CPK-based login authentication for electricity operation information system

Login authentication security is indispensable to applications of client/server (C/S) structure. Although some security technology in login authentication is relatively mature after years of development, it cannot meet high security requirements for the system in the case of limited resources. To deal with it, this paper proposes a new login authentication solution and applies it in electricity operation information system (EOIS), an application aiming at electrical equipment overhaul and report. The authors firstly discuss the reason why combined public key (CPK) is adopted as the key technology instead of the common one public key infrastructure (PKI). Secondly, they expatiate on CPK generation mechanism and the realizing process of login authentication, including local authentication using CPK-based digital signature and remote authentication using web service. Then, some results from three encryption methods (message-digest algorithm 5(MD5), secure hash algorithm (SHA-1) and CPK-based digital signature) to test EOIS are given, which show that the new solution builds its security on Hash function chosen and protection of combined private key. Finally, the security analysis reveals that CPK-based login authentication is safer to ensure the certainty of user identity, the integrality and non-repudiation of messages, and the confidentiality of transmission.     

基于CPK的IMS认证与密钥协商协议

针对3G及4G网络发展中IMS系统的广泛应用及其AKA认证协议安全强度的不足,在分析CPK及IMSAKA认证机制的基础上,设计了一种基于CPK机制的IMS认证与密钥协商协议。经分析表明,该协议在提高强IMS智能终端的认证强度基础上,为引入额外的通信,并且扩展了IMS系统支持的认证机制。     

基于CPK的可证安全组群密钥交换协议

CPK组合公钥密码体制无需证书来保证公钥的真实性,克服了用户私钥完全由密钥管理中心生成的问题。丈中基于CPK设计了一个高效常数轮的组群密钥交挟协议,并且协议在CDH假设下可证安全和具有完美的前向安全性。该协议只需两轮通信即可协商一个组群会话密钥,无论在通信以及计算方面均很高效。此外该协议提供了一个设计组群密钥交换协议的方法,大部分的秘密共享体制均可直接应用于该协议。     

Grid authentication from identity-based cryptography without random oracles

As a critical component of grid security, secure and efficient grid authentication needs to be well addressed. However, the most widely accepted and applied grid authentication is based on public key infrastructure （PKI） and X.509 certificates, which make the system have low processing efficiency and poor anti-attack capability. To accommodate the challenge of grid authentication, this article aims at designing a secure and efficient method for grid authentication by employing identity-based cryptography （IBC）. Motivated by a recently proposed secure and efficient identity-based encryption （IBE） scheme without random oracles, an identity-based signature （IBS） scheme is first proposed for the generation of private key during grid authentication. Based on the proposed IBS and the former IBE schemes, the structure of a novel grid authentication model is given, followed by a grid authentication protocol described in detail. According to the theoretical analysis of the model and the protocol, it can be argued that the new system has improved both the security and efficiency of the grid authentication when compared with the traditional PKI-based and some current IBC-based models.     

Provably secure and efficient PUF‐based broadcast authentication schemes for smart grid applications

Many smart grid applications need broadcast communications. Because of the critical role of the broadcasted messages in these applications, their authentication is very important to prevent message forgery attacks. Smart grid consists of plenty of low‐resource devices such as smart meters or phasor measurement units (PMUs) that are located in physically unprotected environments. Therefore, the storage and computational constraints of these devices as well as their security against physical attacks must be considered in designing broadcast authentication schemes. In this paper, we consider two communication models based on the resources of the broadcasters and receivers and propose a physical unclonable function (PUF)–based broadcast authentication scheme for each of them including Broadcast Authentication with High‐Resource Broadcaster (BA‐HRB) and Broadcast Authentication with Low‐Resource Broadcaster (BA‐LRB). We formally prove that both schemes are unforgeable and memory leakage resilient. Moreover, we analyze the performance of our proposed schemes and compare them with related works. The comparison results demonstrate a significant improvement in the storage and computational overhead of our schemes compared with the related works.     

计算集成身份认证机制

研究集成口令认证、令牌认证、以及生物认证的机制,其创新在于利用协议消息还原用户的信任状,再利用传统的认证技术完成对后者的鉴别,从而提供一种把应用系统与其用户认证技术分离的集成身份认证机制。该机制易于标准化及推广应用,可为多租户的云环境的安全提供更好的安全保障。     

匿名无线认证协议的匿名性缺陷和改进

分析了朱建明,马建峰提出的匿名无线认证协议的匿名性安全缺陷,提出了一种改进的匿名无线认证协议(IWAA),并用对其匿名性进行了形式化的安全分析。分析表明改进后的协议不仅实现了身份认证,而且具有很强的匿名性,满足无线网络环境匿名性的安全需求。     

Weaknesses and improvements of a remote user authentication scheme using smart cards

In 2005, Liu et al.proposed an improvement to Chien et al.'s remote user authentication scheme, using smart cards, to prevent parallel session attack.This article, however, will demonstrate that Liu et al.'s scheme is vulnerable to masquerading server attack and has the system's secret key forward secrecy problem.Therefore, an improved scheme with better security strength, by using counters instead of timestamps, is proposed.The proposed scheme does not only achieve their scheme's advantages, but also enhances its security by withstanding the weaknesses just mentioned.     

WLAN认证系统的安全性研究

本文简要介绍了WLAN认证系统的安全性研究,主要涉及安全组网、Web安全、设备自身安全、业务逻辑安全及日常审计及安全应急响应等。     

An efficient authentication and key agreement scheme for secure smart grid communication services

The smart grid is a new and promising technology integrating new information and communication technologies to improve the distribution and consumption of electricity between energy suppliers and their end customers. However, this advanced solution is facing a serious security problem as regards the interception and falsification of power consumption data, hence generating falsified electricity consumption bills. This issue of security needs to be promptly and efficiently handled. Clearly, it is of paramount importance to have a security mechanism to avoid such losses. Our work focuses on this issue. It particularly concerns the development of a security mechanism to ensure a completely secure communication between energy suppliers and their consumers while preserving the privacy of end customers in terms of protection of their personal information including their identities. The experimental results underscore that our solution outperforms those of the literature in terms of computation cost and robustness against various types of attacks.     

基于预认证的无线Mesh网络快速切换认证技术方案

为了保证无线Mesh网络链路切换过程的快速与安全性,运用了CPK标识认证技术,参照了IKEv2认证与密钥交换协议的设计方法,按照安全协议设计原则,设计了基于预认证的无线Mesh网络快速认证技术方案,包括基于预认证的端到端认证与加密方案和快速重认证方案。通过方案性能与安全性分析,方案在实现安全快速的同时还兼具了很好的性能。     

量子消息认证协议

研究了在量子信道上实现经典消息和量子消息认证的方法。给出了一个基于量子单向函数的非交互式经典消息认证加密协议。证明了给出的协议既是一个安全的加密方案,也是一个安全的认证方案。利用该认证加密协议作为子协议,构造了一个量子消息认证方案,并证明了其安全性。与BARNUM等给出的认证方案相比,该方案缩减了通信双方共享密钥的数量。     

一种读写器参与计算的RFID认证协议

伴随着物联网技术的兴起,射频识别（RFID）技术受到更为广泛的关注,其安全特性与面临的隐私问题制约了其应用。针对这些问题,学者提出诸多安全协议以应对,然而现有协议大都将RFID读写器作为传递数据的工具,而没有充分开发读写器在协议中的运算作用。本文设计了一个读写器参与识别计算的协议,标签和后端数据库存储不同的秘密,并通过读写器建立联系,这样不仅可以抵抗常见的攻击,而且可以抵抗因后端数据库所存储的识别表意外失窃所带来的对整个系统的危险。     

UC安全的基于一次签名的广播认证

研究了基于一次签名的广播认证协议的可证明安全问题.在通用可组合安全框架下,提出了基于一次签名的广播认证的安全模型.首先,形式化定义了一次签名理想函数FOTS和广播认证理想函数FBAUTH.其次,设计了一次签名算法HORS+.然后,在(FOTS,FREG)-混合模型下设计了广播认证方案πBAUTH.组合协议HORS+,在πBAUTH的基础上可以构造出新的基于一次签名的广播认证协议.结果表明,HORS+能够安全实现FOTS:在(FOTS,FREG)-混合模型下,πBAUTH安全实现理想函数FBAUTH的广播认证方案πBAUTH.根据组合定理,新的广播认证协议具有通用可组合安全性适用于能量受限网络中广播消息的认证.     

基于802.1x/EAP的WLAN安全认证机制

目前飞机与地面机场之间WLAN的应用部署日益广泛，但对其安全接入通信却没有提过较为合理的设计和规划，由WLAN引起的安全漏洞给飞机与地面之间信息传递带来很大的隐患。主要介绍EAP认证方法以及基于802.1x/EAP无线局域网的安全认证机制。     

网格计算中的安全问题探讨

介绍了网格计算环境的特点、安全需求及其安全问题研究现状，对网格计算中的安全标准、安全认证、公有与私有资源的安全利用、应用安全、恶意攻击的检测与防范等安全问题进行了分析和讨论，提出了在研究和解决网格计算的安全问题时，一方面可以借鉴传统网络的安全策略和技术并加以改进，另一方面要充分考虑网格计算环境的特殊性，研究和构建“特殊．的安全策略和技术”。     

HEAP: A packet authentication scheme for mobile ad hoc networks

In mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs), it is easy to launch various sophisticated attacks such as wormhole, man-in-the-middle and denial of service (DoS), or to impersonate another node. To combat such attacks from outsider nodes, we study packet authentication in wireless networks and propose a hop-by-hop, efficient authentication protocol, called HEAP. HEAP authenticates packets at every hop by using a modified HMAC-based algorithm along with two keys and drops any packets that originate from outsiders. HEAP can be used with multicast, unicast or broadcast applications. We ran several simulations to compare HEAP with existing authentication schemes, such as TESLA, LHAP and Lu and Pooch’s algorithm. We measured metrics such as latency, throughput, packet delivery ratio, CPU and memory utilization and show that HEAP performs very well compared to other schemes while guarding against outsider attacks.     

Mobile device integration of a fingerprint biometric remote authentication scheme

Various user authentication schemes with smart cards have been proposed. Generally, researchers implicitly assume that the contents of a smart card cannot be revealed. However, this is not true. An attacker can analyze the leaked information and obtain the secret values in a smart card. To improve on this drawback, we involve a fingerprint biometric and password to enhance the security level of the remote authentication scheme Our scheme uses only hashing functions to implement a robust authentication with a low computation property. Copyright © 2011 John Wiley & Sons, Ltd.     

网格环境下的安全

网格技术是一门新兴的信息技术,是Internet发展的必然结果。简述了网格技术的基本概念和特点,就信息网格面临的安全问题,给出了相应的解决方案。