Kerberos: an authentication service for computer networks

When using authentication based on cryptography, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology. The authors concentrate on authentication for real-time, interactive services that are offered on computer networks. They use the term real-time loosely to mean that a client process is waiting for a response to a query or command so that it can display the results to the user, or otherwise continue performing its intended function. This class of services includes remote login, file system reads and writes, and information retrieval for applications like Mosaic     

信息安全认证与政府采购

6月29日，我国政府采购法正式出台。在此之际，中国信息安全产品测评中心编辑出版了我国第一本《信息安全产品政府采购指南》。财政部国库司周成跃副司长在此文中献信息安全认证与政府采购问题作了详尽的阐述。     

增强WLAN安全

随着无线网络的蓬勃发展,无线网络的安全问题引起了越来越多的企业、组织和个人的关注,他们相继推出自己的解决方案。通过利用智能天线技术,提出解决网络安全的改进方案,同时提出采用分层安全结构体系对智能天线进行优化。     

GSM系统认证算法的设计与安全性分析

本文按照GSM系统认证算法的标准而构造的杂凑函数符合平衡性、高非线性度及严格雪崩特性的设计准则从而能有效地抵抗线性攻击和差分攻击。针对HansDobbertin对MD4 的有效攻击 ,我们提出右移位数不确定性的设计准则     

采用目录服务Kerberos认证实现统一身份认证

计算机安全系统所需要的是一种具备适应性,稳健性和自治性的技术。针对其适应性和自治性,在开发一个企业级的用户身份认证体系同时,依据目录服务理论,将轻量级目录访问协议和Kerberos认证技术相结合来解决密码安全和身份验证,并且应用于身份认证服务器的结构设计,进行用户统一身份认证和授权,使得整个系统的安全性有了进一步的提高。     

WLAN认证系统的安全性研究

本文简要介绍了WLAN认证系统的安全性研究,主要涉及安全组网、Web安全、设备自身安全、业务逻辑安全及日常审计及安全应急响应等。     

交互式动态网站中的用户安全认证

主要介绍了在交互式动态网站中Http协议的特点和缺陷，阐述了PHP中Session技术的工作方式，在PHP中设计实现了身份认证，并利用Session克服了HTTP协议的缺陷，又防止了信息的泄露，这种机制思想简单，易于实现，而且方便了编程者的使用，是一个比较好的解决方案。     

End-to-end WAN service availability

This paper seeks to understand how network failures affect the availability of service delivery across wide-area networks (WANs) and to evaluate classes of techniques for improving end-to-end service availability. Using several large-scale connectivity traces, we develop a model of network unavailability that includes key parameters such as failure location and failure duration. We then use trace-based simulation to evaluate several classes of techniques for coping with network unavailability. We find that caching alone is seldom effective at insulating services from failures but that the combination of mobile extension code and prefetching can improve average unavailability by as much as an order of magnitude for classes of service whose semantics support disconnected operation. We find that routing-based techniques may provide significant improvements but that the improvements of many individual techniques are limited because they do not address all significant categories of network failures. By combining the techniques we examine, some systems may be able to reduce average unavailability by as much as one or two orders of magnitude.     

A mutual authentication and privacy mechanism for WLAN security

IEEE 802.11 wireless local area networks (WLAN) has been increasingly deployed in various locations because of the convenience of wireless communication and decreasing costs of the underlying technology. However, the existing security mechanisms in wireless communication are vulnerable to be attacked and seriously threat the data authentication and confidentiality. In this paper, we mainly focus on two issues. First, the vulnerabilities of security protocols specified in IEEE 802.11 and 802.1X standards are analyzed in detail. Second, a new mutual authentication and privacy scheme for WLAN is proposed to address these security issues. The proposed scheme improves the security mechanisms of IEEE 802.11 and 802.1X by providing a mandatory mutual authentication mechanism between mobile station and access point (AP) based on public key infrastructure (PKI), offering data integrity check and improving data confidentiality with symmetric cipher block chain (CBC) encryption. In addition, this scheme also provides some other new security mechanisms, such as dynamic session key negotiation and multicast key notification. Hence, with these new security mechanisms, it should be much more secure than the original security scheme. Copyright © 2006 John Wiley & Sons, Ltd.     

无感知WLAN业务认证方式的分析

本文介绍了WLAN业务现状、业务认证方式及其应用情况,并对无感知WLAN认证的方式以及引入无感知认证方式后的业务推广进行了分析.     

一种Android应用安全审核认证系统的设计方案

针对恶意APK文件泛滥问题,综合静态、动态安全检测和APK重签名技术,设计了一套安全的Android应用审核认证系统,它由基于Web应用的安全审核平台和智能终端APK安全认证模块构成。安全审核平台利用强健的调度子系统完成了批量APK应用的提交、安全检测、重签名、发布及统计查询功能,保证了发布到官方应用商城中APK的安全性;智能终端APK安全认证模块引入了新型的重签名技术,可有效判断APK应用是否由"官方"安全认证。由此可见,该系统从"源"(应用商城)到"端"(智能终端)保障了APK文件的安全。     

User perspective and security of a new mobile authentication method

This paper describes a new mobile authentication method which is based on an Open ID Connect standard and subscriber identity module card. The proposed solution enables users to access websites, services and applications without the need to remember passwords, responses or support of any equipment. The proposed method is evaluated from the users’ perspective as well as from the security viewpoint. Moreover, we compare it with the two most popular existing authentication schemes i.e. static passwords and SMS OTP (one time password). In order to evaluate user’s view on various authentication methods a questionnaire was prepared and distributed among 40 participants. Obtained results revealed that the new authentication scheme yielded better results than the existing methods. Finally, we also performed a security analysis with respect to all abovementioned authentication solutions to assess whether there are any major risks related to the proposed method.     

基于IBC的短波自组网密钥管理方案

针对短波通信在传输过程中连通率低及容易遭受敌方截获和攻击的缺点,提出一种基于IBC体系的短波自组网密钥管理方案。该方案采用对称加密技术保证报文加解密的效率;运用公钥密码体制强安全性保证种子密钥的安全协商;引入Hash函数对报文进行认证,验证报文的真实性与完整性;基于通信双方的一次一密加密体制,保证密文的安全传输。实验结果表明,该方案能有效抵御敌方的攻击,保证网络的安全通信。     

Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks

Recently, Chang, Lee, and Chiu proposed an enhanced anonymous authentication scheme which permits mobile users to anonymously enjoy roaming service in global mobile networks. In this letter, we show that their scheme fails to achieve the anonymity by providing four attack strategies. Moreover, we show that anyone can recover a mobile user?s session keys by using the identity of the mobile user. Hence, Chang et al.'s scheme cannot provide secure key establishing service since an adversary can recover the identity of a mobile user by performing one of our attacks.     

DTLS based security and two-way authentication for the Internet of Things

In this paper, we introduce the first fully implemented two-way authentication security scheme for the Internet of Things (IoT) based on existing Internet standards, specifically the Datagram Transport Layer Security (DTLS) protocol. By relying on an established standard, existing implementations, engineering techniques and security infrastructure can be reused, which enables easy security uptake. Our proposed security scheme is therefore based on RSA, the most widely used public key cryptography algorithm. It is designed to work over standard communication stacks that offer UDP/IPv6 networking for Low power Wireless Personal Area Networks (6LoWPANs). Our implementation of DTLS is presented in the context of a system architecture and the scheme’s feasibility (low overheads and high interoperability) is further demonstrated through extensive evaluation on a hardware platform suitable for the Internet of Things.     

Speech authentication and content recovery scheme for security communication and storage

With the rapid development of Internet, it brings a lot of conveniences. However, the data transmission and storage are faced with some security issues that seem to be obstacles to overcome, such as privacy protection and integrity authentication. In this paper, an efficient speech watermarking algorithm is proposed for content authentication and recovery in encrypted domain. The proposed system consists of speech encryption, watermark generation and embedding, content authentication and recovery. In the encryption process, chaotic and block cipher are combined to eliminate the positional correlation and conceal the statistical feature. In the watermark embedding process, approximation coefficients of integer wavelet transform are used to generate watermark and the detail coefficients are reserved to carry watermark. Theoretical analysis and simulation results show that the proposed scheme has high security and excellent inaudibility. Compared with previous works, the proposed scheme has strong ability to detect de-synchronization attacks and locate the corresponding tampered area without using synchronization codes. Meanwhile, the selective encryption will not influence the selective watermarking operation. Similarly, the operation of watermarking will not affect the decryption of the encrypted speech. Additionally, the tampered samples can be recovered without any auxiliary watermark information.     

一种适用于NFC移动设备的双向认证安全方案

近场无线通信(NFC)是一种已经被广泛应用的短距无线通信技术.其中最常见的是将NFC技术应用于移动支付和门禁访问控制等应用.从技术上讲,这些应用利用NFC模拟卡模式将NFC设备模拟成银行卡或门禁卡,然后等待外部阅读器验证.在这类应用场景下,选取合适的安全认证方案是非常重要的.首先,介绍了现有的NFC认证系统和安全方案并分析了系统安全需求和潜在的安全风险.然后,采用Hash、AES和口令Key动态更新机制,提出了一种适用于NFC移动设备的双向认证安全方案,并设计了自同步机制.最后,利用GNY逻辑以形式化证明的形式证明了方案的安全性,分析表明该方案能解决伪造、重放攻击、窃听、篡改、异步攻击等安全问题.     

基于Merkle哈希树的无线躯体传感器网络安全认证方案

针对无线躯体传感器网络(WBSN)数据传输的安全性,提出一种融合Merkle哈希树和网络编码的轻量级认证方案。首先,将传感器网络构建成Merkle哈希树结构,只对根节点进行数字签名;然后,在哈希树中选择一个最优层进行网络编码,形成恢复数据包,并将数据包、签名和恢复包发送给接收器;最后,接收器通过密钥对根节点签名进行验证,若存在节点丢失,则根据恢复数据包重建哈希树,从而对数据进行认证。实验结果表明,该方案能够实现对数据的安全认证,且需要较少的网络开销,满足WBSN的性能需求。     

浅析认证技术在电子商务安全中的应用

认证技术是建立电子商务安全交易系统必不可少的基本组成部分。文中分析了电子商务的网络设施不完善、信用问题及交易安全问题等存在的安全隐患,同时介绍了电子商务安全交易中常用的身份认证技术和信息认证技术,并分析认证技术如何确保电子商务信息机密性和完整性,从而为电子商务的信息安全提供理论基础。