A novel user’s authentication scheme for pervasive on-line media services

Due to the explosive growth of the Internet and the pervasion of multimedia, protection of intellectual property (IP) rights of digital content in transactions induces people’s concerns. Current security requirements and copyright protection mechanisms especially need to work in real-time and on-line for communication and networking. For media service systems in the Internet, user’s authentication is most essential in association with the access control of the media system. The authentication scheme is a trivial but crucial issue for maintaining user’s information. Up to now, many one-time password-based authentication schemes have been proposed. However, none is secure enough. The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources. Traditionally static passwords can more easily be obtained by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced. These schemes are specially fit for media services in the Internet since they will frustrate the attacker’s attempt. Lin, Shen and Hwang proposed a strong-password authentication scheme in association with one-time password by using smart cards, and claimed their scheme can resist guess attack, replay attack, impersonation attack and stolen attack. Later, Ku, Tsai, and Chen showed that Lin-Shen-Hwang’s scheme suffers from a replay attack and a denial-of-service attack. Furthermore, Ku proposed a hash-based strong-password authentication scheme to enhance the security. In this paper, we show the weaknesses and devise some attacks against Ku’s scheme. Then, we revise Ku’s scheme and propose a novel user’s authentication scheme in pervasive on-line media services for current communication and networking.     

无线传感器网络中的“双重”身份验证

如今,无线传感器网络是一种新的和有前途的下一代实时无线监控应用的解决方案。如果在考虑部署传感器网络之前没有适当的安全考虑,可以成为一个威胁。但是,如果有任何安全漏洞,即可能向攻击者敞开了大门并且危害应用。因此,用户身份验证的核心要求之一,以防止未经授权的无线传感器网络的数据访问用户。在这方面提出一个有效的双重身份验证的无线传感器网络,它是基于密码和智能卡（双重）。计划提供了相互认证,使用户能够选择和频繁地改变自己密码。再者,通过合理计算成本,提供强大的保护防止不同类型的攻击。     

Threshold password authentication against guessing attacks in Ad hoc networks

Password authentication has been accepted as one of the commonly used solutions in network environment to protect resources from unauthorized access. The emerging mobile Ad hoc network, however, has called for new requirements for designing authentication schemes due to its dynamic nature and vulnerable-to-attack structure, which the traditional schemes overlooked, such as availability and strong security against off line guessing attacks in face of node compromise. In this paper, we propose a threshold password authentication scheme, which meets both availability and strong security requirements in the mobile Ad hoc networks. In our scheme, t out of n server nodes can jointly achieve mutual authentication with a registered user within only two rounds of message exchanges. Our scheme allows users to choose and change their memorable password without subjecting to guessing attacks. Moreover, there is no password table in the server nodes end, which is preferable since mobile nodes are usually memory-restricted devices. We also show that our scheme is efficient to be implemented in mobile devices.     

移动通信网络安全发展前景分析

移动通信技术的飞速发展,日益丰富的数据增值业务诸如微博邮件、数据传输、手机支付、多媒体业务等得以应用。而用户更多的个人信息将在移动通信网络中传送,移动通信网络的安全也随之成为移动通信行业界重要的课题。笔者针对移动通信网络中所面临的各种安全威胁和攻击,重点从鉴权认证、用户身份保护、数据加密等方面对移动通信安全现有解决措施的发展情况进行了阐述,并结合移动通信技术的发展分析了其安全措施并提出一些改进方向,最后对移动通信网络安全的前景进行了展望。     

基于指纹识别的云安全认证技术

在云计算环境中,作为云安全的第一道防线,用户身份认证有着至关重要的作用。分析了当前云服务系统的认证需求,考虑到指纹识别技术在云安全认证中的应用优势,提出了一种基于指纹识别的云安全认证系统。并对其系统架构、工作流程进行了深入研究,以通过更加安全的认证方式防止恶意用户的非法访问,保证云环境下用户数据的访问安全。     

Security for Industrial Communication Systems

Modern industrial communication networks are increasingly based on open protocols and platforms that are also used in the office IT and Internet environment. This reuse facilitates development and deployment of highly connected systems, but also makes the communication system vulnerable to electronic attacks. This paper gives an overview of IT security issues in industrial automation systems which are based on open communication systems. First, security objectives, electronic attack methods, and the available countermeasures for general IT systems are described. General security objectives and best practices are listed. Particularly for the TCP/IP protocol suite, a wide range of cryptography-based secure communication protocols is available. The paper describes their principles and scope of application. Next, we focus on industrial communication systems, which have a number of security-relevant characteristics distinct from the office IT systems. Confidentiality of transmitted data may not be required; however, data and user authentication, as well as access control are crucial for the mission critical and safety critical operation of the automation system. As a result, modern industrial automation systems, if they include security measures at all, emphasize various forms of access control. The paper describes the status of relevant specifications and implementations for a number of standardized automation protocols. Finally, we illustrate the application of security concepts and tools by brief case studies describing security issues in the configuration and operation of substations, plants, or for remote access.     

Multicast security and its extension to a mobile environment

Multicast is rapidly becoming an important mode of communication and a good platform for building group-oriented services. To be used for trusted communication, however, current multicast schemes must be supplemented by mechanisms for protecting traffic, controlling participation, and restricting access of unauthorized users to data exchanged by the participants. In this paper, we consider fundamental security issues in building a trusted multicast facility. We discuss techniques for group-based data encryption, authentication of participants, and preventing unauthorized transmissions and receptions. We also describe the application of these principles and techniques in designing an architecture for secure multicast in a mobile environment.     

A secure n-secret based client authentication protocol for 802.11 WLANs

Authentication has strong impact on the overall security model of every information system. Various authentication techniques are available for restricting the access of unauthorized users to the enterprise scale networks. IEEE 802.1X defines a secure and reliable authentication framework for 802.11 WLANs, where Extensible Authentication Protocol (EAP) provides the base to this architecture. EAP is a generic architectural framework which supports extensibility by incorporating the new and improved authentication schemes, which are based on different types of credentials. Currently there exist a number of EAP and Non-EAP methods with varying level of security and complexity. In this work, we have designed a new n-secret based authentication scheme referred here as Personal Dialogue Based Authentication, for the client authentication to the network. It is a Transport Layer Security (TLS) protected authentication protocol, which will be executed inside the secure TLS tunnel for providing the privacy and credential security to the wireless client. The developed authentication protocol has a reasonable set of features like; strong security, user privacy, simplicity and extensibility. For the formal analysis of the protocol we have used SPAN–AVISAP model checker on Ubuntu platform for validating the realization of the specified security goals. The experimental results obtained by simulation performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool shows that our protocol is efficient and secured.

     

Secure Remote User Mutual Authentication Scheme with Key Agreement for Cloud Environment

Authentication schemes are widely used mechanisms to thwart unauthorized access of resources over insecure networks. Several smart card based password authentication schemes have been proposed in the literature. In this paper, we demonstrate the security limitations of a recently proposed password based authentication scheme, and show that their scheme is still vulnerable to forgery and offline password guessing attacks and it is also unable to provide user anonymity, forward secrecy and mutual authentication. With the intention of fixing the weaknesses of that scheme, we present a secure authentication scheme. We show that the proposed scheme is invulnerable to various attacks together with attacks observed in the analyzed scheme through both rigorous formal and informal security analysis. Furthermore, the security analysis using the widely-accepted Real-Or-Random (ROR) model ensures that the proposed scheme provides the session key (SK) security. Finally, we carry out the performance evaluation of the proposed scheme and other related schemes, and the result favors that the proposed scheme provides better trade-off among security and performance as compared to other existing related schemes.

     

个人指纹信息与随机密钥生成相结合提高网络信息传输安全性

研究了计算机网络通信与密码技术的一般方法，提出采用个人指纹信息作为身份论证和由服务端向客户端发送随机密钥相结合的方法，进一步提高了网络信息传输的安全性；并给出了采用Delphi为网络开发工具，以IDEA(国际数据加密算法)为传输数据的加密算法的网络信息传输方案和鳊程方法。     

BYOD企业移动设备管理技术

提出了中兴通讯自带设备办公（BYOD）解决方案.方案在终端层、接入层、控制层、应用分别解决企业面临的设备安全管理、应用安全管理及数据安全问题.终端层提供BYOD安全套件;接入层提供信令媒体接入网关和统一接入控制服务,提供移动设备安全接入服务,并提供统一的设备鉴权认证及用户鉴权认证;控制层用于控制移动用户及设备的行为模式;应用层用于提供具体的企业移动服务,包括通用的企业通信服务、企业办公应用支撑、虚拟桌面、企业网盘,以及企业业务相关的移动应用.     

个人通信系统中的一种移动用户登记认证协议

假冒和窃听攻击是无线通信面临的主要威胁。在个人通信系统中,为了对无线链路提供安全保护,必须对链路上所传送的数据/话音进行加密,而且在用户与服务网络之间必须进行相互认证。近年来,人们在不同的移动通信网络(如GSM,IS-41,CDPD,Wireless LAN等)中提出了许多安全协议。然而,这些协议在个人通信环境中应用时存在不同的弱点。本文基于个人通信系统的双钥保密与认证模型,设计了用户位置登记认证协议;并采用BAN认证逻辑对协议的安全性进行了形式化证明,也对协议的计算复杂性进行了定性分析。分析表明,所提出的协议与现有的协议相比具有许多新的安全特性。     

An enhanced two-factor user authentication in wireless sensor networks

Since wireless sensor networks (WSN) are often deployed in an unattended environment and sensor nodes are equipped with limited computing power modules, user authentication is a critical issue when a user wants to access data from sensor nodes. Recently, M.L. Das proposed a two-factor user authentication scheme in WSN and claimed that his scheme is secure against different kinds of attack. Later, Khan and Alghathbar (K-A) pointed out that Das’ scheme has some security pitfalls and showed several improvements to overcome these weaknesses. However, we demonstrate that in the K-A-scheme, there is no provision of non-repudiation, it is susceptible to the attack due to a lost smart card, and mutual authentication between the user and the GW-node does not attained. Moreover, the GW-node cannot prove that the first message comes from the user. To overcome these security weaknesses of the K-A-scheme, we propose security patches and prove our scheme.     

User centric three‐factor authentication protocol for cloud‐assisted wearable devices

Wearable devices, which provide the services of collecting personal data, monitoring health conditions, and so on, are widely used in many fields, ranging from sports to healthcare. Although wearable devices bring convenience to people's lives, they bring about significant security concerns, such as personal privacy disclosure and unauthorized access to wearable devices. To ensure the privacy and security of the sensitive data, it is critical to design an efficient authentication protocol suitable for wearable devices. Recently, Das et al proposed a lightweight authentication protocol, which achieves secure communication between the wearable device and the mobile terminal. However, we find that their protocol is vulnerable to offline password guessing attack and desynchronization attack. Therefore, we put forward a user centric three‐factor authentication scheme for wearable devices assisted by cloud server. Informal security analysis and formal analysis using ProVerif is executed to demonstrate that our protocol not only remedies the flaws of the protocol of Das et al but also meets desired security properties. Comparison with related schemes shows that our protocol satisfies security and usability simultaneously.     

Improvement of robust smart‐card‐based password authentication scheme

Smart‐card‐based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in the last decade. Recently, Chen et al. proposed a smart‐card‐based password authentication scheme and claimed that the scheme can withstand offline password guessing attacks even if the information stored in the smart card is extracted by the adversary. However, we observe that the scheme of Chen et al. is insecure against offline password guessing attacks in this case. To remedy this security problem, we propose an improved authentication protocol, which inherits the merits of the scheme of Chen et al. and is free from the security flaw of their scheme. Compared with the previous schemes, our improved scheme provides more security guarantees while keeping efficiency. Copyright © 2013 John Wiley & Sons, Ltd.     

行业安全手机探索研究

党政军、学校、企业等特殊行业主要移动互联网安全问题是接入设备安全、移动应用安全、用户接入认证安全等.本文将从操作系统安全、应用程序安全、设备管理安全、网络传输安全4个方面进行讨论,实行对手机的全面安全防护,为行业安全提供成套解决方案.     

A combined public-key scheme in the case of attribute-based for wireless body area networks

The wireless body area networks (WBANs) is a practical application model of Internet of things. It can be used in many scenarios, especially for e-healthcare. The medical data of patients is collected by sensors and transmitted using wireless communication techniques. Different users can access the patient’s data with different privileges. Access control is a crucial problem in WBANs. In this paper, we design a new security mechanism named combined public-key scheme in the case of attribute-based (CP-ABES) to address the user access control in WBANs. Our scheme combines encryption and digital signatures. It uses ciphertext-policy attribute-based encryption to achieve data confidentially, access control, and ciphertext-policy attribute-based signature to realize the identity authentication. The access policy used in our scheme is threshold. Based on this feature, the length of ciphertext and signature of our scheme is constant. Our scheme provides confidentiality, unforgeability, signer privacy and collusion resistance. We prove the efficiency of our scheme theoretically and analyze the security level and energy consumption of our scheme.

     

网格代理认证技术在制造资源共享中的应用

制造技术的发展．使得各制造单位之间为了共同的需要形成一种松散耦合形式的虚拟企业来共享制造资源，牵制共享的一个主要问题是：虚拟企业的成员都希望能像使用自己的资源一样使用其他成员的资源．而各成员又不会希望改变自己的资源使用策略或交出自己的资源控制权去迎合其他成员的使用。通过对当前计算机网格安全技术的研究，使用用户代理机制，在数字制造系统中部署数字制造资源多级代理授权认证策略，实现各虚拟企业之间资源请求的身份代理认证，用户单点登录即可共享虚拟企业的所有数字制造资源。     

Authentications and Key Management in 3G-WLAN Interworking

The successful deployment of WLAN for high speed data transmission and 3G cellular systems for wide coverage and global roaming has emerged to be a complementary platform for wireless data communications. But security in the 3G-WLAN interworking, especially the efficient authentication and valid key management, has been remaining a challenging issue. What’s more, some emerging security challenges are neglected by 3GPP specifications as well as the previous studies. This paper first analyzes and evaluates the current contributions in this field, and then puts forward some design issues. Thereafter, by modifying the EAP-AKA keying framework we propose an improved authentication scheme which enables a WLAN user to efficiently access packet switch services through the 3G networks. What’s more, through the new keying framework the user can efficiently realize the future re-authentications and handover authentications. The proposed authentication scheme, the corresponding re-authentications and handover authentications are simulated, and results indicate that our scheme can reduce authentication latency significantly.     

Security, privacy, and accountability in wireless access networks - [Accepted from open call]

The presence of ubiquitous connectivity provided by wireless communications and mobile computing has changed the way humans interact with information. At the same time, it has made communication security and privacy a hot-button issue. In this article we address the security and privacy concerns in wireless access networks. We first discuss the general cryptographic means to design privacy-preserving security protocols, where the dilemma of attaining both security and privacy goals, especially user accountability vs. user privacy, is highlighted. We then present a novel authentication framework that integrates a new key management scheme based on the principle of separation of powers and an adapted construction of Boneh and Shacham's group signature scheme, as an enhanced resort to simultaneously achieve security, privacy, and accountability in wireless access networks.