基于手机令牌的移动应用双向身份认证方案研究

随着移动信息化的发展,移动应用的安全问题已成为用户关注的焦点。身份认证存在多种解决方案,其中动态口令技术是目前身份认证问题的最有效解决方案。在分析目前动态口令存在缺陷的基础上,提出了一种改进的基于手机令牌的挑战/应答动态口令身份认证方案,它以指纹作为令牌使用凭证,能双向可信认证,并以分段双通道方式进行加密通信。此外,对新方案进行了安全性分析。分析结果表明该方案具有安全性高、使用简便、成本低的特点,完全满足移动应用通信中安全级别较高的身份认证要求。     

基于手机动态密码的银行卡接入认证系统

传统的银行卡接入认证采取＂卡号＋静态密码＂的方式,由于密码固定,给不法分子提供了窃取用户个人存款的机会。文中提出了一种基于AES算法的动态密码生成机制,并根据此机制设计与实现了一个基于手机动态密码的银行卡接入认证系统。通过实验分析表明,提出的机制生成的动态密码重复率很低,实现了一次一密的动态登录,提高了银行卡接入的安全性。     

远程接入短信动态口令系统的阻塞攻击分析及其对策

动态口令是目前常用于替代静态口令的一种强身份鉴别技术,基于短信的动态口令又是动态口令系统中的一种低成本、易管理的实现模式。远程接入系统认证时常使用短信动态口令来加强对账号安全的保障,目前广泛使用的远程接入短信动态口令系统中,由于动态口令的触发产生机制简单无保护,易于形成阻塞攻击,论文详细分析了短信动态口令的触发机制,并提出一种改进方法,用于降低阻塞攻击对远程访问系统带来的风险。     

一种基于动态口令的FTP双向认证方案

FTP协议是一种简单易用的文件传输协议,应用十分广泛,但它以明文形式传输口令和文件,带有与生俱来的不安全性,随着网络的不断发展应用,FTP已成为政府机关和企事业单位传送信息的一种主要手段,以明文形式传输敏感信息,缺乏有效的身份认证以及安全传输机制等这样的隐患将会给国家和企业造成巨大的损失和危害,因此FTP通信系统的安全性研究显得尤为重要。以构建FTP安全通信系统为背景,分析了传统FTP身份认证的缺陷,对比了当前常用的认证技术。在此基础上,提出了一种结合HASH函数、对称密码机制以及挑战/应答机制的基于动态口令的双向认证方案。最后对该方案进行了性能分析。结果表明：该方案具有保护用户身份信息,防止诸如重放、假冒等常见身份认证攻击,实现双向认证的优点。     

动态口令身份认证机制的研究

基于口令的身份认证机制是目前多数应用系统采用的安全机制,动态口令相较于静态口令具有很多优点,是未来身份认证机制的发展方向。本文以实例剖析动态口令身份认证机制的实现。     

一类密钥同步更新的组合校验认证方法

针对一对多通报关系实体认证与密钥协商应用环境的无线目标身份识别同步认证问题，该文设计了双密钥组合校验定理，提出并证明了交互式动态认证与工作密钥同步更新定理，基于可信标识动态密钥匹配规则构建了密钥同步更新的组合校验认证模型，提出了一类密钥同步更新的组合校验认证方法，给出了双密钥组合校验、消息适度重传、模拟信道信噪比合理仿真等无线目标身份识别协议设计准则，突破了无线目标身份识别协议同步认证难的关键技术，解决了实体认证与密钥协商中实体身份动态认证、工作密钥同步更新难题。以一类无线目标身份识别协议为例，分析说明了该类方法的具体应用。基于串空间理论构造攻击方法给出了该协议的形式化证明，并通过常规攻击方法分析了该协议的实际安全性。与其他交互式密码协议同步认证设计方法相比较，该方法具有动态可认证性，由该方法设计的交互式密码协议同步认证方案，安全性高，计算量小，仅进行一次迭代运算，可应用于大规模复杂环境中的无线目标身份识别。     

一种面向Android机顶盒的家庭网关系统设计

为了使家庭物联网接入以太网,将机顶盒升级为家庭网关。在Android系统上嵌入Web服务器,通过连接ZigBee模块建立并管理无线传感器网络,在应用框架层建立异步消息数据通道完成ZigBee协议与TCP/IP协议转换。在安全性上使用SSL协议和用户口令认证,符合家庭网络信息保密性、完整性、鉴别性的需求。结果表明基于Android系统实现家庭网关可扩展性强、安全性高,为智能家居提供广阔的发展前景。     

基于TEA算法的企业网动态口令安全系统研究

提出一个基于TEA加密算法和短信息动态口令+用户静态口令的企业办公网双因子安全体系系统.该系统通过架构短信息服务器平台,由TEA算法生成动态口令并对其实现加密、解密过程;以短信形式将动态口令发送到用户手机,用户利用收到的动态口令+用户名和用户密码登陆办公网.该系统无须改变企业现有网络架构,可有效验证用户身份的合法性,提高企业办公网的安全性.     

基于可信证书验证代理的无线接入认证方案

PKI认证机制由于效率原因,不宜直接应用于无线网络环境.本文引入可信证书验证代理(TCVP),设计了一个基于公钥密码的无线接入认证协议.该协议中,TCVP基于PKI认证无线移动节点的身份,并为其签发证书有效性凭据(CVT).在无线接入过程中,移动节点仅需出示CVT,即可证明其身份,无需在线验证接入网关证书的有效性,减少了认证协议的消息数量和大小.与SSL和WTLS的对比分析表明,该协议具有更高的效率.     

基于AES的远程访问认证协议

论文提出一种基于AES的口令认证协议。协议不使用公开密钥算法,仅采用AES进行远程用户的身份认证,具有速度快、安全性高的特点,易于采用令牌(Token)或IC卡硬件实现。最后,对认证协议的安全性进行了讨论。     

Openstack authentication protocol based on digital certificate

As the industry standard for open source cloud platforms,openstack uses the single-factor authentication method based on username and password that provides by keystone components to identity authentication mechanism,while it is not suitable for application scenarios with high security level requirements.A digital certificate-based identity authentication protocol which had cloud user identification protocol and authentication protocol was designed to meet the requirements.With expending the keystone component to achieve a digital certificate-based identity authentication system,a combination of authentication server,UKey technology,encryption technology and well-established key management and so on was used.According to the research,the system can effectively resist multiple cyber-attacks and improve the security of cloud users when they log in to the cloud platform.     

协议组合逻辑安全的4G无线网络接入认证方案

针对4G无线网络中移动终端的接入认证问题,基于自证实公钥系统设计了新的安全接入认证方案,并运用协议演绎系统演示了该方案形成的过程和步骤,用协议组合逻辑对该方案的安全属性进行了形式化证明.通过安全性证明和综合分析,表明该方案具有会话认证性和密钥机密性,能抵御伪基站攻击和重放攻击,并能提供不可否认服务和身份隐私性,同时提高了移动终端的接入效率     

On certificate-based security protocols for wireless mobilecommunication systems

Mutual authentication and session key exchange protocols based on certificates for the wireless mobile communication/computing system are proposed. First, two improved versions for the conventional certificate-based systems are proposed, and an offline authentication mechanism based on the dynamic certificate is introduced. Then, an end-to-end internetwork-authenticated session key exchange protocol, which preserves a private communication between two mobile users, is finally proposed. In designing the security protocols proposed, the low computational power of the mobile stations and the low bandwidth of the wireless networks are considered     

Lightweight and provably secure user authentication with anonymity for the global mobility network

Seamless roaming in the global mobility network (GLOMONET) is highly desirable for mobile users, although their proper authentication is challenging. This is because not only are wireless networks susceptible to attacks, but also mobile terminals have limited computational power. Recently, some authentication schemes with anonymity for the GLOMONET have been proposed. This paper shows some security weaknesses in those schemes. Furthermore, a lightweight and provably secure user authentication scheme with anonymity for the GLOMONET is proposed. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, user friendly, no password/verifier table, and use of one‐time session key between mobile user and foreign agent. The security properties of the proposed protocol are formally validated by a model checking tool called AVISPA. Furthermore, as one of the new features in our protocol, it can defend smart card security breaches. Copyright © 2010 John Wiley & Sons, Ltd.     

一种适用于NFC移动设备的双向认证安全方案

近场无线通信(NFC)是一种已经被广泛应用的短距无线通信技术.其中最常见的是将NFC技术应用于移动支付和门禁访问控制等应用.从技术上讲,这些应用利用NFC模拟卡模式将NFC设备模拟成银行卡或门禁卡,然后等待外部阅读器验证.在这类应用场景下,选取合适的安全认证方案是非常重要的.首先,介绍了现有的NFC认证系统和安全方案并分析了系统安全需求和潜在的安全风险.然后,采用Hash、AES和口令Key动态更新机制,提出了一种适用于NFC移动设备的双向认证安全方案,并设计了自同步机制.最后,利用GNY逻辑以形式化证明的形式证明了方案的安全性,分析表明该方案能解决伪造、重放攻击、窃听、篡改、异步攻击等安全问题.     

End-to-End Security Protocol for Mobile Communications with End-User Identification/Authentication

As great progress has been made in mobile communications, many related researches on this topic have been proposed. In most of the proposed protocols so far, it has been assumed that the person using the mobile station is the registrar of the SIM card; as a matter of, the previous protocols for authentication and session key distribution are built upon this assumption. This way, the mobile user can only verify the identity of the owner of the SIM card. This means that the mobile user can only know that who registers the SIM card with which he communicates. Note that the human voice can be forged. To make sure that the speaker at the other end is the right owner of the SIM card, concept of the password is involved to construct the end-to-end security authentication protocol. In the proposed protocol, each mobile user can choose a password. When two mobile users want to communicate with each other, either user can request to perform a end-user identification process. Only when both of the end users input the correct passwords can the correct common session key be established.     

一种改进的双向认证的动态密码

在物联网和电子商务的快速发展下,安全问题日益凸显,首先要解决的就是身份认证问题,而动态密码技术能有效解决这一问题。文中对一动态密码算法进行改进,实现了双向认证。方案基于CPK算法,采用挑战/应答机制,提供更加安全的身份认证。     

Design and Validation of an Efficient Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks

Designing a user authentication protocol with anonymity for the global mobility network (GLOMONET) is a difficult task because wireless networks are susceptible to attacks and each mobile user has limited power, processing and storage resources. In this paper, a secure and lightweight user authentication protocol with anonymity for roaming service in the GLOMONET is proposed. Compared with other related approaches, our proposal has many advantages. Firstly, it uses low-cost functions such as one-way hash functions and exclusive-OR operations to achieve security goals. Having this feature, it is more suitable for battery-powered mobile devices. Secondly, it uses nonces instead of timestamps to avoid the clock synchronization problem. Therefore, an additional clock synchronization mechanism is not needed. Thirdly, it only requires four message exchanges between the user, foreign agent and home agent. Further, the security properties of our protocol are formally validated by a model checking tool called AVISPA. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, no password table, and high efficiency in password authentication. Security and performance analyses show that compared with other related authentication schemes, the proposed scheme is more secure and efficient.     

基于国家标准的SSL VPN安全网关研究与实现

SSL VPN安全网关为传输层和应用层协议提供安全隧道,利用安全隧道技术,在传输层实现互联网网络信息的安全保护,能够利用公共网络为用户建立虚拟的专用网络,提供比专网更加安全的通信信道。SSL VPN安全网关以国家密码管理局审批的密码卡为基础密码器件,为其提供密钥运算、密钥保护、密钥备份恢复等功能;操作系统采用裁剪的Linux系统,同时,严格遵循国家密码管理政策和相关设计规范,实现了基于传输层的SSL VPN安全网关,为各种应用提供了身份认证和安全传输的需求。在政府、金融、运营商、能源、交通等领域具有广泛的用途,有明显的社会效益和经济效益。文章对此展开了分析。