基于代理随机数的低成本RFID安全协议

针对低成本电子标签安全隐私保护能力和防跟踪能力较弱的问题,采用读写器代理生成随机数的方法,提出一种面向大容量被动型标签的新型无线射频识别(RFID)安全认证协议。理论分析证明,该协议具有前向安全性,能够防止位置隐私攻击、窃听攻击,保障数据的保密性、可靠性和一致性,且硬件复杂度较低,适用于低成本电子标签。     

异构无线融合网络统一接入认证研究

不同网络同时维护多套认证设施会大幅降低异构融合网络的接入效率,多套认证机制中的短板效应也会降低融合网络中的安全性能。为此,提出基于用户、位置、寻址的信息分离技术,从移动通信系统对安全的需求出发,分析并借鉴3G网络认证与密钥分配协议,在异构无线网络环境中建立基于统一用户标识的的认证方案。仿真测试结果表明,该方案实现了异构网络和移动终端的统一接入及安全 认证。     

WSN中的无证书认证和密钥协商协议

由于无线传感器网络节点在能量、计算能力和存储能力等方面的局限性,传统的网络认证密钥协商协议难以直接应用到无线传感器网络中。为此,基于无证书的公钥密码体制,提出一种适用于无线传感器网络的认证和密钥协商协议,克服传统公钥认证的证书管理问题和基于身份认证的密钥托管问题。通过分析证明该协议满足认证协议各方面的安全属性要求,与已有的认证密钥协商协议相比,系统开销更少。     

一种改进的无线传感器网络密钥管理方案

在无线传感器网络中,针对已有动态更新密钥管理方案的无身份认证、可扩展性差等问题,提出一种实用的无线传感器网络密钥管理方案。采用增加身份认证模块的方法,设计可行的新节点加入机制。分析结果表明,与原方案及同类密钥管理方案相比,该方案在保持安全高效的同时,具有更好的可扩展性和网络连通性。     

Using and managing multiple passwords: A week to a view

Security policies are required that protect information from unauthorised access, and also respect challenges users face in creating, and particularly managing, increasing numbers of passwords. This paper investigates real password use in the context of daily life. It presents the results of an empirical study where participants completed a password diary over 7 days, followed by debrief interviews to gain further knowledge and understanding of user behaviour. The results reported relate to how many passwords are in use, the types of passwords participants created, the relationships between different passwords and to sensitive services, how participants retrieved their passwords and finally, the different strategies adopted by users in their management of passwords. The paper concludes by providing a high level set of password guidelines, along with suggestions for mechanisms to support creating, encoding, retrieving and executing multiple passwords.     

RFID标签所有权转移协议研究

无线射频识别技术(RFID)是适用于普适计算环境的技术之一,它的应用正在变得随处可见.RFID安全与隐私问题是这些应用的基本需求之一,由于RFID标签的资源限制,传统的安全元素不能很好地应用到RFID标签中.因此,设计轻量级的安全机制非常重要.应用中,贴有标签的物品经常发生所有权的转移.这就需要保护原所有者与新所有者的...     

一种新的涉密数据跨域传输机制

针对涉密数据在多个域之间传输的安全需求,介绍一种新的涉密数据跨域传输机制。该机制基于一种新的跨域认证与密钥建立协议,借助各域内的监督服务器完成双向认证,并结合签密法建立新的文件传输密钥。安全分析证明,该机制能保证不同安全等级域之间涉密数据传输的安全性和隐密性,并能抵御多种安全攻击。     

A novel user identification scheme with key distribution preserving user anonymity for distributed computer networks

Recently, Yang et al. proposed an efficient user identification scheme with key distribution, in which it is possible for the user to anonymously log into a system and establish a secret key shared with the system. Mangipudi and Katti later demonstrated a Deniable-of-Service (DoS) attack on the Yang et al. scheme and then proposed an improvement to withstand such an attack. However, this paper demonstrates an identity disclosure attack to show that neither schemes’ claimed user anonymity requirement can be achieved. We further propose a novel user identification scheme with key distribution preserving user anonymity for distributed computer networks. The proposed scheme not only withstands the attacks mentioned above, but also achieves the following: (i) user anonymity, (ii) key distribution, (iii) mutual authentication, and (iv) key confirmation. The performance of our scheme is of greater efficiency than that of previously proposed schemes in terms of communication costs and computational complexities.     

Probabilistic model checking for the quantification of DoS security threats

Secure authentication features of communication and electronic commerce protocols involve computationally expensive and memory intensive cryptographic operations that have the potential to be turned into denial-of-service (DoS) exploits. Recent proposals attempt to improve DoS resistance by implementing a trade-off between the resources required for the potential victim(s) with the resources used by a prospective attacker. Such improvements have been proposed for the Internet Key Exchange (IKE), the Just Fast Keying (JFK) key agreement protocol and the Secure Sockets Layer (SSL/TLS) protocol. In present article, we introduce probabilistic model checking as an efficient tool-assisted approach for systematically quantifying DoS security threats. We model a security protocol with a fixed network topology using probabilistic specifications for the protocol participants. We attach into the protocol model, a probabilistic attacker model which performs DoS related actions with assigned cost values. The costs for the protocol participants and the attacker reflect the level of some resource expenditure (memory, processing capacity or communication bandwidth) for the associated actions. From the developed model we obtain a Discrete Time Markov Chain (DTMC) via property preserving discrete-time semantics. The DTMC model is verified using the PRISM model checker that produces probabilistic estimates for the analyzed DoS threat. In this way, it is possible to evaluate the level of resource expenditure for the attacker, beyond which the likelihood of widespread attack is reduced and subsequently to compare alternative design considerations for optimal resistance to the analyzed DoS threat. Our approach is validated through the analysis of the Host Identity Protocol (HIP). The HIP base-exchange is seen as a cryptographic key-exchange protocol with special features related to DoS protection. We analyze a serious DoS threat, for which we provide probabilistic estimates, as well as results for the associated attacker and participants' costs.     

基于图像块等级模型的多重认证水印算法

提出了一种新的用于灵活图像认证的多重水印嵌入算法.不同于传统的块独立水印算法中每个图像块只嵌入一个水印信息,算法对每个图像块嵌入多重水印信息.提出了两个通用的图像块等级模型,形成图像块内部的等级结构,对每个图像块以及图像块内部的各等级子块进行独立的水印生成和嵌入.将图像特征值映射为混沌系统的初值,并将图像块的编号映射为混沌系统的迭代次数,经过混沌迭代生成图像块水印,再将水印信号替代图像块中选定像素点的最低有效位,完成水印的嵌入.实验结果表明,该算法可对图像进行多重认证,对篡改区域进行精确的检测与定位,并能选择不同的定位精度.