Similar literature
1.
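This paper analyzes the new risks that the introduction of 5G brings to traditional industrial control systems, including access control, data transmission, and viruses and trojans. Drawing on the general and extended security requirements for industrial control systems in Cybersecurity Classified Protection 2.0, and taking the Level 3 classified protection requirements as an example, it addresses terminal access control, transmission encryption, and edge cloud security capabilities. By applying techniques such as slice access authentication, secondary authentication for terminal network access, terminal electronic fencing, device-card binding, air interface transmission encryption, and IPSec (Internet Protocol Security) tunnel encryption, it builds a multi-layer security protection mechanism for "5G + industrial control systems", providing guidance for the secure deployment of 5G private networks in industrial enterprises.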

2.
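With the integration of information technologies such as the Industrial Internet of Things (IoT) and cloud computing with industrial control systems (ICS), the security of industrial data faces great risk. To protect the confidentiality and integrity of data in such a complex distributed environment, this paper adopts an attribute-based encryption (ABE) algorithm and designs a communication scheme that combines data encryption, access control, outsourced decryption, and data verification, while also featuring constant ciphertext length. Finally, the scheme is analyzed in detail in terms of correctness, security, and performance overhead, and simulation verifies that the algorithm has the advantage of low decryption overhead.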

3.
李强  单洪 《通讯世界》2003,9(4):24-28
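Security measures of 802.11b. The IEEE 802.11b protocol defines several services to provide a secure operating environment. Security services that rely on the WEP protocol protect the link-layer data transmitted wirelessly between the client and the AP. WEP provides only "point-to-point" security between wireless connections and does not provide "end-to-end" security. 802.11b defines the following three basic security services for wireless LANs:
* Authentication: the primary goal of WEP, verifying the identity of communicating users. Through access control, users who have not been authenticated are denied access to the network;
* Privacy: the second goal of WEP, providing a framework equivalent to a wired network to prevent information from being eavesdropped;
* Integrity: the third goal of WEP, ensuring that information transmitted between wireless clients and the AP…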

4.
杨平  范苏洪  朱艳 《通信技术》2020,(3):738-743
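The Internet of Things commonly faces security risks such as diverse types of network attacks, the absence of security protection standards, and data that is easily intercepted or cracked. The core problem is the lack of security authentication mechanisms for things such as devices, service providers, applications, data, and transactions. It is therefore necessary to establish a scheme that provides authentication, authorization, and data protection, and to build trust between things and between things and people. Cryptography is the foundational theory and technology for solving core security problems, but traditional certificate systems are not suited to the IoT environment; algorithms based on the commercial cryptography standard SM9 are currently the best choice for IoT security authentication. Relying on the advantages of the SM9 algorithm, the IoT security platform effectively overcomes problems such as the weak security of key distribution in traditional algorithms, reaches down to the terminal and application levels of the IoT industry, and establishes end-to-end security for IoT services.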

5.
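A Privacy-Preserving Histogram Aggregation Algorithm Supporting Integrity Verification   Total citations: 1, self-citations: 0, citations by others: 1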
陈伟  于乐  高迪 《电子学报》2014,42(11):2268
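To address the difficulty of achieving both privacy-preserving data aggregation and integrity verification in wireless sensor networks, an integrity-verifying privacy-preserving histogram aggregation algorithm (iPPHA) is proposed. Two aggregation trees are built to transmit the aggregated data and the redundant information respectively, and the integrity of the aggregation result is verified at the base station. To deal with packet loss, an ID transmission scheme is designed to improve reliability. Simulation results show that the algorithm can perform integrity verification without noticeably increasing network resource consumption. The improved ID transmission scheme saves 70% of the communication overhead.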

6.
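Starting from the background of WLAN technology and the risks and threats it may face, this paper analyzes the strengths and weaknesses of several commonly used WLAN authentication methods and then proposes a relatively secure and practical solution: with the IEEE 802.11i-2004 international standard at its core and within the IEEE 802.11i framework, 802.1X/EAP is used to implement strong identity authentication for a robust security network association; after identity authentication completes, CCMP based on the AES algorithm (FIPS PUB 197-2001) provides data confidentiality and integrity protection.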

7.
郭琳 《电子设计工程》2011,19(18):125-129
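In response to the dangers facing resources on wireless LANs, the security flaws in the standards, and security vulnerabilities such as WLAN spoofing and hijacking, a security strategy for wireless LANs is proposed. Regarding the risks to information transmission, data encryption and data integrity checking can give a wireless LAN protection similar to the physical security of a wired network. Regarding network standards, on the one hand the new-generation security standard IEEE 802.11i can be adopted, safeguarding the WLAN through the Extensible Authentication Protocol (EAP) and three encryption mechanisms (the Temporal Key Integrity Protocol TKIP, and CCMP and WRAP, both based on the Advanced Encryption Standard AES); on the other hand, the Chinese WLAN security standard WAPI can be adopted, which uses an elliptic-curve cryptographic algorithm from public-key cryptography and a block cipher from secret-key cryptography to achieve WLAN compatibility under multiple security mechanisms. The results show that these security strategies provide a technical basis for improving the relative security of wireless LANs and for interconnection and interworking with other networks.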

8.
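To solve long-standing problems in information systems such as a single mode of identity authentication, plaintext transmission of important data within the system, and plaintext storage of important data, this article uses a digital certificate system and cryptographic devices that have passed commercial cryptography testing and certification and, in combination with the information system, builds a security protection system of technologies, products, and services for secure authentication and encryption protection based on commercial cryptographic algorithms.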

9.
《信息安全与通信保密》2009,(11):I0015-I0015
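1. System overview. The 中华卫士 SJW84 IPSEC VPN system provides users with confidentiality, integrity, data origin authentication, and partial anti-replay protection for information transmitted over untrusted public networks. It uses the international standard IPSEC protocol suite, all of its security protection algorithms have been approved by the competent national authorities, and the system follows the State Cryptography Administration's "IPSEC VPN Technical Specification".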

10.
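To address the secure transmission of network information for embedded devices that are resource-constrained and have unstable communication, a lightweight identity authentication technique based on Chinese national cryptographic (SM) algorithms, and an encrypted transmission technique based on that authentication, are proposed. First, a security measurement is taken of each embedded node and an SM2 digital certificate is generated. Then, the two communicating parties perform identity authentication based on the generated digital certificates, and after a node is successfully authenticated they negotiate the session key to be used for communication. Finally, legitimate nodes use the negotiated session key with the SM4-CTR mode to transmit information, which ensures secure transmission while also ensuring the robustness of the communication process. Experimental results show that the technique prevents illegitimate access by malicious nodes, generates a usable session key once authentication completes, exchanges information securely in ciphertext, and achieves encrypted and decrypted transmission at a relatively high rate.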

11.
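Discussion and Analysis of the Network-Wide Security Architecture of 3G Systems   Total citations: 5, self-citations: 0, citations by others: 5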
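Based on the 3GPP architecture, this article discusses the security mechanisms of 3G systems, focusing on the 3G authentication and key distribution protocol, the encryption and integrity protection procedures, and their security. For the core network, starting from the ATM PRM, it discusses several security schemes in which the security functions are placed at different positions in the ATM protocol stack.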

12.
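The SSL VPN security gateway provides secure tunnels for transport-layer and application-layer protocols. Using secure tunneling, it protects Internet information at the transport layer and can use public networks to build virtual private networks for users, providing a communication channel more secure than a dedicated network. The SSL VPN security gateway uses a cryptographic card approved by the State Cryptography Administration as its basic cryptographic component, which provides it with key operations, key protection, and key backup and recovery. The operating system is a trimmed-down Linux system. Strictly following national cryptography management policy and the relevant design specifications, a transport-layer SSL VPN security gateway has been implemented that meets the identity authentication and secure transmission needs of various applications. It has a wide range of uses in government, finance, telecom operators, energy, transportation, and other fields, with clear social and economic benefits. This article analyzes these topics.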

13.

Constraint Application Protocol (CoAP), an application layer based protocol, is a compressed version of HTTP protocol that is used for communication between lightweight resource constraint devices in Internet of Things (IoT) network. The CoAP protocol is generally associated with connectionless User Datagram Protocol (UDP) and works based on Representational State Transfer architecture. The CoAP is associated with Datagram Transport Layer Security (DTLS) protocol for establishing a secure session using the existing algorithms like Lightweight Establishment of Secure Session for communication between various IoT devices and remote server. However, several limitations regarding the key management, session establishment and multi-cast message communication within the DTLS layer are present in CoAP. Hence, development of an efficient protocol for secure session establishment of CoAP is required for IoT communication. Thus, to overcome the existing limitations related to key management and multicast security in CoAP, we have proposed an efficient and secure communication scheme to establish secure session key between IoT devices and remote server using lightweight elliptic curve cryptography (ECC). The proposed ECC-based CoAP is referred to as ECC-CoAP that provides a CoAP implementation for authentication in IoT network. A number of well-known cryptographic attacks are analyzed for validating the security strength of the ECC-CoAP and found that all these attacks are well defended. The performance analysis of the ECC-CoAP shows that our scheme is lightweight and secure.


14.
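The Signaling System No. 7 (SS7) network has many security vulnerabilities because it lacks security mechanisms. By analyzing how attackers exploit MTP3-layer network management messages to attack the SS7 network, this paper proposes protecting the MTP3 layer with a key exchange protocol and an authentication header protocol, achieving mutual authentication between signaling nodes and integrity protection of messages, and strengthening the security of the SS7 network.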

15.
Because of the requirements of stringent latency, high‐connection density, and massive devices concurrent connection, the design of the security and efficient access authentication for massive devices is the key point to guarantee the application security under the future fifth Generation (5G) systems. The current access authentication mechanism proposed by 3rd Generation Partnership Project (3GPP) requires each device to execute the full access authentication process, which can not only incur a lot of protocol attacks but also result in signaling congestion on key nodes in 5G core networks when sea of devices concurrently request to access into the networks. In this paper, we design an efficient and secure privacy‐preservation access authentication scheme for massive devices in 5G wireless networks based on aggregation message authentication code (AMAC) technique. Our proposed scheme can accomplish the access authentication between massive devices and the network at the same time negotiate a distinct secret key between each device and the network. In addition, our proposed scheme can withstand a lot of protocol attacks including interior forgery attacks and DoS attacks and achieve identity privacy protection and group member update without sacrificing the efficiency. The Burrows Abadi Needham (BAN) logic and the formal verification tool: Automated Validation of Internet Security Protocols and Applications (AVISPA) and Security Protocol ANimator for AVISPA (SPAN) are employed to demonstrate the security of our proposed scheme.

16.
Wearable devices, which provide the services of collecting personal data, monitoring health conditions, and so on, are widely used in many fields, ranging from sports to healthcare. Although wearable devices bring convenience to people's lives, they bring about significant security concerns, such as personal privacy disclosure and unauthorized access to wearable devices. To ensure the privacy and security of the sensitive data, it is critical to design an efficient authentication protocol suitable for wearable devices. Recently, Das et al proposed a lightweight authentication protocol, which achieves secure communication between the wearable device and the mobile terminal. However, we find that their protocol is vulnerable to offline password guessing attack and desynchronization attack. Therefore, we put forward a user centric three‐factor authentication scheme for wearable devices assisted by cloud server. Informal security analysis and formal analysis using ProVerif is executed to demonstrate that our protocol not only remedies the flaws of the protocol of Das et al but also meets desired security properties. Comparison with related schemes shows that our protocol satisfies security and usability simultaneously.

17.
Research on Security Technologies for Wireless Sensor Networks   Total citations: 3, self-citations: 1, citations by others: 2
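A wireless sensor network (WSN) is a multi-hop self-organizing network formed through wireless communication, an intelligent information system that integrates information collection, transmission, and processing. Its inherent resource limitations and fragility make security a major challenge. This paper analyzes the security requirements of wireless sensor networks and the attacks they may face, and presents defenses and solutions. Data confidentiality, integrity, and system robustness in sensor networks are achieved through secure encryption protocols, authenticated stream broadcast, and multiple key mechanisms.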

18.

Recently, the Third Generation Partnership Project (3GPP) has initiated the research in the Fifth Generation (5G) network to fulfill the security characteristics of IoT-based services. 3GPP has proposed the 5G handover key structure and framework in a recently published technical report. In this paper, we evaluate the handover authentication mechanisms reported in the literature and identify the security vulnerabilities such as violation of global base-station attack, failure of key forward/backward secrecy, de-synchronization attack, and huge network congestion. Also, these protocols suffer from high bandwidth consumption that is not suitable for energy-efficient mobile devices in the 5G communication network. To overcome these issues, we introduce Secrecy and Efficiency Aware Inter-gNB (SEAI) handover Authentication and Key Agreement (AKA) protocol. The formal security proof of the protocol is carried out by Random Oracle Model (ROM) to achieve the session key secrecy, confidentiality, and integrity. For the protocol correctness and achieve the mutual authentication, simulation is performed using the AVISPA tool. Also, the informal security evaluation represents that the protocol defeats all the possible attacks and achieves the necessary security properties. Moreover, the performance evaluation of the earlier 5G handover schemes and proposed SEAI handover AKA protocol is carried out in terms of communication, transmission, computation overhead, handover delay, and energy consumption. From the evaluations, it is observed that the SEAI handover AKA protocol obtains significant results and strengthens the security of the 5G network during handover scenarios.


19.
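Based on an in-depth study of robust secure communication in 802.11i wireless networks, this paper proposes a robust secure communication protocol for wireless networks based on quantum teleportation, using the non-local correlation of entangled quantum pairs to secure the data link layer. First, quantum teleportation theory is described, with a focus on analyzing the pairwise-key and group-key hierarchies of the Temporal Key Integrity Protocol and the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. Second, a scheme for the pairwise-key and group-key hierarchies with embedded quantum teleportation is given. Finally, a theoretical security proof is given. The protocol requires no changes to basic network equipment such as users, access points, and authentication servers; only equipment that generates and processes entangled pairs needs to be added to perform quantum key authentication, so changes to the overall network framework are small.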

20.
A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus, can offer backwards compatibility as well as future upgrade ability as standards evolve. It provides this additional functionality while still achieving equivalent throughput rates to existing architectures.
