田沅蕊, 杨小宝,王瑞刚 ,谢璇,贡维雪

在智能卡进行多行业应用时,存在跨行业数据访问、数据泄露以及破坏等安全问题.针对此类问题,结合当前智能卡安全机制和跨行业多应用的文件系统特征,提出了对多应用智能卡数据完整性校验的一种方法.该方法构建了一个文件加密与访问控制模型,其主要功能包括保障各行业应用系统的独立性,实现数据的访问控制和密钥的安全存储等.最后分析并验证了该安全模型的可行性与安全性.该方案在陕西省社会公共服务卡验证平台上得到了验证,提高了卡内数据信息的安全级别.     

MIFARE系统的若干安全性分析

MIFARE Classic是市面上使用最广泛的非接触智能卡,而它的安全性也是目前人们关注的焦点。文中介绍了MIFARE Classic卡的基本特征,针对基本认证协议的三种使用方式,分别提出了破译密钥的具体实现方法,进而攻击者可以成功地复制或篡改卡内的数据。文中还简要介绍了一些其他的攻击方法,并最终从系统的安全角度提出一些可能的改进思路。     

移动数据业务讲座第五讲基于STK的SIM卡业务

1概述 早期的手机智能卡（包括GSM使用的SIM卡和CDMA使用的UIM卡）受卡内处理器能力所限,仅用于用户身份识别、语音加密、电话号码与短信的存储。随着卡内CPU运算能力的提高和内存容量的增加,诞生了智能卡应用开发工具箱（STK／UTK）技术。它提供了在规范环境下开发智能卡应用的新途径。     

ETCS中IC卡动态密钥机制的设计

本文分析了高速公路收费系统(ETCS)中非接触IC卡一卡一密的安全机制,提出了一种改进的动态密钥机制, 实现非接触IC卡一次一密和卡内收费信息的验证。该机制较好地弥补了一卡一密制存在的不足。     

基于NTRU算法的USIM卡安全个人化协议

第三代移动通信对于数据安全提出了更高要求,也对USIM卡用户密钥的安全提出了新的挑战。基于NTRU公钥密码算法的USIM卡安全个人化协议对于传统协议进行了安全相关的改进,使用在卡内生成用户密钥信息并进行保存,然后将它用运营商的NTRU公钥加密后导出,交付给运营商解密后进行入网登记。这样不仅满足了USIM卡密钥全程安全的需求,而且在个人化速度上也比基于RSA的安全协议有了2倍多的提高。     

智能卡——未来标准化的安全器件

智能卡的许多概念是出自近20年来银行业务的电子化和自动服务的发展。未来的智能卡是一种金融支付工具,它不仅仅是传统信用卡的简单的改进,而是一种多功能、防窃密的一种器件。智能卡被认为是一种抗病毒攻击的最终不易损坏的器件,它是继超级计算机、主机、小型计算机、个人计算机和微型计算机之后的第6代计算机。在未来的岁月里将进入千家万户,将是人们手中的一个重要工具,也将是芯片技术的一个重要应用场所。智能卡实际上已得到广泛应用.嵌入微处理器的智能卡在安全方面要比传统的信用卡优越得多。在智能卡的保密区内可以存贮长的密钥,同时在智能卡中能够正确地实现密码术的基本要求——实现复杂的计算程序.由于密码术已渗透到我们日常生活中,将会对各种领域的安全问题严生极大的影响,这不仅仅在银行业、卫星领域,而且在收费电视、电话、家用计算机、数据处理、通信网络以及众多的常用信息技术领域中也是如此。除了安全方面的优点之外,智能卡也是一种存贮的处理数据的介质。用智能卡可在一个被称之为应用数据文件(ADF)的单独的存贮区内实现所谓的“应用提供者”提出的各种应用。因此这种卡又称为多功能卡。由于智能卡有在安全方面、数据存贮和处理方面、用户友好技术方面的优点,今后不仅会逐步代替传统的冲压凸型字卡、磁条卡,而且在信息安全领域内也将得到广泛的应用。本文将介绍什么是智能卡?智能卡的标准化、智能卡的安全、智能卡的鉴别以及智能卡的应用等方面,以期使读者对智能卡有一个较为全面的了解。     

基于智能卡技术的安全电子邮件系统

针对目前常用的电子邮件系统存在密钥产生、传递和保管且不能安全方便地随身携带问题,论文提出了一个基于智能卡技术的安全电子邮件系统,该系统在邮件收发终端引入智能卡技术,保证了密钥等机密信息的安全,通过对邮件进行加密、解密和认证,有效地解决了邮件在存储和传输过程中的安全性问题。     

基于智能卡的强安全认证与密钥协商协议

将认证与密钥协商(Authenticated Key Agreement,AKA)协议所需的一种强安全属性——抗临时密钥泄露攻击引入到基于智能卡和口令的AKA协议中,基于NAXOS方法分别提出了基于智能卡的两方强安全AKA协议和三方强安全AKA协议.同时,首次给出了包含临时密钥泄露攻击的基于智能卡和口令的AKA协议的安全模型,并在该模型下给了所提出协议的安全性证明.此外,文中还分析了抗临时密钥泄露攻击不能在仅使用口令的AKA协议中实现的原因.     

基于虚拟机的OpenSSH秘钥数据隔离方法

OpenSSH密钥数据保存在文件系统中,在主机遭受攻击后容易暴露,需要对这些重要数据进行保护.为此提出使用虚拟机将密钥数据保存到隔离空间,并提供安全访问方法.这种方式使得即使主机在被攻陷的时候,攻击人员仍然无法获得相应的秘钥信息.使用虚拟机的方式提供了一个完全隔离的安全空间,对OpenSSH秘钥数据起到了保护作用.     

安全网络视频会议系统的设计

为网络视频会议传输提供有效的通信安全,采用一个会议密钥分配的智能卡系统,来解决使用者身份认证和通信安全问题.在语音和图像方面,分别采用GSM6.10语音压缩和JPEG图像压缩来降低数据量.在智能卡系统内引入多种对称式加密算法以供使用者选择,在多人与会的环境下,利用该智能卡系统来分配一个共同的会议密钥,让与会者可经由这个共同的会议密钥来对资料作加密保护及数字签名.     

Robust smart‐card‐based remote user password authentication scheme

Smart‐card‐based remote user password authentication schemes are commonly used for providing authorized users a secure method for remotely accessing resources over insecure networks. In 2009, Xu et al. proposed a smart‐card‐based password authentication scheme. They claimed their scheme can withstand attacks when the information stored on the smart card is disclosed. Recently, Sood et al. and Song discovered that the smart‐card‐based password authentication scheme of Xu et al. is vulnerable to impersonation and internal attacks. They then proposed their respective improved schemes. However, we found that there are still flaws in their schemes: the scheme of Sood et al. does not achieve mutual authentication and the secret key in the login phase of Song's scheme is permanent and thus vulnerable to stolen‐smart‐card and off‐line guessing attacks. In this paper, we will propose an improved and efficient smart‐card‐based password authentication and key agreement scheme. According to our analysis, the proposed scheme not only maintains the original secret requirement but also achieves mutual authentication and withstands the stolen‐smart‐card attack. Copyright © 2012 John Wiley & Sons, Ltd.     

基于智能卡的轻量级非平衡型口令认证方案

智能卡与口令相结合的身份认证方式既可保留使用强密钥优势,又具有使用方便的特点,是一种理想的安全双因子认证方式。当前许多公开的口令认证方案,要么需要较强的计算环境而难于采用智能卡快速实现,要么不能抵抗离线口令猜测攻击或服务端内部攻击而存在安全缺陷。提出一种非平衡型口令认证方案,基于智能卡和用户口令双因子设计,具有简便高效、口令安全、双向认证特点,能够抵御离线口令猜测攻击和服务端内部攻击,可用于满足设备开机时的安全认证需求。     

Authentication scheme for multi-cloud environment based on smart card

To solve the problem of the access keys stored in a smart card increasing linearly with the number of registered clouds without third party participated in authentication,an authentication scheme was proposed for multi-cloud environment based on smart card.In the proposed scheme,the authentication was realized between user and multiple clouds without third party participation when the smart card only stored two access key.Thus the storage cost of smart card was reduced effectively.Because there was no public key cryptography,the authentication messages was generated by using XOR homomorphic function and Hash function,thus the computational cost of the smart card and the cloud servers was reduced effectively.Moreover,the proposed scheme also didn’t need to store any user’s information on the cloud servers,thereby reducing the storage and management costs of the cloud servers.The security analysis and the performance analysis show that the proposed scheme is able to resist multiple attacks,which is secure and efficient.     

Lightweight authentication protocol for e-health clouds in IoT-based applications through 5G technology

Modern information technology has been utilized progressively to store and distribute a large amount of healthcare data to reduce costs and improve medical facilities. In this context, the emergence of e-Health clouds offers novel opportunities, like easy and remote accessibility of medical data. However, this achievement produces plenty of new risks and challenges like how to provide integrity, security, and confidentiality to the highly susceptible e-Health data. Among these challenges, authentication is a major issue that ensures that the susceptible medical data in clouds is not available to illegal participants. The smart card, password and biometrics are three factors of authentication which fulfill the requirement of giving high security. Numerous three-factor ECC-based authentication protocols on e-Health clouds have been presented so far. However, most of the protocols have serious security flaws and produce high computation and communication overheads. Therefore, we introduce a novel protocol for the e-Health cloud, which thwarts some major attacks, such as user anonymity, offline password guessing, impersonation, and stolen smart card attacks. Moreover, we evaluate our protocol through formal security analysis using the Random Oracle Model (ROM). The analysis shows that our proposed protocol is more efficient than many existing protocols in terms of computation and communication costs. Thus, our proposed protocol is proved to be more efficient, robust and secure.     

A lightweight password‐based authentication protocol using smart card

With its simplicity and feasibility, password‐based remote user authentication becomes a popular way to control remote access to network. These years, numerous password‐based authentication schemes have been proposed. Recently, Maitra et al proposed a smart card–based scheme which claims to be resistant to various attacks. Unfortunately, we found some important flaws in this scheme. Therefore, in this paper, we will demonstrate that the scheme of Maitra et al is not secure enough as claimed: neither resisting against off‐line password guessing attack and insider attack nor preserve forward secrecy. To overcome those flaws, we put forward an improved new scheme which not only is resistant to all known attacks but also provides many attractive attributes, such as user revocation and re‐register. Also, we compared the scheme with other related schemes, the result proved the superiority of our scheme. Particularly, we show a new way (beyond the conventional Deffie‐Hellman approach) to achieve forward secrecy. Furthermore, we put some efforts into exploring the design principle of authentication schemes.     

Provable analysis and improvement of smart card–based anonymous authentication protocols

Nowadays, authentication protocols are essential for secure communications specially for roaming networks, distributed computer networks, and remote wireless communication. The numerous users in these networks rise vulnerabilities. Thus, privacy‐preserving methods have to be run to provide more reliable services and sustain privacy. Anonymous authentication is a method to remotely authenticate users with no revelation about their identity. In this paper, we analyze 2 smart card–based protocols that the user's identity is anonymous. However, we represent that they are vulnerable to privileged insider attack. It means that the servers can compromise the users' identity for breaking their privacy. Also, we highlight that the Wen et al protocol has flaws in both stolen smart card and stolen server attacks and the Odelu et al protocol is traceable. Then, we propose 2 modified anonymous authentication protocols. Finally, we analyze our improved protocols with both heuristic and formal methods.     

基于电子钥匙的双向身份鉴别方案

通过改进鉴别方案的安全策略和身份鉴别信息,提出了一种基于USB Key的可有效对抗离线口令猜测攻击和内部攻击的改进方案。安全性分析表明,改进后的方案保持了非存储数据型鉴别方案特点,且没有增加计算代价,具有更好的安全性和实用性。     

An Improved and Secure Two-factor Dynamic ID Based Authenticated Key Agreement Scheme for Multiserver Environment

The smart card based password authentication scheme is one of the most important and efficient security mechanism, which is used for providing security to authorized users over an insecure network. In this paper, we analyzed major security flaws of Jangirala et al.’s scheme and proved that it is vulnerable to forgery attack, replay attack, user impersonation attack. Also, Jangirala et al.’s scheme fail to achieve mutual authentication as it claimed. We proposed an improved two factor based dynamic ID based authenticated key agreement protocol for the multiserver environment. The proposed scheme has been simulated using widely accepted AVISPA tool. Furthermore, mutual authentication is proved through BAN logic. The rigorous security and performance analysis depicts that the proposed scheme provides users anonymity, mutual authentication, session key agreement and secure against various active attacks.     

网络融合下的鉴权技术研究

为提供整体鉴权管理机制以实现固网与移动网络的融合,在对现有通信网络及IMS的安全鉴权进行研究的基础上,提出以EAP-AKA协议加上SIM卡的鉴权机制和只使用SIM卡的用户识别功能两种方案,形成融合网络的整体鉴权。最后对融合网络的未来鉴权机制做了探讨。