Similar literature
20 similar documents found (search time 15 ms)
1.
System Wide Information Management (SWIM) adopts a service-oriented architecture (SOA) to provide information exchange and data sharing for civil aviation. Based on an analysis of the SWIM architecture and the EAP-MD5 application sub-protocol of the Diameter protocol, the security weaknesses of the standard Diameter/EAP-MD5 authentication process are identified, the EAP-MD5 authentication protocol is improved, a SWIM user identity authentication method based on the improved Diameter/EAP-MD5 protocol is proposed, a Diameter-based SWIM authentication service is studied, and the improved method is evaluated through simulation experiments and security analysis in a simulated SWIM environment. The experimental results show that the improved Diameter/EAP-MD5 authentication method improves the security of the SWIM authentication system at comparable computational cost, providing a foundation for building the SWIM security service framework.

2.
Service-oriented vehicular networks support diverse infrastructure-based commercial services including Internet access, real-time traffic concerns, video streaming, and content distribution. The success of service delivery in vehicular networks depends on the underlying communication system to enable the user devices to connect to a large number of communicating peers and even to the Internet. This poses many new research challenges, especially in the aspects of security, user privacy, and billing. In this article we first identify the key requirements of authentication, privacy preservation, and billing for service delivery in vehicular networks. We then review the existing industrial and academic efforts on service-oriented vehicular networks. We also point out two security challenges, minimizing vehicle-to-infrastructure authentication latency and distributed public key revocation, which are considered among the most challenging design objectives in service-oriented vehicular networks. A novel fast vehicle-to-infrastructure authentication based on a vehicle mobility prediction scheme and an infrastructure-based short-time certificate management scheme are then proposed to address these two challenges.

3.
张雷  单涛  王哲  鲍琪琪 《信息技术》2021,(2):159-164
A distributed security model for medium- and long-range telemedicine services is proposed; the model includes a secure network for managing and processing medical big data. In the model, the secure network is combined with the Internet of Things and can operate normally without any resource constraints, adapting to the characteristics of a security-oriented network. The modeling uses the Advanced Encryption Standard with double encryption and a ring-signature technique that provides user anonymity. The results obtained are examined against security factors such as authentication, confidentiality, privacy and integrity…

4.
Distributed Authentication in Mobile Ad Hoc Networks Based on Multi-Hop Encrypted Signature Function Signing (total citations: 26, self-citations: 1, citations by others: 26)
A mobile ad hoc network (MANET) is a new type of wireless mobile network. Because of its self-organization, dynamic topology, distributed control and multi-hop routing, traditional security mechanisms cannot fully guarantee the security of a MANET, and new protective measures must be added. This paper examines the security threats specific to MANETs and proposes a secure distributed authentication scheme based on multi-hop encrypted signature function signing, which combines mobile cryptography with (n,t) threshold encryption for distributed authentication, and uses a distributed fault-tolerant processing algorithm and private-key share refreshing to detect and prevent an attacker from impersonating the authentication private key to perform illegal authentication, and to protect the private-key shares and the authentication private key from leakage.

5.
To address the security risks and privacy leakage in the data and reward delivery process of existing crowdsensing platforms, this paper proposes a distributed secure data delivery model for crowdsensing based on the Tangle network. First, in the data sensing phase, a local outlier factor detection algorithm is invoked to remove abnormal data, sensing data are obtained by clustering, and trusted participant nodes are determined. Then, in the transaction writing phase, a Markov chain Monte Carlo algorithm is used to select transactions and verify their legitimacy; anonymous identity data are uploaded after registration with the registration and certification center, and the transactions are written synchronously to the distributed ledger. Finally, using the cumulative-weight consensus mechanism of the Tangle network, the task publisher can securely deliver data and rewards once the transaction security reaches a threshold. Simulation experiments show that the model protects user privacy while enhancing the secure delivery of data and rewards, and reduces time complexity and task publishing cost compared with existing sensing platforms.

6.
The development of the Internet of Things places ever higher demands on the security of radio frequency identification (RFID) systems. Although key-array-based RFID authentication protocols solve the insider-attack problem of traditional RFID authentication protocols in multi-entity environments, authentication by exchanging entity identity information carries a risk of information leakage. To address this problem, a multi-entity RFID authentication protocol based on zero-knowledge proof (MERAP) is designed. The protocol uses a distributed key array to resist insider attacks and a zero-knowledge proof scheme to achieve mutual authentication with zero leakage of sensitive identity information. Performance analysis shows that, while maintaining a certain complexity and tag cost, MERAP resists a variety of external and insider attacks, including replay, tracking, denial of service and tampering.

7.
This paper proposes a fully distributed authentication method using a public-key system within the Kerberos authentication framework. It distributes the authentication work of the key distribution center (KDC) to the communicating parties, so that the new protocol greatly improves on the traditional Kerberos V5 protocol in both security and fairness, while also improving the privacy of Kerberos users.

8.
A simple authentication technique for use in the global mobility network (GLOMONET) is proposed. This technique is based on the concept of distributed security management, i.e., the original security manager administrates the original authentication key (long-term secret key) acquired when a user makes a contract with his home network, while a temporary security manager is generated for a roaming user in the visited network that provides roaming services. The temporary security manager will take the place of the original security manager when the roaming user stays in the service area of the visited network. In the proposed authentication protocol for the regular communication phase, the procedures of the original security manager and the temporary security manager are the same except for introducing different parameters. Furthermore, the proposed technique not only reduces the number of transmissions during the authentication phase, but it also can decrease the complexity of mobile equipment. The idea behind the proposed technique is to introduce a simple mechanism which is called "self-encryption". We also suggest that this mechanism can be easily adopted as the authentication function for the secure teleconference service.

9.
Increasing availability and security of an authentication service (total citations: 4, self-citations: 0, citations by others: 4)
Authentication, the process by which one satisfies another about one's claim of identity, is typically provided by an authentication server via an authentication protocol. Compromise of the authentication service can lead to the compromise of the whole system, and the service is a performance bottleneck because many activities cannot proceed unless the identities of concerned parties can be satisfactorily established. Therefore, a desirable authentication service should be both highly secure and highly available. A general solution in which the authentication server is replicated so that a minority of malicious and colluding servers cannot compromise security or disrupt service is proposed. Some unusual features of such a distributed authentication service, including the tradeoff between availability and security, are discussed. Such a distributed service is also useful when clients cannot identify or agree upon trusted servers prior to authentication. For example, in some cooperative or federated systems, clients simply cannot all trust the same set of servers.

10.
Research on Mixed Encryption Authentication (total citations: 7, self-citations: 0, citations by others: 7)
1 Introduction With the development of computer network techniques and the continuous avalanche of new applications, vicious network attack events have made users' losses increase rapidly. And the problem of network security is becoming more and more complex [1]. In a network security environment, identifying and testing main body and object is a precondition for computer network safety. People would suspect entities and communication data which are not authenticated. However, actual authentication protocols have some shortcomings in safety, system effic…

11.
A Distributed Authentication Scheme for Sensor Networks (total citations: 1, self-citations: 0, citations by others: 1)
The resource constraints of sensor networks make the design of secure authentication mechanisms very difficult. Building on elliptic curve cryptography (ECC), this paper proposes a new distributed authentication scheme that uses groups of nodes to implement the public-key algorithm, enabling identity authentication between nodes without increasing the computational load on individual nodes and effectively improving the security of the whole network.

12.
A federation approach for security in future distributed service delivery platforms for mobile users offers some key advantages over an integrated solution relying on a common choice of a standardized authentication technology. By agreeing on an exchange protocol for security assertions rather than on the detailed security mechanisms, Service Aggregators and Access Network Operators will be able to federate their customer offerings flexibly and jointly offer services. The consumer will find formerly separate offerings combined, and Service Operators will enjoy open interfaces towards the network's service delivery platform. Through the use of Security Assertion Markup Language (SAML), standardized assertion statements can be made not only for the user's identity, but also on attributes and authorizations associated with it. This will allow a seamless personalized service experience offering single sign-on across separate operational domains. An example from automobile telematics is used to illustrate the concepts.

13.
To address the security problem of the vulnerability of the authentication methods of traditional physical access control systems, a mimic defense authentication method was designed based on the principle of mimic defense technique and its dynamic heterogeneous redundant architecture (DHR), using mobile 2D code as the interface and dynamic password as the core. First, the actuator pool of the authentication server was constructed. Then, a central controller consisting of functional modules such as input distribution agent, selector and voter was used to dynamically schedule heterogeneous redundant actuators from the actuator pool. Finally, a multimode ruling on the heterogeneous redundant actuator output to determine the authentication result was made by the voter. The experimental results show that the proposed authentication method has higher security and reliability compared to the traditional physical access control system authentication method, and at the same time, it can be used in combination with other authentication methods.

14.
P2P systems are widely used in areas such as file sharing, but DHT (distributed hash table) networks have no central authority, no authentication and no node identity verification mechanism, which makes existing DHT-based P2P systems vulnerable to external attacks such as Sybil attacks. A social-network-based DHT security enhancement mechanism is proposed, which introduces the trust relationships between nodes in a social network into the DHT network to improve the ability to identify Sybil nodes. Experimental verification was carried out using the KAD (Kademlia) algorithm as an example; results on Facebook and Twitter datasets show that the proposed security mechanism is suitable for large-scale dynamic networks and can effectively defend against Sybil attacks.

15.
The problem of network security is now heavily focused on user and agent authentication. In particular, higher levels of automated management and autonomous behaviour are economically necessary within security services. This work focuses on a peer-to-peer (P2P) network architecture in support of an authentication service application. The paper considers whether the key properties of P2P systems, such as scalability, robustness and resilience, may be of significant value in the context of designing a secure agent-based user authentication service. The task of authenticating legitimate network users across distributed systems and services remains a challenging process. The proposed solution is to use a distributed agent-based application to address the process of client authentication and the maintenance of user credentials. Using an agent-to-agent platform, an autonomous and scalable defence mechanism has been constructed. The agent architecture provides a number of security services with the goal of automating the process of user authentication and trust management. In particular, the agents handle all password, encryption keys and certificate management. This revised version was published online in July 2006 with corrections to the Cover Date.

16.
To solve the problem of security and efficiency of anonymous authentication in the vehicular ad hoc network (VANET), a conditional privacy protection authentication scheme for vehicular networks is proposed based on bilinear pairings. In this scheme, the tamper-proof device in the roadside unit (RSU) is used to complete the message signature and authentication process together with the vehicle, which makes communication between the RSU and the trusted authority (TA) more secure and makes updating system parameters and revoking vehicles faster. This is also cheaper than installing tamper-proof devices in each vehicle unit. Moreover, the scheme provides a provable security proof under the random oracle model (ROM), which shows that the proposed scheme can meet security requirements such as conditional privacy, unforgeability and traceability. The results of simulation experiments demonstrate that this scheme not only achieves high efficiency, but also has a low message loss rate.

17.
魏艺杉  曾浩  杨宗宇 《电讯技术》2021,61(7):901-906
To address the identity security of front-end devices in the access layer of video surveillance systems, this paper studies and extends the Session Initiation Protocol (SIP) and designs an improved SIP security mechanism based on Hyper Text Transfer Protocol (HTTP) digest access authentication. Before a front-end device joins the video surveillance system, it must authenticate with the SIP server on the system's security management platform through this mechanism. Both parties obtain each other's digital certificates through the Public Key Infrastructure/Certificate Authority (PKI/CA) digital certificate system and extract the public keys; on top of digest authentication, public-key encryption and private-key signatures protect the authentication sequence, and after decrypting the authentication sequence, mutual identity authentication is achieved through XOR verification and digest verification. Test and analysis results show that the improved security mechanism can resist common SIP security risks and achieve mutual identity authentication between devices and the security management platform, ensuring that the identity of devices joining the system is legitimate and trusted at a modest cost in efficiency.

18.
This paper proposes an authentication technique for use in the global mobility network (GLOMONET), which provides a personal communication user with global roaming service. This technique is based on new distributed security management, where authentication management in roaming-service provision is conducted only by the roamed network (the visited network). The original security manager (OSM) administrates the original authentication key (OAK) acquired when a user makes contracts with the home network, while the temporary security manager (TSM) is generated for a roamer in the visited network in order to provide roaming services. The TSM generates and administrates the temporary authentication key (TAK) for a roamer, which key is confidential to the OSM, releases the TAK administration when a roamer moves to other networks, and then disappears. The proposed authentication technique consists of two phases. In the roaming-service-setup phase, triggered by the user's location registration request, authentication control to set up the roaming-service environment is negotiated by the TSM in the visited network, the OSM, and the roamer. In the roaming-service-provision phase, triggered by the user's service request, authentication control to provide the roaming service is negotiated (using the TAK acquired by the roamer in the first phase) only by the visited network and the roamer. This authentication control using the TAK provides a unified authentication procedure with a single logic to both subscribers and roamers. In addition, the security management of the whole GLOMONET is reinforced and the security responsibility is made clear by allocating the subscriber's/roamer's security administration to only the TSM.

19.
The need for security services, such as confidentiality and authentication, has become one of the major concerns in multimedia communication applications, such as video on demand and peer-to-peer content delivery. Conventional data authentication cannot be directly applied for streaming media when an unreliable channel is used and packet loss may occur. This paper begins by reviewing existing end-to-end media authentication schemes, which can be classified into stream-based and content-based techniques. We then motivate and describe how to design authentication schemes for multimedia delivery that exploit the unequal importance of different packets. By applying conventional cryptographic hashes and digital signatures to the media packets, the system security is similar to that achievable in conventional data security. However, instead of optimizing packet verification probability, we optimize the quality of the authenticated media, which is determined by the packets that are received and able to be decoded and authenticated. The quality of the authenticated media is optimized by allocating the authentication resources unequally across streamed packets based on their relative importance, thereby providing unequal authenticity protection. The effectiveness of this approach is demonstrated through experimental results on different media types (image and video), different compression standards (JPEG, JPEG2000, and H.264), and different channels (wired with packet erasures and wireless with bit errors).

20.
Key Management and Authentication Scheme for Ad Hoc Space Networks (total citations: 4, self-citations: 0, citations by others: 4)
杨德明  慕德俊  许钟 《通信学报》2006,27(8):104-107
To dynamically configure a group of satellites into an integrated network information system with a flexible distributed architecture, an ad hoc networking approach can be used, but this way of networking satellites brings new security challenges. A flexible security scheme is proposed, with a public key infrastructure and an authentication strategy designed for it. Based on a fully distributed certification authority, almost all standard public-key authentication protocols can be adopted directly. For space nodes with limited computing capability, a lightweight authentication protocol based on a symmetric-key algorithm and a one-way hash function is designed, which greatly reduces the computational load while providing confidentiality and data integrity.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号