基于TrustZone的可信移动终端云服务安全接入方案

可信云架构为云计算用户提供了安全可信的云服务执行环境,保护了用户私有数据的计算与存储安全. 然而在移动云计算高速发展的今天, 仍然没有移动终端接入可信云服务的安全解决方案. 针对上述问题, 提出了一种可信移动终端云服务安全接入方案, 方案充分考虑了移动云计算应用背景, 利用ARM TrustZone硬件隔离技术构建可信移动终端, 保护云服务客户端及安全敏感操作在移动终端的安全执行, 结合物理不可克隆函数技术, 给出了移动终端密钥与敏感数据管理机制. 在此基础之上, 借鉴可信计算技术思想, 设计了云服务安全接入协议, 协议兼容可信云架构, 提供云服务端与移动客户端间的端到端认证. 分析了方案具备的6种安全属性, 给出了基于方案的移动云存储应用实例, 实现了方案的原型系统. 实验结果表明, 可信移动终端TCB较小, 方案具有良好的可扩展性和安全可控性, 整体运行效率较高.     

一种基于IKE协议的移动VPN安全通信方案

实现移动终端的安全接入、移动通信的安全传输是智能移动终端普及和移动业务扩展的重要环节。以保证移动数据安全交换为目的,针对移动终端接入企业内网所面临的安全问题,提出了一种移动VPN(Virtual PrivateNetwork)通信方案。方案对IPSec VPN的IKE(Internet Key Exchange)协商流程进行了改进,能支持多因子认证和基于角色的访问控制。分析和实验测试证明了方案的安全性和可行性。     

在移动战术环境下的终端安全接入方案

针对在搜索、救援、军事作战等环境中,恶劣的通信状况和频繁的终端移动造成传统的安全认证体制难以实现终端安全接入的问题,提出了一种移动战术环境下的终端安全接入方案。该方案采用一种无证书的密钥管理机制,分析了终端移动后的安全认证过程,以及终端和网关受损或被入侵后的安全处理方法。仿真结果表明,该方案提高了网关与终端之间授权与认证的安全性,能够很好地抵抗已知攻击,解决了战术环境下缺少相互认证以及密钥托管的问题,并且该方案使用的无证书密钥算法较其他算法有更好的安全性和更少的计算开销,可以对终端移动过程中接入网关的安全性与能耗进行权衡。     

基于加密SD卡的内网移动终端可信接入方案

为了解决因不可信移动终端非法接入内网导致的信息安全问题,设计了一种基于加密SD卡的内网移动终端可信接入方案。通过可信计算技术,以加密SD卡作为可信硬件设备实现了移动终端设备的可信启动、完整性验证与内网可信接入,并对接入后移动终端与内网的数据交互过程提供了一种加密通信安全存储机制。实验结果表明,该方案在不改变移动终端基本架构的前提下,较为高效地对移动终端进行安全性认证,并在一定程度上保护内网环境的安全。     

异构无线融合网络统一接入认证研究

不同网络同时维护多套认证设施会大幅降低异构融合网络的接入效率,多套认证机制中的短板效应也会降低融合网络中的安全性能。为此,提出基于用户、位置、寻址的信息分离技术,从移动通信系统对安全的需求出发,分析并借鉴3G网络认证与密钥分配协议,在异构无线网络环境中建立基于统一用户标识的的认证方案。仿真测试结果表明,该方案实现了异构网络和移动终端的统一接入及安全 认证。     

一体化移动安全接入系统的设计与实现

从网络适应性、接入方式多样性、接入平台多种类的移动接入需求入手,针对移动安全接入现有的缺点,提出了基于用户的接入控制和管理技术,给出了接入认证方案.并采用一体化的方法,设计了移动安全接入的体系结构,实现了一种新的一体化移动安全接入系统,解决了基于移动通信和互联网的接入安全问题.     

宽带无线IP系统移动终端的安全接入技术

针对目前宽带无线IP系统移动终端的接入现状，本文基于公钥密码机制，提出了一种宽带无线IP系统移动终端的安全接入技术。该技术是无线通信技术、网络技术及密码技术相结合的产物，它不仅解决了目前无线IP系统中移动终端没有接入控制与非安全接入问题，而且完成了移动终端的接入控制，实现了其通信保密功能。持有证书的移动终端既可以本地接入，也可以异地登录，从而保障了其通信漫游功能。理论分析与实验结果均表明，该方案不仅切实可行，而且相比目前技术具有无可比拟的安全性。     

企业办公网移动终端安全接入技术研究

针对企业办公网移动终端设备安全接入问题,研究了移动终端的安全接入技术,并构建了安全接入系统架构,实现移动终端访问企业办公网的安全接入,及企业办公网向移动终端设备延伸的安全保障机制,为开放网络环境下的移动办公提供了安全支撑.     

基于PKI的无线异构网接入认证

利用PKI提出了一种新的公钥认证方案,该方案针对移动终端计算速度慢、存储量小的特点,本着尽量减少移动终端计算量、节省存储空间的原则,引入＂密钥短,安全性高＂的椭圆曲线密码体制进行加密和签名,并对加密和签名算法精心选择;采用归属方辅助证明的方法,使移动终端不传递和验证证书;移动终端和接入认证服务器之间以及各接入认证服务器间不需要预先存在安全关联;认证服务器间也不需要有相同的公钥参数,增强了系统的扩展性。     

一种移动终端的安全认证方法

为了确保移动终端的信息安全,针对一种结合移动云计算技术的移动终端安全认证方法进行研究,设计基于多跳接入的最优截断带宽分配方案D2MSMC网络覆盖扩展机制,对无线网络拓扑结构进行优化。D2MSMC算法最大化了认证服务器网络的服务质量,确保移动终端安全认证的过程顺利进行,保护移动终端的信息安全。仿真实验结果表明该方法有效地提高了移动终端安全认证的可靠性和稳定性。     

智能卡和口令结合的动态认证方案

远程认证协议能有效的保证远程用户和服务器在公共网络上的通信安全。提出一种匿名的安全身份认证方案,通过登录 的动态变化,提供用户登录的匿名性,通过用户和服务器相互验证建立共享的会话密钥,抵抗重放攻击和中间人攻击,实现用户安全和隐私,通过BAN逻辑分析证明改进方案的有效性,通过安全性证明和性能分析说明了新协议比同类型的方案具有更高的安全性、高效性。     

Remote login authentication scheme based on a geometric approach

A smart card-oriented remote login authentication scheme is presented. The proposed scheme can be divided into three phases: registration, login and authentication. In the registration phase, the registering user chooses a password only known to himself. The central authority (CA) assigns an identity for the user, and delivers a smart card to the registered user. The smart card contains some necessary public parameters used in the login and authentication phases. Based on some simple properties of Euclidean geometry, the login and authentication phases can be achieved easily. Impersonation and replay attacks on the proposed scheme are discussed.     

增强的基于智能卡的远程用户认证协议

基于智能卡的远程用户认证协议比基于口令的安全协议能提供更好的安全性。2011年Chen等提出一种对Hsiang-Shih方案改进的基于智能卡的远程认证协议,并称解决了相关方案中存在的各种攻击问题。指出Chen等方案仍然存在着内部攻击、丢失智能卡攻击、重放攻击和身份冒充攻击,并针对基于口令和智能卡的远程认证协议类存在的离线口令猜测攻击提出一种基于智能卡和椭圆曲线离散对数问题的认证协议。该协议能抵抗提到的所有攻击,在登陆和认证阶段只需要一个点乘运算。     

An improved timestamp-based remote user authentication scheme

To protect the remote server from various malicious attacks, many authentication schemes have been proposed. Some schemes have to maintain a password verification table in the remote server for checking the legitimacy of the login users. To overcome potential risks of verification tables, researchers proposed remote user authentication schemes using smartcard, in which the remote server only keeps a secret key for computing the user’s passwords and does not need any verification table for verifying legal user. In 2003 Shen, Lin, and Hwang proposed a timestamp-based password authentication scheme using smartcards in which the remote server does not need to store the passwords or verification table for user authentication. Unfortunately, this scheme is vulnerable to some deadly attacks. In this paper, we analyze few attacks and finally propose an improved timestamp-based remote user authentication scheme. The modified scheme is more efficient and secure than original scheme.     

组播用户安全管理系统设计与实现

为了克服IP组播模型的开放性,使得在现有互联网条件下能够为组播管理者提供用户对频道的访问控制,在原有安全组播模型的基础上,提出了一种基于IPv6网络环境的组播用户安全管理系统模型的设计方案。该方案采用钩子(hook)机制在接入路由器上挂载了认证与访问控制模块,任何想要监听组播流的用户,都要通过该模块进行身份认证与频道访问权限的判定,从而实现了基于频道的组播用户安全管理。并在教育科研骨干网中实验验证了该系统的身份认证和访问控制功能。     

基于区块链的身份托管模型研究

针对现有中心化信任下用户多身份管理难的问题,提出一种基于区块链的身份托管模型。模型将用户拥有的各个系统的身份信息采用椭圆曲线算法加密签名,确保身份信息的所有权;设计了身份认证区块链模型和身份信息上链的智能合约,将身份签名结果存储到区块链中,确保其安全和不可篡改;设计了登录验证的智能合约,使用用户公钥对签名信息验证用户是否具有登录系统的权限。对该区块链身份托管模型在Hyperledger Fabric中进行实验论证,实验结果表明,该模型具有高的安全性和时间效率,能方便管理用户的多个系统身份信息。     

Secure Key Management Based Mobile Authentication in Cloud

Authentication is important to the security of user data in a mobile cloud environment. Because of the server’s user credentials, it is subject to attacks. To maintain data authentication, a novel authentication mechanism is proposed. It consists of three independent phases: Registration, login, and authentication and key agreement. The user registers with the Registration Center (RC) by producing a secret number that isn’t stored in the phone, which protects against privileged insider attacks. The user and server generate a nonce for dynamic user identity and agree on a session secret key for safe communication. The passwords are not stored on the computer or provided in plain text, they are resistant to replay, guessing, and stolen verification attacks. The suggested protocol uses a one-way hash function and XOR operations, with the client having remote access to a large number of servers over a secure communication channel. Concentrates on HMAC and SHA3 for Collision Free Hashing and to overcome length extension attacks. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone. So adding an HMAC to an MD5 or SHA hash would make it substantially more difficult to break via a rainbow table.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

基于可信度计算的网络接入认证模型研究

由于远程终端本身的不安全性或合法身份被利用而导致内网安全事故,针对此问题,提出了一种基于可信度计算的网络接入认证模型,通过集成现有身份认证技术和可信度计算方法,动态计算终端的可信度值.当目标终端可信度低于设定值或访问超时,启动重新认证机制,从而弥补现有认证方法的不足.同时给出了该模型完整的执行过程.