基于认证可信度的角色访问控制模型

提出一种基于认证可信度的角色访问控制模型(AT-RBAC).该模型将可信度技术与访问控制相结合,将身份认证的结果用可信度值来度量,以此来强化身份认证与访问控制的联系.用户必须通过角色、权限的可信激活约束才能获得相应权限.实践表明,AT-RBAC模型可实现灵活的系统授权,达到对高安全级资源有效保护的目的.     

基于身份认证的医疗信息数据库访问控制

传统的数据库访问控制方法会绑定访问请求与访问目的,增加医疗信息系统运行负担。为此,提出基于身份认证技术的医疗信息系统数据库访问控制方法。采用文档对象模型描述医疗信息系统;利用电子钥匙与X.509标准协议相结合的身份认证技术,根据信息发送、接收、加密、解密、随机数生成、证书验证六个步骤认证用户身份;根据认证结果定义数据库时间函数、授权、规则和授权基,并判断访问用户是否合法。实验结果表明：相比于系统原访问耗时,文中方法的总耗时更短,有效减轻了系统的运行负担。     

网格身份认证和访问控制的研究

网格安全是影响网格应用的主要问题,文中主要在身份认证和访问控制上做了研究.针对网格环境下分别采用PKI和Kerberos作为认证机制的不同域,在交互时所面临的信任证转换问题,设计了一个双向的信任证转换方案,并在此基础上设计了完整的身份认证策略,有效解决了身份认证复杂性的问题;针对现有网格访问控制繁琐的特性,利用信息安全中黑伯名单机制简洁、高效的特点,建立了新的、动态的网格访问控制模型,使得访问控制更具有灵活性.     

WDPF系统中认证授权流程的设计与实现

WDPF（Wireless Digital Picture Frame,无线数码相框平台）系统是一个平台与终端紧密结合的新型业务。安全性是所有可以用来对资源或信息进行保护和验证的机制。认证授权处于业务核心层,用于识别用户身份,允许特定用户访问特定资源或信息,起访问控制作用,保证系统资源和信息的安全。该文介绍了业务平台中不同模块采用不同认证方式,重点介绍基本认证、摘要认证和OAuth认证在业务平台中的设计与实现。     

物联网移动RFID系统匿名访问控制认证密钥交换协议

针对物联网移动RFID系统标签隐私信息的访问控制以及用户身份隐私保护问题,本文采用身份加密和属性加密相结合的方法,建立了IB-AB-eCK安全模型,设计了基于身份及属性的认证密钥交换协议IB-AB-AKE。基于IB-AB-AKE协议,提出了移动RFID手机与信息服务器之间认证密钥交换协议,实现了在保护移动RFID手机用户身份隐私的同时,根据标签所有者定制的访问控制策略进行标签信息的访问控制认证和会话密钥交换,防止了隐私信息被非法访问。分析表明,IB-AB-AKE协议在IB-AB-eCK模型下是安全的,且在通信次数、通信量及计算量方面具有优势。      

基于Agent的认证与网络访问控制系统

身份认证与网络访问控制验证用户的合法身份,授权网络资源的访问.针对目前相关系统的缺陷,设计并实现了基于Agent技术的多因素认证与粗、细粒度网络访问控制系统.通过分析和设计Agent软件的通信安全性、认证和访问控制的关键环节和流程,结合硬件特征属性密钥和用户信息,实现多因素认证,并根据网络服务资源的敏感和保密程度,划分不同密级的用户.以Windows XP为例,具体论述Agent软件利用HOOK技术实现以上关键功能.实验结果表明,该系统效率高,可扩展性、通用性好.     

基于ECC算法的Intranet身份认证系统设计

身份认证是保障信息安全的关键一环,是提供访问控制的第一步。本文介绍了ECC算法和身份认证的相关理论,提出一种基于ECC算法的身份认证系统方案,其适用于Intranet内联网之中,使用混合密码体制和软硬件协同的工作方式,提供高速、安全可靠的身份认证服务。     

基于直接匿名证明的可追踪匿名认证方案

属性认证是一种特殊的身份认证方案,旨在解决各类云服务中的细粒度访问控制问题。然而,此类系统的设计必须有效解决用户隐私保护和恶意用户的追责问题。基于直接匿名证明、Boneh-Boyen签名、Waters签名等技术对Liu等人的属性签名方案进行扩展,得到新的可追踪匿名认证方案。新方案允许用户在方案的各个阶段保持匿名,并且能在身份认证阶段隐藏自己的属性值。新方案继承了底层属性签名方案的身份追踪机制,从而允许云服务提供商对恶意用户的失信行为进行问责。此外,新方案的设计引入了可信计算技术,可以在系统被攻破的情况下确保用户端的行为可信。     

基于Ajax和图形验证码的身份认证实现

为了保证Web系统的安全,传统的模式一般采用用户名和密码来进行身份认证,这种模式以同步方式运行,以文本格式存储,效率低,安全性差,Ajax技术的异步能力、图形验证码的点阵存储、权限访问控制三者相结合,高效实现了Web系统身份认证功能,安全性能大有改善。     

基于J2EE过滤器技术的统一身份认证与访问控制技术

为了解决信息化应用系统的安全性问题，特别是用户身份认证与访问控制自身的安全性问题，通过分析、研究用户身份认证、访问控制原理及J2EE Servlet过滤器技术，在基于Web应用系统特点和J2EE Servlet过滤器技术的基础上，提出了企业信息化应用系统的统一用户身份认证与访问控制的实现方法，并在J2EE应用框架中得到了应用。结果表明：该方法满足设计要求，提高了企业信息化应用系统的安全性。     

AAA authentication for network mobility

Network mobility (NEMO) is a protocol proposed for the mobility management of a whole network.It offers seamless Internet connectivity to the mobile end users.However,the NEMO protocol has not been wid...     

An improved password‐based authentication scheme for session initiation protocol using smart cards without verification table

Authentication schemes have been widely deployed access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as on password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al . proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al . claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al . protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al . protocol by imposing a little extra computation cost. Copyright © 2014 John Wiley & Sons, Ltd.     

CPK-based grid authentication:a step forward

Effective grid authentication plays a critical role in grid security, which has been recognized as a key issue in the designing and extension of grid technologies. At present, public key infrastructure (PKI) has been widely applied for grid authentication, and this article proposes a novel grid authentication mechanism, which is based on combined public key (CPK) employing elliptic curve cryptography (ECC). The designing structure of the new grid authentication mechanism and its implementation procedure are described in details. Property analysis of the new mechanism is also made in comparison with that of the globus security infrastructure (GSI) authentication, which leads to the conclusion that CPK-based grid authentication, may be applied as an optimized approach towards efficient and effective grid authentication.     

New entity authentication and access control scheme in satellite communication network

With the increasing global demand for satellite communications,the problem of entity authentication and access control of the satellite communication network needs to be solved urgently.To solve this problem,a new multiple center-based entity authentication and cross-domain access control scheme was proposed.The scheme divided the multiple centers into two layers for entity authentication,and maped the authorization of the multiple domains to achieve access control.Simulation experiments show that the proposed scheme support the entity authentication for 100 million users.Furthermore,it also allows 1 million users to access in parallel.     

VPN用户认证技术

虚拟专用网络绕开防火墙的安全保障机制提供对内网资源的访问,因此高强度的用户认证功能是必须的。目前常用的认证技术包括无中心式的基于签名技术的认证机制以及基于数字证书的中心式认证机制。文章对这两类认证技术在ＶＰＮ中的应用进行了细致的研究和分析,为ＶＰＮ用户认证技术的实现提供了技术框架。     

声纹识别技术在电子商务安全认证中的应用

随着公用网络基础设施的逐步完善及各种新兴的宽带接入技术的涌现,在线支付的商务方式以其特有的优势迅猛的发展起来。因而电子商务成为近年来人们关注的焦点,它使社会的商务方式发生了变革,但是电子商务的软肋也阻碍了其迅速的发展,即电子商务的安全性问题是其亟待解决的核心问题,现提出了一种基于声纹识别与数字加密相结合的技术来实现安全的电子商务身份认证,与此同时也简单介绍了声纹识别算法的改进措施及认证技术的实现过程。     

A mutual authentication and privacy mechanism for WLAN security

IEEE 802.11 wireless local area networks (WLAN) has been increasingly deployed in various locations because of the convenience of wireless communication and decreasing costs of the underlying technology. However, the existing security mechanisms in wireless communication are vulnerable to be attacked and seriously threat the data authentication and confidentiality. In this paper, we mainly focus on two issues. First, the vulnerabilities of security protocols specified in IEEE 802.11 and 802.1X standards are analyzed in detail. Second, a new mutual authentication and privacy scheme for WLAN is proposed to address these security issues. The proposed scheme improves the security mechanisms of IEEE 802.11 and 802.1X by providing a mandatory mutual authentication mechanism between mobile station and access point (AP) based on public key infrastructure (PKI), offering data integrity check and improving data confidentiality with symmetric cipher block chain (CBC) encryption. In addition, this scheme also provides some other new security mechanisms, such as dynamic session key negotiation and multicast key notification. Hence, with these new security mechanisms, it should be much more secure than the original security scheme. Copyright © 2006 John Wiley & Sons, Ltd.     

AuthFlow: authentication and access control mechanism for software defined networking

Software-defined networking (SDN) is being widely adopted by enterprise networks, whereas providing security features in these next generation networks is a challenge. In this article, we present the main security threats in software-defined networking and we propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism just above the MAC layer in an OpenFlow network, which guarantees a low overhead and ensures a fine-grained access control; (ii) a credential-based authentication to perform an access control according to the privilege level of each host, through mapping the host credentials to the set of flows that belongs to the host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field to define forwarding rules. A prototype of the proposed mechanism was implemented on top of POX controller. The results show that AuthFlow denies the access of hosts either without valid credentials or with revoked authorization. Finally, we show that our scheme allows, for each host, different levels of access to network resources according to its credential.     

面向移动IPv6层次化网络的快速接入认证方案

提出了一个面向移动IPv6层次化网络的快速接入认证方案,从效率和安全性2个方面提高移动IPv6层次化网络接入认证的性能。首先,利用向量网络地址编码方法实现网络数据传输,提高家乡注册性能;其次,提出一种基于格的层次化签名方案,在接入认证过程中实现双向认证,提高认证过程的安全性。方案分析表明,所提出的接入认证方案具有强不可伪造性并可以抵御网络中的重放攻击,同时可以减少整个接入认证过程的延迟时间。     

基于PRESENT算法的RFID安全认证协议

物联网中RFID技术的应用非常广泛,但是RFID系统的安全性却存在着很大隐患。在RFID系统中标签与读写器间的通信信道是最易受到攻击,传输数据的完整性与保密性得不到保障,因而需要加强RFID系统通信的安全机制。考虑到RFID系统的硬件条件与成本限制,需要建立一个适合RFID系统的安全认证协议,来解决在RFID系统中信息传输所遇到的安全问题。PRESENT算法是轻量级的分组加密算法,将PRESENT结合到RFID系统的安全认证协议中,形成了新的RFID安全认证协议PRSA(PRESENT based RFID security authentication)。此协议可以增强RFID系统的安全性而又不会占用过多的硬件资源,从而能够适用于低成本的RFID系统的通信安全。