Similar literature
1.
Recently, Peyravian and Zunic proposed remote password authentication schemes based only on a collision-resistant hash function. The schemes are, therefore, easy to implement and simple to use. These attractive properties have prompted a series of discussions. Several security flaws have been found and remedied. Unfortunately, most of the remedies are either insecure or violate the original advantages because they involve public-key cryptosystems or modular exponentiation. Hence, it is still a challenge to design a secure scheme that abides by the beneficial assumption of the Peyravian-Zunic schemes. The proposed scheme not only keeps the original advantages (user friendliness and computational cheapness) but also highlights certain valuable features, such as (1) mutual authentication (higher security level), (2) the server's ignorance of users' passwords (a further security guarantee to users, especially for financial services), (3) immunity from maintaining a security-sensitive table (reducing the maintenance burden on servers), and so forth.

2.
By analyzing the security vulnerabilities in the Linux user login process, this paper describes the process and characteristics of symmetric-key-based third-party authentication, as represented by Kerberos, and proposes a security model that applies Kerberos to Linux user login.

3.
User management technology in remote college entrance examination admission   Cited by: 1 (self-citations: 0, other citations: 1)
何姝  叶克江  邢东山  原野  夏华 《计算机工程》2003,29(12):188-190
Remote college entrance examination admission is a complex Web application system with a large number of users at different privilege levels and sensitive, confidential data, so a systematic solution for user management is necessary. This paper describes in detail the specific methods and techniques used for user management, identity authentication and user access control in the remote admission system that was developed.

4.
A dynamic-password-based identity authentication mechanism and its security analysis   Cited by: 8 (self-citations: 0, other citations: 8)
Identity authentication is an important component of network security technology. Building on the challenge/response authentication mechanism, this paper proposes a dynamic-password-based authentication mechanism and analyzes its security.

5.
This paper suggests the use of cognitive passwords as a method of overcoming the difficulty of creating passwords that are simultaneously memorable and difficult to guess. Cognitive passwords involve a dialogue between a user and a system, where the user answers a rotating set of questions about highly personal facts and opinions. A set of such brief responses replaces a single password. The findings of this empirical investigation, focusing on the memorability and ease of guessing of cognitive passwords, are reported. These findings show that cognitive passwords were easier to recall than conventional passwords, while they were difficult for others to guess, even others who were socially close to the users.

6.
As a result of the growing demand for accurate and reliable personal authentication, biometric recognition, a substitute for or complement to existing authentication technologies, has attracted considerable attention. It has recently been reported that BioHashing, a new technique that combines biometric features with a tokenized (pseudo-) random number (TRN), along with its variants, has achieved perfect accuracy, with zero equal error rates (EER) for faces, fingerprints and palmprints. There are, however, anomalies in this approach. These are identified in this paper, in which we systematically analyze the details of the approach and conclude that the claim of having achieved a zero EER is based upon an impractical hidden assumption. We simulate the claimants' experiments and find that it is not possible to achieve their reported performance without the hidden assumption and that, indeed, the results are worse than when using the biometric alone.

7.
As the core and a key foundational element of security mechanisms, how to achieve authentication securely, efficiently and with low energy consumption under the various constraints of wireless sensor networks has always been a hot topic in wireless sensor network security research. In wireless sensor network applications in hostile environments, authentication keys must be introduced into node identity authentication and the dissemination of control information in order to prevent attacks such as malicious nodes injecting illegitimate information or tampering with data. At the same time, secure authentication must also take into account new situations such as the discovery of untrusted nodes, the energy exhaustion of old nodes, and the joining of new nodes. This paper systematically reviews the research content and current state of wireless sensor network secure authentication, discusses the main current solutions in depth, and, in view of the strengths and weaknesses of current research, gives directions for further research.

9.
Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords is difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. In addition, they are vulnerable to various types of attacks, such as shoulder surfing, replay, and keylogger attacks (Gupta, Sahni, Sabbu, Varma, & Gangashetty, 2012). One-Time Passwords (OTPs) aim to overcome such problems (Gupta et al., 2012); however, most implemented OTP techniques require special hardware, which not only adds cost but also raises issues regarding its availability (Brostoff, Inglesant, & Sasse, 2010). In contrast, the use of graphical passwords is an alternative authentication mechanism designed to aid memorability and ease of use, often forming part of a multifactor authentication process. This article is complementary to the earlier work that introduced and evaluated the security of the new hybrid user-authentication approach: Graphical One-Time Password (GOTPass) (Alsaiari et al., 2015). The scheme aims to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. The article presents the results of an empirical user study that investigates the usability features of the proposed approach, as well as pretest and posttest questionnaires. The experiment was conducted during three separate sessions, which took place over five weeks, to measure the efficiency, effectiveness, memorability, and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 s.

10.
With the advance of the Internet and mobile communication techniques, the telematics environment, in which users in vehicles can use Internet services, has been realized. For safe driving, however, we propose that user authentication for the Internet service be performed using the driver's fingerprint instead of typing his/her password. Since the driver's fingerprint is private information to be protected and the size of the fingerprint information is much larger than that of a typical password, we need a different user authentication protocol for the telematics environment. That is, in addition to complying with the standard X9.84 protocol to protect the transmitted fingerprint information, we use a watermarking technique to lessen the privacy threat, and propose a secure and efficient protocol between Access Points (APs) that takes into account the possible hand-off during authentication in the mobile telematics environment. Based on experimental measurement of the proposed protocol, we confirm that fingerprint-based user authentication can be performed in real time in the telematics environment.

11.
Advancement in communication technology provides a scalable platform for various services, where a remote user can access the server from anywhere without moving from their place. It provides a unique opportunity for online services such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to the resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server. If a user wishes to access multiple application servers, he/she has to register with each server. Multi-server authentication introduces a scalable platform such that a user can interact with any server using a single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user's password and biometrics (Chuang and Chen, 2014). Their scheme is lightweight, requiring the computation of only hash functions. In this paper, we first analyze Chuang and Chen's scheme and then identify that their scheme does not resist the stolen smart card attack, which leads to user impersonation and server spoofing attacks. We also show that their scheme fails to protect against denial-of-service attack. We aim to propose an efficient improvement on Chuang and Chen's scheme to overcome the weaknesses of their scheme, while also retaining its original merits. Through rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Chuang and Chen's scheme. Furthermore, we simulate our scheme for formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against replay and man-in-the-middle attacks. In addition, our scheme is comparable in terms of communication and computational overheads with Chuang and Chen's scheme and other related existing schemes.

12.
Deploying multiple Internet access authentication systems simultaneously on a campus network, all using a unified account and password, is a common deployment scheme. When multiple authentication systems coexist, how to manage and control online users in a unified way, track and analyze users' login trajectories, and monitor and manage the multiple authentication systems uniformly are common problems currently facing campus network management. To address this, a unified online user management and control platform oriented to multiple authentication systems was designed and implemented, and tested in a real campus network environment; the test results verify the effectiveness of the platform.

13.
Remote user authentication is a method in which a remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves user anonymity, has the feature of a strong password chosen by the server, and is protected from several attacks. However, in this paper, we point out that Wang et al.'s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme does not provide user anonymity during authentication, gives the user no choice in choosing his password, is vulnerable to insider attack, makes no provision for revocation of a lost or stolen smart card, and does not provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.'s scheme and is more secure and efficient for practical application environments.

14.
This pilot study explores the use of combining multiple data sources (subjective, physical, physiological, and eye tracking) in understanding user cost and behavior. Specifically, we show the efficacy of such objective measurements as heart rate variability (HRV) and pupillary response in evaluating user cost in game environments, along with subjective techniques, and investigate eye and hand behavior at various levels of user cost. In addition, a method for evaluating task performance at the micro-level is developed by combining eye and hand data. Four findings indicate the great potential value of combining multiple data sources to evaluate interaction: first, spectral analysis of HRV in the low frequency band shows significant sensitivity to changes in user cost, modulated by game difficulty; the result is consistent with subjective ratings, but pupillary response fails to accord with user cost in this game environment; second, eye saccades seem to be more sensitive to user cost changes than eye fixation number and duration, or scanpath length; third, a composite index based on eye and hand movements is developed, and it shows more sensitivity to user cost changes than a single eye or hand measurement; finally, timeline analysis of the ratio of eye fixations to mouse clicks demonstrates task performance changes and learning effects over time. We conclude that combining multiple data sources has a valuable role in human–computer interaction (HCI) evaluation and design.

15.
Seal management is a key focus of public security administration in China. Based on the characteristics of seal management, this paper proposes an architecture design and implementation method for a Web-based seal public-security management information system. The system adopts a multi-level management model (provincial department, municipal bureau, county/district, etc.) to manage the entry, querying and recognition of seal information; at the same time, departments such as industry and commerce, banking, taxation and customs can query seal data online. In addition, the paper discusses the user management model and seal image processing techniques. Finally, the system is analyzed and evaluated.

17.
Design and analysis of a new one-time password identity authentication scheme   Cited by: 24 (self-citations: 4, other citations: 24)
张宏  陈志刚 《计算机工程》2004,30(17):112-113,185
This paper analyzes several commonly used one-time password identity authentication schemes and, building on the challenge/response scheme, designs a new identity authentication scheme. The scheme not only provides mutual authentication of both communicating parties and reduces server overhead, but also overcomes the weaknesses of the traditional challenge/response scheme, effectively protects user identity information, and can prevent replay attacks and other attack methods. Finally, the security and efficiency of the scheme are analyzed.

18.
Use of the PharmaCloud can improve the quality of healthcare, but improvements are likely to be thwarted if physicians resist using the system. This study uses the dual-factor model to explain physicians' resistance to system usage. The results of a field survey conducted in Taiwan showed that physicians' resistance to using the PharmaCloud stemmed from regret avoidance, inertia, perceived value, and perceived threat. These results also indicate that system, information, and service quality are the key determinants of the behavioral intention to use. This research advances the theoretical understanding of user acceptance of and resistance to technology post-implementation and offers practical implications.

19.
Research and implementation of multicast security   Cited by: 1 (self-citations: 0, other citations: 1)
This paper introduces the concept of multicast and its three basic communication modes: the dissemination mode, the collaborative mode and the centralized mode. It focuses on multicast security issues, namely message integrity, source authentication, key management and key distribution, and the related research. By analyzing IPSec, the new-generation security standard for unicast systems, it proposes corresponding solutions for multicast security based on IPsec.

20.
With ever growing and evolving threats and cyber attacks, the management of enterprise security and the security of enterprise management systems are key to business—if not a nation’s—operations and survival. Secur(e/ity) management, the moniker for the intertwined topics of secure management and security management, has evolved trying to keep pace. The history of secur(e/ity) management is traced from its origins in the disjoint silos of telecommunications, internetworking and computer security to today’s recognition as necessary, interdisciplinary, interworking technologies and operations. An overview of threats and attacks upon managed and management systems shows that occurrences of ever more sophisticated, complex and harder to detect cyber misconduct are increasing as are the severity and costs of their consequences. Introduction of new technologies, expansion of the perimeters of an enterprise and trends in collaborative business partnerships compound the number of managed system targets of cyber compromise. Technical and marketplace trends in secur(e/ity) management reveal needs that must be bridged. Research attention should focus on developing axiomatic understanding of the natural laws of security, tools to realize vulnerability-free software, metrics for assessing the efficacy of secur(e/ity) management, tools for default-deny strategies so that signature-based security management can be retired, secur(e/ity) management approaches for virtualized and service-oriented environments, and approaches for composite, holistic, secur(e/ity) management.
John Hale is an Associate Professor of Computer Science and Director of the Institute for Information Security at The University of Tulsa. His research interests include network attack modeling, analysis and visualization, secure operating systems, programmable security, distributed system verification, and policy coordination.
Paul J. Brusil, Ph.D., is a visionary and leader in the research, specification, architecting and education of security, networking and enterprise management. He convened and led industry, government and academic forums, including the Integrated Management Symposia series and the National Information Assurance Partnership. He is a Senior Member of the IEEE and a long-time editor and advisor with the JNSM. He graduated from Harvard with a joint degree in Engineering and Medicine and is now lead faculty in Norwich University's graduate program in Information Assurance.
