Similar literature
 Found 20 similar articles; search took 15 ms
1.
The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.

2.
Token ring networks are the second most commonly used type of local-area network (LAN). The second version of the formal token ring multiple access mechanism, ISO 8802/5, was released in late 1995 and this rationalised many of the new developments, e.g. the 16 Mbit/s solutions. The latest innovations are the full duplex dedicated token ring and the development of a 100 Mbit/s high-speed token ring solution. To many people's surprise there is an extensive legacy of token ring installations and the latest innovations, such as token ring switching, are an attempt to maintain and support this significant market presence. Token ring is designed to provide high throughput under heavy loads (something which is normally impossible for Ethernet to sustain) but in most cases it is used in typical office environments where there is infrequent occurrence of heavy loads.

3.
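The traditional shortwave (HF) token protocol (HFTP) has a single scheduling mode: when there is no data to transmit, channel resources are consumed by token passing among the nodes, and the token is easily lost when communication quality is poor. To address this, a multi-channel clustered HF token protocol (CHFTP) is proposed. Using a clustering algorithm whose criterion is an assessment of communication quality, together with reservation-based dynamic token scheduling, it reduces the probability of token loss and the overhead of token passing and processing; a simulation analysis is also given. The simulation results show that the protocol's average end-to-end delay and network throughput are clearly better than those of the HF token protocol: CHFTP reduces the average delay by up to 75% and increases network throughput by up to 66.7%, making it suitable for use in HF communication networks.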

4.
蔡绍滨  韩启龙  高振国  杨德森  赵靖 《电子学报》2012,40(11):2232-2238
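 A wireless sensor network (WSN) is a self-organizing wireless network without infrastructure. Like other networks, a WSN needs security measures to keep its communication secure. In a WSN, however, cryptography-based security schemes cannot effectively handle attacks that originate inside the network or identify malicious nodes. Trust models are therefore used to identify malicious nodes in WSNs. Building on research into trust models and cloud theory, this paper constructs a cloud-theory-based trust model for wireless sensor networks, the Cloud-based Trust Model (CTM). Experimental results show that the cloud trust model can effectively identify malicious nodes.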

5.
Wireless dynamic token protocol and its performance analysis   Total citations: 2, self-citations: 0, citations by others: 2
孙献璞  张艳玲  李建东 《电子学报》2009,37(10):2139-2143
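 Building on the Wireless Token Ring Protocol (WTRP), this paper proposes a Wireless Dynamic Token Protocol (WDTP) to solve WTRP's poor adaptability to network topology and its complex management and control. The paper first introduces the working principle of WDTP, then describes in detail the dynamic token-passing algorithm, the subnet establishment process and the token management and maintenance techniques. It analyses and compares the performance of WDTP and WTRP, and compares by simulation how well the two protocols adapt to the network topology. The simulation results show that WDTP adapts well to the network topology and thereby improves the utilization of frequency resources.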

6.
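By introducing the information security problems common in information systems and the identity authentication techniques in common use, this paper describes the most advanced unified identity authentication platform technology, which can solve current information security problems. It is an identity authentication platform based on dynamic tokens that can encrypt the entire communication and is applicable to both symmetric and asymmetric encryption algorithms; the complete process of digital-signature encryption and decryption with an asymmetric algorithm is illustrated with an algorithm model. The platform has performed well in deployments in several fields and, according to testing, is currently the unified identity authentication security management platform with the best encryption in China.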

7.
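Security vulnerability analysis of dynamic passwords and countermeasures   Total citations: 6, self-citations: 0, citations by others: 6
Dynamic passwords are an identity authentication technique that replaces the usual static passwords. This article introduces the basic principle of an industry-standard dynamic password algorithm and, on that basis, analyses the security weaknesses of dynamic passwords, pointing out that they are exposed to man-in-the-middle attacks, client-side attacks and server-side attacks. To address these risks, the article introduces corresponding security measures, such as protecting dynamic passwords with SSL.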

8.
Radio Frequency IDentification (RFID) is used in many applications such as access control, transport, ticketing and contactless payment. The full-fledged High Frequency (HF) tags are the most popular RFID tags for these applications that require relatively high cost security operations. However, these HF tags are threatened by many passive attacks such as eavesdropping, desynchronization and ElectroMagnetic (EM) Side Channel Attacks (SCA). In this article, we propose the implementation and the validation of a full-fledged HF tag architecture using an enhanced mutual authentication protocol. This is achieved using an FPGA platform. Security analysis against Electromagnetic Attack (EMA) and desynchronization attacks on the original protocol are presented. Then enhancements at the protocol level are proposed to overcome these attacks. The implementation of these security enhancements shows a low overhead (+22 LUTs) compared to previous existing security hardware solutions (+598 LUTs).

9.
Since card‐type one‐time password (OTP) generators became available, power and area consumption has been one of the main issues of hardware OTPs. Because relatively smaller batteries and smaller chip areas are available for this type of OTP compared to existing token‐type OTPs, it is necessary to implement power‐efficient and compact dedicated OTP hardware modules. In this paper, we design and implement a low‐power small‐area hardware OTP generator based on the Advanced Encryption Standard (AES). First, we implement a prototype AES hardware module using a 350 nm process to verify the effectiveness of our optimization techniques for the SubBytes transform and data storage. Next, we apply the optimized AES to a real‐world OTP hardware module which is implemented using a 180 nm process. Our experimental results show the power consumption of our OTP module using the new AES implementation is only 49.4% and 15.0% of those of an HOTP and software‐based OTP, respectively.

10.
Wireless Personal Communications - Cloud-based environments utilize a different kind of security services on the Internet in a cost effective manner. The cloud-based service providers may diminish...

11.
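Quantum key distribution (QKD) systems can provide a physically secure way of distributing keys and have therefore become a research hotspot in quantum information; how to guarantee the unconditional security of QKD under realistic conditions is an important research topic in the field. Starting from the one-time pad, the scheme with perfect secrecy in classical secure communication systems, this paper introduces the application model of QKD systems and the security basis of the overall secure communication system, as well as research progress on the practical unconditional security of quantum key transmission since QKD protocols were first proposed. It focuses on the various types of quantum hacking attack schemes that target security loopholes arising under realistic conditions and on the defences against them, and on theoretical and experimental progress in measurement-device-independent QKD systems, which have received wide attention in the past two years.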

12.
In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “adaptive defense” functionality based on cost minimization—adaptively adjusting its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situations or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.

13.
ExpressMAN is a metropolitan area network architecture which connects users grouped in different clusters. It retains all the positive features of LAN's, but in addition, allows for parallel transmission of local traffic. The overall network structure is halfway between a linear bus and a two-level hierarchical structure in which several subnetworks are connected by a backbone network. However, it does not need complex routing facilities like bridges. Based on the Expressnet access mechanism, it can be dynamically configured either as a unique bus or as several different local buses which allow the circulation of long distance and local trains, respectively. Routing is performed by the transmitting stations choosing the correct train. Local communications can take the bandwidth not used by long distance trains, and thus increase bandwidth efficiency by means of parallel transmissions. In this paper, the performance of ExpressMAN is evaluated and compared to that achieved by the aforementioned two-level structure based on Express networks. Although the Expressnet mechanism has been chosen as the simplest and most efficient mechanism available for LAN's, the principle underlying ExpressMAN could be applied to other token schemes such as the token ring.

14.
Time limits are the major mechanisms used for controlling a large variety of multistation single-medium computer-communication systems like the FDDI network and the IEEE 802.4 Token Bus. The proper use of these mechanisms is still not understood and rules for efficient system operation are not available. The authors' objective is the derivation of such rules. They use a cyclic polling model with different service limits (k-limited service) at the different queues, thus emulating time limits. They are interested in determining these k-limit values so as to minimize the mean waiting cost of messages in the system. A simple approximative approach is proposed for two major problems: one in which a limit is set on the token rotation time and one in which no limits are imposed. The approach is tested for a variety of cases and is shown to be very effective.

15.
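Dynamic password identity authentication system based on a mobile phone token   Total citations: 2, self-citations: 0, citations by others: 2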
张亮  刘建伟 《通信技术》2009,42(1):253-255
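As wireless networks mature, the number of users accessing the Internet wirelessly from mobile phones keeps growing, so solving the identity authentication problem for wireless-access users is extremely important. Dynamic passwords have become the new trend in authentication mechanisms, providing higher security than traditional static passwords. This paper designs a dynamic password authentication protocol based on a challenge/response mechanism and, based on this protocol, designs a dynamic password identity authentication system that uses a mobile phone token; it describes the system's composition and authentication process and analyses its security. The analysis shows that the system offers high security, wide applicability, ease of use and low system cost.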

16.
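This paper proposes an AES-based password authentication protocol. The protocol uses no public-key algorithm and relies on AES alone to authenticate remote users; it is fast and highly secure, and is easy to implement in token or IC card hardware. Finally, the security of the authentication protocol is discussed.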

17.
Specific applications require large amounts of high-performance, dense and low-cost non-volatile memories with CMOS standard process compatibility. There exists numerous structures for one-time-programming (OTP) bitcells, exploiting various physical phenomena as programming modes. Not all of these physical phenomena will behave in a satisfactory manner with the CMOS technology shrink. Moreover, it is not easy to evaluate the effect of geometry and technology on the trade-off between density and reliability of the OTP bitcells. This paper aims to review literature about OTP memories and show that metal fuse, polyfuse and antifuse are the best candidates so far. Other memories require either additional masks with regards to core process, additional technological steps or unaffordable programming conditions. Significant results will be listed in comparison tables. This paper also wishes to give a summary of the physical phenomena involved in bitcell architectures. Opinions are given about the suitability of OTP architectures for specific applications, the most suitable bitcell architectures have been layouted in 65 and 45 nm for density comparison purpose. Particularly, promising structures are manufactured and characterized as they present fair trade offs for standard CMOS process. Discussion and conclusion are intended to give a comprehensive review about the parameters impacting the performances, the density and the cost of the OTP bitcell. Comparison tables are edited with the most pertinent parameters and available results.

18.
Enterprise network security management is a complex task of balancing security and usability, with trade-offs often necessary between the two. Past work has provided ways to identify intricate attack paths due to misconfiguration and vulnerabilities in an enterprise system, but little has been done to address how to correct the security problems within the context of various other requirements such as usability, ease of access, and cost of countermeasures. This paper presents an approach based on Boolean satisfiability solving (SAT solving) that can reason about attacks, usability requirements, cost of actions, etc. in a unified, logical framework. Preliminary results show that the approach is both effective and efficient.

19.
A 32-KB standard CMOS antifuse one-time programmable (OTP) ROM embedded in a 16-bit microcontroller as its program memory is designed and implemented in 0.18-$\mu\mathrm{m}$ standard CMOS technology. The proposed 32-KB OTP ROM cell array consists of 4.2 $\mu\mathrm{m}^2$ three-transistor (3T) OTP cells where each cell utilizes a thin gate-oxide antifuse, a high-voltage blocking transistor, and an access transistor, which are all compatible with standard CMOS process. In order for high density implementation, the size of the 3T cell has been reduced by 80% in comparison to previous work. The fabricated total chip size, including 32-KB OTP ROM, which can be programmed via external $\mathrm{I}^2\mathrm{C}$ master device such as universal $\mathrm{I}^2\mathrm{C}$ serial EEPROM programmer, 16-bit microcontroller with 16-KB program SRAM and 8-KB data SRAM, peripheral circuits to interface other system building blocks, and bonding pads, is 9.9 $\mathrm{mm}^2$. This paper describes the cell, design, and implementation of high-density CMOS OTP ROM, and shows its promising possibilities in embedded applications.

20.
A scalable energy‐efficient MAC protocol is proposed for wireless sensor and actor networks (WSAN) to improve the network performance. Actor placement is computed using the midpoint K‐mean technique. These actors act as the cluster heads and collect the information from their members. Each cluster head computes the shortest path to all of its cluster members. Further, it divides the cluster into multiple subtrees and assigns a noninterference channel to every subtree. A token is assigned to each subtree for intracluster communication. Token handling and token processing mechanisms are proposed to transfer the token from one node to the next eligible node. Finally, a throughput‐based channel selection mechanism is proposed for actor‐actor communication. The proposed protocol is simulated in NS2 and compared with its competitive MAC protocols. The results show that the proposed mechanism outperforms the existing protocols.
