无线体域网中基于属性加密的数据访问控制方案

作为一种新的电子医疗技术,无线体域网(wireless body area networks,WBANs)将在病情监测中发挥重要作用,安全性及隐私性保护是无线体域网的重要内容.针对WBANs数据访问控制提出一种细粒度的数据访问方法,该方法采用基于属性的数据加密方法,加密者将数据访问结构作为访问策略,当解密者所具有的属性满足该结构时,即可访问该数据,否则,拒绝用户访问.分别从正确性、安全性及能量消耗三方面对方案进行分析.仿真实验结果表明,本方案相对其他方案能量消耗较小.     

混合式结构下基于网格的位置隐私保护方法

基于中心式和分布式结构的LBS隐私保护方案的特点,设计了一种混合式隐私保护结构以兼具两者优势,并在该结构下提出了一种基于网格的LBS隐私保护方案。该方案使用参数生成器定期向用户及LBS服务器更新偏移参数,通过结合K-匿名和随机偏移技术,在中心服务器生成匿名区域。在保证安全性的同时,避免了传统匿名中心服务器存在的安全隐患。同时,在查询结果的筛选过程中,采用网格化坐标对匿名区域进行表示,实现了高效的结果匹配,显著降低了中心服务器的计算开销。较之已有方案,该方案在通信开销方面亦具有较大优势。     

智能配电网中具有隐私保护的数据安全认证方案

针对智能配电网信息采集系统的隐私安全、存储与通信开销等问题,提出了一种具有隐私保护的数据安全认证方案。该方案融合数据隐私保护和数据完整性认证构建了一个安全可靠的数据传输协议。理论分析和实验结果表明,该方案不仅在节点数量众多的情况下大大降低了节点的存储与通信开销,而且加入了隐私保护,提高了传输的安全性,更加适用于智能配电网信息采集系统。     

基于隐私保护的实时电价计费方案

针对智能电网基于实时电价的计费过程中有大量实时用电数据需要交互和计算,且隐私数据保护不够完善的安全问题,提出了一种基于隐私保护的实时电价计费方案。利用加法同态加密、混合乘法同态加密等技术,保证了实时用电数据在通信、数据聚合、电费计算和账单验证过程中的安全。同时,通过聚合签名技术减少了数据认证过程中的开销。通过对所述方案进行安全性分析和性能分析,表明该方案具有很好的安全性且性能较高。     

车载自组网无证书条件隐私保护认证方案

车载自组网（VANET）在共享交通数据、提升行车效率、减少交通事故等方面具有明显优势,对智能交通系统的构建至关重要。与此同时,车与车之间、车与基础设施之间的安全通信,车辆的隐私保护（如身份隐私、位置隐私）,交通消息的高效认证等问题亟待解决。为了实现安全性和效率的平衡,首先,分析并证明最近提出的方案——条件隐私保护无证书聚合签名方案（CPP-CLAS）不能抵抗公钥替换攻击;其次,在此基础上提出一种新型VANET无证书条件隐私保护认证方案,方案中的车辆在申请部分私钥时不依赖安全信道,并采用聚合认证和批量认证技术批量验证签名;最后,在随机预言机模型下证明了所提方案具有不可伪造性。性能分析表明,与同类型方案相比,所提方案在没有增加验证开销的基础上,将签名阶段的计算效率至少提升了66.76%,通信带宽需求至少降低了16.67%,验证了该方案更加适用于资源受限的VANET。     

智能电网中的数据聚合方案分类研究

智能电网中其安全的通信架构是保证电网安全、稳定运行的基础,隐私保护的数据聚合是保证机密性、提高效率的有效途径。对最近面向智能电网通信系统的数据聚合的五种功能类型的方案进行了总结和分析。在聚合阶段,大部分的方案在系统架构上基本相差不大,不过在聚合方法的选取上,则各自有不同的考虑。诸如Paillier加密体制和ElGamal加密体制,是两种较为常规的加密体制,差分隐私、双线性对技术和数据签名技术也在一些文章中得到应用。通过安全性分析证明,这些方案不仅具有隐私保护、消息的认证性和完整性验证等功能;而且通过对这些方案进行性能比较分析,所述的方案在计算开销和用户的访问控制方面及通信开销都各有优势,对于智能电网多维数据的收集和云端的访问控制提供了更多的参考依据。     

VANET中基于无证书环签密的可认证隐私保护方案

针对车载自组织网络(Vehicular ad-hoc Network,VANET)中车辆用户隐私信息保护和通信消息传输安全的问题,提出了一种可认证的无证书环签密方案。车辆通过可信机构生成的伪身份通信,有且仅有可信机构可以根据车辆节点的原始注册信息和追踪密钥确定消息发送车辆的真实身份,保证了通信的匿名性和对恶意车辆身份的可追踪性;消息发送车辆和接收车辆基于所构建的可认证环签密模型分别执行签密和解签密算法,实现了签密车辆身份和所发送消息的可认证;在随机预言模型下证明了所提方案具有机密性和不可伪造性。将所提的隐私保护方案与现有的VANET隐私保护方案进行安全性能的比较,证明了所提方案的机密性、可认证性和可追踪性等安全性较完善。通过列表比较了所提方案中环签密和解签密算法中各项运算的数量。将两种算法中双线性运算和标量乘运算的开销之和作为所提方案的计算开销,列表并进行数值分析。仿真实验基于Intel I7、3.07 GHz的硬件平台和MATLAB软件。结果表明,所提方案的计算开销远小于其余3个方案。当车辆数量增大到适用范围的上限100时,所提方案的计算开销仍小于150 ms。因此,该隐私保护方案满足了安全性和即时通信的要求,尤其适用于城市交通系统。     

FaceEncAuth：基于FaceNet和国密算法的人脸识别隐私安全方案

人脸识别中,人脸特征作为生物特征的一种,具有唯一性、不可撤销性,一旦遭到攻击、篡改或泄露,用户隐私安全将面临巨大威胁。针对这一问题,提出一种基于深度学习和加密算法的人脸识别隐私安全方案。该方案中,利用FaceNet深度学习算法来高效提取人脸特征,协调生物特征模糊性与密码系统的精确性,采用CKKS全同态加密算法进行人脸识别密文域的运算,通过国密SM4算法增强人脸特征密文抵抗恶意攻击的能力,利用其对称密码的性质兼顾了安全性和运算效率,而SM9非对称密码算法则用于SM4算法对称密钥的管理。实验结果及分析表明,该方案在不影响人脸识别准确率、效率的前提下提高了数据传输、存储和比对的安全性。     

云存储中利用TPA的数据隐私保护公共审计方案

针对云存储中用户数据完整性和私密性易受破坏的问题,提出了一种能够保证云数据完整性和私密性的高效方法。首先定义了隐私保护公共审计算法,然后采用第三方审计方法为用户进行数据审计,最后在随机oracle模型上验证了方案具有较高的安全性和隐私性。计算开销分析表明,相比其他审计方案,所提出方案在服务计算方面更加高效。     

云环境下一种基于数据分割的CP-ABE隐私保护方案

针对云计算隐私安全保护,提出了一种基于数据分割的CP-ABE(密文策略的基于属性的加密方案)隐私保护方案,克服了云环境下不可信第三方、安全性和性能开销的三大难题。本方案利用数据分割思想将数据分为大数据块和小数据块,通过分割策略对大数据块再进行分块,并用CP-ABE算法对小数据块进行加密。经理论分析及实验仿真表明,在云环境下,此方案在安全问题、开销问题及扩展问题上都有很大优势。     

Cloudlet-based Efficient Data Collection in Wireless Body Area Networks

Wireless Body Area Networks (WBANs) have developed as an effective solution for a wide range of healthcare, military and sports applications. Most of the proposed works studied efficient data collection from individual and traditional WBANs. Cloud computing is a new computing model that is continuously evolving and spreading. This paper presents a novel cloudlet-based efficient data collection system in WBANs. The goal is to have a large scale of monitored data of WBANs to be available at the end user or to the service provider in reliable manner. A prototype of WBANs, including Virtual Machine (VM) and Virtualized Cloudlet (VC) has been proposed for simulation characterizing efficient data collection in WBANs. Using the prototype system, we provide a scalable storage and processing infrastructure for large scale WBANs system. This infrastructure will be efficiently able to handle the large size of data generated by the WBANs system, by storing these data and performing analysis operations on it. The proposed model is fully supporting for WBANs system mobility using cost effective communication technologies of WiFi and cellular which are supported by WBANs and VC systems. This is in contrast of many of available mHealth solutions that is limited for high cost communication technology, such as 3G and LTE. Performance of the proposed prototype is evaluated via an extended version of CloudSim simulator. It is shown that the average power consumption and delay of the collected data is tremendously decreased by increasing the number of VMs and VCs.     

Asynchronous inter-network interference avoidance for wireless body area networks

This paper considers the internetwork interference problem in environments with multiple wireless body area networks (WBANs). We propose an asynchronous internetwork interference avoidance scheme (abbreviated as AIIA), which is based on the hybrid multiple access of carrier sense multiple access with collision avoidance (CSMA/CA) and time division multiple access (TDMA). In AIIA, the gateway device of each WBAN maintains a table, called an AIIA table, which includes the timing offset and TDMA transmission schedule information corresponding to the interfering WBANs. By referring to the table, the conflicting TDMA schedule can be checked and updated by itself, in asynchronous and distributed manners. Extensive simulations are conducted to demonstrate the feasibility and effectiveness of AIIA.     

A cloud supported model for efficient community health awareness

The needs for efficient and scalable community health awareness model become a crucial issue in today’s health care applications. Many health care service providers need to provide their services for long terms, in real time and interactively. Many of these applications are based on the emerging Wireless Body Area networks (WBANs) technology. WBANs have developed as an effective solution for a wide range of healthcare, military, sports, general health and social applications. On the other hand, handling data in a large scale (currently known as Big Data) requires an efficient collection and processing model with scalable computing and storage capacity. Therefore, a new computing paradigm is needed such as Cloud Computing and Internet of Things (IoT). In this paper we present a novel cloud supported model for efficient community health awareness in the presence of a large scale WBANs data generation. The objective is to process this big data in order to detect the abnormal data using MapReduce infrastructure and user defined functions with minimum processing delay. The goal is to have a large monitored data of WBANs to be available to the end user or to the decision maker in reliable manner. While reducing data packet processing energy, the proposed work is minimizing the data processing delay by choosing cloudlet or local cloud model and MapReduce infrastructure. So, the overall delay is minimized, thus leading to detect the abnormal data in the cloud in real time mode. In this paper we present a multi-layer computing model composed of Local Cloud (LC) layer and Enterprise Cloud (EP) layer that aim to process the collected data from Monitored Subjects (MSs) in a large scale to generate useful facts, observations or to find abnormal phenomena within the monitored data. Performance results show that integrating the MapReduce capabilities with cloud computing model will reduce the processing delay. The proposed MapReduce infrastructure has also been applied in lower layer, such as LC in order to reduce the amount of communications and processing delay. Performance results show that applying MapReduce infrastructure in lower tire will significantly decrease the overall processing delay.     

On the security and improvement of a two-factor user authentication scheme in wireless sensor networks

User authentication is a basic security requirement during the deployment of the wireless sensor network (WSN), because it may operate in a rather hostile environment, such as a military battlefield. In 2010, Khan and Alghathbar (KA) found out that Das’s two-factor user authentication scheme for WSNs is vulnerable to the gateway node (GW-node) bypassing attack and the privileged-insider attack. They further presented an improved scheme to overcome the security flaws of Das’s scheme. However, in this paper, we show that KA’s scheme still suffers from the GW-node impersonation attack, the GW-node bypassing attack, and the privileged-insider attack. Hence, to fix the security flaws in KA’s scheme, we propose a new user authentication scheme for WSNs. The security of the user authentication session in the proposed scheme is reduced by the model of Bellare and Rogaway. The security of partial compromise of secrets in the proposed scheme is reduced and analyzed by our adversarial model. Based on the performance evaluation, the overall cost of the proposed scheme is less than that of KA’s scheme. Hence, we believe that the proposed scheme is more suitable for real security applications than KA’s scheme.     

标准模型下基于身份代理盲签名方案

由于现有的基于身份代理盲签名方案要么没有得到形式化的安全证明,要么仅在随机预言（Random Oracle,RO）模型下可证明安全,提出一种标准模型下的基于身份代理盲签名方案。该方案的基本签名算法采用了Paterson等人提出的基于身份签名机制。在Paterson等人提出的标准安全模型基础上,引入代理签名敌手模型,并参考盲签名的安全模型,提出基于身份代理盲签名的标准模型。在此安全模型下,该方案被证明满足不可伪造性和盲性,具有可证明安全性。     

标准模型下选择密文安全的基于身份加密方案

Waters在欧密2005上提出的基于身份加密方案是选择明文安全的,这就使得该方案很难应用于一些安全性要求较高的环境中。针对这一问题,设计了一个标准模型下选择密文安全的基于身份的加密扩展方案。该扩展方案基于Waters的方案,其密文中增加一个附加信息,而扩展方案是选择密文安全的,所以解决了Waters方案仅达到选择明文安全的问题。在标准模型下,扩展方案的安全性归约为判定性双线性Diffie-Hellman困难假设。安全性分析表明,扩展方案抵抗自适应选择密文攻击是不可区分的。     

A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem

Recently, Yang and Chang proposed an identity-based remote login scheme using elliptic curve cryptography for the users of mobile devices. We have analyzed the security aspects of the Yang and Chang's scheme and identified some security flaws. Also two improvements of the Yang and Chang's scheme have been proposed recently, however, it has been found that the schemes have similar security flaws as in the Yang and Chang's scheme. In order to remove the security pitfalls of the Yang and Chang and the subsequent schemes, we proposed an enhanced remote user mutual authentication scheme that uses elliptic curve cryptography and identity-based cryptosystem with three-way challenge-response handshake technique. It supports flawless mutual authentication of participants, agreement of session key and the leaked key revocation capability. In addition, the proposed scheme possesses low power consumption, low computation cost and better security attributes. As a result, the proposed scheme seems to be more practical and suitable for mobile users for secure Internet banking, online shopping, online voting, etc.     

可追踪的无证书多级代理签名方案

利用双线性映射设计出一个有效的无证书多级代理签名方案。在最强的安全模型下, 方案给出了正式的安全证明。它的安全性基于计算Diffie-Hellman问题的困难性。所提出的方案满足诸如可验证性、不可否认性、可识别性、防止签名滥用等安全性质。 该多级代理签名方案具有前向可追踪性和后向扩展的灵活性。 鉴于方案的安全、高效和灵活的优点, 它可广泛应用于电子商务、移动代理系统等方面。     

基于签密的密码工作流密钥封装机制

密码工作流(cryptographic workflow)是多用户环境下一种特殊的密码系统工作模式,在这种工作模式下,加密消息需要依据某种策略进行,因此只有履行这一策略的实体才能进行消息解密.为保证在密码工作流模式下密钥封装能够同时实现密钥免托管性和密钥封装传递的不可伪造性,基于签密的思想定义了一个新的密码工作流模式下的密钥封装机制.首先定义了密码工作流模式下基于签密的密钥封装一般模型,并给出了相应的安全模型;其次,结合秘密共享方案、基于身份加密方案和签密方案,提出一个新的结构方案,并在标准模型(standard model)下利用序列游戏证明方法对该结构方案的安全性进行了详细证明.证明结果表明,该密钥封装结构方案能够达到密码工作流模式下要求的接收者安全和外部安全.     

可证安全的无证书代理环签名方案

代理环签名可使代理者以匿名的方式进行代理签名, 具有很多优点。首先给出无证书代理环签名方案的最强安全模型, 并利用双线性映射提出一个高效的无证书代理环签名方案。在所定义的最强的安全模型下, 方案给出了严格的安全证明, 它的安全性基于计算Diffie-Hellman问题的困难性。分析显示该方案满足诸如无条件匿名性、强不可伪造性等安全性质。鉴于该方案的安全、高效和无证书管理的优点, 它可广泛应用于电子政务、移动代理系统等方面。