifically the enhancements to the shared secret symmetric authentication scheme as used in GSM. The proposed security architecture for the Internet multimedia subsystem (IMS) based on and built upon Internet applications, services and protocols, is then described. Finally, the paper describes some early work by 3GPP to integrate public key security mechanisms into 3G, while maintaining the global reach and call set-up performance, that mobile users now take for granted.     

协议组合逻辑安全的4G无线网络接入认证方案

针对4G无线网络中移动终端的接入认证问题,基于自证实公钥系统设计了新的安全接入认证方案,并运用协议演绎系统演示了该方案形成的过程和步骤,用协议组合逻辑对该方案的安全属性进行了形式化证明.通过安全性证明和综合分析,表明该方案具有会话认证性和密钥机密性,能抵御伪基站攻击和重放攻击,并能提供不可否认服务和身份隐私性,同时提高了移动终端的接入效率     

一种基于移动公网的安全专网认证与密钥协商方案

针对移动公网保障端到端安全的不足,提出了一种基于改进的Diffie-Hellman密钥交换协议机制的安全专网认证和密钥协商设计方案。该方案可以在终端接入移动公网的基础上,实现通信双方端到端的相互认证,同时协商出独立于网络的密钥。性能分析表明,该方案结构简单,安全高效,符合移动通信系统的要求。     

Certificateless signature and blind signature

Certificateless public key cryptography is a new paradigm introduced by Al-Riyami and Paterson. It eliminates the need of the certificates in traditional public key cryptosystems and the key escrow problem in IDentity-based Public Key Cryptography （ID-PKC）. Due to the advantages of the certificateless public key cryptography, a new efficient certificateless pairing-based signature scheme is presented, which has some advantages over previous constructions in computational cost. Based on this new signature scheme, a certificateless blind signature scheme is proposed. The security of our schemes is proven based on the hardness of computational Diffie-Hellman problem.     

Secure user authentication scheme with novel server mutual verification for multiserver environments

The fast growth of mobile services and devices has made the conventional single‐server architecture ineffective from the point of its functional requirements. To extend the scalability and availability of mobile services to various applications, it is required to deploy multiserver architecture. In 2016, Moon et al insisted that Lu et al's scheme is weak to insiders and impersonation attack, then they proposed a biometric‐based scheme for authentication and key agreement of users in multiserver environments. Unfortunately, we analyze Moon et al's scheme and demonstrate that their scheme does not withstand various attacks from a malicious registered server. We propose a user authentication scheme with server mutual verification to overcome these security drawbacks. The proposed scheme withstands an attack from malicious insiders in multiserver environments. We use a threshold cryptography to strengthen the process of server authorization and to provide better security functionalities. We then prove the authentication and session key of the proposed scheme using Burrows‐Abadi‐Needham (BAN) logic and show that our proposed scheme is secure against various attacks.     

Grid authentication from identity-based cryptography without random oracles

As a critical component of grid security, secure and efficient grid authentication needs to be well addressed. However, the most widely accepted and applied grid authentication is based on public key infrastructure （PKI） and X.509 certificates, which make the system have low processing efficiency and poor anti-attack capability. To accommodate the challenge of grid authentication, this article aims at designing a secure and efficient method for grid authentication by employing identity-based cryptography （IBC）. Motivated by a recently proposed secure and efficient identity-based encryption （IBE） scheme without random oracles, an identity-based signature （IBS） scheme is first proposed for the generation of private key during grid authentication. Based on the proposed IBS and the former IBE schemes, the structure of a novel grid authentication model is given, followed by a grid authentication protocol described in detail. According to the theoretical analysis of the model and the protocol, it can be argued that the new system has improved both the security and efficiency of the grid authentication when compared with the traditional PKI-based and some current IBC-based models.     

Ad hoc空间网络密钥管理与认证方案

为了使一组卫星动态配置成一个具有灵活的分布式体系结构的集成网络信息系统，可以采用ad hoc组网方式，这种卫星网络的组网方式带来了新的安全挑战。提出了一个灵活的安全方案，设计了公钥基础设施和认证策略。基于完全分布式的认证中心，可以直接采用几乎所有的标准公钥认证协议。当空间节点的计算能力有限时，设计了一个轻型的基于对称密钥算法和单向散列函数的认证协议，在提供保密性和数据完整性的同时大大减小了计算量。     

DTLS based security and two-way authentication for the Internet of Things

In this paper, we introduce the first fully implemented two-way authentication security scheme for the Internet of Things (IoT) based on existing Internet standards, specifically the Datagram Transport Layer Security (DTLS) protocol. By relying on an established standard, existing implementations, engineering techniques and security infrastructure can be reused, which enables easy security uptake. Our proposed security scheme is therefore based on RSA, the most widely used public key cryptography algorithm. It is designed to work over standard communication stacks that offer UDP/IPv6 networking for Low power Wireless Personal Area Networks (6LoWPANs). Our implementation of DTLS is presented in the context of a system architecture and the scheme’s feasibility (low overheads and high interoperability) is further demonstrated through extensive evaluation on a hardware platform suitable for the Internet of Things.     

JAVA安全认证在电子政务系统中的应用研究

随着网络技术的发展，各国政府正积极推行电子政务系统，如何保证政府电子政务的安全性成为实施电子政务必须首先要解决的问题。本文主要讨论了基于公开密钥的身份认证机制，提出了双向身份认证与电子钥匙Ekey的设计方案．并给出了具体实现。实际应用证明该设计方案可为电子政务系统提供可靠的安全保障。     

Design and FPGA implementation of an efficient security mechanism for mobile pay‐TV systems

A mobile pay‐TV service is one of the ongoing services of multimedia systems. Designing an efficient mechanism for authentication and key distribution is an important security requirement in mobile pay‐TV systems. Until now, many security protocols have been proposed for mobile pay‐TV systems. However, the existing protocols for mobile pay‐TV systems are vulnerable to various security attacks. Recently, Wang and Qin proposed an authentication scheme for mobile pay‐TV systems using bilinear pairing on elliptic curve cryptography. They claimed that their scheme could withstand various attacks. In this paper, we demonstrate that Wang and Qin's scheme is vulnerable to replay attacks and impersonation attacks. Furthermore, we propose a novel security protocol for mobile pay‐TV systems using the elliptic curve cryptosystem to overcome the weaknesses of Wang and Qin's scheme. In order to improve the efficiency, the proposed scheme is designed in such a way that needs fewer scalar multiplication operations and does not use bilinear pairing, which is an expensive cryptographic operation. Detailed analyses, including verification using the Automated Validation of Internet Security Protocols and Applications tool and implementation on FPGA, demonstrate that the proposed scheme not only withstands active and passive attacks and provides user anonymity but also has a better performance than Wang and Qin's scheme.     

An efficient two‐party authentication key exchange protocol for mobile environment

The primary goal of this research is to ensure secure communications by client‐server architectures in mobile environment. Although various two‐party authentication key exchange protocols are proposed and claimed to be resistant to a variety of attacks, studies have shown that various loopholes exist in these protocols. What's more, many two‐party authentication key exchange protocols use timestamp to prevent the replay attack and transmit the user's identity in plaintext form. Obviously, these methods will lead to the clock synchronization problem and user's anonymity problem. Fortunately, the three‐way challenged‐response handshake technique and masking user's original identity with a secret hash value used in our study address these problems well. Of course, the proposed protocol based on elliptic curve cryptography supports flawless mutual authentication of participants, agreement of session key, impersonation attack resistance, replay attack resistance, and prefect forward secrecy, as well. The analyses in the aspects of efficiency and security show that the proposed protocol is a better choice for mobile users.     

公钥密码基础设施在电信运营商的应用

随着密码法的实施,我国将信息系统密码应用提升到了法律层面,要求加强公钥基础设施在网络实体互通互信方面的应用。提出了一种采用严格层次结构建设统一电信公钥基础设施的方案,即建立一个全国电信运营商根CA作为信任锚,而各大电信运营商成为独立的子CA,形成“全国电信运营商根CA－电信运营商子CA”的证书信任链,提供PKI安全服务。该方案不仅可以实现电信运营商CA之间的互通互认,也有利于统一电信公钥基础设施成为全球范围信任的电子认证服务提供商,进而在国际证书标准制定上有更大的影响力和话语权。     

车载自组网中可证明安全的无证书认证方案

认证协议的设计是目前车载自组网(VANET)安全领域的研究热点。现有的认证方案中普遍存在密钥托管带来的安全问题,以及使用计算量大的双线性对导致认证效率很低。针对以上问题,该文提出可证明安全的无证书批认证方案,方案中车辆的密钥由车辆自身和一个密钥生成中心共同生成,解决密钥需要托管给第三方维护的问题;方案的签名构造不使用计算量大的对运算,减少了计算开销;引入批认证来减少路边设施的认证负担,提高认证效率。基于求解椭圆曲线上的离散对数问题的困难性假设,在随机预言机模型中证明了该方案可以抵抗自适应选择消息和身份攻击,从而抵抗更改攻击和假冒攻击,并具有匿名性、可追踪性等特点。与现有方案相比,该方案实现了更高效的认证。     

基于公钥密码体制的Kerberos分布式认证协议

本文提出了在Kerberos认证框架内,用公钥体制的完全分布式认证方法,它将密钥分配中心(KDC)的认证工作分散到通信各方,使得新协议在安全性和公平性方面与传统的Kener V5协议相比都有很大提高,同时使Kerberos用户的隐私性也得到提高。     

一种基于混沌的量子身份认证

提出了一种新的基于混沌的量子身份认证方案,该方案将混沌系统对初值条件和参数的极度敏感性及混沌序列的良好伪随机性与量子密码的绝对安全性结合在一起,能够有效地抵抗多次身份认证中由于有限精度导致的混沌特性退化而造成对混沌系统初值和参数的攻击。在方案的实现过程中,利用量子隐形传态原理,解决了多次身份认证中出现的混沌迭代异步问题,实现了每一次身份认证中双方的同步,从而实现了“一次一密”的量子身份认证。整个身份认证过程实现简单,具有动态性和可证明的安全性。     

An efficient and attack‐resistant key agreement scheme for secure group communications in mobile ad‐hoc networks

As a result of the growing popularity of wireless networks, in particular mobile ad hoc networks (MANET), security over such networks has become very important. Trust establishment, key management, authentication, and authorization are important areas that need to be thoroughly researched before security in MANETs becomes a reality. This work studies the problem of secure group communications (SGCs) and key management over MANETs. It identifies the key features of any SGC scheme over such networks. AUTH‐CRTDH, an efficient key agreement scheme with authentication capability for SGC over MANETs, is proposed. Compared to the existing schemes, the proposed scheme has many desirable features such as contributory and efficient computation of group key, uniform work load for all members, few rounds of rekeying, efficient support for user dynamics, key agreement without member serialization and defense against the Man‐in‐the‐Middle attack, and the Least Common Multiple (LCM) attack. These properties make the proposed scheme well suited for MANETs. The implementation results show that the proposed scheme is computationally efficient and scales well to a large number of mobile users. Copyright © 2007 John Wiley & Sons, Ltd.