结合信任机制的移动IPv6网络快速跨域认证方法

在移动IPv6(MIPv6)网络中,当移动用户从外地域接入网络时,家乡域和接入域需要协作实现对移动用户的身份认证,各管理域之间存在域问信任关系是域间协作实现用户身份认证的基础,现有MIPv6网络快速认证方法在实施域间认证的过程中忽略了域间信任关系,由于缺乏域问信任而造成的认证失败在整个认证流程结束以后才能被检测到,提出一种结合信任机制的MIPv6网络快速跨域认证方法,其中在预切换阶段考虑移动用户家乡域和接入域之问的信任关系,通过移动用户和接入网络的一次交互实现用户和接入域的有效双向认证,并设计了域间信任关系的动态维护机制,基于组合公钥(CPK)算法设计了网络实体的身份签名和验证方案,用于加速双向认证过程,理论分析和数值分析结果表明,提出的方案比现有方案在减少总认证切换延时和信令开销方面更有效,同时基于CPK算法的安全性,提出的方案在有效实现用户和网络的双向认证的同时可造性.     

基于多层区块链的跨域认证方案

针对现有集中式身份认证方式在物联网应用场景下管理成本高、异构信任域之间的证书管理困难以及跨域认证场景下多信任域难以互相信任的问题,提出了一种基于多层区块链的跨域认证方案.使用本地区块链来进行物联网应用场景下分布式的节点管理,使用公共区块链来进行区块链之间的跨链身份认证,设计了跨域认证协议.针对跨域访问时存在的多个管理域相互信任问题,提出了基于信任度评价的委托权益证明(DPOS)来评估节点的可信度.最后对跨域认证方案进行了安全和效率分析,分析表明该方案在保证较好安全性和有效性的基础上,提升了跨域认证的效率.     

公钥Kerberos的跨域认证研究与性能分析

Kerberos是目前广泛被采用的成熟的认证协议,跨域认证是Kerberos在网络中的应用,实现远距离网络认证功能.传统的Kerberos基于对称密钥加密技术,为了使网络认证更加安全有效,在Kerberos认证过程中采用公钥加密.对kerberos集成公钥跨域认证进行深入研究,并对集成公钥后的Kerberos跨域过程进行模拟环境测试和性能分析.     

PAMM:一种面向基于内存共享的域间通信的优化模型

云计算平台和虚拟化技术的结合为虚拟机域间通信带来了新的需求,基于内存共享的域间通信可以提高运行在同一物理机上的虚拟机间的通信效率。但是,基于内存共享的域间过程中产生的上下文状态切换限制了其优化能力。引入一种新的内存共享模型PAMM,即通过添加一个管理模块对内存共享过程中所传递的内存页进行聚合管理,减少申请超级调用的次数,以达到减少状态切换的目的。实验表明,PAMM能够提升基于内存共享的域间通信的通信效率。     

半虚拟化I/O模型的KVM虚拟机域间通信优化方法

提出了一种半虚拟化网络模型来优化虚拟机域间通信的性能,通过共享内存建立通信通道来打破虚拟机之前的隔离屏障,减少在数据传输过程中的拷贝次数.基于内核虚拟机(kernel-based virtual machine,KVM)半虚拟化框架编程接口的实现方法可以简化设备I/O的模拟,减少特权指令模拟所需的根-非根模式的切换,提...     

基于强匿名多节点分布网络终端跨域认证研究

多节点分布网络中通常存在多种密码体系,导致异构网络跨域终端身份认证管理困难.为了提高终端跨域认证的安全和高效性,设计了一种强匿名终端跨域认证方案.方案为User与CS的双向认证方案,基于跨域认证模型,重点对认证过程进行了优化,将整个认证划分为CS对User的认证阶段、User对CS的认证阶段和会话密钥建立阶段.为提高认证过程的匿名追踪性,针对User设计了授权代理机制,同时代理通过随机数对信息采取盲签名.为降低认证过程中的计算复杂度,利用User与CS自身密钥共同确定会话密钥,并将密钥同时保存于User与CS上.为提高跨域认证的安全性,设计了一种基于共识的可信性计算方法,利用所在域内其它终端的投票,和当前终端的行为共同确定可信性,并引入事务系数防止网络新终端对可信性的干扰.安全性分析结果表明,所提方案能够有效对抗多种攻击,增强跨域认证的隐私性和匿名追踪性,提高信息和资源的安全可信;时间分析结果表明,所提方案能够降低认证过程中的通信和计算开销,有效提升跨域认证效率.     

I/O密集型虚拟机的域间通信优化方法

I/O密集型虚拟机需要频繁地进行域间通信,为解决现有虚拟机域间通信效率低、延迟大的问题,提出一种基于双环形缓冲区的用户域与驱动域域间通信优化方法。在用户域中建立与驱动域共享的双环形缓冲区,由虚拟机监控器依据I/O任务表对驱动域的访问权限进行控制,减少处理器模式切换和内存映射开销。实验结果表明,与原虚拟机域间通信机制相比,使用该优化方法后的域间通信机制具有更高的吞吐率和更低的延迟,大幅提高了用户域与驱动域的域间通信性能。     

基于联盟区块链的V2G网络跨域认证技术研究

针对车辆到电网（Vehicle-to-Grid,V2G）网络所面临的安全威胁,分析了V2G多域网络架构,给出了一个适用于该架构的网络信任模型。基于联盟区块链提出一种V2G网络跨管理域认证方案,通过本域用户与外地域服务器以及外地域服务器与其域内用户的认证实现域间用户双向认证。该方案利用区块链所具有的不易篡改特性,在数字身份验证环节采用哈希算法减少方案中的签名与验证次数,提高了方案的效率和可扩展性。该认证方案中的签名采用基于身份的密码算法SM9,在适应性选择消息攻击下具有存在性不可伪造安全。     

一种新的Hypervisor逻辑域通道设计

UltraSparc T1/T2处理器采用硬件辅助的虚拟化技术,其平台固件Hypervisor实现了虚拟机管理的主要功能。逻辑域通道(Logical Domain Channel)是Hypervisor实现的支持虚拟机间以及虚拟机与Hypervisor间通信的一种机制,其实现简单,但缺乏足够的灵活性。同时,基于逻辑域通道的数据传输需要对传输数据进行拷贝,极大地影响了数据传输性能。本文介绍了一种新的逻辑域通道技术,采用基于描述符的直接数据传递方法,数据经过逻辑域通道时不需要拷贝,其长度也不受逻辑域通道缓冲区大小的限制,实现了虚拟机间灵活高效的数据传递。     

一种基于信任度的跨异构域动态认证机制

为了适应大规模网络环境下异构域认证机制不一致、域间信任关系动态变化的特点,提出了一种基于信任度的跨异构域的动态认证方法,该方法根据交易双方的满意度打分来计算信任值,动态地建立域间信任关系。应用实例表明,该方法能够有效解决跨域认证中域间信任关系的建立问题。     

一种基于H.235协议框架的视频通信安全方案

为保障H.323系统视频通信的安全,需要在H.323框架内使用ITU-T的H.235协议所提供的安全业务。文章首先描述了H.235协议所涉及到的身份认证、数据完整性、媒体流加密、不可否认性等方面的安全服务,然后按照一个视频通信连接建立的顺序讲述H.235协议在各个环节所建议的安全措施,其中着重论述了在H.235框架下提出的身份认证和媒体流加密部分所采取的方案,分别是基于Guillou-Quisquater算法的身份认证方案和基于伪随机序列将宏块置乱的媒体流加密方案,最后介绍了H.235系统中的密钥管理部分。     

基于椭圆曲线密码的智能电网通信认证协议

为了确保通信在智能电网中的安全可靠,越来越多的认证协议被应用在通信过程中。针对Mahmood等（MAHMOOD K,CHAUDHRY S A,NAQVI H,et al.An elliptic curve cryptography based lightweight authentication scheme for smart grid communication.Future Generation Computer Systems,2018,81：557-565）提出的认证协议,指出此协议易受到内部特权人员攻击,缺少更换口令阶段,对用户缺少亲和性,无法保证用户有唯一的用户名,并有一个公式的错误。为改进此协议,提出一个基于椭圆曲线的认证协议。首先,增加用户与设备之间的登录阶段,其次,利用椭圆曲线密码学难题进行信息交互,最后补充口令更换阶段。通过BAN逻辑形式化分析,改进协议安全可行,能抵挡住内部人员攻击,并具有口令更换、用户名唯一、对用户有亲和性的特点。     

Physical layer authentication for automotive cyber physical systems based on modified HB protocol

Automotive cyber physical systems (CPSs) are ever more utilizing wireless technology for V2X communication as a potential way out for challenges regarding collision detection, wire strap up troubles and collision avoidance. However, security is constrained as a result of the energy and performance limitations of modern wireless systems. Accordingly, the need for efficient secret key generation and management mechanism for secured communication among computationally weak wireless devices has motivated the introduction of new authentication protocols. Recently, there has been a great interest in physical layer based secret key generation schemes by utilizing channel reciprocity. Consequently, it is observed that the sequence generated by two communicating parties contain mismatched bits which need to be reconciled by exchanging information over a public channel. This can be an immense security threat as it may let an adversary attain and recover segments of the key in known channel conditions. We proposed Hopper-Blum based physical layer (HB-PL) authentication scheme in which an enhanced physical layer key generation method integrates the Hopper-Blum (HB) authentication protocol. The information collected from the shared channel is used as secret keys for the HB protocol and the mismatched bits are used as the induced noise for learning parity with noise (LPN) problem. The proposed scheme aims to provide a way out for bit reconciliation process without leakage of information over a public channel. Moreover, HB protocol is computationally efficient and simple which helps to reduce the number of exchange messages during the authentication process. We have performed several experiments which show that our proposed design can generate secret keys with improved security strength and high performance in comparison to the current authentication techniques. Our scheme requires less than 55 exchange messages to achieve more than 95% of correct authentication.     

An efficient anonymous authentication protocol in multiple server communication networks (EAAM)

In a multi-server authentication environment, a user only needs to register once at a central registration place before accessing the different services on the different registered servers. Both, from a user point of view as for the management and maintenance of the infrastructure, these types of environments become more and more popular. Smartcard- or smartphone-based approaches lead to more secure systems because they offer two- or three-factor authentication, based on the strict combination of the user’s password, the user’s biometrics and the possession of the device. In this paper, we propose an efficient anonymous authentication protocol in multiple server communication networks, called the EAAM protocol, which is able to establish user anonymity, mutual authentication, and resistance against known security attacks. The novelty of the proposed scheme is that it does not require a secure channel during the registration between the user and the registration center and is resistant to a curious but honest registration system. These features are established in a highly efficient way with the minimum amount of communication flows between user and server during the establishment of the secret shared key and by using light-weight cryptographic techniques such as Chebyshev chaotic map techniques and symmetric key cryptography. The performance and security of the protocol are analyzed and compared with the latest new proposals in this field.     

服务链中可认证的组密钥管理方案*

针对不依赖于专用的硬件设施、网络拓扑结构易变化的服务链进行了研究,提出一种适用于服务链的可认证组密钥管理方案。该方案基于双线性映射的密码体制并结合 门限的思想,采用身份认证的方法,提高了协议的效率和安全性。该方案在实现组密钥更新的同时也实现了服务链中虚拟网络功能间的连接安全,并对其正确性和安全性进行证明。分析结果表明该方案在保证服务链中各实例一定安全的同时,具有轮数少、通信和计算开销小的优点,适合用于服务链的动态密钥管理。     

A novel DNA based password authentication system for global roaming in resource-limited mobile environments

Mobile environments are highly vulnerable to security threats and pose a great challenge for the wireless and mobile networks being used today. Because the mode of a wireless channel is open, these networks do not carry any inherent security and hence are more prone to attacks. Therefore, designing a secure and robust protocol for authentication in a global mobile network is always a challenging. In these networks, it is crucial to provide authentication to establish a secure communication between the Mobile User (MU), Foreign Agent (FA) and Home Agent (HA). In order to secure communication among these entities, a number of authentication protocols have been proposed. The main security flaw of the existing authentication protocols is that attackers have the ability to impersonate a legal user at any time. Moreover, the existing authentication protocols in the literature are exposed to various kind of cryptographic attacks. Besides, the authentication protocols require larger key length and more computation overhead. To remedy these weaknesses in mobility networks, DNA (Deoxyribo Nucleic Acid) based authentication scheme using Hyper Elliptic Curve Cryptosystem (HECC) is introduced. It offers greater security and allows an MU, FA and HA to establish a secure communication channel, in order to exchange the sensitive information over the radio link. The proposed system derive benefit from HECC, which is smaller in terms of key size, more computational efficiency. In addition, the security strength of this authentication system is validated through widely accepted security verification tool called ProVerif. Further, the performance analysis shows that the DNA based authentication system using HECC is secure and practically implementable in the resource-constrained mobility nodes.

     

基于SecOC的车载网络通信安全模型研究

车载电子设备的增加使得车载网络面对越来越多的威胁。车载网络中电子控制单元（ECU）无认证、控制器局域网络（CAN）通信数据无加密等缺陷使得车载网络易遭受重放、ECU注入、中间人伪造消息、窃听等恶意攻击,造成严重后果。针对车载网络面临的威胁,提出一种基于SecOC的车载网络安全通信模型,该模型使用SM4的密码算法与基于Bkake2s的改进密钥管理,实现车载ECU的认证和车载网络消息的加密与认证。最后经过分析与测试,该模型可以保护车载网络安全并更高效。     

移动通信网鉴权认证综述

随着移动通信网技术的演进,网络安全问题日益突出,如何在提供高质量通信服务的同时保护合法用户的隐私不被非法窃取、运营商网络不被入侵成为移动通信安全领域的一个重要问题。用户与网络的相互鉴权是用户和网络彼此判定对方合法性的重要手段,鉴权手段也随着网络演进而不断演进,从历代移动通信网络（GSM、CDMA、UMTS、LTE）鉴权认证技术入手,分析鉴权技术优缺点,并重点剖析了即将商用的第五代（5G）移动通信的鉴权技术、统一认证技术,最后对未来鉴权技术的发展进行了展望。     

An optimized authentication protocol for mobile networks

Practical secure communication of mobile systems with low communication cost has become one of the major research directions. An established public key infrastructure (PKI) provides key management and key distribution mechanisms, which can lead to authentication and secure communication. Adding public key cryptography to Kerberos provides a nice congruence to public key protocols, which can obviate the human users’ burden to manage strong passwords. This paper emphasizes on authentication as a considerable issue related to security. Additionally, an efficient and secure hybrid authentication protocol for large mobile network is proposed. Its infrastructure accommodates explosive growth of the large mobile network. It reduces the communication cost for providing secure network access in inter-domain communication. This method is based on symmetric cryptosystem, PKI, challenge–response and hash chaining.     

An Efficient and Practical Solution to Remote Authentication: Smart Card

The smart card-based scheme is a very promising and practical solution to remote authentication. Compared with other smart card-based schemes, our solution achieves more functionality and requires much less computational cost. These important merits include: (1) there is no verification table; (2) users can freely choose their passwords; (3) the communication cost and the computational cost is very low; and (4) it provides mutual authentication between the user and the server.