Similar literature
20 similar documents found; search took 31 ms.
1.
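The emergence of pervasive computing poses new challenges for security and privacy in network communication, and traditional authentication techniques can no longer meet the security requirements of pervasive environments. A mechanism is proposed for mutual authentication and key establishment between service users and service providers in pervasive environments. The mechanism tightly integrates biometric encryption with Diffie-Hellman key exchange and completes mutual authentication without disclosing user privacy. It provides a secure key establishment algorithm and, through biometric encryption, supports differentiated access control policies. Analysis shows that the protocol resists a range of attacks well, in particular denial-of-service (DoS) attacks.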

2.
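To protect the confidentiality of user data and user privacy in cloud storage systems, a multi-authority secure cloud storage access control scheme is proposed that combines attribute-based encryption with the XACML framework. CP-ABE encryption ensures the confidentiality of user data, and the XACML framework implements attribute-based fine-grained access control. User data in the cloud storage system is encrypted with a symmetric encryption mechanism, and the symmetric key is encrypted with CP-ABE. Simulation experiments show that the scheme is efficient, flexible and secure. Security analysis shows that the scheme resists collusion attacks and provides data confidentiality as well as backward and forward secrecy.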

3.
In the light of recent security incidents, leading to compromise of services using single factor authentication mechanisms, industry and academia researchers are actively investigating novel multi-factor authentication schemes. Moreover, exposure of unprotected authentication data is a high risk threat for organizations with online presence. The challenge is how to ensure security of multi-factor authentication data without deteriorating the performance of an identity verification system? To solve this problem, we present a novel framework that applies random projections to biometric data (inherence factor), using secure keys derived from passwords (knowledge factor), to generate inherently secure, efficient and revocable/renewable biometric templates for users' verification. We evaluate the security strength of the framework against possible attacks by adversaries. We also undertake a case study of deploying the proposed framework in a two-factor authentication setup that uses users' passwords and dynamic handwritten signatures. Our system preserves the important biometric information even when the user specific password is compromised – a highly desirable feature but not existent in the state-of-the-art transformation techniques. We have evaluated the performance of the framework on three publicly available signature datasets. The results prove that the proposed framework does not undermine the discriminating features of genuine and forged signatures and the verification performance is comparable to that of the state-of-the-art benchmark results.

4.

Biometric security is a fast growing area that has gained increasing interest in the last decades. Digital encryption and hiding techniques provide an efficient solution to protect biometric data from accidental or intentional attacks. In this paper, a highly secure encryption/hiding scheme is proposed to ensure secure transmission of biometric data in multimodal biometric identification/authentication system. The secret fingerprint and iris vectors are sparsely approximated using accelerated iterative hard thresholding technique and then embedded in the host Slantlet-SVD domain of face image. Experiments demonstrate the efficiency of our technique for both encryption and hiding purposes, where the secret biometric information is well encrypted and still extractable with high fidelity even though the carrier image is seriously corrupted. Our experimental results show the efficiency of the proposed technique in terms of robustness to attacks, invisibility, and security.

5.
Biometric authentication systems represent a valid alternative to the conventional username–password based approach for user authentication. However, authentication systems composed of a biometric reader, a smartcard reader, and a networked workstation which perform user authentication via software algorithms have been found to be vulnerable in two areas: firstly in their communication channels between readers and workstation (communication attacks) and secondly through their processing algorithms and/or matching results overriding (replay attacks, confidentiality and integrity threats related to the stored information of the networked workstation). In this paper, a full hardware access point for HPC environments is proposed. The access point is composed of a fingerprint scanner, a smartcard reader, and a hardware core for fingerprint processing and matching. The hardware processing core can be described as a Handel-C algorithmic-like hardware programming language and prototyped via a Field Programmable Gate Array (FPGA) based board. The known indexes False Acceptance Rate (FAR) and False Rejection Rate (FRR) have been used to test the prototype authentication accuracy. Experimental trials conducted on several fingerprint DBs show that the hardware prototype achieves a working point with FAR=1.07% and FRR=8.33% on a proprietary DB which was acquired via a capacitive scanner, a working point with FAR=0.66% and FRR=6.13% on a proprietary DB which was acquired via an optical scanner, and a working point with FAR=1.52% and FRR=9.64% on the official FVC2002_DB2B database. In the best case scenario (depending on fingerprint image size), the execution time of the proposed recognizer is 183.32 ms.

6.
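SSH2 is a protocol suite for encrypted information transfer. It encrypts all network traffic, effectively defends against network attacks such as sniffing, and protects information in transit across the network. This article describes how to use Xlight to set up an SFTP server on a network with SSH2 key-based authentication, and how to log in and access it.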

7.
Cloud storage is an incipient technology in today’s world. Lack of security in cloud environment is one of the primary challenges faced these days. This scenario poses new security issues and it forms the crux of the current work. The current study proposes Secure Interactional Proof System (SIPS) to address this challenge. This methodology has a few key essential components listed herewith to strengthen the security such as authentication, confidentiality, access control, integrity and the group of components such as AVK Scheme (Access List, Verifier and Key Generator). It is challenging for every user to prove their identity to the verifier who maintains the access list. Verification is conducted by following Guillou-Quisquater protocol which determines the security level of the user in multi-step authentication process. Here, RSA algorithm performs the key generation process while the proposed methodology provides data integrity as well as confidentiality using asymmetric encryption. Various methodological operations such as time consumption have been used as performance evaluators in the proposed SIPS protocol. The proposed solution provides a secure system for firm data sharing in cloud environment with confidentiality, authentication and access control. Stochastic Timed Petri Net (STPN) evaluation tool was used to verify and prove the formal analysis of SIPS methodology. This evidence established the effectiveness of the proposed methodology in secure data sharing in cloud environment.

8.
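Because of the high mobility of pervasive computing, the two communicating parties are often located in different domains. To ensure legitimate access to services and secure message transmission, cross-domain authentication and secure session key establishment are required. A new cross-domain authentication and key establishment protocol is proposed. The protocol uses biometric encryption to eliminate the burden of certificate management, carefully designs the interactions between the two communicating parties and their respective servers, achieves cross-domain mutual authentication, and uses signcryption to derive keys for the two parties. The security and performance of the protocol are analysed, and its correctness is proved using the classical SVO logic.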

9.
Agent communities are self-organized virtual spaces consisting of a large number of agents and their dynamic environments. Within a community, agents group together offering special e-services for effective, reliable, and mutual benefits. Usually, an agent community is composed of specialized agents performing one or more tasks in a single domain/sub-domain, or in highly intersecting domains. However, secure Multi-Agent Systems require severe mechanisms in order to prevent malicious attacks. Several limits affect existing secure agent platforms, such as the lack of a strong authentication system, the lack of a flexible distributed mechanism for access control and the lack of a system for storing past behaviors of agent/user. Biometric owner agents authentication, agent/users policies to regulate agent's behavior and actions, and agent/users reputation level to select trusted agents can be used to overcome the above limits and enhance the level of security for these applications. In this paper an extended JADE-S based framework for developing secure Multi-Agent Systems is proposed. The framework functionalities are extended by self-contained FPGA biometric sensors providing secure and fast user authentication service. Each agent owner, by means of biometric authentication, acquires his/her own X.509v3 digital certificate. Policy files and a flexible, fast distributed Access Control Mechanism can regulate behavior and actions of any users/agent inside the platform. In addition, a mechanism based on the agent reputation is used: reputation is an attribute associated to each owner and/or agent on the basis of its past behavior and integrity. In order to prove the feasibility of the proposed framework, we have developed a multi-agent e-Banking system. System goal deals with e-Banking services such as bank account statements, account transactions and so on. In the paper, the experimental features of the biometric self-contained sensors are also outlined.

10.
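A comprehensive database security architecture is proposed. Drawing on cryptography, the architecture includes an encryption and authentication module that provides data integrity and confidentiality and ensures the legitimacy of the source data. The architecture also has single-error detection and correction capability; correcting single errors allows it to tolerate errors during data transmission, achieving intrusion tolerance at the external level of the database. The internal tolerance module gives an intrusion-tolerance-based internal database structure, which improves the flexibility of the database and its ability to withstand intrusion. The system provides not only intrusion tolerance but also encryption and authentication, and is suitable for fields with high security requirements.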

11.
Biometrics is one of the ways for human authentication. Fabrication of biometrics by intruders limits the accuracy of authentication. The user-specific keys (i.e., pseudo-random numbers) give more security for biometric template protection and also increase the accuracy of authentication. The user-specific token or keys can also be fabricated by intruders by any of the prediction methods. To avoid the creation of fake biometric and fake user-specific keys, a device-specific Physical Unclonable Function (PUF) is proposed. In this article, iris authentication is provided by unclonable PUF-based true random numbers to enhance the unique authentication. Nonreversible Message Authentication Codes (MAC) are developed using PUF and Discrete Wavelet Transform features of iris biometrics. Systematically, MAC codes are also created with an encryption algorithm. Encryption additionally provides confidentiality for the individual iris. Experiments are done with CUHK Iris Image Dataset. Proposed Bio-PUF system has significant functional advantages in point of view of the unclonable pseudo-random number from PUF. Experimentally, Avalanche effect, entropy, NCPR, and UACI parameters are analyzed with PUF-based crypt functions. For 75% of matching with the Bio-PUF-MAC codes with enrolment, the accuracy for correct identification is 77.73%.

12.
The InfiniBand architecture (IBA) is a promising communication standard for building clusters and system area networks. However, the IBA specification has left out security aspects, resulting in potential security vulnerabilities, which could be exploited with moderate effort. In this paper, we view these vulnerabilities from three classical security aspects - confidentiality, authentication, and availability - and investigate the following security issues. First, as groundwork for secure services in IBA, we present partition-level and queue-pair-level key management schemes, both of which can be easily integrated into IBA. Second, for confidentiality and authentication, we present a method to incorporate a scalable encryption and authentication algorithm into IBA, with little performance overhead. Third, for better availability, we propose a stateful ingress filtering mechanism to block denial-of-service (DoS) attacks. Finally, to further improve the availability, we provide a scalable packet marking method tracing back DoS attacks. Simulation results of an IBA network show that the security performance overhead due to encryption/authentication on network latency ranges from 0.7 percent to 12.4 percent. Since the stateful ingress filtering is enabled only when a DoS attack is active, there is no performance overhead in a normal situation.

13.
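To address the problem that existing secure access schemes for IoT devices are unsuitable for resource-constrained IoT devices, a tPUF-based secure access scheme for IoT devices is proposed. Using Physical Unclonable Function (PUF) technology, the IoT device does not need to store any secret information, and mutual authentication between the device and the authenticator as well as session key agreement are achieved. Using Trusted Network Connect (TNC) technology, the authenticator performs identity authentication, platform identity authentication and integrity authentication of the IoT device. Security analysis shows that the scheme effectively resists tampering, cloning, physical attacks and the like. Experimental results show that, compared with other schemes, this scheme significantly reduces device resource overhead.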

14.
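Research progress of blockchain in the field of data security   Cited by: 2 in total (self-citations: 0, citations by others: 2)
In the big data era, data has become an important asset driving social development. However, throughout its life cycle data faces security threats of different kinds and at different levels, which greatly reduces users' willingness to share data. Blockchain has the security properties of decentralization, trustlessness and tamper resistance, offers an important approach to reducing the single-point risk of information systems, and can be applied to the field of data security. Starting from the core properties of data security, this paper introduces blockchain in enhancing data confidentiality, ...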

15.
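Jin Chunhua, Xie Run. Application Research of Computers, 2022, 39(2): 577-581+586
To address the security and privacy problems in existing wireless body area networks (WBANs), and to make full use of the advantages of biometrics to secure data communication within WBANs, an identity-based privacy-preserving technique with biometric features is proposed for the first time, and a new access control method for WBANs is then built on this technique. In terms of security, the scheme is provably secure in the random oracle model and provides confidentiality, authentication, integrity, non-repudiation and anonymity. In terms of performance, compared with existing schemes, the proposed scheme has advantages in both computational and communication overhead.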

16.
As biometric systems become ubiquitous in the domain of personal authentication, it is of utmost importance that these systems are secured against attacks. Among various types of attacks on biometric systems, the presentation attack, which involves presenting a fake copy (artefact) of the real biometric to the biometric sensor to gain illegitimate access, is the most common one. Despite the serious threat posed by these attacks, not much work has been done to address this vulnerability in palmprint-based biometric systems. This paper demonstrates the vulnerability of a palmprint verification system to presentation attacks and proposes a novel presentation attack detection (PAD) approach to discriminating between real biometric samples and artefacts. The proposed PAD approach is inspired by a work that established relationship between the surface reflectance and a set of statistical features extracted from the image. Specifically, statistical features computed from the distributions of pixel intensities, sub-band wavelet coefficients and the grey-level co-occurrence matrix form the original feature set, and CFS-based feature selection approach selects the most discriminating feature subset. A trained binary classifier utilizes the selected feature subset to determine whether the acquired image is of real hand or an artefact. For performance evaluation, an antispoofing database—PALMspoof has been developed. This database comprises left- and right-hand images of 104 subjects, and three kinds of artefacts generated from these images. In addition to PALMspoof database, the biometric system’s vulnerability has been assessed on display and print artefacts generated from two publicly available palmprint datasets. 
Our experimental results show that 1) the palmprint verification system is highly vulnerable with spoof acceptance of 84.56%; 2) the proposed PAD approach is effective against both print and display attacks, in both same-device and cross-device scenarios; and 3) the proposed approach for PAD provides an average improvement of 12.73 percentage points in classification error rate over local binary pattern (LBP)-based PAD approach.

17.
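Secure data aggregation in sensor networks   Cited by: 2 in total (self-citations: 2, citations by others: 0)
The goal of secure data aggregation is to achieve end-to-end confidentiality and authenticity of the data sensed by sensor nodes while aggregating the data. End-to-end confidentiality is generally ensured by privacy homomorphic encryption. To address the conflict between end-to-end authenticity and data aggregation, and given that homomorphic authentication is not applicable to the multi-source, multi-message setting, a secure data aggregation authentication scheme is constructed using symmetric encryption to achieve end-to-end authenticity. Combining this aggregation authentication scheme with a privacy homomorphic encryption scheme, a secure data aggregation protocol is constructed. Security analysis shows that the protocol ensures end-to-end confidentiality and authenticity of the sensed data while aggregating it.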

18.
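Smart homes use IoT technology to provide users with automated intelligent services, but the traditional centralized architecture has security problems such as confidentiality and integrity, while existing distributed architectures suffer from repeated authentication and high latency. To address these problems, a smart home authentication and access control scheme is proposed based on blockchain and elliptic curve integrated encryption, and edge computing is introduced to reduce system latency. Capability-based access control is combined with blockchain: capability tokens are stored on the blockchain and corresponding smart contracts are designed to implement secure access control. Security analysis shows that the scheme has security properties such as decentralization, tamper resistance, confidentiality, integrity and scalability. The scheme is simulated on the Ethereum blockchain and its performance is evaluated in terms of computational overhead, communication overhead and response time. The evaluation results show that, compared with other schemes, this scheme has lower computational and communication overhead and shorter response time, giving it a clear advantage.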

19.
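A secure architecture design for wireless sensor nodes   Cited by: 3 in total (self-citations: 0, citations by others: 3)
A system architecture is proposed to improve the security of sensor nodes in wireless sensor networks. By adding a secure storage module to the sensor node, it reliably guarantees the confidentiality and integrity of the key information stored in the node and can effectively verify the legitimacy of critical applications on the node, thereby ensuring the effectiveness and robustness of the security protocols and authentication schemes in the sensor network. Compared with a traditional sensor node, the cost of the node increases only slightly, while the security of the sensor node and the sensor network is greatly improved.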

20.
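Design of a security architecture model for active networks   Cited by: 10 in total (self-citations: 1, citations by others: 10)
Xia Zhengyou, Zhang Shiyong. Journal of Software, 2002, 13(8): 1352-1360
Introduces the assumption model and threat model of an active network security system. Based on these models and the security needs of active networks, a security architecture model is proposed. The security model includes authorization, authentication, integrity checking and encryption. Encryption and digital signatures are used to protect the integrity of active network packets, and authorization and policy are used to block illegal access as well as resource requests and actions by active nodes.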
