用Cookie构建Web安全的实现

给出了用Cookie实现用户认证的步骤，并详细讨论了可用的安全cookie设计方法，对同一域中不同服务器间加密Cookie的密钥的管理问题，除传统密钥管理方案外，提出了Cookie集中管理的解决方案，最后，应用Cookie将Web的安全实现扩展到访问控制。     

基于Web的RBAC权限机制在电子病历系统的研究

首先分析了电子病历系统安全验证的必要性,着重研究了Cookie技术,探讨了安全Cookie的应用机制,并且通过使用PKI数字认证技术,分析了安全Cookie的安全特性。进一步通过对基于角色的访问控制的深入研究,提出了一种基于Web高效安全机制。该机制在利用安全Cookie保证安全性的前提下,引入缓存机制来提高权限获取效率。通过实际数据模拟实验,结果表明该机制在效率上有一定程度的提高。最后,针对电子病历系统的特点分析了该机制在其中的应用。     

基于Cookie的Web服务安全认证系统

Web服务是一种崭新的分布式计算模式,是下一代电子商务的框架。但Web服务能否顺利发展的关键是其安全问题,对Web服务请求者的身份进行认证是解决安全问题的重要途径。为克服HTTP协议的无状态性,在对基于cookie的认证机制的实现原理和过程进行分析和研究的基础上,提出了一种基于Cookie的认证系统,详细介绍了其工作流程。谊认证系统具备单点登录和适应所有浏览器等特点,比较适合于Web服务在单域内的安全认证。     

基于J2EE的Web应用系统身份认证技术研究

基于J2EE平台的Web应用系统常用的验证主体身份的方法是基于主体了解的秘密的,常用的认证技术主要有基于X.509证书的认证和基于用户名和口令的认证.本文较系统地阐述了Servlet容器和Web服务器用户认证的原理与实现,并剖析了应用程序本身运用Session和Cookie机制进行用户认证的原理.     

Web应用中的Cookie测试方法研究

在Web应用程序中,Cookie应用十分广泛,且给用户带来了极大的便利,然而,由于Cookie中所包含信息的敏感性,极易被不法人员利用而造成巨大损失,因此,如何对Cookie进行有效的测试就成为用户上网安全的重要保障。本文对Cookie的概念、作用和调用过程进行了分析,并Cookie机制存在的问题进行了讨论,在此基础上提出了Cookie测试的概念,并对Cookie测试的测试点进行了分析,进而采用测试工具进行测试法、屏蔽测试法、有选择性拒绝测试法、篡改测试法实现了对Cookie的初步测试。测试结果表明,本文所提出的方法在实现Cookie测试方面具有较好的效果。     

基于可变Cookie的跨域单点登录

针对单点登录中的跨域身份认证问题,提出了一种基于可变Cookie的方案解决跨域单点登录,使用随机数字生成票据,并作为传统加密算法的会话密钥对客户端的Cookie进行加密,采用现代加密算法在异域系统之间安全传递票据,每次认证产生新的票据并更新异域应用系统的Cookie。通过对票据产生和传输以及Cookie加密和常见攻击的安全性分析,可以实现跨域单点登录的功能并保证身份认证安全可信。     

基于Cookie的单点登录技术

在基于Web的多种应用系统中需要统一身份认证和资源访问控制机制,采用基于Cookie的单点登录系统是一种很好的解决方案,它是一种基于HTTP重定向和票据,并以跨域Cookie的共享为核心的集中式认证系统.     

基于Cookie和信任链的跨域单点登录方案

由于HTTP协议存在无状态性,很多网站采用Cookie来认证用户,但Cookie不能够跨域传递.在对基于Cookie的认证方式和单点登录的实现机制做了深入分析和研究的基础上,结合信任链观点,提出了一种基于Cookie的跨域认证方法.     

脆弱型文本数字水印在WEB认证中的应用

WEB认证中最常运用的是Cookie技术。通过对Cookie机制的研究，给出了一种使用脆弱型文本数字水印对Cookie机制改进的方法。该方法采用LSB算法实现。     

一种单一认证机制的设计与实现

本文描述了在校园网中的一个单一认证机制的设计与实现方式,该认证机制是基于Cookie服务票据的,并引入基于角色的统一授权的访问控制模式,安全地实现了用户只登录一次便可对网络提供的多种资源进行访问的目的。     

一种基于Cookie的跨域单点登录方案设计

针对多应用系统下用户需多次进行身份认证导致工作效率较低及系统安全性差的问题,提出了一种基于Cookie的跨域单点登录方案。用户可以在不同域内的应用系统间安全有效地实现"一处登录,多处访问"。给出了方案的总体模型,分析了登录流程,解释了跨域的实现,详细地说明了双向认证过程,保证通信双方的身份合法性。引入角色认证管理,降低了单点登录系统与应用系统的耦合。     

基于公钥证书的cookies安全实现方案

Cookies是由Web服务器生成并存贮于用户计算机硬盘内的有用信息。Cookies往往含有重要的用户鉴别信息和用户资料,因此确保Cookies安全显得十分重要。本文首先分析了使用可能给用户造成的安全威胁,提出了抵御这些安全威胁需要实现的安全需求。在此基础上,提出了一种基于公钥证书的安全实现方案。     

基于 Cookie的跨域单点登录认证机制分析

为克服HTTP协议的无状态性,大多数门户网站采用cookie来认证用户,但cookie不能跨域传递。深入分析和研究了基于cookie的认证方式和单点登录的实现机制,并基于“联盟”观点,提出了一种基于cookie的跨域认证方法。     

A secure cookie scheme

Cookies are the primary means for web applications to authenticate HTTP requests and to maintain client states. Many web applications (such as those for electronic commerce) demand a secure cookie scheme. Such a scheme needs to provide the following four services: authentication, confidentiality, integrity, and anti-replay. Several secure cookie schemes have been proposed in previous literature; however, none of them are completely satisfactory. In this paper, we propose a secure cookie scheme that is effective, efficient, and easy to deploy. In terms of effectiveness, our scheme provides all of the above four security services. In terms of efficiency, our scheme does not involve any database lookup or public key cryptography. In terms of deployability, our scheme can be easily deployed on existing web services, and it does not require any change to the Internet cookie specification. We implemented our secure cookie scheme using PHP and conducted experiments. The experimental results show that our scheme is very efficient on both the client side and the server side.A notable adoption of our scheme in industry is that our cookie scheme has been used by Wordpress since version 2.4. Wordpress is a widely used open source content management system.     

面向多网关的无线传感器网络多因素认证协议

无线传感器网络作为物联网的重要组成部分,广泛应用于环境监测、医疗健康、智能家居等领域.身份认证为用户安全地访问传感器节点中的实时数据提供了基本安全保障,是保障无线传感器网络安全的第一道防线;前向安全性属于系统安全的最后一道防线,能够极大程度地降低系统被攻破后的损失,因此一直被学术及工业界视为重要的安全属性.设计面向多网关的可实现前向安全性的无线传感器网络多因素身份认证协议是近年来安全协议领域的研究热点.由于多网关无线传感器网络身份认证协议往往应用于高安全需求场景,一方面需要面临强大的攻击者,另一方面传感器节点的计算和存储资源却十分有限,这给如何设计一个安全的多网关无线传感器网络身份认证协议带来了挑战.近年来,大量的多网关身份认证协议被提出,但大部分都随后被指出存在各种安全问题.2018年,Ali等人提出了一个适用于农业监测的多因素认证协议,该协议通过一个可信的中心(基站)来实现用户与外部的传感器节点的认证;Srinivas等人提出了一个通用的面向多网关的多因素身份认证协议,该协议不需要一个可信的中心,而是通过在网关之间存储共享秘密参数来完成用户与外部传感器节点的认证.这两个协议是多网关无线传感器网络身份认证协议的典型代表,分别代表了两类实现不同网关间认证的方式:1)基于可信基站,2)基于共享秘密参数.分析指出这两个协议对离线字典猜测攻击、内部攻击是脆弱的,且无法实现匿名性和前向安全性.鉴于此,本文提出一个安全增强的可实现前向安全性的面向多网关的无线传感器网络多因素认证协议.该协议采用Srinivas等协议的认证方式,即通过网关之间的共享秘密参数完成用户与外部传感器节点的认证,包含两种典型的认证场景.对新协议进行了BAN逻辑分析及启发式分析,分析结果表明该协议实现了双向认证,且能够安全地协商会话密钥以及抵抗各类已知的攻击.与相关协议的对比结果显示,新协议在提高安全性的同时,保持了较高的效率,适于资源受限的无线传感器网络环境.     

基于攻击者和秘密的安全协议验证算法的研究与实现

网络的普及便得网络安全问题日益重要,协议的安全性和密码算法的安全性是网络数据安全的两个最基本的概念。本文介绍了几种有代表性的安全协议的形式化验证工具,研究并使用了JAVA语言实现了基于攻击者和秘密的安全协议验证算法。我们提出了身份验证协议必须交换秘密的概念,还为协议的形式化验证过程设计了框架。框架是指针对攻击者和其冒充的角色对原安全协议的改造。我们实现的验证工具是证伪的,即如果攻击者能够成功冒充某主体,则该安全协议是有漏洞的,反之则该协议的安全性得到某种程度的保证。本文还给出了该算法的攻击实例,并且对以后的研究工作进行了展望。     

Analysis and design of secure watermark-based authentication systems

This paper focuses on a coding approach for effective analysis and design of secure watermark-based multimedia authentication systems. We provide a design framework for semi-fragile watermark-based authentication such that both objectives of robustness and fragility are effectively controlled and achieved. Robustness and fragility are characterized as two types of authentication errors. The authentication embedding and verification structures of the semi-fragile schemes are derived and implemented using lattice codes to minimize these errors. Based on the specific security requirements of authentication, cryptographic techniques are incorporated to design a secure authentication code structure. Using nested lattice codes, a new approach, called MSB-LSB decomposition, is proposed which we show to be more secure than previous methods. Tradeoffs between authentication distortion and implementation efficiency of the secure authentication code are also investigated. Simulations of semi-fragile authentication methods on real images demonstrate the effectiveness of the MSB-LSB approach in simultaneously achieving security, robustness, and fragility objectives.     

Chirp-Loc: Multi-factor authentication via acoustically-generated location signatures

Context-based authentication has been proposed as a way to enable secure authentication with minimal or even no user interaction requirements by using sensor data to ensure the device being authenticated is in possession of the person initiating the authentication request. A key limitation of practically all context-based authentication systems is that they are vulnerable to context manipulation attacks where an attacker manipulates the environment to create a desired response in the sensor data. We contribute Chirp-Loc as a system that has been designed to improve the robustness of context-based authentication solutions against context-manipulation attacks. Chirp-Loc integrates an innovative approach based on room impulse response (RIR) to establish a location fingerprint that characterizes the physical environment instead of the ambient environment. We describe the design and development of an Android prototype of Chirp-Loc. We also conduct extensive accuracy and security analysis of Chirp-Loc by considering a multi-factor authentication solution that uses Chirp-Loc to verify the proximity of an authentication token, such as a smartphone. Through extensive experiments, we demonstrate that Chirp-Loc offers high degree of security and usability. Our work paves the way for improving the resilience of context-based authentication against attackers that manipulate the context information and offers a way to implement authentication systems that minimize user interaction demands while offering a high degree of security.     

Seed-based authentication for mobile clients across multiple devices

Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but it also requires extra effort from users to memorize complex passwords. Seed-based authentication can simplify the process of authentication for mobile users. In the seed-based authentication, images can be used as credentials for a mobile app. A seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are more friendly to mobile users. Previous work had been done in seed-based authentication which focused on providing authentication from a single device. It is common that a mobile user may have two or more mobile devices. Authenticating the same user on different devices is challenging due to several aspects, such as maintaining the same credential for multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication for 40% at most, compared to single-device solutions.