An efficient dynamic-identity based signature scheme for secure network coding

The network coding based applications are vulnerable to possible malicious pollution attacks. Signature schemes have been well-recognized as the most effective approach to address this security issue. However, existing homomorphic signature schemes for network coding either incur high transmission/computation overhead, or are vulnerable to random forgery attacks. In this paper, we propose a novel dynamic-identity based signature scheme for network coding by signing linear vector subspaces. The scheme can rapidly detect/drop the packets that are generated from pollution attacks, and efficiently thwart random forgery attack. By employing fast packet-based and generation-based batch verification approaches, a forwarding node can verify multiple received packets synchronously with dramatically reduced total verification cost. In addition, the proposed scheme provides one-way identity authentication without requiring any extra secure channels or separate certificates, so that the transmission cost can be significantly reduced. Simulation results demonstrate the practicality and efficiency of the proposed schemes.     

多源网络编码同态签名方案*

由于网络编码的系统很容易受到污染攻击,提出了一个适用于多源网络编码应对污染攻击的同态签名方案.该方案使用了同态哈希函数,能够阻止恶意修改的数据分组.被污染的数据分组会被验证者丢弃,从而保证了系统的安全性.该方案是同态的且是为多源网络编码特别设计的,与文件和分组的大小无关,而且方案中的公钥和每个分组的开销是常量.     

一种安全的多源网络编码签名算法

网络编码已被证明在提高网络传输速率、减少网络拥塞、增强网络可靠性以及降低结点能耗等方面有着巨大优势,因此可被广泛用于计算机网络、无线传感器网络以及p2p系统中。但是,网络编码也面临着多方面的安全威胁,其中污染攻击是其最主要的安全威胁之一。目前,绝大部分的签名方案均只能适用于对单源网络编码中的污染攻击,无法满足普遍存在的多源网络编码的安全要求。对多源网络编码中的污染攻击进行了更深入的分析,给出了安全的多源网络编码所需要满足的条件,提出了一个安全高效的多源网络编码签名算法来预防网络中的污染攻击,该算法可以满足多源网络编码的全部安全要求。     

Short signature scheme for multi-source network coding

It has been proven that network coding can provide significant benefits to networks. However, network coding is very vulnerable to pollution attacks. In recent years, many schemes have been designed to defend against these attacks, but as far as we know almost all of them are inapplicable for multi-source network coding system. This paper proposed a novel homomorphic signature scheme based on bilinear pairings to stand against pollution attacks for multi-source network coding, which has a broader application background than single-source network coding. Our signatures are publicly verifiable and the public keys are independent of the files so that our scheme can be used to authenticate multiple files without having to update public keys. The signature length of our proposed scheme is as short as the shortest signatures of a single-source network coding. The verification speed of our scheme is faster than those signature schemes based on elliptic curves in the single-source network.     

基于数字签名的防污染网络编码方案

网络编码技术对于提高网络吞吐量、均衡网络负载、提高带宽利用率、增强网络的鲁棒性等方面都有明显的优势,但是无法直接抵抗污染攻击.最近,学者提出了基于同态哈希函数的签名方案,可以较好检测污染攻击,但是很难定位被污染的节点.本文结合两者的优势提出了一个基于数字签名的网络编码方案,该方案不仅能够抵抗污染攻击,而且能有效地确定出攻击源的位置,从而降低污染攻击对网络造成的影响,并提升网络的健壮性.     

An efficient homomorphic MAC-based scheme against data and tag pollution attacks in network coding-enabled wireless networks

Recent research efforts have shown that wireless networks can benefit from network coding (NC) technology in terms of bandwidth, robustness to packet losses, delay and energy consumption. However, NC-enabled wireless networks are susceptible to a severe security threat, known as data pollution attack, where a malicious node injects into the network polluted packets that prevent the destination nodes from decoding correctly. Due to recoding, occurred at the intermediate nodes, according to the core principle of NC, the polluted packets propagate quickly into other packets and corrupt bunches of legitimate packets leading to network resource waste. Hence, a lot of research effort has been devoted to schemes against data pollution attacks. Homomorphic MAC-based schemes are a promising solution against data pollution attacks. However, most of them are susceptible to a new type of pollution attack, called tag pollution attack, where an adversary node randomly modifies tags appended to the end of the transmitted packets. Therefore, in this paper, we propose an efficient homomorphic message authentication code-based scheme, called HMAC, providing resistance against data pollution attacks and tag pollution attacks in NC-enabled wireless networks. Our proposed scheme makes use of three types of homomorphic tags (i.e., MACs, D-MACs and one signature) which are appended to the end of the coded packet. Our results show that the proposed HMAC scheme is more efficient compared to other competitive tag pollution immune schemes in terms of complexity, communication overhead and key storage overhead.     

Adaptive approach to restraining content pollution in peer-to-peer networks

Peer-to-Peer (P2P) networks face the challenge of frequent pollution attacks. In such attacks, malicious peers pollute the network by sharing mislabeled, corrupt or infected content in an attempt to disrupt the system and waste network resources. When faced by such phenomenon, regular peers get discouraged from participating in the P2P network as they find less value in the system. In this work, we investigate the amount of resources required to restrain pollution attacks by means of content validation. We introduce multiple adaptive techniques that can minimize the spread of polluted content, while at the same time reduce the cost of content validation for peers participating in the network. Furthermore, the proposed pollution-restraint techniques are resistant to collusion from malicious peers, and they do not contribute to excessive communication overhead in the P2P network.     

一种可确认身份的网络编码签名方案

网络编码理论的提出在提高网络吞吐量、构建网络的鲁棒性等方面都有着明显的优势,但是极易受到污染攻击。很多学者提出了使用同态函数的性质来构造安全方案,能够有效地抵抗污染攻击。但是很少能够确定出污染攻击所发生的网络节点。针对确定污染攻击所发生的节点问题,设计出一个基于同态哈希函数的签名方案,能够抵抗污染攻击并有效地确定出攻击所发生的节点位置。     

延迟容忍网络的安全网络编码方案

当前针对污染攻击的解决方案需要公钥基础设施支持,但这对于移动Ad hoc网络而言并不可取,因此提出了无需公钥基础设施的网络编码方案。所提方案允许数据包相互验证,从而使中间节点可判断这些包是否可以未经源验证即可共同编码。分析和比较了其他签名方案,表明无需公钥的网络编码签名功能足以防止污染攻击。     

基于RSA的多源网络编码签名方案

由于网络编码极易遭受污染攻击的破坏,文中基于RSA问题的难解性提出了一种适用于多源网络编码同态签名方案,以应对污染攻击和重放攻击.该方案能够阻止恶意修改的数据分组,被污染的数据分组会被验证者丢弃,从而保证了系统的安全性.由于方案是为多源网络编码设计的,不需要额外的安全信道,且采用线性计算,大大降低了对结点计算能力的要求,节省了结点的验证时间.此外,通过引入消息代序号,该方案可以防止代间重放攻击.     

一种节点信誉相关的P2P网络信任管理模型

现有的P2P系统中存在大量的欺诈行为和不可靠的服务.本文通过模拟社会关系网络中信任的形成机制,提出P2P网络信任管理模型TMMRN,TMMRN通过考察节点的信誉值来进行安全交易,节点的信誉主要来自于其他节点对它的加权信任反馈,在信誉计算中增加了激励机制.TMMRN还可减少交易时的网络负担.实验表明TMMRN可提高信誉值的计算效率,能有效抵抗恶意节点的攻击,还可激励懒惰节点主动参与到系统中来.     

一种基于差评散布的P2P网络信任机制

面对各种网络攻击,P2P网络需要有效的信任机制隔离恶意节点,保证节点的成功交易。考虑节点行为特征和差评的重要性,提出基于差评散布的信任机制。服务节点一旦提供的服务被给出差评,对其近期交易的相关节点进行差评的散布,加大差评对服务节点声誉的影响力度。经过二次计算的节点声誉值能真实反映节点近期的声誉水平与交易趋势。实验结果表明,该信任机制能保证正常节点的交易成功率,有效对抗各种攻击行为。     

Detection and mitigation of localized attacks in a widely deployed P2P network

Several large scale P2P networks operating on the Internet are based on a Distributed Hash Table. These networks offer valuable services, but they all suffer from a critical issue allowing malicious nodes to be inserted in specific places on the DHT for undesirable purposes (monitoring, distributed denial of service, pollution, etc.). While several attacks and attack scenarios have been documented, few studies have measured the actual deployment of such attacks and none of the documented countermeasures have been tested for compatibility with an already deployed network. In this article, we focus on the KAD network. Based on large scale monitoring campaigns, we show that the world-wide deployed KAD network suffers large number of suspicious insertions around shared contents and we quantify them. To cope with these peers, we propose a new efficient protection algorithm based on analyzing the distribution of the peers’ ID found around an entry after a DHT lookup. We evaluate our solution and show that it detects the most efficient configurations of inserted peers with a very small false-negative rate, and that the countermeasures successfully filter almost all the suspicious peers. We demonstrate the direct applicability of our approach by implementing and testing our solution in real P2P networks.     

P2P文件共享系统中的分组信誉驱动机制

在P2P文件共享系统中,常会出现许多有策略的欺骗行为,而现有的信任模型并不能完全消除交易的风险。综合局部信任机制和全局信任机制,根据节点间相关的共享记录数据提出一种新的信誉计算方法,并进一步提出受信誉驱动的分组组织管理和节点搜索算法。仿真结果证明该信誉驱动机制能搜索到信誉值高的节点作为交易对象,并能有效降低系统面对合谋恶意节点和具有交易策略的恶意节点攻击时的交易风险。     

P2P网络的恶意节点检测模型

为了解决分布式结构给P2P网络带来的安全问题,提出了一种适用于P2P网络的恶意节点检测机制,在此基础上设计了P2P网络恶意节点检测模型。在网络中定义针对不同攻击的节点行为规范(NBS),并根据NBS对节点之间发送的消息进行比较,找出与多数节点发送消息具有不同内容的节点,定义为恶意节点,然后利用分布式证书机制将恶意节点清除出网络。实验结果表明,该机制具有较好的可靠性和有效性。     

两种门限签名方案在点对点电子商务中的应用

在JXTA协议基础上,针对基于松散一致结构化的点对点电子商务网络中,缺少可信中心和可能存在恶意节点的情况下,考虑对节点进行可信性分析是建立授权等服务的重要环节,提出在系统中应用RSA和DSA门限签名算法,以适应网络动态性强等特点的节点认证和访问控制方案,从而能够抵抗合谋等攻击,理论分析证明增强了系统安全性.模拟实验表明,门限方案提高了系统对节点识别的效率和认证的准确度,同时比较了门限RSA方案和门限DSA方案的运行效率.     

抗合谋攻击的服务器辅助验证签名方案

服务器辅助验证签名能有效降低签名验证的计算量,非常适用于计算能力较弱的低端计算设备,但大多数标准模型下的服务器辅助验证签名方案不能抵抗服务器和签名者的合谋攻击。为了改进服务器辅助验证签名方案的安全性能,提出了一个新的服务器辅助验证签名方案,并在标准模型下证明了新方案在合谋攻击和选择消息攻击下是安全的。分析结果表明,新方案有效减少了双线性对的计算量,大大降低了签名验证算法的计算复杂度,在效率上优于已有的同类签名方案。     

P2P文件污染与防御

文件污染是P2P文件共享系统面临的主要安全威胁之一。由于没有中心机构监督用户行为及其共享的内容,恶意节点可以通过P2P传播病毒,木马等恶意内容,这些行为严重影响了P2P文件共享的系统性能。本文对P2P文件污染的研究现状进行综述,调查现有P2P系统中存在的文件污染现象及防御方法,分析了目前防御机制面临的问题。     

基于信任的P2P拓扑进化机制

现有的非结构Peer-to-Peer(P2P)系统缺乏对拓扑公平性的考虑,并且不能对某些节点的恶意行为进行有效的抑制。其主要原因在于构造的拓扑对节点信任度的不敏感性,忽略了P2P网络中各节点的异构性。据此,首先给出了基于反馈可信度的节点全局信任度计算模型,然后在此基础上提出了一种针对非结构化P2P网络的自适应拓扑进化机制。利用该机制,可使高可信节点占据拓扑的有利位置,低可信节点处于不利位置,从而体现拓扑的公平性。该机制同时能够对节点的恶意行为进行有效的抑制,并具有激励性质,鼓励节点提供更好的服务,以获得更高的响应率。分析和仿真结果表明,该机制较之现有机制,在拓扑的有效性和激励性上有较大的提高。     

基于P2P网络的可验证门限群签名方案

对所有的计算机系统而言,安全都是一个非常关键的问题,P2P对等网络系统也不例外.门限签名是一类重要的数字签名,目前常见的门限群签名方案最大的弱点是当恶意成员不小于门限时,能以高概率获取系统秘密,并由此伪造签名.提出一种基于P2P网络的可验证门限群签名方案,该方案的安全性基于求离散对数和RSA大整数因式分解,群内成员合谋无法获得系统秘密参数,从而可以抵制合谋攻击.