基于自认证的LTE-R系统验证方案研究

针对当前GSM-R网络身份认证与密钥协商方案存在扩展性差、用户身份信息易泄露的问题,本文为下一代高速铁路无线通信系统LTE-R提出一种基于自认证公钥体制的认证与密钥协商协议,实现实体间双向身份认证,保护空中接口及有线通信链路.     

基于可信证书验证代理的无线接入认证方案

PKI认证机制由于效率原因,不宜直接应用于无线网络环境.本文引入可信证书验证代理(TCVP),设计了一个基于公钥密码的无线接入认证协议.该协议中,TCVP基于PKI认证无线移动节点的身份,并为其签发证书有效性凭据(CVT).在无线接入过程中,移动节点仅需出示CVT,即可证明其身份,无需在线验证接入网关证书的有效性,减少了认证协议的消息数量和大小.与SSL和WTLS的对比分析表明,该协议具有更高的效率.     

认证的密钥交换协议及SVO逻辑证明

在环境受限的无线通信网络环境中,身份认证和会话密钥的协商是确保通信双方能否建立安全会话的关键。为使认证和密钥建立协议中采用的密码技术能适合受限通信环境中的应用,提出一个基于身份的认证的密钥建立协议,并使用SVO逻辑证明设计协议的安全目标。     

强口令认证协议的组合攻击

基于强口令的身份认证机制是目前身份认证技术发展的一个重要方向.本文对IEICE上新近提出的一个优化强口令身份认证协议OSPA(Optimal Strong-Password Authentication)进行了分析,并利用本文首次提出的组合攻击方法对其进行了有效攻击.攻击结果表明该协议对凭证被窃问题、中间人攻击、重放攻击和拒绝服务攻击是脆弱的.     

异构无线网络中基于标识的匿名认证协议

针对异构无线网络中的认证协议的安全问题,提出一种基于CPK算法和改进的ECDH算法的双向认证和密钥协商协议,引入用户的临时认证身份和临时通信身份实现用户的身份匿名;提出采用临时通信身份有序对防止重认证过程中的重放攻击,并且在协议设计中规避了密钥泄漏带来的风险。分析表明该协议具有身份认证、会话密钥安全、匿名性等安全属性。     

数字移动通信系统中认证协议的设计与分析

该文针对数字移动通信系统的背景和需求, 基于公钥密码体制设计了一个端端密钥分发协议,基于对称密码体制设计了一个身份认证协议,并利用Spi演算对身份认证协议进行了分析,证明了其安全性。     

基于SIP的终端用户身份认证机制的研究

SIP协议是NGN中的重要协议,其安全性一直备受人们的关注。然而SIP协议中已存在的安全机制不能完全地确认发起SIP请求的终端用户的身份。首先分析现有的身份认证机制存在的问题,然后介绍一种增强的身份认证管理的设计方案,它能在现在的网络环境中有效地对发起请求的终端用户进行身份认证。     

数字水印在零知识身份认证中的应用

针对零知识身份认证协议存在的问题，根据数字水印能隐藏信息的特点，提出了一种新的零知识身份认证协议。在此协议中使用数字水印改善了认证的特性。在认证过程中，验证者在验证示证者身份时需要两方面的信息：一是来自网络的信息，二是本地的信息，从而有效地解决了存在的问题，提高了认证的安全性。     

基于LDAP协议与Kerberos认证机制的统一认证

为开发一个企业级的用户身份认证体系,依据目录服务理论,将LDAP协议和Kerberos认证技术相结合,应用于身份认证服务器的结构设计,进行用户统一身份认证和授权,并进一步分析了系统的安全性。     

基于非齐次线性方程组的认证协议的改进

文中主要回顾了<基于非齐次线性方程组的认证协议的研究>一文中给出的基于具有无穷多个解的非齐次线性方程组而建立的一个身份认证协议和一个消息认证协议,结合<两个认证协议的安全缺陷>一文,对这两个认证协议中存在的安全缺陷进行具体分析;然后通过引入陷门单向函数对这两个认证协议进行改进,保障其安全缺陷和可操作性;并用RSA算法作为实例,对改进后的认证协议进行讨论分析.     

一种TPM2.0密钥迁移协议及安全分析

国际规范《TPM-Rev-2.0-Part-1-Architecture-01.38》允许用户基于密钥复制接口来设计密钥迁移协议以实现芯片间密钥的共享,并在复制过程中通过innerwrap和outerwrap为复制密钥提供机密性、完整性和认证性.然而通过分析发现基于密钥复制接口设计的密钥迁移协议存在三个问题：（1）缺少交互双方TPM的相互认证,会导致密钥能够在敌手和TPM间迁移;（2）当复制密钥的属性encryptedDuplication=0且新父密钥的句柄newParentHandle=TPM_RH_NULL时,复制接口不能实施innerwrap和outerwrap,复制密钥将以明文传输而造成泄露;（3）当新父密钥是对称密钥时,innerwrap中的对称加密密钥以及outerwrap中的密钥种子如何在源TPM与目标TPM之间安全交换,《TPM-Rev-2.0-Part-1-Architecture-01.38》并没有给出具体的解决办法.不仅如此,该协议流程还非常复杂,也无法统一,容易导致复制密钥泄露.针对以上问题,本文提出了基于MAK（Migrate Authentication Key）和复制接口的新密钥迁移协议-MDKMP（Make Duplication Key Migration Protocol）.首先在TPM中的SRK下新增只用于TPM密钥迁移的非对称密钥MAK,并申请相应证书-TPM迁移认证证书;然后基于MAK证书和复制接口设计新的TPM密钥迁移协议MDKMP.MDKMP采用两阶段迁移模式,第一阶段将源TPM密钥迁移到目的TPM的MAK下,第二阶段再将密钥迁移到新父密钥下.     

Authentication of Mobile Users in Third Generation Mobile Systems

The goal of the third-generation mobile systems is to provide worldwide operation, enhance service capabilities, and improve performance over the second-generation mobile systems. In this paper, we propose an authentication procedure for third-generation mobile systems. The authentication procedure is a protocol suite consisting of two subprotocols: a certificate-based authentication (CBA) protocol and a ticket-based authentication (TBA) protocol. Only two parties, MS and VLR, are involved in executing our protocol. Our authentication procedure uses both public- and secret-key cryptosystems. Our authentication procedure not only provides uniform authentication across domains, but also reduces computational costs in the process of repeated authentication. We provide firm proof of our procedure's correctness.     

LVAP: Lightweight V2I authentication protocol using group communication in VANETs

The authentication protocol is vital for the security of the wireless sensor network to resist the known threats, such as eavesdropping, replay attack, man‐in‐the‐middle attack, etc. In this paper, a lightweight authentication protocol for vehicular ad hoc networks is proposed using the symmetric encryption, the group communication method, and the proactive authentication technique, which not only achieves the desired security goals but also guarantees the practical anonymity and the accountability. The analysis demonstrates that the proposed protocol works properly in the high‐density and the low‐density traffic environment.     

Double Delegation-Based Authentication and Key Agreement Protocol for PCSs

Many protocols have been proposed for solving the user authentication in portable communication system. One of the schemes is based on the delegation concept. Home Location Register (HLR) delegates Mobile Station (MS) to be authenticated by Visitor Location Register (VLR). The main drawback of the scheme is that the HLR is required during the online authentication phase between VLR and MS. In this paper, a double delegation-based authentication and key agreement protocol is proposed. The main advantage of our protocol is that this scheme requires only MS and VLR online. This protocol will thoroughly utilize the proxy signature features to facilitate the operation of this protocol while only requires two members (MS, VLR) to be online at the same time.     

UCAP:a PCL secure user authentication protocol in cloud computing

As the combine of cloud computing and Internet breeds many flexible IT services,cloud computing becomes more and more significant.In cloud computing,a user should be authenticated by a trusted third party or a certification authority before using cloud applications and services.Based on this,a protocol composition logic (PCL) secure user authentication protocol named UCAP for cloud computing was proposed.The protocol used a symmetric encryption symmetric encryption based on a trusted third party to achieve the authentication and confidentiality of the protocol session,which comprised the initial authentication phase and the re-authentication phase.In the initial authentication phase,the trusted third party generated a root communication session key.In the re-authentication phase,communication users negotiated a sub session key without the trusted third party.To verify the security properties of the protocol,a sequential compositional proof method was used under the protocol composition logic model.Compared with certain related works,the proposed protocol satisfies the PCL security.The performance of the initial authentication phase in the proposed scheme is slightly better than that of the existing schemes,while the performance of the re-authentication phase is better than that of other protocols due to the absence of the trusted third party.Through the analysis results,the proposed protocol is suitable for the mutual authentication in cloud computing.     

一种泛在网络的安全认证协议

泛在网络是标准的异质异构网络,保证用户在网络间的切换安全是当前泛在网的一个研究热点。该文对适用于异构网络间切换的认证协议EAP-AKA进行分析,指出该协议有着高认证时延,且面临着用户身份泄露、中间人攻击、DoS攻击等安全威胁,此外接入网络接入点的有效性在EAP-AKA协议中也没有得到验证,使得用户终端即使经过了复杂的认证过程也不能避免多种攻击。针对以上安全漏洞,该文提出一种改进的安全认证协议,将传统EAP-AKA的适用性从3G系统扩展到泛在网络中。新协议对传播时延和效率进行完善,为用户和接入点的身份信息提供有效性保护,避免主会话密钥泄露,采用椭圆曲线Diffie Hellman算法生成对称密钥,在每次认证会话时生成随机的共享密钥,并实现用户终端与家乡域网络的相互认证。通过开展实验,对协议进行比较分析,验证了新协议的有效性及高效率。     

Three-party password authenticated key agreement protocol with user anonymity based on lattice

With the rapid development of quantum theory and the existence of polynomial algorithm in quantum computation based on discrete logarithm problem and large integer decomposition problem,the security of the algorithm was seriously threatened.Therefore,two authentication key agreement protocols were proposed rely on ring-learning-with-error (RLWE) assumption including lattice-based implicit authentication key agreement scheme and lattice-based explicit authentication key agreement scheme and proved its security.The implicit authentication key agreement protocol is less to communicate and faster to authentication,the explicit authentication key agreement protocol is more to secure.At the same time,bidirectional authentication of users and servers can resist unpredictable online dictionary attacks.The new protocol has higher efficiency and shorter key length than other password authentication key agreement protocols.It can resist quantum attacks.Therefore,the protocol is efficient,secure,and suitable for large-scale network communication.     

一种混合机制的TETRA双向鉴权协议

该文详细分析了TETRA系统移动台和网络之间的鉴权协议,分析表明采用共享秘密的挑战应答协议存在若干缺陷：(1)当无法保证访问位置寄存器和归属位置寄存器之间的通信安全时会产生对已知明文攻击的开放性;(2)网络规模较大时,在网络端难于保存和维护大量的鉴权密钥。在理论分析的基础上该文给出了一种基于身份公钥的网络端对移动台和基于哈希链的移动台对网络端的鉴权协议,所提出的协议可以有效弥补上述缺陷。     

改进的3G认证与密钥分配协议

本文详细分析了3G认证与密钥分配协议的过程以及协议的安全性，找出了协议中的安全缺陷，并给出了攻击者可能进行的攻击。针对协议的安全漏洞，提出了一种改进的认证与密钥分配方案，解决了对VLR的认证以及网络端信息传输的安全性。最后，对改进方案的安全性进行了分析。