一种基于二次剩余的动态口令算法*

针对基于动态口令的电子商务身份认证机制存在计算和通信负担过重及不能对用户的使用次数和使用时间进行控制的问题,利用二次剩余理论中计算模平方根的复杂性提出一种基于二次剩余的动态口令算法。本算法具有失效次数和失效时间两个特性,因为不需要任何口令和验证表,可以避免重放攻击,因此具有稳定的安全性。这些特点使其适合用于电子商务,如在线游戏、付费电视等。另外本算法客户端计算量很小,可以用于手机等计算能力有限的环境。     

一种基于消息认证码的身份认证算法

针对电子商务中广泛使用的密码身份认证法存在的易泄漏、重放攻击、负担过重等问题,提出一种基于消息认证码的身份认证算法,来解决上述问题。本算法具有失效次数和失效时间两个特性,不需要任何口令和验证表,因此具有稳定的安全性。此外本算法客户端计算量很小,可以用于手机等计算能力有限的环境。     

A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks

User authentication is one of the most important security services required for the resource-constrained wireless sensor networks (WSNs). In user authentication, for critical applications of WSNs, a legitimate user is allowed to query and collect the real-time data at any time from a sensor node of the network as and when he/she demands for it. In order to get the real-time information from the nodes, the user needs to be first authenticated by the nodes as well as the gateway node (GWN) of WSN so that illegal access to nodes do not happen in the network. Recently, Jiang et al. proposed an efficient two-factor user authentication scheme with unlinkability property in WSNs Jiang (2014). In this paper, we analyze Jiang et al.’s scheme. Unfortunately, we point out that Jiang et al.’s scheme has still several drawbacks such as (1) it fails to protect privileged insider attack, (2) inefficient registration phase for the sensor nodes, (3) it fails to provide proper authentication in login and authentication phase, (4) it fails to update properly the new changed password of a user in the password update phase, (5) it lacks of supporting dynamic sensor node addition after initial deployment of nodes in the network, and (6) it lacks the formal security verification. In order to withstand these pitfalls found in Jiang et al.’s scheme, we aim to propose a three-factor user authentication scheme for WSNs. Our scheme preserves the original merits of Jiang et al.’s scheme. Our scheme is efficient as compared to Jiang et al.’s scheme and other schemes. Furthermore, our scheme provides better security features and higher security level than other schemes. In addition, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. The simulation results clearly demonstrate that our scheme is also secure.     

New efficient user identification and key distribution scheme providing enhanced security

Apart from user identification and key distribution, it is very useful for the login process to achieve user anonymity. Recently, Wu and Hsu proposed an efficient user identification scheme with key distribution while preserving user anonymity by extending an earlier work of Lee and Chang. We however find out that the Wu and Hsu scheme has a serious weakness, which can be exploited by the service provider to learn the secret token of the user who requests services from the service provider. We further propose a scheme to overcome this limitation while attaining the same set of objectives as the previous works. Performance analyses have shown that efficiency in terms of both computation and communication is not sacrificed in our scheme.     

一个基于共享抛物线的安全远程登录认证方案

文章提出了一个基于共享抛物线的安全远程登录方案。该方案克服了Wu的基于共享直线方案[1]的缺点,而且可以抵制Hwang的攻击方法[2]。该方案的主要优点是用户可以随意选择或修改他们自己的口令,并且远程系统不需要为认证远程登录请求而事先存储认证表。     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

Remote login authentication scheme based on a geometric approach

A smart card-oriented remote login authentication scheme is presented. The proposed scheme can be divided into three phases: registration, login and authentication. In the registration phase, the registering user chooses a password only known to himself. The central authority (CA) assigns an identity for the user, and delivers a smart card to the registered user. The smart card contains some necessary public parameters used in the login and authentication phases. Based on some simple properties of Euclidean geometry, the login and authentication phases can be achieved easily. Impersonation and replay attacks on the proposed scheme are discussed.     

Android手机安全登录系统

针对Android手机应用软件登录中存在的设计缺陷和漏洞,梳理并分析了目前手机登录系统技术和不足之处,采用多因子（账号、密码、验证码、登录位置、登录次数、人脸数据）方案,构建手机安全登录系统. 该登录系统由登录、注册、日志审计、微信提醒、找回密码等功能构成. 详细介绍了设计思想、技术路线、安全验证逻辑和日志审计功能,实现了用户身份识别和登录行为审计,为用户提供了一个安全性高、易用性强、成本低的解决方案.     

A remote password authentication scheme based on the digital signature method

Conventional password authentication schemes require password files or verification tables to validate the legitimacy of the login user. In addition, for remote access, these schemes cannot withstand an attack by replaying a previously intercepted login request. In this paper, we propose a remote password authentication scheme based on the digital signature methods. This scheme does not require the system to maintain a password file, and it can withstand attacks based on message replaying.     

Efficient identity-based threshold decryption scheme from bilinear pairings

Using Shamir’s secret sharing scheme to indirectly share the identity-based private key in the form of a pairing group element, we propose an efficient identity-based threshold decryption scheme from pairings and prove its security in the random oracle model. This new paring-based scheme features a few improvements compared with other schemes in the literature. The two most noticeable features are its efficiency, by drastically reducing the number of pairing computations, and the ability it gives the user to share the identity-based private key without requiring any access to a private key generator. With the ability it gives the user to share the identity-based private key, our ID-based threshold decryption (IBTD) scheme, the second of its kind, is significantly more efficient than the first scheme, which was developed by Baek and Zheng, at the expense of a slightly increased ciphertext length. In fact, our IBTD scheme tries to use as few bilinear pairings as possible, especially without depending on the suite of Baek–Zheng secret sharing tools based on pairings.     

Merging: an efficient solution for a time-bound hierarchical key assignment scheme

Conventional hierarchical key assignment schemes have not been concerned with a practical situation: Users might be assigned to a class for only a period of time. When a user leaves a class, the keys of that class and all the descendent classes must be renewed. For applications where the privileges of users change frequently or where there are many users, the communication load for key redistributions is very large. Recently, Tzeng (2002) proposed a time-bound hierarchical key assignment scheme to address this issue. However, Tzeng's scheme was very complex and suffered from a collusion attack. In this paper, we propose an efficient time-bound scheme based on a technique called merging. The idea behind merging is to consider primitive keys instead of hierarchies. It is conceptually like the compression used in source coding. Through this technique, it is feasible to combine multiple keys into an aggregate key. Thus, communication and storage requirements are greatly reduced. This technique can also be used for an alternative implementation of Akl-Taylor's scheme. Moreover, it can be used to construct a systematic approach for adjusting hierarchies in Akl-Taylor's scheme as well. Through the insights gained from these exercises, we may see that some problems that are usually addressed by the conventional key assignment schemes can be solved directly via merging, with better performance. Furthermore, if other suitable merging functions are found in the future, new secure hierarchical key assignment schemes and time-bound schemes is obtained accordingly.     

基于社会网络特性的双混沌互反馈加密算法研究

社会网络的数据获取已经成为社会网络分析的重要基石,虽然大多数社会媒体提供给开发者官方接口以供数据获取,但是在调用频次、权限、内容等方面都有严格的限制,难以获取全面的数据。因此,基于用户模拟登录的数据获取方法显得尤为重要,然而目前大多数社会媒体的登录过程存在较大的安全隐患,其登录密码均采用明文传输,严重威胁到用户的隐私安全。详细分析了Twitter登录过程中客户端与服务器间的交互过程,并且在流量层面解析POST请求时,发现Twitter的登录密码采用明文传输。为此,提出一种基于社会网络特性的双混沌互反馈加密算法。该算法利用登录用户的ID、创建时间、关注数作为加密函数的初始值与参数,并通过Logistic映射和Tent映射两个混沌系统交互式运算,得出密钥序列。由于输入参数的特殊性,使得密文具有不可预测性。实验表明,该算法取得了较好的加密和解密效果,同时加密与解密均处于毫秒级,可以做到用户的无感操作。此外,该算法拥有初始条件极度敏感、密钥空间大、加密强度高等特点。该算法能有效地防止攻击者使用相图、穷举、统计等方法进行密码破解,具有广阔的应用前景。     

一种改进的智能卡远程用户匿名认证方案

针对Sonwanshi提出的远程用户认证方案存在会话密钥安全性差、不能抵御扮演攻击和离线口令猜测攻击的缺陷,提出了一种改进方案,主要在注册和登录阶段增加了安全性能。在注册阶段,用户口令直接在智能卡内进行相应运算,不再提交给服务器。这不仅降低了服务器对口令存储、维护的开销,而且避免了服务器对用户的攻击,提高了安全性能。在登录阶段,采用随机数的挑战应答方式取代原方案的时间戳方式,消除了时钟不同步导致的认证失败。对原方案、改进方案和其他同类方案进行安全性和效率分析的结果表明,改进方案不仅弥补了原方案的缺陷,而且相对同类方案,降低了时间复杂度,适用于安全需求高、处理能力低的设备。     

智能卡和口令结合的动态认证方案

远程认证协议能有效的保证远程用户和服务器在公共网络上的通信安全。提出一种匿名的安全身份认证方案,通过登录 的动态变化,提供用户登录的匿名性,通过用户和服务器相互验证建立共享的会话密钥,抵抗重放攻击和中间人攻击,实现用户安全和隐私,通过BAN逻辑分析证明改进方案的有效性,通过安全性证明和性能分析说明了新协议比同类型的方案具有更高的安全性、高效性。     

A strong user authentication scheme with smart cards for wireless communications

Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.     

Cryptanalysis of a mutual authentication scheme based on nonce and smart cards

To prevent the forged login attacks, Liu et al. recently proposed a new mutual authentication scheme using smart cards. However, we demonstrate that the attacker without any secret information can successfully not only impersonate any user to cheat the server but also impersonate the server to cheat any user. That is, Liu et al.’s scheme fails to defend the forged login attack as the previous version. Our cryptanalysis result is important for security engineers, who are responsible for the design and development of smart card-based user authentication systems.     

一个改进的基于混沌映射的移动端认证协议

摘要：人们使用移动设备进行电子转账,网上购物等经济活动需要认证协议来保证安全。最近,Zhu提出了一个基于混沌映射的认证协议方案。针对此方案,分析了其存在的缺陷,包括易遭受用户模仿攻击,离线字典攻击,无法提供用户匿名性,以及注册阶段及口令修改阶段存在设计缺陷,提出了一个改进的基于混沌映射（切比雪夫多项式）的移动端认证协议来克服这些缺陷。之后用BAN逻辑证明了安全性,又同其他相关方案进行了性能比较,结果显示提出的协议更加安全实用。     

基于仲裁的SM9标识加密算法

SM9-IBE是我国于2016年发布的标识加密算法行业标准.标识加密算法以用户的标识(如邮件地址、身份证号等)作为公钥,从而降低系统管理用户密钥的复杂性.然而,标识加密算法的密钥撤销和更新问题却变得更加困难.此外,SM9算法的结构特殊使得已有技术无法完全适用于该算法.为此,本文提出一种基于仲裁的SM9标识加密算法,可快...     

基于CPK的可信平台用户登录认证方案

用户登录身份认证是建立操作系统可信性的一个非常重要的环节,是建立可信计算环境的基础。首先讨论了认证的相关技术,介绍了CPK（组合公钥）原理,然后根据可信计算组织的规范,利用CPK算法和动态验证码的技术,提出了一种基于CPK的可信平台用户登录认证方案,该方案属于双因素认证方案,将认证和授权严格分开,并启发式分析了方案的特色和安全,最后在串空间模型下证明了方案的安全性,取得了比TCG标准中引用的方案更好的性能。