基于HMAC的认证与密钥协商协议

针对Wang方案的安全漏洞,论文提出一个基于HMAC的认证与密钥协商协议.该协议仅使用HMAC函数,降低了对物联网体系结构中终端设备的运算和存储能力的要求.安全性与性能分析结果表明,该协议可有效抵抗假冒攻击、重传攻击等常见攻击,并完成双方认证与信息安全地传输.     

基于身份加密的可认证密钥协商协议

密钥协商是安全通信的重要环节,通过密钥协商协议可在通信节点之间建立共享会话密钥,以便实现网络中的安全通信。在物联网环境下,文章提出的密钥协商协议是在基于身份的可认证密钥协商基础上的无双线性对的可认证密钥协商协议。该协议主要包括3个部分：初始化、参数提取和密钥协商。与利用双线性对的密钥协商协议相比,该协议不仅提供了相同层次的安全性与可扩展性,且在能量开销、时间开销和计算复杂度方面具有明显的优势。     

边缘计算环境下基于区块链的跨域认证与密钥协商协议

身份认证与密钥协商是接入物联网首先要考虑的安全问题.传统的物联网身份认证是基于"云中心-终端设备"的认证架构.而随着边缘计算技术的引入,认证架构转变为"边缘设备-终端设备"的架构,传统的认证方式不再适用.此外,物联网中存在多个通信域,不同域中的设备之间需要进行跨域间认证与密钥协商.针对以上问题,本文设计了边缘计算环境下...     

3GPP认证与密钥协商协议安全性分析

通用移动通信系统采用3GPP认证与密钥协商协议作为其安全框架,该协议对GSM存在的安全隐患作了有效的改进.对3GPP认证与密钥协商协议进行安全性研究,分析其容易遭受4种类型攻击方式.为了解决上述存在的安全隐患,提出在位置更新与位置不变两种情况下的基于公钥密码学的认证与密钥协商协议,采用形式化的分析方式证明了所提出算法的安全性,并将该协议与已有协议在安全性方面进行了比较.结果显示,所提出的协议算法能够极大地增强3GPP认证与密钥协商协议的安全性.     

3GPP认证与密钥协商协议安全性分析

通用移动通信系统采用3GPP认证与密钥协商协议作为其安全框架,该协议对GSM存在的安全隐患作了有效的改进.对3GPP认证与密钥协商协议进行安全性研究,分析其容易遭受4种类型攻击方式.为了解决上述存在的安全隐患,提出在位置更新与位置不变两种情况下的基于公钥密码学的认证与密钥协商协议,采用形式化的分析方式证明了所提出算法的安全性,并将该协议与已有协议在安全性方面进行了比较.结果显示,所提出的协议算法能够极大地增强3GPP认证与密钥协商协议的安全性.     

物联网中的隐私保护问题研究

在物联网中的认证和密钥协商过程中,如果用户的身份信息以明文的形式传输,攻击者可能追踪用户的行动轨迹,从而造成信息泄漏。针对大多数基于身份的认证和密钥协商协议不能保护用户隐私的问题,提出一个基于身份的匿名认证和密钥协商协议。在设计的认证和密钥协商方案中,用户的身份信息以密文的形式传输,解决了用户的隐私问题。     

UAP协议的安全性分析与改进

论文分析了一个基于椭圆曲线数字签名算法(ECDSA)的无线认证和密钥协商协议(UAP协议)的安全性,指出其安全缺陷:协议的安全性取决于服务器私钥的安全保存。使用无需求逆的椭圆曲线数字签名算法,同时将认证过程密钥和服务器参数绑定,给出了改进的无线认证和密钥协商协议,有效修复了UAP协议的缺陷,提高了服务器的使用效率,满足了无线认证和密钥协商协议的安全需求。     

一个高效的无线匿名认证和密钥协商协议

无线通信中,身份认证和密钥协商是一个重要的安全问题。文章首先指出文献[4]中构造的相关协议的安全漏洞和攻击方法;然后提出来一个半匿名基于XTR公钥体制的签密算法,基于该算法构造了一个高效的无线匿名认证和密钥协商协议;最后对该协议的安全性、计算量和通信量进行了评估。     

一种可认证的群组密钥协商协议

群组密钥协商协议可以使得所有组员协商出一个相同的密钥,该密钥可以被用到后续的组员之间的安全通信中,保证群组通信的机密性、完整性和真实性。本文在可认证双方密钥认证协议和BD群组密钥协商协议的基础上,提出了一种可认证的群组密钥协商协议(ABD)。和BD相比,ABD不仅能抵抗被动攻击还能抵抗主动攻击。     

可信计算环境下基于TPM的认证密钥协商协议

基于身份的认证密钥协商协议存在密钥托管、ID管理、ID唯一性和私钥的安全分发等问题,目前的可信计算技术为此提供了很好的解决方案。利用TPM平台中EK和tpmproof唯一性的特点,结合McCullagh-Barreto认证密钥协商协议思想,提出了一个在可信计算环境下基于TPM的认证密钥协商协议,该协议较好地解决了上述基于身份的密钥协商协议所存在的问题。用CK模型对所提协议进行了安全性分析,结果表明该协议具备已知密钥安全性,完善前向保密性及密钥泄露安全性等CK安全模型下相应的安全属性。     

基于集群架构的物联网终端动态认证仿真

为有效提高物联网终端认证的安全性,基于集群架构对物联网终端动态进行认证仿真。设计的认证策略主要基于双注册因子和对应认证结构,包括常数量和编码特征密匙,在此基础上设定集群架构下物联网双因子注册流程,第一认证因子与服务器达成一致,通过用户初始注册信息终端服务器生成注册凭证,第二因子通过SAS服务器认证,并生成注册会话密匙,完成最终双因子注册,根据注册因子,以X.509V3作为核心签发结构,构造认证数字证书,搭配公共密匙基础设置(PKI),确定身份认证协议,采用"挑战-应答"的形式完成物联网移动终端的认证实现集群架构下,当前物联网终端的整体认证工作。实验数据表明,在标准内核攻击下,设计的物联网终端认证方法可以有效保证自身数据的完整性,提高认证安全和可信性。     

物联网环境下移动节点可信接入认证协议

无线传感器网络（WSN）中的移动节点缺乏可信性验证,提出一种物联网（IoT）环境下移动节点可信接入认证协议。传感器网络中移动汇聚节点（Sink节点）同传感器节点在进行认证时,传感器节点和移动节点之间完成相互身份验证和密钥协商。传感器节点同时完成对移动节点的平台可信性验证。认证机制基于可信计算技术,给出了接入认证的具体步骤,整个过程中无需基站的参与。在认证时利用移动节点的预存的假名和对应公私钥实现移动节点的匿名性,并在CK（Canetti-Krawczyk）模型下给出了安全证明。在计算开销方面与同类移动节点认证接入方案相比,该协议快速认证的特点更适合物联网环境。     

基于轻量级加密技术建立物联网感知层信息安全的解决方案

本文提出了采用轻量级(密码编制简单、安全性高、运算速度快的单钥密码算法,如:RC4、RC5、SMS4算法等)加密技术,并采用一种安全单钥管理技术来解决轻量级密码的密钥更新管理的难题,在传感器或RFID读卡器设备端的智能芯片里和物联网认证中心端加密卡芯片里,建立传感设备认证、签名和加密协议、签名验证和解密协议,保证物联网感知层的设备可信,保证传感信息可信、完整和安全保密,从而,建立物联网感知层的信息安全系统。     

A CPK-Based Identity Authentication Scheme for IoT

As the power Internet of Things (IoT) enters the security construction stage, the massive use of perception layer devices urgently requires an identity authentication scheme that considers both security and practicality. The existing public key infrastructure (PKI)-based security authentication scheme is currently difficult to apply in many terminals in IoT. Its key distribution and management costs are high, which hinders the development of power IoT security construction. Combined Public Key (CPK) technology uses a small number of seeds to generate unlimited public keys. It is very suitable for identity authentication in the power Internet of Things. In this paper, we propose a novel identity authentication scheme for power IoT. The scheme combines the physical unclonable function (PUF) with improved CPK technology to achieve mutual identity authentication between power IoT terminals and servers. The proposed scheme does not require third-party authentication and improves the security of identity authentication for power IoT. Moreover, the scheme reduces the resource consumption of power IoT devices. The improved CPK algorithm solves the key collision problem, and the third party only needs to save the private key and the public key matrix. Experimental results show that the amount of storage resources occupied in our scheme is small. The proposed scheme is more suitable for the power IoT.     

针对Modbus协议的双重认证算法设计

随着现代化工业网络的不断发展,越来越多的工控网络安全问题层出不穷。在工控网络中Modbus协议应用最为普遍。然而Modbus工控网络却没有安全通信的机制,极易受到恶意攻击。根据文献追踪来看,目前还没有效的解决方案。为解决这些安全问题,提出了针对Modbus工控网络主从设备的认证模型、双重认证算法以及算法的配置方案。该算法利用了哈希链以及对称加密的一些特点,是针对Modbus工控网络主从设备有限的计算和存储能力而设计的轻量型认证算法。通过安全性分析可知,该认证算法能有效抵御常见Modbus工控网络的安全问题,并且算法的配置方案能有效减小认证算法对主从设备通信的干扰。     

A group key agreement protocol for intelligent internet of things system

The application of intelligent computing in Internet of Things (IoTs) makes IoTs systems such as telemedicine, in-vehicle IoT, and smart home more intelligent and efficient. Secure communication and secure resource sharing among intelligent terminals are essential. A secure communication channel for intelligent terminals can be established through group key agreement (GKA), thereby ensuring the security communication and resource sharing for intelligent terminals. Taking into account the confidentiality level of the shared resources of each terminal, and the different permissions of the resource sharing of each terminal, a GKA protocol for intelligent IoTs is proposed. Compared with previous work, this protocol mainly has the following advantages: (1) The hidden attribute identity authentication technology can achieve the security of identity authentication and protect personal privacy from being leaked; (2) Only intelligent terminals satisfying the threshold required of the GKA can participate in the GKA, which increases the security of group communication; (3) Low-level group terminals can obtain new permissions to participate in high-level group communication if they meet certain conditions. High-level group terminals can participate in low-level group communication through permission authentication, which increases the flexibility and security of group communication; (4) The intelligent terminals in the group can use their own attribute permission parameters to calculate the group key. They can verify the correctness of the calculated group key through a functional relationship, and does not need to exchange information with other members in the same group. Under the hardness assumption of inverse computational Diffie-Hellman problem and discrete logarithm problem, it is proven that the protocol has high security, and compared with the cited literatures, it has good advantages in terms of computational complexity, time cost and communication energy cost.     

Improved Key Agreement Based Kerberos Protocol for M-Health Security

The development of wireless sensor network with Internet of Things (IoT) predicts various applications in the field of healthcare and cloud computing. This can give promising results on mobile health care (M-health) and Telecare medicine information systems. M-health system on cloud Internet of Things (IoT) through wireless sensor network (WSN) becomes the rising research for the need of modern society. Sensor devices attached to the patients’ body which is connected to the mobile device can ease the medical services. Security is the key connect for optimal performance of the m-health system that share the data of patients in wireless networks in order to maintain the anonymity of the patients. This paper proposed a secure transmission of M-health data in wireless networks using proposed key agreement based Kerberos protocol. The patients processed data are stored in cloud server and accessed by doctors and caregivers. The data transfer between the patients, server and the doctors are accessed with proposed protocol in order to maintain the confidentiality and integrity of authentication. The efficiency of the proposed algorithm is compared with the existing protocols. For computing 100 devices it consumes only 91milllisecond for computation.     

A lightweight authentication and key agreement protocol for heterogeneous IoT with special attention to sensing devices and gateway

Focusing specifically on sensing devices with restricted resources, heterogeneous internet of things (HIoT) is an attractive scenario for IoT networks. Nonetheless, the very nature of wireless channels in these networks has given rise to a series of security challenges, which need to be considered while developing authentication protocols. Here, we scrutinized Yu and Park’s, Kumari et al.’s, and Ostad-sharif et al.'s protocols and illustrated their weaknesses against key compromise attacks, insider attacks, and violation of anonymity. Furthermore, for heterogeneous IoT contexts, a lightweight and secure authentication and key agreement protocol for heterogeneous IoT environments is presented. Concerning the restricted resources of sensing devices, an attempt is made to provide an efficient HIoT-based authentication protocol to enhance network security and performance. The gateway as a trusted authority with the maximum workload and sensing devices with the highest restrictions on resources are considered in the suggested protocol. As a result, the user bears the brunt of the workload in the individual session. The Burrows–Abadi–Needham (BAN) logic is used to validate the proposed protocol, and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is utilized to demonstrate resilience to existing active attacks. Simulation findings and performance assessment revealed that our protocol improved communication overheads by up to 110%, computation overheads by up to 83%, and sensing device maximum storage capacity by up to 51%.