Similar literature
 20 similar documents found (search time: 31 ms)
1.
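As vehicular ad hoc network applications place higher demands on security, users and service providers increasingly require confidentiality for their respective private information. To address the problem that existing query schemes cannot simultaneously protect vehicle identity, location, and service-provider data privacy, an efficient location-based service query scheme is proposed using private information retrieval. Anonymous authentication is used for mutual authentication between vehicles and for authentication between vehicles and roadside base stations. On this basis, secure hardware is used to obfuscate the database data, and proxy re-encryption is used to complete the vehicle's retrieval of service data from the database, thereby protecting the privacy of both the vehicle and the database. Analysis shows that the scheme enables anonymous queries with respect to vehicle identity, protects vehicle location privacy and the service provider's database information, and requires only two rounds of communication, giving high communication efficiency.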

2.
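Vehicular ad hoc networks (VANETs) are large-scale networks that, following specific communication protocols, provide wireless communication and information exchange between vehicles and X (X: vehicles, roads, pedestrians, the Internet, etc.). With the development of cloud computing, increasingly rich VANET cloud services will emerge to serve vehicles. However, these services are often provided by different servers, so vehicles (users) have to register on each server and remember a large number of usernames and passwords. To let a user register once and then mutually authenticate with multiple servers, authentication protocols for multi-server architectures have been proposed and applied in many fields, but no related research has yet targeted VANETs. The transient nature of inter-vehicle communication places higher demands on authentication protocols, yet existing multi-server authentication protocols use complex bilinear cryptography and cannot meet VANET requirements in terms of communication and authentication overhead. Therefore, a new anonymous mutual authentication and key agreement protocol for the multi-server architecture in VANETs is proposed for the first time. The protocol uses non-singular elliptic curves to construct a simple authentication method, reducing the computational complexity of authentication. The random anonymity mechanism effectively protects vehicle privacy while allowing mutual authentication and key agreement with servers. The security of the protocol is proved in the random oracle model. Performance analysis shows that, compared with recent anonymous mutual authentication protocols, the protocol reduces computation overhead and communication overhead in the authentication and key agreement phase by 61% and 62% respectively, better meeting VANET requirements for computation and communication overhead.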

3.
Deniable ring authentication can be used to facilitate privacy-preserving communication since the receiver accepts authentication while cannot convince a third party that the fact of this authentication occurred. Besides that, the receiver cannot decide the actual sender as the sender identity is hidden among a group of participants. However, the concurrent problem has not been studied well in the interactive deniable ring authentication so far. In this work, we propose a deniable ring authentication protocol to handle concurrent scenario, which achieves full deniability. We construct a CCA2-secure (which is secure against Adaptive Chosen Ciphertext attack) multi-receiver encryption scheme to support this protocol and it requires only 2 communication rounds, which is round-optimal in fully deniable ring authentications. In addition, we observe that efficient fully deniable ring authentication can be applied to location-based service in VANETs to protect vehicle privacy.

4.
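Research on an application-independent identification and access control system   Total citations: 1 (self-citations: 0, citations by others: 1)
Identification and access control are among the important parts of network information security. The traditional way to implement them is through API interfaces between the identification and access control functions and the application. The security and practicality of this approach cannot keep up with the development of networks and applications. This paper proposes an application-independent identification and access control system, a security platform that provides efficient identification services for network applications. By combining Kerberos, PKI, and secure channel technology, it greatly improves performance and convenience.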

5.
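The emergence of pervasive computing poses new challenges to security and privacy in network communication, and traditional authentication techniques can no longer meet the security requirements of pervasive environments. A mechanism is proposed for mutual authentication and key establishment between service users and providers in pervasive environments. The mechanism tightly integrates biometric encryption and Diffie-Hellman key exchange, completing mutual authentication without disclosing user privacy. It provides a secure key-establishment algorithm and uses biometric encryption to apply access control policies differentially. Analysis shows that the protocol resists a variety of attacks well, especially denial-of-service (DoS) attacks.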

6.
7.
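Vehicular ad hoc networks (VANETs) are an important application form of the Internet of Things in the field of intelligent transportation and have in recent years become a research focus for both academia and industry. VANETs have attractive prospects, but their application is strictly constrained by security and privacy protection, so the literature on VANET security and privacy protection has gradually become a research hotspot and a large body of results has emerged; these results are significant for making VANETs practical. Proxy signature is a digital signature technique with a very wide range of real-world applications. In different scenarios proxy signatures have many variants, which can form a proxy signature family. A VANET privacy protection framework based on a proxy signature family (PS-PPF) is proposed; a practice-oriented VANET privacy protection framework is proposed at the level of the VANET system architecture; 4 levels of settings are defined; 7 key roles are analyzed; and 4 key proxy signatures are discussed: conditional privacy-preserving proxy signature, identity authentication authorization proxy signature, anti-tracing-abuse authorization proxy signature, and service pre-authorization proxy signature. The framework not only protects vehicle identity privacy and location privacy but also has good practical deployability and scalability. Finally, some notes on practical extensions of the framework are given. PS-PPF can be used to standardize and guide the planning and construction of real operational systems. Reportedly, this is the first practice-oriented design of a VANET privacy protection framework based on a proxy signature family.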

8.
Multi-channel IEEE WAVE 1609.4 protocol has been proposed to guarantee the co-existence of safety and non-safety applications over the same Vehicular Ad hoc NETwork (VANET) scenario. While the usage of multi-channel avoids the risk of collisions between applications allocated on different frequencies, its implementation on a single-radio transceiver poses some major concerns about the effective utilization of the channel resources. In this paper, we study the performance of safety applications over multi-channel single-radio VANETs, and we present three novel contributions in this regard. First, we propose an analytical analysis and a simulation study of IEEE 1609.4. We show the harmful impact of synchronous channel switching on the message delay and delivery ratio. Second, we investigate the problem of dissemination of safety broadcast messages over multi-channel VANETs, where the network is intermittently disconnected, due to the alternation of control and service intervals. Finally, we propose a WAVE-enhanced Safety message Delivery (WSD) scheme to enable fast dissemination of safety messages over multi-channel VANETs, while guaranteeing compatibility with the existing WAVE stack. To this aim, we formulate the dissemination problem as a multi-channel scheduling problem. We further introduce cooperation among vehicles to reduce the dissemination latency. Simulation study shows the ability of the WSD scheme to enhance the performance of IEEE 1609.4 in terms of message delay and delivery ratio under different topologies and various applications.

9.
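SAML-based federated identity access control mechanism for library resources   Total citations: 1 (self-citations: 0, citations by others: 1)
To address the shortcomings of the traditional access control mechanisms currently used for library electronic resources, this paper proposes a federated identity access control mechanism based on the SAML specification. The mechanism provides single sign-on, ensures the strength of identity authentication, and protects user privacy, thereby meeting the requirements of users, administrators, distributed resources, and service providers.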

10.
With the popularity of automobile, traffic safety and our lives are inseparable. In vehicular ad hoc networks (VANETs), the properties authenticity, privacy and traceability have already been considered in many previous researches. Many automotive systems combine their applications with smart life. In this paper, a speedy seamless safe (3-S) messaging mechanism for roadside-to-vehicle authentication and vehicle-to-vehicle communication is proposed. In addition to the essential requirements mentioned above, 3-S messaging mechanism is designed to reduce the computation cost and provide the seamless communication when the vehicle crosses the various regions. With better performance and availability, our scheme can be applied in various VANET applications, especially in safety systems to provide the drivers active safety.

11.
Kerberos is one of the most well-respected and widely used authentication protocols in open and insecure networks. It is envisaged that its impact will increase as it comprises a reliable and scalable solution to support authentication and secure service acquisition in the Next Generation Networks (NGN) era. This means however that security and privacy issues related to the protocol itself must be carefully considered. This paper proposes a novel two-level privacy framework, namely PrivaKERB, to address user privacy in Kerberos. Our solution offers two privacy levels to cope with user anonymity and service access untraceability. We detail how these modes operate in preserving user privacy in both single-realm and cross-realm scenarios. By using the extensibility mechanisms already available in Kerberos, PrivaKERB does not change the semantics of messages and enables future implementations to maintain interoperability. We also evaluate our solution in terms of service time and resource utilization. The results show that PrivaKERB is a lightweight solution imposing negligible overhead in both the participating entities and network.

12.
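王硕, 罗颖, 孙凌, 霍士伟. 《计算机工程》 (Computer Engineering), 2012, 38(6): 129-131
To address authentication and privacy protection in pervasive environments, a new privacy-preserving authentication protocol is proposed using hash chains and partially blind signatures. The protocol uses a hash chain to construct credentials, ensuring that each credential can be used only once, and uses a partially blind signature to embed the user's access count in the credential, controlling the number of times the user can access. While providing anonymous user access and mutual authentication, it addresses service abuse and unauthorized access. Simulation results show that, compared with similar protocols, the protocol has better security properties and higher execution efficiency.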

13.
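张学明, 黄志球, 孙艺. 《计算机科学》 (Computer Science), 2016, 43(1): 166-171, 185
Role-Based Access Control (RBAC) can be used in Web service privacy protection to control service providers' access to users' private data. To address the problem that RBAC, when applied in privacy scenarios, lacks the corresponding privacy attributes and therefore cannot precisely describe privacy access control policies, an RBAC-centered privacy access control model is proposed, together with a method for grading the reputation of service providers. Service providers at different reputation levels are assigned different roles to control their access to sensitive private information. Finally, an example verifies the effectiveness and feasibility of the model.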

14.
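Edge computing can process requests from massive numbers of terminal devices in real time, but its distributed and real-time characteristics also place more limitations on information security protection; identity authentication and privacy protection are challenges facing the security protection of edge computing applications and data. This paper describes the information security requirements for secure access of edge computing terminals, analyzes the information security threats they may face, and proposes a heterogeneous terminal access authentication mechanism for a three-layer "cloud-edge-end" architecture in edge computing scenarios. The scheme can support access authentication requests from massive numbers of terminals and protects the privacy of terminal devices through anonymous identities.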

15.
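By analyzing the shortcomings of traditional unified identity authentication and resource access control mechanisms in digital campus network applications, a unified identity authentication system model based on Web services is proposed. It adopts a ticket-based centralized architecture, with cross-domain cookie sharing at its core, to handle user login, authentication, and permission control. A worked example shows that the scheme makes it easy to add dispersed network nodes to the authentication system, solving single sign-on and resource access control for network nodes.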

16.
In this paper, we introduce an efficient and multi-level conditional privacy preservation authentication protocol in vehicular ad hoc networks (VANETs) based on ring signature. The proposed protocol has three appealing characteristics: First, it offers conditional privacy preservation authentication: while every receiver can verify that a message issuer is an authorized participant in the system only a trusted authority can reveal the true identity of a message sender. Second, it is equipped with multi-level countermeasure: each vehicle can select the degree of privacy according to its own requirements. Third, it is efficient: our system outperforms previous proposals in message authentication and verification, cost-effective identity tracking in case of a dispute, and low storage requirements. We demonstrate the merits gained by the proposed protocol through extensive analysis.

17.
As a kind of medical service around people, community health care is closely related to people's lives, and thus it has also been placed higher requirements. In the face of growing community medical needs, the construction and development of community medical Internet of things is imminent. Subsequently, massive multi-type of medical data which contain all kinds of user identity data, various types of vital signs data and other sensitive information are generated. Such a large scale of data in the transmission, storage and access process is facing the risk of data leakage. To effectively protect the privacy information of patients, an infrastructure framework for privacy protection of community medical Internet of things is proposed. It includes transmission protection based on multi-path asymmetric encryption fragment transmission mechanism, storage protection using distributed symmetric encryption cloud storage scheme and access control with identity authentication and dynamic access authorization. Through theoretical analysis and simulation experiments, it is proved that the community medical data can be effectively protected.

18.
In a mobile pay-TV system, a large number of messages are exchanged for mutual authentication purposes. In traditional authentication schemes, with one-to-one delivery, one authentication message per request is delivered from a head end system to subscribers. This results in the delivery of a large quantity of messages and therefore is inefficient and costly. Moreover, since most traditional schemes use an RSA-based signature for identity validation and nonrepudiation of communication, they suffer from high communication costs. Due to its wireless nature, mobile pay-TV is vulnerable to attacks during hand-off. As traditional schemes do not support hand-off authentication, they are insecure during hand-off. With these shortcomings, they are not suitable for mobile pay-TV. In this paper, we propose an innovative authentication scheme, in which, by providing one-to-many facility, only one authentication message for multiple requests is broadcasted from the head end system to subscribers. By employing bilinear property of pairing and elliptic curve cryptography, our scheme provides one-to-many facility in the case of multiple requests for the same service in a short period of time. This new scheme achieves better broadcast efficiency and performance on communication costs than traditional ones. Additionally, this scheme provides a hand-off authentication mechanism to protect the access of services while preventing attacks during hand-off; therefore, the scheme is more secure to support access control. Moreover, to provide anonymous authentication for protecting identity privacy, the scheme adopts an identity-based scheme while traditional schemes do not apply. The scheme inherits advantages of the identity-based scheme that a public key does not need to be certificated, the certification authority mechanism will not be needed and the key exchange overhead can be reduced. With these advantages of our scheme, it is well suited for mobile pay-TV system.

19.
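With the rapid development and wide application of vehicular ad hoc networks (VANETs), ensuring vehicle trustworthiness from the access perspective has attracted growing attention. Because rough set theory is well suited to handling uncertain information, this paper proposes a VANET access method based on rough set theory. VANET is combined with the Mobile Trusted Module (MTM), and the MTM is used to collect trust attribute information from vehicles in order to make access decisions. Experimental results verify the effectiveness and practicality of the method.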

20.
Over the past few years, numerous traffic safety applications have been developed using vehicular ad hoc networks (VANETs). These applications represent public interest and require network-wide dissemination techniques. On the other hand, certain non-safety applications do not require network-wide dissemination techniques. Such applications can be characterized by their individual interest between two vehicles that are geographically apart. In the existing literature, several proposals of unicast protocols exist that can be used for these non-safety applications. Among the proposals, unicast protocols for city scenarios are considered to be most challenging. This implies that in city scenarios unicast protocols show minimal persistence towards highly dynamic vehicular characteristics, including mobility, road structure, and physical environment. Unlike other studies, this review is motivated by the diversity of vehicular characteristics and difficulty of unicast protocol adaption in city scenarios. The review starts with the categorization of unicast protocols for city scenarios according to their requirement for a predefined unicast path. Then, properties of typical city roads are discussed, which helps to explore limitations in efficient unicast communication. Through an exhaustive literature review, we propose a thematic taxonomy based on different aspects of unicast protocol operation. It is followed by a review of selected unicast protocols for city scenarios that reveal their fundamental characteristics. Several significant parameters from the taxonomy are used to qualitatively compare the reviewed protocols. Qualitative comparison also includes critical investigation of distinct approaches taken by researchers in experimental protocol evaluation. As an outcome of this review, we point out open research issues in unicast routing.
