Similar literature
 20 similar documents found (search time: 15 ms)
1.
In wireless mobile networks, group members join and leave the group frequently, so a dynamic group key agreement protocol is required to provide a group of users with a shared secret key to achieve cryptographic goals. Most previous group key agreement protocols for wireless mobile networks are static and employ traditional PKI. This paper presents an ID-based dynamic authenticated group key agreement protocol for wireless mobile networks. In the Setup and Join algorithms, the protocol requires two rounds and each low-power node transmits constant size of messages. Furthermore, in the Leave algorithm, only one round is required and none of the low-power nodes is required to transmit any message, which improves the efficiency of the entire protocol. The protocol’s AKE-security with forward secrecy is proved under the Decisional bilinear inverse Diffie-Hellman (DBIDH) assumption. It is additionally proved to be contributory.

2.
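A new authenticated key agreement protocol suited to ad hoc networks is proposed. Based on signcryption, it achieves authentication and encryption in the same logical step, improving the efficiency of key agreement; its use of an identity-based public key cryptosystem reduces the cost of establishing and managing a public key infrastructure; and its use of bilinear pairings on elliptic curves lets the protocol meet equivalent security requirements with short keys and little computation. Compared with existing key agreement protocols, the new protocol has low computation and transmission costs, low bandwidth requirements and high security, making it suitable for energy- and bandwidth-constrained ad hoc networks.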

3.
Group Key Agreement (GKA) is a cryptographic primitive allowing two or more entities to negotiate a shared session key over public networks. In existing GKA models, it is an open problem to construct a one round multi party GKA protocol. Wu et al. recently proposed the concept of asymmetric group key agreement (ASGKA) and realized a one round ASGKA protocol, which affirmatively answers the above open problem in a relaxed way. However, the ASGKA protocol only applies to static groups. To fill this gap, this paper proposes an extended ASGKA protocol based on the Wu et al. protocol. The extension allows any member to join and leave at any point, provided that the resulting group size is not greater than n. To validate the proposal, extensive experiments are performed and the experimental results show that our protocol is more effective than a plain realization of the Wu et al. protocol for dynamic groups. The extended protocol is also more efficient than the up to date dynamic GKA protocol in terms of communication and computation.

4.
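Attribute-based authenticated key agreement protocol supporting user revocation   Total citations: 1, self-citations: 0, citations by others: 1
User revocation is a problem that attribute-based authenticated key agreement (ABAKA) protocols must solve in practical applications. By combining Waters' attribute-based encryption scheme with the Boneh-Gentry-Waters broadcast encryption scheme, an ABAKA protocol supporting user revocation is proposed. The protocol revokes users immediately and does not require the key authority to periodically update the private keys of all non-revoked users. Compared with existing protocols, it has higher communication efficiency, is provably secure in the standard model and the modified ABCK model, provides weak perfect forward secrecy, and resists key compromise impersonation attacks.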

5.
Distributed sensor networks are becoming a robust solution that allows users to directly access data generated by individual sensors. In many practical scenarios, fine-grained access control is a pivotal security requirement to enhance usability and protect sensitive sensor information from unauthorized access. Recently, there have been proposed many schemes to adapt public key cryptosystems into sensor systems consisting of high-end sensor nodes in order to enforce security policy efficiently. However, the drawback of these approaches is that the complexity of computation increases linear to the expressiveness of the access policy. Key-policy attribute-based encryption is a promising cryptographic solution to enforce fine-grained access policies on the sensor data. However, the problem of applying it to distributed sensor networks introduces several challenges with regard to the attribute and user revocation. In this paper, we propose an access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. They can be achieved by the proxy encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution. The analysis results indicate that the proposed scheme achieves efficient user access control while requiring the same computation overhead at each sensor as the previous schemes.

6.
In this paper, we present and analyze a variant of Burmester-Desmedt group key agreement protocol (BD) and enhance it to dynamic setting where a set of users can leave or join the group at any time during protocol execution with updated keys. In contrast to BD protocol, let us refer to our protocol as DB protocol. Although the DB protocol is similar to BD protocol, there are subtle differences between them: 1) Key computation in DB protocol is different and simpler than in BD protocol with same complexity of BD protocol; 2) Number of rounds required in our authenticated DB protocol is one less than that in authenticated BD protocol introduced by Katz-Yung; 3) DB protocol is more flexible than BD protocol in the sense that DB protocol is dynamic. The reusability of user's precomputed data in previous session enables the join and leave algorithms of our DB protocol to reduce most user's computation complexities which can be useful in real life applications; and 4) DB protocol has the ability to detect the presence of corrupted group members, although one can not detect who among the group members are behaving improperly.

7.
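The rapid development of wireless networks has given users a real experience of network access at any time and in any place, but the accompanying network security problems have become increasingly prominent. The Wired Equivalent Privacy (WEP) protocol is introduced in some detail and the shortcomings of this encryption protocol are analyzed. Finally, corresponding solutions are proposed, along with security policies addressing the hidden risks.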

8.
An authenticated group key agreement protocol allows participants to agree on a group key that will be subsequently used to provide secure group communication over an insecure network. In this paper, we give a security analysis on a pairing‐free identity‐based authenticated group key agreement because of Islam et al. We show that the protocol of Islam et al. cannot satisfy the minimal security requirements of the key agreement protocols. We propose an efficient pairing‐free identity‐based authenticated group key agreement for imbalanced mobile network. The proposed protocol can be implemented easily for practical application in mobile networks as it is free from bilinear. Under the difficulty of the InvCDH and CDH we demonstrate that the proposed protocol provides perfect forward secrecy, implicit key authentication and the dynamic functionality. As compared with the group key agreement protocols for imbalanced mobile network, the proposed protocol provides stronger security properties and high efficiency. Copyright © 2013 John Wiley & Sons, Ltd.

9.
Self‐healing group key distribution protocols are useful in applications that have a dynamic group structure. These include broadcast transmission systems and multicast networks such as pay‐per‐view television, embedded and sensor networks, and cellular and wireless networks. To cater to the requirements of these applications, several self‐healing group key distribution protocols are proposed in the literature. Many of these schemes are vulnerable to polynomial factorization or insider replay attacks. Some other schemes impose constraints on the users joining the group or revoked from the group. Motivated by these and other shortcomings of the existing schemes, we hereby propose a novel self‐healing group key distribution protocol. Some of the features of this scheme include that (a) the number and the set of revoked users is not constrained, (b) the communication group can consist of any set of users, and (c) a revoked user is allowed to rejoin the group in any of the later sessions. The scheme is analyzed for its security, and it is found to provide anywise forward and backward secrecy. It is also found to resist anywise collusion attack. Communication and computation complexity of the scheme is analyzed; while doing so, various possible realizations of the scheme are discussed. In addition to the theoretical analysis, the proposed scheme is experimentally verified for its correctness using OMNET++ network simulator.

10.
In recent years there has been increasing interest in interconnecting satellite and ATM networks, because both share common characteristics of the ability to provide bandwidth-on-demand and flexibility of integrating voice, video and data services. There are several new satellite constellation proposals that support multimedia service and transport ATM traffic. For a successful implementation of such systems it is essential to address the security requirements of users, satellite ATM network operators and multimedia service providers. In order to minimize delay and the cost of implementing security systems for satellite ATM networks, the network operator role (in security services) can be limited to the mutual authentication with satellite users during call set-up periods. In this paper a mutual authentication protocol between the user and the satellite network is presented using digital signature and public key systems. Also, another mutual authentication protocol between the user and the service provider is presented to provide end-to-end authentication and negotiation of security options such as selecting a secret key system and the key length. Finally, a detailed hardware implementation of ATM cell payload encryption is presented using the DES/TripleDES secret key system. © 1998 John Wiley & Sons, Ltd.

11.
A secure key agreement scheme plays a major role in protecting communications between the users using voice over internet protocol over a public network like the internet. In this paper we present a strong security authenticated key agreement scheme for session initiation protocol (SIP) by using biometrics, passwords and smart cards. The proposed scheme realizes biometric data protection through key agreement process meanwhile achieving the verification of the biometric value on the SIP server side which is very important in designing a practical authenticated key agreement for SIP. The main merits of our proposed scheme are: (1) the SIP server does not need to maintain any password or verification table; (2) the scheme can provide user identity protection—the user’s real identity is protected by a secure symmetric encryption algorithm and the elliptic curve discrete logarithm problem, and it is transmitted in code; (3) the scheme can preserve the privacy of the user’s biometric data while the biometric matching algorithm is performed at the SIP server side, even if the server does not know the biometric data in the authentication process. Performance and security analysis shows that our proposed scheme increases efficiency significantly in comparison with other related schemes.

12.
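In a unified-communications heterogeneous network environment, communication inside a network environment has good availability and security thanks to unified protocol specifications, encryption, firewalls and other security measures. In today's electric power communication networks, which have many service networks and distinct network tiers, heterogeneous network environments are widely used in every aspect of communication. For communication between heterogeneous networks, however, security is reduced in order to guarantee availability. After studying the problems and current state of heterogeneous network traversal, the paper examines symmetric-key and asymmetric-key cryptosystems in depth and proposes a hybrid encryption algorithm based on the RSA algorithm and an improved DES algorithm. Finally, analysis of a worked example shows that the algorithm has good security.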

13.
In deep space delay tolerant networks rekeying expends vast amounts of energy and delay time as a reliable end-to-end communication is very difficult to be available between members and key management center. In order to deal with the question, this paper puts forward an autonomic group key management scheme for deep space DTN, in which a logical key tree based on one-encryption-key multi-decryption-key key protocol is presented. Each leaf node with a secret decryption key corresponds to a network member and each non-leaf node corresponds to a public encryption key generated by all leaf node’s decryption keys that belong to the non-leaf node’s sub tree. In the proposed scheme, each legitimate member has the same capability of modifying public encryption key with his own decryption key as key management center, so rekeying can be fulfilled successfully by a local leaving or joining member in lack of key management center support. In the security aspect, forward security and backward security are guaranteed. In the efficiency aspect, our proposed scheme’s rekeying message cost is half of LKH scheme when a new member joins, furthermore in member leaving event a leaving member makes tradeoff between computation cost and message cost except for rekeying message cost is constant and is not related to network scale. Therefore, our proposed scheme is more suitable for deep space DTN than LKH and the localization of rekeying is realized securely.

14.
Attribute-based encryption (ABE) is a new cryptographic technique which guarantees fine-grained access control of outsourced encrypted data in the cloud environment. However, a key limitation remains, namely policy updating. Thus, a multi-authority attribute-based encryption scheme with policy dynamic updating was proposed. In the scheme, an anonymous key issuing protocol was introduced to protect users’ privacy and resist collusion attack of attribute authority. The scheme with dynamic policy updating technique was secure against chosen plaintext attack under the standard model and can support any types of policy updating. Compared to the existing related schemes, the size of ciphertext and users’ secret key is reduced and can significantly reduce the computation and communication costs of updating ciphertext. It is more effective in the practical application.

15.
Advances in lattice-based cryptography are enabling the use of public key algorithms (PKAs) in power-constrained ad hoc and sensor network devices. Unfortunately, while many wireless networks are dominated by group communications, PKAs are inherently unicast—i.e., public/private key pairs are generated by data destinations. To fully realize public key cryptography in these networks, lightweight PKAs should be augmented with energy efficient mechanisms for group key agreement. Recently, many key management schemes for the WSNs have been proposed, but the computation and communication costs of these protocols are too high to be suitable for WSNs. This paper proposes a key establishment protocol for the WSNs based on combined key. The protocol adopts seed key mapping technology to achieve two-party and multi-party key establishment in the WSNs; it can generate a large number of combination keys with little resources. So it effectively solves the contradiction between the sensor nodes' need for large storage space to store shared keys with their neighbors and their limited storage space. It can also achieve mutual authentication between nodes when they establish a shared key. Analysis shows that the proposed protocol has advantages in storage efficiency, computation consumption and communication consumption and is suitable for wireless networks.

16.

In Broadcast Encryption schemes, a sender can broadcast the encrypted message securely in a threatening network to a set of legitimate system users only. In IBE scheme any sender can encrypt the desired message using his/her identity without attaining the public key certificate. Here, we have presented an efficient ID-based broadcast encryption scheme (IBBE) for open networks. In this scheme, desired messages can be broadcasted to any subset of the users by any sender but only authorized receivers are capable of retrieving the encrypted messages. This scheme has shorter decryption keys in comparison with other primitive of IBBE scheme for open networks. Moreover, the proposed scheme intends to achieve the lower cost for computation as well as transmission in comparison to earlier existing IBBE schemes.


17.
1 Introduction WSN has received considerable attention during last decade [1–4] (see, for example, the proceedings of the ACM and IEEE Workshops on WSN). It has wide variety of applications, including military sensing and tracking, environment and securit…

18.
Due to the flexibility of wireless mesh networks (WMNs) to form the backhaul subnetworks, future generation networks may have to integrate various kinds of WMNs under possibly various administrative domains. Aiming at establishing secure access and communications among the communication entities in a multi-domain WMN environment, in this paper, we intend to address the cross-domain authentication and key agreement problem. We present a light-weight cross-domain authentication and key agreement protocol, namely CAKA, under certificateless-based public key cryptosystem. CAKA has a few attractive features. First, mutual authentication and key agreement between any pair of users from different WMN domains can be easily achieved with two-round interactions. Second, no central domain authentication server is required and fast authentication for various roaming scenarios is supported by using a repeated cross-domain algorithm. Third, no revocation and renewal of certificates and key escrow are needed. Finally, it provides relatively more security features without increasing too much overhead of computation and storage. Our analysis shows that the proposed CAKA protocol is highly efficient in terms of communication overhead and resilient to various kinds of attacks.

19.
In recent years, several random key pre-distribution schemes have been proposed to bootstrap keys for encryption, but the problem of key and node revocation has received relatively little attention. In this paper, based on a random key pre-distribution scheme using clustering, we present a novel random key revocation protocol, which is suitable for large scale networks greatly and removes compromised information efficiently. The revocation protocol can guarantee network security by using less memory consumption and communication load, and combined by centralized and distributed revocation, having virtues of timeliness and veracity for revocation at the same time.

20.
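To address the shortcomings in the transmission of item information in the traditional Internet of Things, and drawing on the idea of onion routing, a new anonymous transmission scheme for IoT item information based on bilinear pairings and hash operations is proposed. The scheme uses a pseudonym-based key agreement mechanism, replaces the public-key signcryption mechanism with a symmetric-key mechanism, and uses XOR operations for identity confirmation. Analysis shows that the new scheme solves the forward secrecy and clock synchronization problems and offers higher efficiency and security.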
