Similar Literature
 20 similar documents found (search time: 15 ms)
1.
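Ma Jun. 《信息技术》 (Information Technology), 2013, (7): 98-100, 105
Joux's tripartite key agreement scheme is simple and efficient, but it cannot resist man-in-the-middle attacks. Based on certificateless public key cryptography, a new certificateless authenticated multi-party key agreement scheme is proposed; the new scheme extends Joux's tripartite protocol to multiple parties and provides authentication. Because the signature used in the new scheme is a short signature, the whole authentication process is computationally efficient. In addition, the new scheme has the advantages of simple certificate management and no key escrow, and it satisfies several security properties, including no key control, resistance to active man-in-the-middle attacks, forward secrecy, and resistance to key-compromise impersonation attacks.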

2.
Distributed denial‐of‐service (DDoS) attacks are common threats in many networks, where attackers attempt to make victim servers unavailable to other users by flooding them with worthless requests. These attacks cannot be easily stopped by firewalls, since they forge lots of connections to victims with various IP addresses. The paper aims to exploit the software‐defined networking (SDN) technique to defend against DDoS attacks. However, the controller has to handle lots of connections launched by DDoS attacks, which burdens it with a heavy load and degrades SDN's performance. Therefore, the paper proposes an efficient and low‐cost DDoS defense (ELD) mechanism for SDN. It adopts a nested reverse‐exponential data storage scheme to help the controller efficiently record the information of packets in the limited memory. Once there are many packets with high IP variability sent to a certain server and this situation lasts for a while, then a DDoS attack is likely happening. In this case, the controller asks switches to block malicious connections by installing flow rules. Experimental results verify that the ELD mechanism rapidly recognizes protocol‐based DDoS attacks and stops them in time, including TCP SYN flood, UDP flood, and ICMP flood, and also greatly reduces the overhead for the controller to defend against attacks. Moreover, ELD can distinguish DDoS flows from legitimate ones with similar features such as elephant flows and impulse flows, thereby eliminating false alarms.

3.
Many certificateless two‐party authenticated key agreement schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group. In order to improve the performance, we propose a certificateless two‐party authenticated key agreement scheme without bilinear pairings in this paper. A security proof under random oracle model is also provided. Copyright © 2011 John Wiley & Sons, Ltd.

4.
The paper compares five entropy formulas (Shannon, Tsallis, Rényi, Bhatia‐Singh, and Ubriaco) and their application in the detection of distributed denial‐of‐service (DDoS) attacks. The Shannon formula has been used extensively for this purpose for more than a decade. The use of the Tsallis and Rényi formulas in this context has also been proposed. Bhatia‐Singh entropy is a novel information metric with promising results in initial applications in this area. Ubriaco proposed an entropy function based on the fractional calculus. In this paper, flow size distribution was used as the input for detection. The type of DDoS attack is SYN flood, and simulation was used to obtain the input dataset. The results show that the Rényi and Bhatia‐Singh detectors perform better than the rest. Rényi and Tsallis performed similarly with respect to the true positive rate, but Rényi had a much lower false positive rate. The Bhatia‐Singh detector had the best true positive rate but a higher false positive rate than Rényi. The Ubriaco detector performed similarly to the Shannon detector. With respect to detection delay, Tsallis, Ubriaco, and Shannon produced similar results, with a slight advantage associated with the Ubriaco detector, while Rényi and Bhatia‐Singh had a larger detection delay than the former three.

5.
The weaknesses of a recently proposed Smart's (see ibid., vol. 38, no. 13, p. 630-632, 2002) ID-based authenticated two-pass key agreement protocol are discussed. An efficient ID-based authenticated key agreement protocol with the optimal number of evaluations of Weil pairing is proposed.

6.
Named data networking (NDN) has attracted much attention on the design for next generation Internet architecture. Although it embeds some security primitives in its original architecture, it may suffer from denial‐of‐service (DoS) attacks. In this paper, we model one representative type of NDN‐specific DoS attacks named DoS against pending interest table (PIT), or DoS‐PIT, which floods malicious Interests that request nonexistent content to bypass cached content at routers and to exhaust the memory resource for PIT, bringing in severe service degradation. In our proposed analytical model, the closed‐form expressions for the DoS probability for users suffering DoS‐PIT are derived, while considering several important factors of NDN networks such as PIT size, time‐to‐live of each PIT entry, popularity of content, and cache size. Moreover, extensive simulation experiments demonstrate the accuracy of the proposed model on evaluating the damage effect of DoS‐PIT. In addition, the proposed model can be chosen to guide designing effective countermeasures for DoS‐PIT (or attacks with similar way to harm NDN) by properly setting the values of some parameters (e.g., cache size) of each NDN router. Copyright © 2013 John Wiley & Sons, Ltd.

7.
An efficient one round tripartite authenticated key agreement protocol which makes use of the Weil pairing is presented. Its security properties are discussed.

8.
Wireless networks are deployed in many critical areas, such as health care centers, hospitals, police departments, and airports. In these areas, communication through the networks plays a vital role, and real‐time connectivity along with constant availability of the networks is highly important. However, one of the most serious threats against the networks availability is the denial‐of‐service attacks. In wireless networks, clear text form of control frames is a security flaw that can be exploited by the attackers to bring the wireless networks to a complete halt. To prevent the denial‐of‐service attacks against the wireless networks, we propose two distinct security models. The models are capable of preventing the attacks by detecting and discarding the forgery control frames belonging to the attackers. The models are implemented and evaluated under various experiments and trials. The results have proved that the proposed models significantly improve the security performance of the wireless networks. This gives advantage of safe communication that can substantially enhance the network availability while maintaining the quality of the network performance. Copyright © 2011 John Wiley & Sons, Ltd.

9.
An authenticated group key agreement protocol allows participants to agree on a group key that will be subsequently used to provide secure group communication over an insecure network. In this paper, we give a security analysis on a pairing‐free identity‐based authenticated group key agreement due to Islam et al. We show that the protocol of Islam et al. cannot satisfy the minimal security requirements of the key agreement protocols. We propose an efficient pairing‐free identity‐based authenticated group key agreement for imbalanced mobile network. The proposed protocol can be implemented easily for practical application in mobile networks as it is free from bilinear pairings. Under the difficulty of the InvCDH and CDH, we demonstrate that the proposed protocol provides perfect forward secrecy, implicit key authentication and the dynamic functionality. As compared with the group key agreement protocols for imbalanced mobile network, the proposed protocol provides stronger security properties and high efficiency. Copyright © 2013 John Wiley & Sons, Ltd.

10.
To ensure secure communication over the insecure public network, this work presents a privacy‐preserving biometrics‐based authenticated key agreement scheme using elliptic curve cryptography, making full use of the advantages that the biometrics can be used to uniquely identify a particular human, and the elliptic curve cryptography can provide the same level security with far less key size compared with other public key cryptography. The proposed scheme realizes the mutual authentication of participants, session key agreement, and various security properties and also can resist kinds of known attacks. Moreover, the proposed scheme has perfect user experience in the aspect of changing password by not interacting with the server. In addition, the security features of our new designed scheme are formally proved under the widely used BPR adversary model. Therefore, from the viewpoint of the authors, the proposed scheme can be considered as the authenticated key agreement scheme for mobile users.

11.
Mobile ad hoc networks (MANETs) own a flexible framework with the absence of a server, where conventional security components fail to compensate the level of MANET security conditions since it is confined to a particular environment, its data transfer potential, and battery and memory constraints. MANET provides a well‐grounded path and an efficiency in communication, but the confidentiality of the trust parameters remains a great challenge since it may be overheard by the impostor. This demands the need of exchanging the encrypted mathematical values. The proposed machine learning security paradigm provides firm and trustworthy network in spite of establishment over additional network platform. The QoS is improved through support vector machine for denial‐of‐service attack. The node has to be clustered to accomplish its respective task. The clustering is done with the help of LEACH protocol, where cluster head and cluster member are fixed to transfer the data in the network. Low energy adaptive clustering hierarchy (LEACH) propagates energy to abstain from draining of battery and malignant network. A secure framework is built along with encryption and decoding to protect from denial‐of‐service attack. Acknowledgement‐based flooding attack has been focused with the help of support vector machine algorithm. The messages are encoded in from the source node and coded again during transmission phase to obtain the original message. Defending the traditional methodologies, the proposed work provides excellent QoS when compared and tested with other protocols. The results obtained ensure its efficiency when support vector machine technique is combined with encryption scheme.

12.
We analyze the security of the Li et al. authentication scheme and show its vulnerability to off‐line password‐guessing and replay attacks. We design a new anonymous authentication scheme. The proposed scheme not only removes the drawback of the Li et al. scheme but also protects user's anonymity. Moreover, we show validity of our proposed scheme using Burrows, Abadi, and Needham logic. Our scheme is comparable in terms of the communication and computational overhead with related schemes. Copyright © 2015 John Wiley & Sons, Ltd.

13.
To provide mutual authentication and communication confidentiality between mobile clients and servers, numerous identity‐based authenticated key agreement (ID‐AKA) protocols were proposed to authenticate each other while constructing a common session key. In most of the existing ID‐AKA protocols, ephemeral secrets (random values) are involved in the computations of the common session key between mobile client and server. Thus, these ID‐AKA protocols might become vulnerable because of the ephemeral‐secret‐leakage (ESL) attacks in the sense that if the involved ephemeral secrets are compromised, an adversary could compute session keys and reveal the private keys of participants in an AKA protocol. Very recently, 2 ID‐AKA protocols were proposed to withstand the ESL attacks. One of them is suitable for single server environment and requires no pairing operations on the mobile client side. The other one fits multi‐server environments, but requires 2 expensive pairing operations. In this article, we present a strongly secure ID‐AKA protocol resisting ESL attacks under mobile multi‐server environments. By performance analysis and comparisons, we demonstrate that our protocol requires the lowest communication overhead, does not require any pairing operations, and is well suitable for mobile devices with limited computing capability. For security analysis, our protocol is provably secure under the computational Diffie‐Hellman assumption in the random oracle model.

14.
Authenticated key agreement protocols play an important role for network‐connected servers to authenticate remote users in Internet environment. In recent years, several authenticated key agreement protocols for single‐server environment have been developed based on chaotic maps. In modern societies, people usually have to access multiple websites or enterprise servers to accomplish their daily personal matters or duties on work; therefore, how to increase user's convenience by offering multi‐server authentication protocol becomes a practical research topic. In this study, a novel chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card is proposed. In this protocol, a legal user can access multiple servers using only a single secret key obtained from a trusted third party, known as the registration center. Security analysis shows this protocol is secure against well‐known attacks. In addition, protocol efficiency analysis is conducted by comparing the proposed protocol with two recently proposed schemes in terms of computational cost during one authentication session. We have shown that the proposed protocol is twice faster than the one proposed by Khan and He while preserving the same security properties as their protocol has. Copyright © 2014 John Wiley & Sons, Ltd.

15.
A new authenticated group key agreement in a mobile environment
A group key agreement protocol enables a group of communicating parties over an untrusted, open network to come up with a common secret key. It is designed to achieve secure group communication, which is an important research issue for mobile communication. In 2007, Tseng proposed a new group key agreement protocol to achieve secure group communication for a mobile environment. Its security is based on the decisional Diffie–Hellman assumption. It remedies the security weakness of the protocol of Nam et al. in which participants cannot confirm that their contributions were actually involved in the group key. Unfortunately, Tseng’s protocol is a nonauthenticated protocol that cannot ensure the validity of the transmitted messages. In this paper, the authors shall propose a new authenticated group key agreement to remedy it. It is based on bilinear pairings. We shall prove the security of the proposed protocol under the bilinear computational Diffie–Hellman assumption. It is also proven to be a contributory group key agreement protocol.

16.
Denial‐of‐service (DoS) and distributed denial‐of‐service (DDoS) are two of the most severe attacks against computer networks, especially the Internet. Despite its destructive effect, planning these attacks is a feasible task. Given that most attackers usually spoof the source address in packet headers, countermeasures can be based on two steps. First of all, some information from the attack space of the offender must be gathered. Fortunately, packets that reach a victim carry important data that can be acquired by means of a data collection process. One possibility is to use the probabilistic packet marking (PPM) approach for data acquisition. Once this is achieved, the next step consists of reconstructing the attack path, which can be carried out by several methods available in the literature. However, none of them provides a precise solution. In this paper, a new theoretical tracking model for the identification of DoS attackers is presented. The model unites the PPM approach and the concept of winding number, derived from the well‐known Cauchy's integral theorem. The winding number is a hydraulic analogy of the amount of attacking packets growing from a router. A suitable transformation allows seeing the packet traffic, in the attack environment, as a fluid flux in the space of complex variables. The method of solving the tracking problem and identifying the sources of attack presents an additional motivation: the use of continuous techniques when approaching a problem that occurs in a discrete environment. Such association will contribute to the development of further solutions possibly more robust than the one dealt with here. This paper shows that the new model can correctly identify the IP address of the router from which the attack comes by using an integral equation derived from the winding number expression. Copyright © 2008 John Wiley & Sons, Ltd.

17.
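This paper analyzes the certificateless two-party authenticated key agreement protocol without bilinear pairing operations proposed by Kim et al., points out that the protocol does not satisfy basic impersonation attack security under a public key replacement attack, and gives a concrete attack. To address this security flaw in the protocol, an improved certificateless two-party authenticated key agreement protocol is proposed. Analysis shows that the improved protocol effectively resists public key replacement attacks and satisfies several necessary security properties.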

18.
During the past decade, rapid advances in wireless communication technologies have made it possible for users to access desired services using hand-held devices. Service providers have hosted multiple servers to ensure seamless online services to end-users. To ensure the security of this online communication, researchers have proposed several multi-server authentication schemes incorporating various cryptographic primitives. Due to the low power and computational capacities of mobile devices, the hash-based multi-server authenticated key agreement schemes with offline Registration Server (RS) are the most efficient choice. Recently, Kumar-Om presented such a scheme and proved its security against all renowned attacks. However, we find that their scheme bears an incorrect login phase, and is unsafe to the trace attack, the Session-Specific Temporary Information Attack (SSTIA), and the Key Compromise Impersonation Attack (KCIA). In fact, all of the existing multi-server authentication schemes (hash-based with offline RS) do not withstand KCIA. To deal with this situation, we propose an improved hash-based multi-server authentication scheme (with offline RS). We analyze the security of the proposed scheme under the random oracle model and use the “Automated Validation of Internet Security Protocols and Applications” (AVISPA) tool. The comparative analysis of communication overhead and computational complexity metrics shows the efficiency of the proposed scheme.

19.
In 2015, Lee proposed time stamp–based and nonce‐based password authenticated key agreement protocols based on the Chebyshev chaotic map to enhance the security of relevant schemes. However, in this paper, we demonstrate that Lee's protocols are vulnerable to user impersonation and stolen verifier attacks. To overcome these security problems, we thus provide an improved version using a smart card. Security analysis and comparisons show that the proposed protocol is more secure and maintains better performance. Furthermore, we perform a formal verification of the proposed protocol using the widely accepted AVISPA tool for error detection.

20.
In 2009, Lee et al. (Ann Telecommun 64:735–744, 2009) proposed a new authenticated group key agreement protocol for imbalanced wireless networks. Their protocol, based on bilinear pairing, was proven secure under the computational Diffie–Hellman assumption. It remedies the security weakness of Tseng’s nonauthenticated protocol that cannot ensure the validity of the transmitted messages. In this paper, the authors will show that Lee et al.’s authenticated protocol is also insecure. An adversary can impersonate any mobile users to cheat the powerful node. Furthermore, the authors propose an improvement of Lee et al.’s protocol and prove its security in the Manulis et al.’s model. The new protocol can provide mutual authentication and resist ephemeral key compromise attack via binding user’s static private key and ephemeral key.
