Similar literature
1.
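To address the security problems brought by the continuing development of the mobile Internet era, and given the dual mission of providing services that are both diverse and secure, this paper considers how to build open and secure cloud services for the era of mobile Internet cloud computing and proposes an open security service architecture. Based on the technical characteristics involved in developing the security service architecture, a cloud service platform architecture is also designed and built, which can provide a capability-exposure application cloud, an enterprise secure private application cloud, and an authentication and authorization public application cloud.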

2.
汤雅妃  张云勇  张尼 《电信科学》2015,31(8):158-164
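In cloud computing environments, user identity authentication, as the first line of defense for cloud security, plays a vital role. This paper analyzes the authentication requirements of current cloud service systems and, considering the advantages of fingerprint recognition in cloud security authentication, proposes a cloud security authentication system based on fingerprint recognition. Its system architecture and workflow are studied in depth, with the aim of using a more secure authentication method to prevent illegal access by malicious users and to ensure secure access to user data in the cloud environment.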

3.
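Information technology products based on the mobile Internet let people get online conveniently anytime and anywhere, but they also force people to consider the threat the mobile Internet poses to traditional security audit systems. Existing security audit systems can only monitor the inside of a local area network and cannot perform real-time, continuous auditing of mobile Internet devices, which span regions and network segments. This paper proposes a security audit framework for mobile Internet devices that uses embedded intelligent probe technology, combined with existing cloud platforms and big data processing technology, to build a cross-region, cross-segment mobile Internet audit cloud that meets the new challenges of mobile Internet security auditing.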

4.
In cloud computing environments, user authentication is an important security mechanism because it provides the fundamentals of authentication, authorization, and accounting (AAA). In 2009, Wang et al. proposed an identity-based (ID-based) authentication scheme to deal with the user login problem for cloud computing. However, Wang et al.'s scheme is insecure against message alteration and impersonation attacks. Besides, their scheme has large computation costs for cloud users. Therefore, we propose a novel ID-based user authentication scheme to solve the above mentioned problems. The proposed scheme provides anonymity and security for the user who accesses different cloud servers. Compared with the related schemes, the proposed scheme has less computation cost so it is very efficient for cloud computing in practice.

5.
Wearable devices, which provide the services of collecting personal data, monitoring health conditions, and so on, are widely used in many fields, ranging from sports to healthcare. Although wearable devices bring convenience to people's lives, they bring about significant security concerns, such as personal privacy disclosure and unauthorized access to wearable devices. To ensure the privacy and security of the sensitive data, it is critical to design an efficient authentication protocol suitable for wearable devices. Recently, Das et al. proposed a lightweight authentication protocol, which achieves secure communication between the wearable device and the mobile terminal. However, we find that their protocol is vulnerable to offline password guessing attack and desynchronization attack. Therefore, we put forward a user centric three‐factor authentication scheme for wearable devices assisted by cloud server. Informal security analysis and formal analysis using ProVerif are executed to demonstrate that our protocol not only remedies the flaws of the protocol of Das et al. but also meets desired security properties. Comparison with related schemes shows that our protocol satisfies security and usability simultaneously.

6.
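Security is the most closely watched and most controversial issue in cloud computing applications, and strong identity authentication of virtual machine users has long been one of the main security problems cloud computing needs to solve. Starting from the establishment of strong identity authentication for virtual machine users, this paper covers its necessity, usage requirements, virtual machine terminal authentication, virtual machine login authentication, and virtual machine operating system login authentication, and describes the related technologies and implementation flow for virtual machine user identity authentication.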

7.
郑贵德  陈明 《现代电子技术》2012,35(17):89-91,95
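This paper studies a mechanism that integrates password authentication, token authentication, and biometric authentication. Its novelty is that it uses protocol messages to recover the user's credentials and then uses traditional authentication techniques to verify those credentials, thereby providing an integrated identity authentication mechanism that separates an application system from its user authentication technology. The mechanism is easy to standardize and deploy widely, and can provide better security assurance for multi-tenant cloud environments.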

8.
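This paper analyzes the identity authentication scheme proposed by Zhang et al. and points out that it cannot resist offline password guessing attacks and has design flaws in the login and verification phases. Then, while retaining its advantages, a more secure and reliable password authentication protocol is proposed by introducing random numbers and adding information to the login request. The security analysis shows that the scheme effectively resists offline password guessing attacks and impersonation attacks and achieves mutual authentication, enhancing the security and practicality of the system.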

9.
Internet of Things (IoT) is a newly emerged paradigm where multiple embedded devices, known as things, are connected via the Internet to collect, share, and analyze data from the environment. In order to overcome the limited storage and processing capacity constraint of IoT devices, it is now possible to integrate them with cloud servers as large resource pools. Such integration, though bringing applicability of IoT in many domains, raises concerns regarding the authentication of these devices while establishing secure communications to cloud servers. Recently, Kumari et al. proposed an authentication scheme based on elliptic curve cryptography (ECC) for IoT and cloud servers and claimed that it satisfies all security requirements and is secure against various attacks. In this paper, we first prove that the scheme of Kumari et al. is susceptible to various attacks, including the replay attack and stolen-verifier attack. We then propose a lightweight authentication protocol for secure communication of IoT embedded devices and cloud servers. The proposed scheme is proved to provide essential security requirements such as mutual authentication, device anonymity, and perfect forward secrecy and is robust against security attacks. We also formally verify the security of the proposed protocol using BAN logic and also the Scyther tool. We also evaluate the computation and communication costs of the proposed scheme and demonstrate that the proposed scheme incurs minimum computation and communication overhead, compared to related schemes, making it suitable for IoT environments with low processing and storage capacity.

10.
Recently, mobile phones have been recognized as the most convenient type of mobile payment device. However, they have some security problems; therefore, mobile devices cannot be used for unauthorized transactions using anonymous data by unauthenticated users in a cloud environment. This paper suggests a mobile payment system that uses a certificate mode in which a user receives a paperless receipt of a product purchase in a cloud environment. To address mobile payment system security, we propose the transaction certificate mode (TCM), which supports mutual authentication and key management for transaction parties. TCM provides a software token, the transaction certificate token (TCT), which interacts with a cloud self‐proxy server (CSPS). The CSPS shares key management with the TCT and provides simple data authentication without complex encryption. The proposed self‐creating protocol supports TCM, which can interactively communicate with the transaction parties without accessing a user's personal information. Therefore, the system can support verification for anonymous data and transaction parties and provides user‐based mobile payments with a paperless receipt.

11.
The mobile cloud computing (MCC) has enriched the quality of services that the clients access from remote cloud‐based servers. The growth in the number of wireless users for MCC has further augmented the requirement for a robust and efficient authenticated key agreement mechanism. Formerly, the users would access cloud services from various cloud‐based service providers and authenticate one another only after communicating with the trusted third party (TTP). This requirement for the clients to access the TTP during each mutual authentication session, in earlier schemes, contributes to the redundant latency overheads for the protocol. Recently, Tsai et al. have presented a bilinear pairing based multi‐server authentication (MSA) protocol, to bypass the TTP, at least during mutual authentication. The scheme construction works fine, as far as the elimination of TTP involvement for authentication has been concerned. However, Tsai et al.'s scheme has been found vulnerable to server spoofing attack and desynchronization attack, and lacks smart card‐based user verification, which renders the protocol inapt for practical implementation in different access networks. Hence, we have proposed an improved model designed with bilinear pairing operations, countering the identified threats as posed to Tsai scheme. Additionally, the proposed scheme is backed up by performance evaluation and formal security analysis.

12.
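Identity authentication that combines a smart card with a password retains the advantage of using a strong key while remaining easy to use, making it an ideal secure two-factor authentication method. Many currently published password authentication schemes either require a relatively powerful computing environment and are therefore hard to implement quickly on a smart card, or have security flaws because they cannot resist offline password guessing attacks or server-side insider attacks. This paper proposes an unbalanced password authentication scheme based on the two factors of a smart card and a user password. It is simple and efficient, keeps the password secure, provides mutual authentication, resists offline password guessing attacks and server-side insider attacks, and can be used to meet the secure authentication requirements at device power-on.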

13.
沈杰  李斌  常乐 《电信网技术》2013,(12):49-52
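Mobile cloud computing security measurement is a research area within cloud computing security. It mainly studies the security problems, and the security measurement methods, that arise when cloud computing services are used over the mobile Internet from mobile terminals such as mobile phones. This paper analyzes the security problems in the current development of the mobile cloud computing industry and points out that these problems are the key obstacle to users adopting cloud computing services. It analyzes the advantages and disadvantages of applying traditional security measurement methods to mobile cloud computing and, on that basis, proposes a scenario-based security measurement method for mobile cloud computing. The method can effectively measure and display the security status of the cloud computing service a user is using, relieving users' security concerns so they can use the service with confidence.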

14.
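To protect information security, government departments and enterprises have set up information security systems that encrypt important electronic documents. However, employees working off-site cannot always carry their own computers and sometimes must use someone else's or a public computer, in which case the security of confidential files cannot be guaranteed. This paper proposes a mobile device encryption system that builds the encryption and decryption functions into the mobile device, with an authentication mode protecting those functions. Ciphertext files can be stored on the mobile device and carried out, or transmitted over the Internet, without concern about the risk of leakage. At a remote location, any computer can use the ciphertext files by connecting to the mobile device, thereby ensuring information security.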

15.
孙红  杨丽 《电子科技》2015,28(9):175
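This paper introduces the concepts of cloud computing and the Internet of Things, analyzes the necessity of integrating the two and the basic platform for combining them, and proposes a cloud-based Internet of Things architecture. It studies the security threats facing the three-layer architecture of the cloud-based Internet of Things, presents a security architecture for the cloud-based Internet of Things in response to those threats, and gives an authentication scheme for cloud users at the application layer of the cloud-based Internet of Things. The scheme borrows the schema partitioning rules and permission assignment methods of database technology to strictly authenticate users of the cloud-based Internet of Things and ensure data security.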

16.
Anonymous channel tickets have been proposed as a way to provide user anonymity and to reduce the overhead of re‐authentication for authentication in wireless environments. Chen et al. proposed a secure and efficient protocol, based on a protocol proposed by Yang et al., which is resistant to guessing attacks on networks from which users’ secret keys are easy to obtain. However, their scheme is time‐consuming in the phases of ticket issuing and authentication. Furthermore, a malicious attacker can utilize the expired time, Texp, to launch a denial of authentication (DoA) attack, which is a type of denial of service attack. Because Texp is exposed to any user, it would be easy to launch a DoA attack that could make the scheme impractical. To resist against DoAs that the scheme of Chen et al. might suffer, we propose an improved scheme based on elliptic curve cryptography in this paper. Our scheme not only reduces time cost but also enhances security. The basis of the proposed scheme is the elliptic curve discrete logarithm problem. The operations of points of an elliptic curve are faster and use fewer bits to achieve the same level of security. Therefore, our scheme is more suitable for mobile devices, which have limited computing power and storage. Copyright © 2012 John Wiley & Sons, Ltd.

17.
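Near field communication (NFC) is a short-range wireless communication technology that is already widely used, most commonly in applications such as mobile payment and door access control. Technically, these applications use NFC card emulation mode to make the NFC device emulate a bank card or an access card and then wait for an external reader to verify it. In such scenarios, choosing a suitable security authentication scheme is very important. This paper first introduces existing NFC authentication systems and security schemes and analyzes the system security requirements and potential security risks. Then, using hash, AES, and a dynamic password key update mechanism, it proposes a mutual authentication security scheme suitable for NFC mobile devices and designs a self-synchronization mechanism. Finally, the security of the scheme is proved formally using GNY logic, and the analysis shows that the scheme addresses security problems such as forgery, replay attacks, eavesdropping, tampering, and desynchronization attacks.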

18.
Ubiquitous networks provide roaming service for mobile nodes enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roamed mobile node and the foreign network is needed to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel to computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued their schemes to satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al.'s scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al.'s scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improved the security but also retained a lower computational cost as compared with existing schemes. We prove the security of proposed scheme in random oracle model. Copyright © 2015 John Wiley & Sons, Ltd.

19.
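Formal analysis and improvement of the 3G authentication and key distribution protocol   Total citations: 4, self-citations: 0, citations by others: 4
This paper introduces the authentication and key distribution (AKA) protocol used in third-generation mobile communication systems. The authentication of the user's UE (user equipment) by the network home location register/visitor location register (HLR/VLR) and the authentication of the network HLR/VLR by the user's UE use two different approaches: the former is a challenge-response authentication process, and the latter is a proof-of-knowledge authentication process. The two processes are each analyzed with the BAN formal logic method, and it is shown that, even assuming the system between the HLR and VLR is secure, the proof-of-knowledge authentication process still has a security vulnerability. 3GPP adopts a supplementary measure based on sequence numbers; this paper also presents another improvement.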

20.
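As mobile communication technology matures, the number of mobile users is growing rapidly, and people increasingly want to use their own devices at work (bring your own device, BYOD). Mobile devices let users access systems anytime and anywhere and obtain data and conduct business quickly and conveniently, but they also bring the security risks inherent to mobile devices. Because current mobile devices lack hardware-based root-of-trust capabilities, they cannot give users strong security assurance. This article describes mobile device security components in detail, presents a mobile device architecture, and focuses on the basic security functions needed for mobile devices to be used more securely.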
