一种基于文件共享的P2P节点认证方案

身份认证是P2P（peertopeer）网络安全的重要组成部分,但传统的PKI（金钥基础设施）认证方式因为具有静态的集中化控制和固定的证书内容等特点,不能很好地满足P2P网络安全认证的需要,且在公钥的分发过程中容易遭受中间人攻击。为此,提出了一种新型的公钥管理架构和身份认证方案,每个节点可以自己产生并分发公私钥,认证服务器仅在节点加入网络时参与完成公钥的分发。超级节点负责管理本组内全部节点的公钥,节点在相互认证时无需认证服务器的参与,仅通过超级节点来完成。分析结果表明,这种认证方案可以有效地抵抗中间人攻击,在保持高效率的基础上又保证了认证的安全性。     

基于公钥的可证明安全的异构无线网络认证方案

该文针对3G-WLAN异构网络的接入安全,对异构网络的实体进行抽象,建立了一种通用的认证模型。在该模型的基础上,利用Canetti-Krawczyk (CK)模型设计了一种新的接入认证与密钥协商方案。该方案利用公钥基础设施分配公钥,简化接入端服务器和归属端服务器间的认证过程和认证信息;利用椭圆曲线密码机制,减少了移动终端的认证计算量;最后利用CK模型对提出的协议进行了形式化分析和证明。分析表明该方案是安全有效的。     

Efficient revocable attribute-based encryption scheme

In the existing solutions,the time-based scheme is difficult to achieve immediate revocation,and the third-party-based scheme often requires re-encryption,which needs large amount of calculation and doesn’t apply to mas-sive data.To solve the problem,an efficient and immediate CP-ABE scheme was proposed to support user and attribute lev-els revocation.The scheme was based on the classic LSSS access structure,introducing RSA key management mechanism and attribute authentication.By means of a semi-trusted third party,the user could be authenticated before decryption.Com-pared with the existing revocation schemes,The proposed scheme didn’t need the user to update the key or re-encrypt the ciphertext.The semi-trusted third party wasn’t required to update the RSA attribute authentication key.The scheme greatly reduced the amount of computation and traffic caused by revocation,while ensuring anti-collusion attacks and forward and backward security.Finally,the security analysis and experimental simulation show that the scheme has higher revocation ef-ficiency.     

SA-IBE:一种安全可追责的基于身份加密方案

基于身份加密(Identity-Based Encryption, IBE)方案中,用户公钥直接由用户身份得到,可以避免公钥基础设施(Public Key Infrastructure, PKI)系统的证书管理负担。但IBE存在密钥托管问题,即私钥生成器(Private Key Generator, PKG)能够解密用户密文或泄漏用户私钥,而现有解决方案一般需要安全信道传输私钥,且存在用户身份认证开销大或不能彻底解决密钥托管问题的缺陷。该文提出一种安全可追责的基于身份加密方案,即SA-IBE方案,用户原私钥由PKG颁发,然后由多个密钥隐私机构并行地加固私钥隐私,使得各机构无法获取用户私钥,也不能单独解密用户密文;设计了高效可追责的单点PKG认证方案;并采用遮蔽技术取消了传输私钥的安全信道。文中基于标准的Diffie-Hellman假设证明了SA-IBE方案的安全性、解决密钥托管问题的有效性以及身份认证的可追责性。     

Secure and efficient token based roaming authentication scheme for space-earth integration network

Aiming at the problem of prolongation and instability of satellite and terrestrial physical communication links in the space-earth integration network,a two-way token based roaming authentication scheme was proposed.The scheme used the characteristics of the computing capability of the satellite nodes in the network to advance the user authentication process from the network control center (NCC) to the access satellite.The satellite directly verified the token issued by the NCC to verify the user's identity.At the same time,the token mechanism based on the one-way accumulator achieved the user's dynamic join,lightweight user self-service customization and billing,and the introduction of Bloom Filter enabled effective user revocation and malicious access management.Compared with the existing scheme,the scheme can guarantee the security of roaming authentication and significantly reduce the calculation and communication overhead of the authentication and key negotiation process.     

基于区块链技术的跨域认证方案

针对现有交互频繁的信息服务信任域（PKI域和IBC域）之间不能实现信息服务实体（ISE）安全高效的跨域认证的问题,提出一种基于区块链的跨异构域认证方案.在IBC域设置区块链域代理服务器参与SM9（国产标识密码）算法中密钥生成,并与PKI域区块链证书服务器等构成联盟链模型,利用区块链技术去中心化信任、数据不易篡改等优点保证模型内第三方服务器的可信性.基于此设计了跨域认证协议与重认证协议,并进行SOV逻辑证明.分析表明,与目前相关方案相比,协议在满足安全需求的前提下,降低了用户终端的计算量、通信量和存储负担,简化了重认证过程,实现域间安全通信,在信息服务跨异构域身份认证过程中具有良好的实用性.     

HIKES: Hierarchical key establishment scheme for wireless sensor networks

This paper presents a hierarchical key establishment scheme called HIKES. The base station in this scheme, acting as the central trust authority, empowers randomly selected sensors to act as local trust authorities authenticating, on its behalf, the cluster members and issuing private keys. HIKES uses a partial key escrow scheme that enables any sensor node selected as a cluster head to generate all the cryptographic keys needed to authenticate other sensors within its cluster. This scheme localizes secret key issuance and reduces the communication cost with the base station. HIKES provides an efficient broadcast authentication in which source authentication is achieved in a single transmission and a good defense for the routing mechanism. HIKES defends the routing mechanism against most known attacks and is robust against node compromise. HIKES also provides high addressing flexibility and network connectivity to all sensors in the network, allowing sensor addition and deletion. Simulation results have shown that HIKES provides an energy‐efficient and scalable solution to the key management problem. Copyright © 2012 John Wiley & Sons, Ltd.     

Efficient revocable certificateless remote anonymous authentication protocol for wireless body area network

To ensure the security and privacy of patients’ health data in wireless body area network (WBAN),communication parties must be mutual authenticated.Now some bilinear pairings led to a larger computation cost for users and tree structure revocation would lead to larger user storage cost.In order to achieve revocation and reduce the cost of the user side,a novel revocable certificate less remote anonymous authentication protocol for WBAN was proposed by using elliptic curve cryptography and revoke algorithm that could revoke users by updating their time-private-keys.Security requirements including anonymity,mutual authentication and session key establishment were satisfied in proposed scheme.Compared with the existing schemes,the experimental analysis shows that the computation cost and storage cost of the authentication protocol are greatly reduced,which is more suitable for resource-constrained WBAN.Security analysis also shows that the protocol is secure in the random oracle model.     

A pairing‐free identity‐based handover AKE protocol with anonymity in the heterogeneous wireless networks

Nowadays, seamless roaming service in heterogeneous wireless networks attracts more and more attention. When a mobile user roams into a foreign domain, the process of secure handover authentication and key exchange (AKE) plays an important role to verify the authenticity and establish a secure communication between the user and the access point. Meanwhile, to prevent the user's current location and moving history information from being tracked, privacy preservation should be also considered. However, existing handover AKE schemes have more or less defects in security aspects or efficiency. In this paper, a secure pairing‐free identity‐based handover AKE protocol with privacy preservation is proposed. In our scheme, users' temporary identities will be used to conceal their real identities during the handover process, and the foreign server can verify the legitimacy of the user with the home server's assistance. Besides, to resist ephemeral private key leakage attack, the session key is generated from the static private keys and the ephemeral private keys together. Security analysis shows that our protocol is provably secure in extended Canetti‐Krawczyk (eCK) model under the computational Diffie‐Hellman (CDH) assumption and can capture desirable security properties including key‐compromise impersonation resistance, ephemeral secrets reveal resistance, strong anonymity, etc. Furthermore, the efficiency of our identity‐based protocol is improved by removing pairings, which not only simplifies the complex management of public key infrastructure (PKI) but also reduces the computation overhead of ID‐based cryptosystem with pairings. It is shown that our proposed handover AKE protocol provides better security assurance and higher computational efficiency for roaming authentication in heterogeneous wireless networks.     

一种基于KeyRev的无线传感器网络密钥撤销方案

KeyRev密钥撤销方案可以在一定程度上销毁无线传感网络中的受损节点,并可以生成新一轮通信中会话密钥,已生成会话密钥的节点即可生成数据加密密钥和MAC校验密钥。但因其是采用明文广播受损节点信息。使遭受攻击的节点很容易发现自己身份暴露,从而采取欺骗、篡改等手段依然参与网络通信。对此方案予以改进优化,对广播信息隐蔽处理,更加安全有效地剔除网络中的受损节点。     

基于身份的具有否认认证的关键字可搜索加密方案

云存储技术的发展实现了资源共享,为用户节省了数据管理开销.可搜索加密技术,既保护用户隐私又支持密文检索,方便了用户查找云端密文数据.现有的公钥关键字可搜索加密方案虽然支持身份认证,但未实现否认的属性.为了更好地保护发送者的身份隐私,该文将否认认证与公钥关键字可搜索加密技术相结合,提出一种基于身份的具有否认认证的关键字可...     

Authentication with P2P Agents

The problem of network security is now heavily focused on user and agent authentication. In particular, higher levels of automated management and autonomous behaviour are economically necessary within security services. This work focuses on a peer-to-peer (P2P) network architecture in support of an authentication service application. The paper considers whether the key properties of P2P systems, such as scalability, robustness and resilience, may be of significant value in the context of designing a secure agent-based user authentication service. The task of authenticating legitimate network users across distributed systems and services remains a challenging process. The proposed solution is to use a distributed agent-based application to address the process of client authentication and the maintenance of user credentials. Using an agent-to-agent platform, an autonomous and scalable defence mechanism has been constructed. The agent architecture provides a number of security services with the goal of automating the process of user authentication and trust management. In particular, the agents handle all password, encryption keys and certificate management. This revised version was published online in July 2006 with corrections to the Cover Date.     

A group key exchange and secure data sharing based on privacy protection for federated learning in edge-cloud collaborative computing environment

Federated learning (FL) is widely used in internet of things (IoT) scenarios such as health research, automotive autopilot, and smart home systems. In the process of model training of FL, each round of model training requires rigorous decryption training and encryption uploading steps. The efficiency of FL is seriously affected by frequent encryption and decryption operations. A scheme of key computation and key management with high efficiency is urgently needed. Therefore, we propose a group key agreement technique to keep private information and confidential data from being leaked, which is used to encrypt and decrypt the transmitted data among IoT terminals. The key agreement scheme includes hidden attribute authentication, multipolicy access, and ciphertext storage. Key agreement is designed with edge-cloud collaborative network architecture. Firstly, the terminal generates its own public and private keys through the key algorithm then confirms the authenticity and mapping relationship of its private and public keys to the cloud server. Secondly, IoT terminals can confirm their cryptographic attributes to the cloud and obtain the permissions corresponding to each attribute by encrypting the attributes. The terminal uses these permissions to encrypt the FL model parameters and uploads the secret parameters to the edge server. Through the storage of the edge server, these ciphertext decryption parameters are shared with the other terminal models of FL. Finally, other terminal models are trained by downloading and decrypting the shared model parameters for the purpose of FL. The performance analysis shows that this model has a better performance in computational complexity and computational time compared with the cited literature.     

IEEE 802.16规范中的安全机制

无线城域网(WMAN)面临着各种安全威胁,其规范IEEE 802.16中定义了保密子层实现认证、密钥协商与数据保密.早期规范中的认证与密钥管理协议为保密密钥管理(PKM),数据保密机制包含基于DES-CBC和AES-CCM的两个解决方案.PKM协议存在单向认证、PKI部署困难、无法实现基于用户的认证、缺乏组播密钥协商等缺陷.DES-CBC加密方案也有算法脆弱性、缺乏完整性保护、无抗重放保护等不足.最新的移动性规范IEEE802.16e中引入了灵活的EAP认证框架,消除旧的PMK协议的缺陷,并可满足移动性带来的新安全需求.     

An Integrated Handover Authentication for FMIPv6 Over Heterogeneous Access Link Technologies

This paper proposes an integrated handover authentication for NGN equipped with FMIPv6-based IP mobility over various kinds of access links. In ITU-T, an integrated authentication model has been introduced to support network attachment with mobility in NGN. Since existing studies for handover authentication have focused on the link layer or network layer respectively, there are additional authentication overhead such as duplicated authentication procedures and authentication messages delivery cost. The proposed integrated handover authentication contributes to reducing complexity of the authentication procedure and to enhancing the efficiency of it by means of the combined key management architecture; a mobile node generates a handover key to transfer it to the next access router through the AAA server, and hierarchical key management scheme addresses the locality of movement to authenticate the mobile node at the link layer. The evaluation of the handover authentication costs shows that it reduces the average number of handover authentication events and the authentication message delivery cost during moves in mobile networks. Also, the security aspects of the proposed scheme are discussed.     

Security in service-oriented vehicular networks - [Service-oriented broadband wireless network architecture]

Service-oriented vehicular networks support diverse infrastructure-based commercial services including Internet access, real-time traffic concerns, video streaming, and content distribution. The success of service delivery in vehicular networks depends on the underlying communication system to enable the user devices to connect to a large number of communicating peers and even to the Internet. This poses many new research challenges, especially in the aspects of security, user privacy, and billing. In this article we first identify the key requirements of authentication, privacy preservation, and billing for service delivery in vehicular networks. We then review the existing industrial and academic efforts on service- oriented vehicular networks. We also point out two security challenges, minimizing vehicleto- infrastructure authentication latency and distributed public key revocation, which are considered among the most challenging design objectives in service-oriented vehicular networks. A novel fast vehicle-to-infrastructure authentication based on a vehicle mobility prediction scheme and an infrastructure-based short-time certificate management scheme are then proposed to address these two challenges.     

MUQAMI+: a scalable and locally distributed key management scheme for clustered sensor networks

Wireless sensor networks (WSN) are susceptible to node capture and many network levels attacks. In order to provide protection against such threats, WSNs require lightweight and scalable key management schemes because the nodes are resource-constrained and high in number. Also, the effect of node compromise should be minimized and node capture should not hamper the normal working of a network. In this paper, we present an exclusion basis system-based key management scheme called MUQAMI+ for large-scale clustered sensor networks. We have distributed the responsibility of key management to multiple nodes within clusters, avoiding single points of failure and getting rid of costly inter-cluster communication. Our scheme is scalable and highly efficient in terms of re-keying and compromised node revocation.     

基于PKI和PMI的生物认证系统研究

生物认证技术作为一种准确高效的身份认证方法越来越广泛的应用于身份认证领域。但是目前还没有一种面向开放式网络的通用生物认证系统出现。由于在开放式网络中,基于X.509的公钥基础设施和权限管理基础设施(PMI)是目前应用广泛且有效的身份认证技术和权限管理技术,所以在PKI和PMI技术基础上,该文创新性的提出了一种基于生物证书的能实现身份认证和权限管理的通用生物认证系统。最后通过设计一个能实现身份认证和权限管理系统的高安全性生物智能卡,验证了基于PKI和PMI生物认证系统的可行性和可操作性。     

Group key management scheme for large-scale sensor networks

Wireless sensor networks are inherently collaborative environments in which sensor nodes self-organize and operate in groups that typically are dynamic and mission-driven. Secure communications in wireless sensor networks under this collaborative model calls for efficient group key management. However, providing key management services in wireless sensor networks is complicated by their ad-hoc nature, intermittent connectivity, large scale, and resource limitations. To address these issues, this paper proposes a new energy-efficient key management scheme for networks consisting of a large number of commodity sensor nodes that are randomly deployed. All sensor nodes in the network are anonymous and are preloaded with identical state information. The proposed scheme leverages a location-based virtual network infrastructure and is built upon a combinatorial formulation of the group key management problem. Secure and efficient group key initialization is achieved in the proposed scheme by nodes autonomously computing, without any communications, their respective initial group keys. The key server, in turn, uses a simple location-based hash function to autonomously deduce the mapping of the nodes to their group keys. The scheme enables dynamic setup and management of arbitrary secure group structures with dynamic group membership.     

一种后向撤销隐私安全的车载自组织网络快速匿名消息认证协议

该文提出适用于车载自组织网络的快速匿名消息认证协议。通过使用基于身份的签密技术,车辆行驶至某区域后,与该区域中心相互认证,获取其所维护的周期性群签名系统密钥材料。之后,该车辆能够使用获取的密钥材料对向网络中广播的携带有群签名的消息,实现消息的匿名认证。网络中的车辆收到其它车辆广播消息之后,仅需验证群签名的合法性,避免验证消息的签发者是否是撤销用户。此外,所采用的群签名算法支持批验证运算,能够快速处理短期内收到的多个消息。除了避免撤销验证特性之外,与已有的文献相比,文中的方案能够完善地保护撤销用户的后向隐私安全性。