Similar literature
Found 20 similar documents; search took 859 ms
1.
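Tan Liang, Zhou Mingtian. 《计算机应用》 (Journal of Computer Applications), 2007, 27(5): 1070-1072
User login authentication is a very important link in establishing the trustworthiness of an operating system. Operating systems use passwords, smart cards, USB keys, and even fingerprint and iris recognition to confirm a user's identity. Besides security risks such as passwords being easily forgotten, guessed, or intercepted, these methods also have problems with the secure storage of identity information and with one-way authentication. Based on the specifications of the trusted computing alliance, this paper analyzes the shortcomings of traditional operating system login authentication and proposes a new login authentication method: trusted user login authentication based on a Trusted Platform Module (TPM). The method attaches an external TPM through the PC's USB interface, stores the user's identity information and related key information in the TPM, and uses USB key technology and dynamic password technology to ensure that the user's identity is genuine and trustworthy. It overcomes the shortcomings of traditional operating system login authentication, supports mutual authentication, and provides a foundation for giving computers stronger security assurance and for further building a trusted computing environment.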

2.
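A CPK-based user login authentication scheme for trusted platforms   Cited by: 1 (self-citations: 0, by others: 1)
User login authentication is a very important link in establishing the trustworthiness of an operating system and is the foundation for building a trusted computing environment. The paper first discusses authentication-related techniques and introduces the principle of CPK (Combined Public Key). Then, following the Trusted Computing Group specifications and using the CPK algorithm and dynamic verification-code technology, it proposes a CPK-based user login authentication scheme for trusted platforms. The scheme is a two-factor authentication scheme that strictly separates authentication from authorization. The paper analyzes the scheme's features and security heuristically, and finally proves the scheme's security under the strand space model, achieving better performance than the scheme referenced in the TCG standard.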

3.
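To address the problem that remote login management in unstable network environments cannot effectively perform secure password authentication and password updates, this paper proposes a network authentication and password update scheme that combines symmetric keys with elliptic curve cryptography (ECC). The main contribution is to remedy some flaws of existing schemes and present an improved scheme. The new scheme comprises four phases: registration, password authentication, password update, and session key distribution, and provides defenses against password guessing attacks, server spoofing attacks, data eavesdropping, and replay attacks. In addition, the proposed scheme can generate a common symmetric key, which requires less processing time than public-key encryption. Experimental results show that the virtual computation time of the scheme is only 2.00035 seconds, and that computational overhead is incurred only for 17 hash, 8 XOR, and 4 point operations.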

4.
Authentication ensures that system's resources are not obtained fraudulently by illegal users. Password authentication is one of the simplest and the most convenient authentication mechanisms over insecure networks. The problem of password authentication in insecure networks is present in many application areas. Since computing resources have grown tremendously, password authentication is more frequently required in areas such as computer networks, wireless networks, remote login, operating systems, and database management systems. Many schemes based on cryptography have been proposed to solve the problem. However, previous schemes are vulnerable to various attacks and are neither efficient nor user-friendly. Users cannot choose and change their passwords at will. In this paper, we propose a new password authentication scheme to achieve all the proposed requirements. Furthermore, our scheme can support the Diffie–Hellman key agreement protocol over insecure networks. Users and the system can use the agreed session key to encrypt/decrypt their communicated messages using the symmetric cryptosystem.

5.
Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but they also require extra effort from users to memorize complex passwords. Seed-based authentication can simplify the process of authentication for mobile users. In seed-based authentication, images can be used as credentials for a mobile app. A seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are more friendly to mobile users. Previous work on seed-based authentication focused on providing authentication from a single device. It is common that a mobile user may have two or more mobile devices. Authenticating the same user on different devices is challenging due to several aspects, such as maintaining the same credential for multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication by 40% at most, compared to single-device solutions.

6.
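Implementation of a simple cross-domain single sign-on system   Cited by: 13 (self-citations: 0, by others: 13)
Multi-site collaborative network applications under a distributed architecture require unified identity authentication and resource access control mechanisms, and a single sign-on system is an essential module for providing this functionality. This paper adopts a lightweight single sign-on solution for the Web environment: a centralized authentication system based on HTTP redirection and tickets, with cross-domain cookie sharing at its core. In the construction of a distributed data resource sharing network, the solution implements cross-domain global login, user authentication, and user authorization across multiple sites. By establishing a standardized login control module and making simple changes to configuration files, scattered network nodes can easily be added to the authentication system, solving single sign-on and resource access control for network nodes.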

7.
To prevent the forged login attacks, Liu et al. recently proposed a new mutual authentication scheme using smart cards. However, we demonstrate that the attacker without any secret information can successfully not only impersonate any user to cheat the server but also impersonate the server to cheat any user. That is, Liu et al.’s scheme fails to defend the forged login attack as the previous version. Our cryptanalysis result is important for security engineers, who are responsible for the design and development of smart card-based user authentication systems.

8.
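The article proposes a mobile secure access scheme. To address the multiple kinds of user authentication involved in mobile secure access, including terminal login, wireless VPDN access, IPSec VPN access, and application access, it adopts unified identity management based on digital certificates and labels users and smartphone terminals with user information, which can improve the manageability and security of the mobile terminal secure access system,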

9.
Access control management for ubiquitous computing   Cited by: 1 (self-citations: 0, by others: 1)
The purpose of ubiquitous computing is anywhere and anytime access to information within computing infrastructures that is blended into a background and no longer be reminded. This ubiquitous computing poses new security challenges while the information can be accessed at anywhere and anytime because it may be applied by criminal users. Additionally, the information may contain private information that cannot be shared by all user communities. Several approaches are developed to protect information for pervasive environments against malicious users. However, ad hoc mechanisms or protocols are typically added in the approaches by compromising disorganized policies or additional components to protect from unauthorized access. In this paper, we present a usage control model to protect services and devices in ubiquitous computing environments, which allows the access restrictions directly on services and object documents. The model not only supports complex constraints for pervasive computing, such as services, devices and data types but also provides a mechanism to build rich reuse relationships between models and objects. Finally, comparisons with related works are analysed.

10.
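The development of cloud computing and mobile smart terminals has greatly changed people's lives and has also made collaborative work more convenient. The collaborative document library in the 科研在线 (Research Online) platform is a cloud-storage-based collaboration tool that provides users with team-oriented document collaboration and management services. This paper designs and implements an iOS-based mobile client for the collaborative document library. System functions are derived from an analysis of user usage scenarios, and the system framework is designed according to the characteristics of mobile applications. The paper describes the implementation of the system mainly in terms of three key technologies: network programming, data caching, and login authentication.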

11.
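With the rapid development of Internet of Things (IoT) technology, the number of smart devices of all kinds has surged, and identity authentication has become the primary requirement for securing the IoT. As a distributed ledger technology, blockchain provides a trustless collaboration environment and a secure data management platform, and using blockchain to drive IoT authentication has become a focus of attention in academia and industry. This paper analyzes the main requirements for designing IoT identity authentication mechanisms under two architectures, cloud computing and cloud-edge collaboration, and summarizes the challenges of applying blockchain technology in IoT scenarios. It reviews existing work on IoT identity authentication mechanisms and classifies it into key-based, certificate-based, and identity-based authentication. It analyzes IoT authentication work that applies blockchain technology and categorizes and summarizes the relevant literature by authentication object and additional attributes. It summarizes security analysis methods for blockchain-based IoT authentication mechanisms from both formal and informal perspectives. Finally, it looks ahead to future research directions.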

12.
In this paper, we propose a secure and efficient user authentication scheme with countable and time-bound features. The countable feature is to limit the use to a certain number of times, which means that the users are able to successfully log into the system in a fixed number of times. The feature of the time-bound allows each login ticket to have a period of expiration. In other words, if a login request is overdue, it would not be available anymore. These features make our scheme more reliable for applications in the field of electronic commerce, such as on-line games, pay-TV, and so on. Since our scheme does not require any password or verification table and can avoid replay attacks, it is under firm security. Moreover, our scheme shows a lower computational overhead on the user side. Therefore, it offers an efficient and adequate alternative for the implementations in the mobile environment with limited computing capability.

13.
Advancing mobile computing technologies are enabling ubiquitous personal computing environment. In this paper, we focus on an important problem in such environment: user mobility. In the case of user mobility, a user is free to access his/her personalized service at anytime, anywhere, through any possible mobile/fixed devices. Providing mobility support in this scenario poses a series of challenges. The most essential problem is to preserve the user's access to the same service despite changes of the accessing host or service provider. Existing system-level mobility solutions are insufficient to address this issue since they are not aware of the application semantics. On the other hand, making each application mobility-aware will greatly increase the development overhead. We argue that the middleware layer is the best place to address this problem. On one hand, it is aware of application semantics. On the other hand, by building application-neutral mobility functions in the middleware layer, we eliminate the need to make each application mobility-aware. In this paper, we design a middleware framework to support user mobility in the ubiquitous computing environment. Its major mobility functions include user-level handoff management and service instantiation across heterogeneous computing platforms. We validate the major mobility functions using our prototype middleware system, and test them on two multimedia applications (Mobile Video Player and Mobile Audio Player). To maximally approximate the real-world user-mobility scenario, we have conducted experiments on a variety of computing platforms and communication paradigms, ranging from T1-connected high-end PC to handheld devices with wireless networks. The results show that our middleware framework is able to provide efficient user mobility support in the heterogeneous computing environment.

14.
In recent decades, the cloud computing contributes a prominent role in health care sector as the patient health records are transferred and collected using cloud computing services. The doctors have switched to cloud computing as it provides multiple advantageous measures including wide storage space and easy availability without any limitations. This necessitates the medical field to be redesigned by cloud technology to preserve information about patient’s critical diseases, electrocardiogram (ECG) reports, and payment details. The proposed work utilizes a hybrid cloud pattern to share Massachusetts Institute of Technology-Beth Israel Hospital (MIT-BIH) resources over the private and public cloud. The stored data are categorized as significant and non-significant by Artificial Neural Networks (ANN). The significant data undergoes encryption by Lagrange key management which automatically generates the key and stores it in the hidden layer. Upon receiving the request from a secondary user, the primary user verifies the authentication of the request and transmits the key via Gmail to the secondary user. Once the key matches the key in the hidden layer, the preserved information will be shared between the users. Due to the enhanced privacy preserving key generation, the proposed work prevents the tracking of keys by malicious users. The outcomes reveal that the introduced work provides improved success rate with reduced computational time.

15.
To protect the remote server from various malicious attacks, many authentication schemes have been proposed. Some schemes have to maintain a password verification table in the remote server for checking the legitimacy of the login users. To overcome potential risks of verification tables, researchers proposed remote user authentication schemes using smartcard, in which the remote server only keeps a secret key for computing the user’s passwords and does not need any verification table for verifying legal user. In 2003 Shen, Lin, and Hwang proposed a timestamp-based password authentication scheme using smartcards in which the remote server does not need to store the passwords or verification table for user authentication. Unfortunately, this scheme is vulnerable to some deadly attacks. In this paper, we analyze a few attacks and finally propose an improved timestamp-based remote user authentication scheme. The modified scheme is more efficient and secure than the original scheme.

16.
Remote login authentication scheme based on a geometric approach   Cited by: 8 (self-citations: 0, by others: 8)
A smart card-oriented remote login authentication scheme is presented. The proposed scheme can be divided into three phases: registration, login and authentication. In the registration phase, the registering user chooses a password only known to himself. The central authority (CA) assigns an identity for the user, and delivers a smart card to the registered user. The smart card contains some necessary public parameters used in the login and authentication phases. Based on some simple properties of Euclidean geometry, the login and authentication phases can be achieved easily. Impersonation and replay attacks on the proposed scheme are discussed.

17.
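Trust authentication for pervasive computing   Cited by: 1 (self-citations: 0, by others: 1)
In a pervasive computing environment, users can access resources and obtain services at any time and in any place. However, this ubiquitous and mobile environment brings new security problems. Resource owners and requesters generally do not know each other. Authentication is the cornerstone of security; without it, the confidentiality, integrity, and availability of a system are all affected. Traditional authentication, however, is identity-based and is not suited to authenticating unfamiliar entities in a pervasive environment. After analyzing the authentication requirements of pervasive computing, this paper points out that in a pervasive computing environment a trust relationship should first be established between unfamiliar entities, after which almost any standard key exchange protocol can be used for secure authentication. It proposes using resource-constrained trust negotiation to establish trust between strangers. Because this avoids the computational burden of a large number of public-key cryptographic operations, it is well suited to establishing trust between devices with limited computing power.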

18.
Much of the ongoing research in ubiquitous computing has concentrated on providing context information, e.g. location information, to the level of services and applications. Typically, mobile clients obtain location information from their environment which is used to provide “locally optimal” services. In contrast, it may be of interest to obtain information about the current context a mobile user or device is in, from a client somewhere on the Web, i.e. to use the mobile device as an information provider for Internet clients. As an instance of such services we propose the metaphor of a “location-aware” Web homepage of mobile users providing information about, e.g. the current location a mobile user is at. Requesting this homepage can be as easy as typing a URL containing the mobile user's phone number such as http://mhp.net/+49123456789 in an off-the-shelf browser. The homepage is dynamically constructed as Web users access it and it can be configured in various ways that are controlled by the mobile user. We present the architecture and implementation and discuss issues around this example of “inverse” ubiquitous computing.

19.
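A security model for elastic applications on resource-constrained devices is established based on cloud computing resources. The paper first introduces an elastic application composed of one or more Weblets; each Weblet can be launched on the mobile device or in the cloud, and Weblets can migrate according to dynamic changes in the computing environment or the user's configuration. It analyzes the security of this model and proposes a security design model for elastic applications, covering authentication between the mobile device and the cloud where Weblets run, secure session management, and access to services over external networks. The model solves the problems of secure migration between Weblets and of authorizing cloud Weblets to access sensitive user data over the external Web. The scheme can be applied in cloud computing scenarios such as application integration between private and public clouds in enterprise environments.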

20.
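Qi Zhiyong, Chang Paipai. 《计算机科学》 (Computer Science), 2011, 38(3): 179-181, 202
Service provision and user interface adaptation are important research topics in pervasive computing. The services provided by embedded systems play an important supporting role for pervasive computing services; pervasive computing tasks that obtain services for users also need adaptive user interfaces to display service items, and the adaptive interface of an embedded system is a suitable choice. However, traditional embedded system service software cannot achieve these goals well. To address the shortcomings of the traditional embedded system service model, the paper first summarizes the hardware structure of embedded systems oriented toward pervasive computing and names this structure the computing element. It then proposes a new service provision model for embedded systems that unifies the standard information format for user context interaction. Finally, it studies the implementation of the service model.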
