无线局域网中的信息安全保护和安全漫游

在描述无线局域网中现有安全机制的基础上,提出了一个比较全面的信息安全保护和安全漫游解决方案。采用RADIUS和ESSID认证、MAC地址过滤、WEP加密并动态生成WEP密钥(128位加密密钥)等机制,来保护用户数据的私密性;采用基于MobileIP和RADIUS协议的漫游机制来支持用户在多个接入点之间的漫游,保证用户在进行安全漫游时不中断业务。     

Cryptanalysis and improvement of Panda - public auditing for shared data in cloud and internet of things

Cloud computing and internet of things have gained remarkable popularity by a wide spectrum of users recently. Despite of the convenience of cloud storage, security challenges have risen upon the fact that users do not physically possess their data any more. Thus, some auditing schemes are introduced to ensure integrity of the outsourced data. And among them Panda is a public auditing scheme for shared data with efficient and secure user revocation proposed by Wang et al. It argued that it could verify the integrity of shared data with storage correctness and public auditing. In this paper, we analyze this scheme and find some security drawbacks. Firstly, Panda cannot preserve shared data privacy in cloud storage. Furthermore, our analysis shows that Panda is vulnerable to integrity forgery attack, which can be performed by malicious cloud servers to forge a valid auditing proof against any auditing challenge even without correct data storage. Then we pinpoint that the primary cause of the insecurity is the linear combinations of sampled data blocks without random masking properly. Finally, we propose an improvement of Panda together with data privacy preserving and sound public auditing while incurring optimal communication and computation overhead.     

Privacy-preserving public auditing for educational multimedia data in cloud computing

Nowadays, as distance learning is being widly used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But, it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and temper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.     

A secure re‐encryption scheme for data services in a cloud computing environment

Cloud computing as a promising technology and paradigm can provide various data services, such as data sharing and distribution, which allows users to derive benefits without the need for deep knowledge about them. However, the popular cloud data services also bring forth many new data security and privacy challenges. Cloud service provider untrusted, outsourced data security, hence collusion attacks from cloud service providers and data users become extremely challenging issues. To resolve these issues, we design the basic parts of secure re‐encryption scheme for data services in a cloud computing environment, and further propose an efficient and secure re‐encryption algorithm based on the EIGamal algorithm, to satisfy basic security requirements. The proposed scheme not only makes full use of the powerful processing ability of cloud computing but also can effectively ensure cloud data security. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security model. Copyright © 2015 John Wiley & Sons, Ltd.     

云计算中数据隐私的安全保护机制

在云计算中,用户所拥有的数据信息通常被存放在遥远的云端,而其它用户常常能够访问这些数据且这些数据通常不由数据拥有者自己控制和管理.在此状况下,如何在云计算中保护用户的数据隐私安全则是一个十分具有挑战性的问题.为了解决这个问题,本文提出了一种数据隐私的安全保护机制.在此安全保护机制中,针对用户数据上载和访问的过程,首先提出了一种数据隐私保护的安全流程.在此基础上,提出了用户数据安全存储算法和云端数据安全访问算法.为了证明这种保护机制的有效性,本文对其安全性能进行了一系列的分析.分析结果表明：在云计算中使用这种机制能够确保数据隐私的安全性.     

Trusted data sharing with flexible access control based on blockchain

Along with the progress of cloud service, a growing quantity of data owners store their data on cloud databases, which can not only reduce data owners’ storage cost but also provide a quick search function. However, while cloud storage brings some conveniences to users, new privacy problems may emerge, such as the leakage of data privacy and user’s query privacy. The best way of protecting data privacy is to encrypt the data. So how to efficiently retrieve the ciphertext to make it available becomes a hot issue in recent years. In this paper, new searchable encryption with multiple keywords is described, it can improve the accuracy of retrieval results, and we present a secure and trusted data sharing framework based on attribute-based encryption (ABE), searchable encryption, and blockchain. Unlike the previous studies, we realize flexible data sharing by using ABE. Furthermore, we transfer the related calculation of ciphertext retrieval to blockchain for credible execution without relying on any trusted third party. The security analysis proves that our method meets the proposed security requirements of data, keyword index, trapdoor, and query. Finally, the experimental results indicate that our scheme suggested has certain practicability and efficiency.     

An efficient and secure authentication protocol for RFID systems

The use of radio frequency identification (RFID) tags may cause privacy violation of users carrying an RFID tag. Due to the unique identification number of the RFID tag, the possible privacy threats are information leakage of a tag, traceability of the consumer, denial of service attack, replay attack and impersonation of a tag, etc. There are a number of challenges in providing privacy and security in the RFID tag due to the limited computation, storage and communication ability of low-cost RFID tags. Many research works have already been conducted using hash functions and pseudorandom numbers. As the same random number can recur many times, the adversary can use the response derived from the same random number for replay attack and it can cause a break in location privacy. This paper proposes an RFID authentication protocol using a static identifier, a monotonically increasing timestamp, a tag side random number and a hash function to protect the RFID system from adversary attacks. The proposed protocol also indicates that it requires less storage and computation than previous existing RFID authentication protocols but offers a larger range of security protection. A simulation is also conducted to verify some of the privacy and security properties of the proposed protocol.     

基于区块链的众包物流分级多层智能服务交易监管架构

针对现代服务业的支柱产业众包物流缺乏交易监管致使存在的伪造、欺骗、隐私泄露和不可追溯等安全威胁,提出了基于区块链的众包物流分级多层智能服务交易监管架构。首先,该架构采用了国家授权认证中心对物流服务平台监管与物流服务平台对物流参与主体监管的二级监管体系。之后,在该监管体系架构下,实现了群智合约、合法匿名的身份认证、智能交易匹配、异常数据分析与检测、隐私保护及可追溯等功能。然后,通过安全性分析与交易监管构件软件验证交易监管架构的安全可控及运行效率。最后,在真实的众包物流企业平台上运行该软件构件进行实际测量,测量结果显示,所提出的众包物流分级多层智能服务交易监管架构是安全可控的,能够保障用户和数据的隐私,防范伪造和欺骗,实现用户行为和用户数据的可审计和可追溯。     

一种改进的双向盲代理重签名方案

分析了Deng等(DENG Y Q, DU M H, YOU Z L, et al. A blind proxy re-signatures scheme based on standard model [J]. Journal of Electronics and Information Technology, 2010, 32(5): 1119-1223)提出的双向盲代理重签名方案,发现该方案是不安全的,并给出了一种伪造攻击,受托者不需要与代理者合谋就能成功伪造委托者的签名。为了克服该方案存在的安全缺陷,提出了一个在标准模型下可证安全的双向盲代理重签名方案,可以有效地抵抗这类伪造攻击,并且受托者和代理者都无法获知所签消息的内容,能够更好地保护消息的隐私。分析结果表明,改进的新方案具有盲性、双向性、多用性、透明性和密钥最优性。     

基于SM9算法可证明安全的区块链隐私保护方案

为了解决区块链交易过程中的隐私泄漏问题,对SM9标识密码算法进行改进,提出了基于身份认证的多KGC群签名方案.以联盟链为基础,设计了基于SM9算法可证明安全的区块链隐私保护方案,并对以上方案进行安全性与效率分析.通过分析证明,方案具有签名不可伪造、保证节点匿名及前向安全等特性.通过效率分析：该方案较Al-Riyami等人提出的无证书签名方案减少2次双线性对运算,验签效率提高约40%;较Tseng等人与Chen等人提出的方案分别减少4次与2次指数运算,计算效率整体得到提高.该方案通过多KGC群签名保护交易双方的用户身份,实现在节点间进行身份验证的同时,保护了节点的隐私.     

智能卡和口令结合的动态认证方案

远程认证协议能有效的保证远程用户和服务器在公共网络上的通信安全。提出一种匿名的安全身份认证方案,通过登录 的动态变化,提供用户登录的匿名性,通过用户和服务器相互验证建立共享的会话密钥,抵抗重放攻击和中间人攻击,实现用户安全和隐私,通过BAN逻辑分析证明改进方案的有效性,通过安全性证明和性能分析说明了新协议比同类型的方案具有更高的安全性、高效性。     

网格环境中证书和策略的隐私保护机制研究

网格访问控制机制中网格实体的访问控制策略和证书的隐私保护是网格安全的一个重要方面,其重要性随着网格技术的进一步广泛应用而日益突出.利用安全函数计算和同态加密理论来解决访问控制过程中策略和证书的隐私保护问题.首先提出了适应于复合策略表达的电路组成方法,并基于无记忆传递机制和"混乱电路"计算协议提出了策略计算协议;然后提出了基于同态加密理论的属性相等测试协议;最后基于策略计算协议和属性相等测试协议提出了策略和证书的隐私保护协议.分析表明,本方案可以对策略和证书的属性进行完全的隐私保护,并且可以避免传统方法所引起的循环依赖问题.     

基于生物加密的认证机制

为克服传统认证技术在保护安全和隐私方面的不足,提出了一种基于生物加密的身份认证模型。运用生物加密技术对用户脸部特征和密钥进行保护,防止非授权用户的访问和非授权资源的使用。实验结果表明,尽管人的面部表情变化多端,基于生物加密技术的认证系统仍能正确区分真正的用户与仿冒用户,起到很好的认证效果,保证了安全通信。     

一种无线传感器网络匿名安全路由协议*

为了能在有限资源的无线传感器网络上进行安全的匿名通信,使用双线性函数的双线性对和异或运算提出了一种匿名安全路由协议,与目前现有的无线网络匿名通信方案相比,协议不仅能提供身份的机密性、位置隐私性和路由的匿名性,而且还满足前向和后向安全性,并且大大提高了系统的计算复杂度和带宽消耗,更适合无线传感器网络。     

Study on two privacy-oriented protocols for information communication systems

In these days, the privacy of a user in information communication system is more important than ever before. Especially, the property is important for mobile communication systems due to the mobility of underlying mobile devices. Until now, many cryptographic tools have been proposed for achieving users’ privacy. In this paper, we review two privacy-oriented cryptographic protocols, and show their security holes. We also provide some countermeasure to fix the weaknesses. First, we discuss the security of the user identification scheme proposed by Hsu and Chuang which permits a user to anonymously log into a system and establish a secret key shared with the system. We show that the Hsu-Chuang scheme is not secure against known session key attacks, and then we provide a countermeasure which can be used for enhancing the security the Hsu-Chuang scheme. Secondly, we review a deniable authentication proposed by Harn and Ren which protects the privacy of a message sender. Then we show that the protocol has a potential incompleteness and two weaknesses.     

高效且可验证的多授权机构属性基加密方案

移动云计算对于移动应用程序来说是一种革命性的计算模式,其原理是把数据存储及计算能力从移动终端设备转移到资源丰富及计算能力强的云服务器.但是这种转移也引起了一些安全问题,例如,数据的安全存储、细粒度访问控制及用户的匿名性.虽然已有的多授权机构属性基加密云存储数据的访问控制方案,可以实现云存储数据的保密性及细粒度访问控制;但其在加密和解密阶段要花费很大的计算开销,不适合直接应用于电力资源有限的移动设备;另外,虽然可以通过外包解密的方式,减少解密计算的开销,但其通常是把解密外包给不完全可信的第三方,其并不能完全保证解密的正确性.针对以上挑战,本文提出了一种高效的可验证的多授权机构属性基加密方案,该方案不仅可以降低加密解密的计算开销,同时可以验证外包解密的正确性并且保护用户隐私.最后,安全分析和仿真实验表明了方案的安全性和高效性.     

Control your Facebook: An analysis of online privacy literacy

For an effective and responsible communication on social network sites (SNSs) users must decide between withholding and disclosing personal information. For this so-called privacy regulation, users need to have the respective skills—in other words, they need to have online privacy literacy. In this study, we discuss factors that potentially contribute to and result from online privacy literacy. In an online questionnaire with 630 Facebook users, we found that people who spend more time on Facebook and who have changed their privacy settings more frequently reported to have more online privacy literacy. People with more online privacy literacy, in turn, felt more secure on Facebook and implemented more social privacy settings. A mediation analysis showed that time spend on Facebook and experience with privacy regulation did not per se increase safety and privacy behavior directly, stressing the importance of online privacy literacy as a mediator to a safe and privacy-enhancing online behavior. We conclude that Internet experience leads to more online privacy literacy, which fosters a more cautious privacy behavior on SNSs.     

MILC: A secure and privacy-preserving mobile instant locator with chatting

The key issue for any mobile application or service is the way it is delivered and experienced by users, who eventually may decide to keep it on their software portfolio or not. Without doubt, security and privacy have both a crucial role to play towards this goal. Very recently, Gartner has identified the top ten of consumer mobile applications that are expected to dominate the market in the near future. Among them one can earmark location-based services in number 2 and mobile instant messaging in number 9. This paper presents a novel application namely MILC that blends both features. That is, MILC offers users the ability to chat, interchange geographic co-ordinates and make Splashes in real-time. At present, several implementations provide these services separately or jointly, but none of them offers real security and preserves the privacy of the end-users at the same time. On the contrary, MILC provides an acceptable level of security by utilizing both asymmetric and symmetric cryptography, and most importantly, put the user in control of her own personal information and her private sphere. The analysis and our contribution are threefold starting from the theoretical background, continuing to the technical part, and providing an evaluation of the MILC system. We present and discuss several issues, including the different services that MILC supports, system architecture, protocols, security, privacy etc. Using a prototype implemented in Google’s Android OS, we demonstrate that the proposed system is fast performing, secure, privacy-preserving and potentially extensible.     

可验证的云存储安全数据删重方法

数据删重技术在云存储系统中得到了广泛的应用.如何在保证数据隐私的前提下,在半可信的云存储系统中实现高效的数据删重,是云计算安全领域的研究热点问题.现有方案在数据标识管理和用户数量统计方面普遍依赖于在线的可信第三方,执行效率有待提高,且容易造成系统瓶颈.提出了一种可验证的数据删重方法,无需可信第三方在线参与.基于双线性映射构造双文件标识方案进行流行度查询,确保标识不泄露数据的任何明文信息.采用改进的群签名方案,使用户可验证服务器返回的流行度标识,有效地防止云服务器伪造数据流行度的查询结果.设计了多层加密方案,可以根据数据的流行度,采用不同的加密方式.分析并证明了方案的安全性和正确性.通过仿真实验,验证了方案的可行性和高效性.