结合双线性对和DLP的无证书两方认证协议

为解决无线通信网络中不同用户之间的通信安全问题,通常会采用身份认证协议来确保通信双方身份的合法性。该认证协议应能抵抗重放攻击、延时攻击等威胁,同时认证过程中的计算量应尽量小。本文针对SEAHA (secure and efficient handover authentication)认证方案存在的计算量大、不能抵抗伪装攻击的问题提出了一种基于双线性对和离散对数难题（DLP）的无证书两方认证协议。该协议中基站和节点共同生成节点密钥对来抵抗伪装攻击,利用离散对数难题生成会话密钥降低认证过程中的计算量。安全分析和性能分析结果表明,提出协议在保证安全性的前提下,有效降低了认证过程计算量。      

一种新的无证书可认证多方密钥协商协议

Joux提出的三方密钥协商方案虽然简洁、高效,但不能抵抗中间人攻击。基于无证书公钥密码体制,提出一种新的无证书可认证多方密钥协商方案,新方案将Joux的三方协议拓展至多方,并且具有认证功能。由于新方案中所用的签名为短签名,所以整个认证过程计算效率较高,另外,新方案还具有简单证书管理、无密钥托管的优点,新方案满足无密钥控制、抗中间人的主动攻击、前向安全性和抗密钥泄露伪装攻击等多种安全特性。     

基于身份认证的无线安全密钥交换

认证密钥协商使得通信双方在共享一个安全会话密钥的同时实现相互认证。针对无线网络,基于口令认证的密钥协商算法也许能降低系统资源开销,但通常不能有效抵抗字典攻击。针对无线设备的资源有限性,文中提出一种可证安全的、基于身份的、认证的密钥协商方案,所提出方案需要计算量少,能够抵抗冒充攻击并且满足密钥协商协议所要求的其它安全属性。     

基于属性的多授权中心身份认证方案

针对现有的基于属性的身份认证方案均是基于单授权中心实现的,存在密钥托管问题,即密钥生成中心知道所有用户的私钥,提出了一种基于属性的多授权中心的身份认证方案。所提方案结合分布式密钥生成技术实现用户属性私钥的(t,n)门限生成机制,可以抵抗最多来自t-1个授权中心的合谋攻击。利用双线性映射构造了所提方案,分析了所提方案的安全性、计算开销和通信开销,并与同类型方案做比较。最后,以多因子身份认证为例,分析了所提方案在电子凭据应用场景中的可行性。分析结果表明,所提方案具有更优的综合性能。     

基于相互认证和密钥协商机制的智能卡远程安全认证方案

分析2011年Muniyandi等人提出的一种基于椭圆曲线密码(ECC)体制的智能卡进行远程认证方案,发现该方案缺乏密钥协商机制,不能有效抵抗伪装攻击、认证表盗窃攻击、离线猜测攻击和智能卡丢失等攻击。提出一种改进方案,融入相互认证和密钥协商机制来克服以上缺陷,确保前向和后向保密性,且用户能够自由修改密码,同时对用户信息进行匿名保护。与现有智能卡认证方案相比,该方案具有较高的安全性能,且具有较小的计算开销。     

一种新型基于环上带误差学习问题的认证密钥交换方案

利用格上判定带误差学习问题(Ring-DLWE)困难假设,该文基于Peikert的调和技术构造认证密钥交换方案。在标准模型下,该方案是CK模型中可证明安全的,并达到弱前向安全性(wPFS)。与现有的基于LWE的密钥交换方案相比,该方案使用平衡的密钥提取函数,因而保护共享会话密钥,同时因其基于格中困难问题,所以能抵抗量子攻击。     

基于验证元的三方口令认证密钥交换协议

基于验证元的口令认证密钥交换协议的最基本安全目标是抵抗字典攻击和服务器泄露攻击.利用双线性对的性质给出了一个基于验证元的三方口令认证密钥交换协议,有如下特点:能够抵抗字典攻击和服务器泄露攻击;保持密钥秘密性,提供前向安全性;确保无密钥控制;抵抗已知密钥攻击和中间人攻击;协议执行一次可以生成4个会话密钥等.     

无线传感器网络的轻量级安全体系研究

结合无线传感器网络现有的安全方案存在密钥管理和安全认证效率低等问题的特点,提出了无线传感器网络的轻量级安全体系和安全算法。采用门限秘密共享机制的思想解决了无线传感器网络组网中遭遇恶意节点的问题;采用轻量化ECC算法改造传统ECC算法,优化基于ECC的CPK体制的思想,在无需第三方认证中心CA的参与下,可减少认证过程中的计算开销和通信开销,密钥管理适应无线传感器网络的资源受限和传输能耗相当于计算能耗千倍等特点,安全性依赖于椭圆离散对数的指数级分解计算复杂度;并采用双向认证的方式改造,保证普通节点与簇头节点间的通信安全,抵御中间人攻击。     

校园网络身份认证技术平台研究

研究校园网络平台中安全身份认证技术问题,提出基于快速密钥生成算法的身份认证方式.这种认证方式只需要在初次进行身份认证时从网络平台服务方得到密钥,运用奇数筛选理论减少了身份验证的计算量,提高了校园网络平台中安全身份认证的效率.实验证明,该算法能够实时认证操作者的身份,进一步保证校园网络平台的安全.     

基于Montgomery型椭圆曲线密码的RFID安全认证方案

针对现有基于椭圆曲线密码（elliptic curve cryptography,ECC）体制的 RFID（radio frequency identification device）安全认证方案不能满足相互认证、隐私保护和前向安全性等要求,提出一种基于Montgomery型椭圆曲线密码的认证方案。利用Montgomery型椭圆曲线来降低计算量,并提供标签和服务器之间的相互认证,具有匿名性和前向安全性。通过分析表明,该方案能够抵抗重放攻击、标签伪装攻击、服务器欺骗攻击、DoS攻击、位置跟踪攻击和克隆攻击。与现有方案相比,该方案在保证较低的内存、计算和通信需求的情况下,提供了较高的安全性能,能够满足RFID系统的安全性要求。     

Blockchain-inspired lightweight trust-based system in vehicular networks

A decentralized application runs on the blockchain network without the intervention of a central authority. Transparency in transactions and security in vehicular networks are the issues for central systems. The proposed system uses blockchain-based smart contracts, which eliminate the requirement for any third-party verification. Additionally, with signature verification and reduced overhead, smart contracts also help in a fast and secure transaction. This study suggests a trust-based system paradigm where certificate authority (CA) is employed for vehicle registration. We also propose a blockchain-based system that provides efficient two-way authentication and key agreement through encryption and digital signatures. The analysis of the proposed model reveals that it is an efficient way of establishing distributed trust management, which helps in preserving vehicle privacy. The proposed scheme is tested in Automated Validation of Internet Security-sensitive Protocols (AVISPA), and security parameters verification in Network Simulator 2(NS2) also shows that the proposed scheme is more effective in comparison with existing schemes in terms of authentication cost, storage cost, and overhead.     

On the design of secure user authenticated key management scheme for multigateway‐based wireless sensor networks using ECC

In wireless sensor networks (WSNs), there are many critical applications (for example, healthcare, vehicle tracking, and battlefield), where the online streaming data generated from different sensor nodes need to be analyzed with respect to quick control decisions. However, as the data generated by these sensor nodes usually flow through open channel, so there are higher chances of various types of attacks either on the nodes or on to the data captured by these nodes. In this paper, we aim to design a new elliptic curve cryptography–based user authenticated key agreement protocol in a hierarchical WSN so that a legal user can only access the streaming data from generated from different sensor nodes. The proposed scheme is based upon 3‐factor authentication, as it applies smart card, password, and personal biometrics of a user (for ticket generation). The proposed scheme maintains low computation cost for resource‐constrained sensor nodes, as it uses efficient 1‐way cryptographic hash function and bitwise exclusive‐OR operations for secure key establishment between different sensor nodes. The security analysis using the broadly accepted Burrows‐Abadi‐Needham logic, formal security verification using the popular simulation tool (automated validation of Internet security protocols and applications), and informal security show that the proposed scheme is resilient against several well‐known attacks needed for a user authentication scheme in WSNs. The comparison of security and functionality requirements, communication and computation costs of the proposed scheme, and other related existing user authentication schemes shows the superior performance of the proposed scheme.     

A Smart Card Based Efficient and Secured Multi-Server Authentication Scheme

Increasing popularity of the multi-server architecture has propelled the research on the multi-server authentication schemes. Current dominating authentication schemes are smartcard based, verification table free schemes with passwords. Although these schemes have developed to be robust against most of the popular malicious attacks, they still have security weaknesses and their efficiency is generally low. In this paper, we analyze and formulate security issues in previously proposed schemes. And based on the formulation, an enhanced efficient and secure scheme is proposed. In the proposal, a novel “redundant key protection” is proposed to utilize. The proposed scheme is validated and verified by Colored Petri Nets.     

移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

适用于车载边缘计算网络的高效匿名认证协议

为了解决车载边缘计算网络中无线网络传输特性导致的窃听、重放、拦截、篡改等安全威胁,考虑到车载终端资源有限的特点,提出了一种轻量级匿名高效身份认证协议。基于切比雪夫混沌映射算法,避免了多数方案所采用的指数、双线性映射等复杂算法,有效降低了身份认证与密钥协商过程中的计算复杂度。此外,在实现接入认证及切换认证的同时,能够实现终端匿名性及可追溯、可撤销等安全功能。通过Scyther工具验证结果表明该协议能够满足认证过程中的安全需求并且能够抵抗多种协议攻击。相比已有方案,所提接入认证方案总计算开销最低可节省67%,带宽开销最低可节省11%。此外,相比于接入认证方案,所提域内切换认证方案总计算开销可节省99.8%,带宽开销可节省52%;域间切换认证方案总计算开销可节省80%,带宽开销可节省37%。性能分析结果表明该协议具备更良好的计算和通信性能,因此可以解决车载边缘计算网络中的终端高效安全接入及切换问题。     

A secure and effective biometric‐based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor

User authentication is a prominent security requirement in wireless sensor networks (WSNs) for accessing the real‐time data from the sensors directly by a legitimate user (external party). Several user authentication schemes are proposed in the literature. However, most of them are either vulnerable to different known attacks or they are inefficient. Recently, Althobaiti et al. presented a biometric‐based user authentication scheme for WSNs. Although their scheme is efficient in computation, in this paper, we first show that their scheme has several security pitfalls such as (i) it is not resilient against node capture attack; (ii) it is insecure against impersonation attack; and (iii) it is insecure against man‐in‐the‐middle attack. We then aim to propose a novel biometric‐based user authentication scheme suitable for WSNs in order to withstand the security pitfalls found in Althobaiti et al. scheme. We show through the rigorous security analysis that our scheme is secure and satisfies the desirable security requirements. Furthermore, the simulation results for the formal security verification using the most widely used and accepted Automated Validation of Internet Security Protocols and Applications tool indicate that our scheme is secure. Our scheme is also efficient compared with existing related schemes. Copyright © 2015 John Wiley & Sons, Ltd.     

A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks

Wireless sensor networks (WSNs) are used for many real‐time applications. User authentication is an important security service for WSNs to ensure only legitimate users can access the sensor data within the network. In 2012, Yoo and others proposed a security‐performance‐balanced user authentication scheme for WSNs, which is an enhancement of existing schemes. In this paper, we show that Yoo and others' scheme has security flaws, and it is not efficient for real WSNs. In addition, this paper proposes a new strong authentication scheme with user privacy for WSNs. The proposed scheme not only achieves end‐party mutual authentication (that is, between the user and the sensor node) but also establishes a dynamic session key. The proposed scheme preserves the security features of Yoo and others' scheme and other existing schemes and provides more practical security services. Additionally, the efficiency of the proposed scheme is more appropriate for real‐world WSNs applications.     

Handover authentication between different types of eNBs in LTE networks

There are two types of base stations in the long term evolution (LTE) wireless networks, home eNodeB (HeNB) and eNodeB (eNB). It is critical to achieve seamless handovers between the HeNB and the eNB in order to support mobility in the LTE networks. A handover from an eNB/HeNB to a new eNB/HeNB, suggested by the third generation partnership project (3GPP), requires distinct procedures for different mobility scenarios, which will increase the system complexity. Besides, the existing handover schemes for other wireless networks are not suitable for the mobility scenarios in the LTE networks due to their inherent vulnerabilities. In this paper, we propose a fast and secure handover authentication scheme, which is to fit in with most of the mobility scenarios in the LTE networks. Compared with other handover schemes, our scheme cannot only achieve a simple authentication process with desirable efficiency, but also provide several security features including perfect forward/backward secrecy (PFS/PBS), which have never been achieved by the previous works. The experiment results and formal verification by using the automated validation of internet security protocols and applications (AVISPA) tool show that the proposed scheme is efficient and secure against various malicious attacks.     

Efficient revocable attribute-based encryption scheme

In the existing solutions,the time-based scheme is difficult to achieve immediate revocation,and the third-party-based scheme often requires re-encryption,which needs large amount of calculation and doesn’t apply to mas-sive data.To solve the problem,an efficient and immediate CP-ABE scheme was proposed to support user and attribute lev-els revocation.The scheme was based on the classic LSSS access structure,introducing RSA key management mechanism and attribute authentication.By means of a semi-trusted third party,the user could be authenticated before decryption.Com-pared with the existing revocation schemes,The proposed scheme didn’t need the user to update the key or re-encrypt the ciphertext.The semi-trusted third party wasn’t required to update the RSA attribute authentication key.The scheme greatly reduced the amount of computation and traffic caused by revocation,while ensuring anti-collusion attacks and forward and backward security.Finally,the security analysis and experimental simulation show that the scheme has higher revocation ef-ficiency.     

An efficient and attack‐resistant key agreement scheme for secure group communications in mobile ad‐hoc networks

As a result of the growing popularity of wireless networks, in particular mobile ad hoc networks (MANET), security over such networks has become very important. Trust establishment, key management, authentication, and authorization are important areas that need to be thoroughly researched before security in MANETs becomes a reality. This work studies the problem of secure group communications (SGCs) and key management over MANETs. It identifies the key features of any SGC scheme over such networks. AUTH‐CRTDH, an efficient key agreement scheme with authentication capability for SGC over MANETs, is proposed. Compared to the existing schemes, the proposed scheme has many desirable features such as contributory and efficient computation of group key, uniform work load for all members, few rounds of rekeying, efficient support for user dynamics, key agreement without member serialization and defense against the Man‐in‐the‐Middle attack, and the Least Common Multiple (LCM) attack. These properties make the proposed scheme well suited for MANETs. The implementation results show that the proposed scheme is computationally efficient and scales well to a large number of mobile users. Copyright © 2007 John Wiley & Sons, Ltd.