Similar literature
20 similar documents found
1.
In this paper, we realize Shamir’s no-key protocol via quantum computation of Boolean functions and a private quantum channel. The proposed quantum no-key protocol has three rounds and provides mutual data origin authentication. Random Boolean functions are used to create entanglement and guarantee that any adversary without keys cannot pass the authentication. Thus, our protocol can resist the man-in-the-middle attack. A security analysis has shown that the ciphertexts of the three rounds are completely mixed states. This property ensures that no adversary can obtain any information about the sent message or the authentication keys. Therefore, our protocol is unconditionally secure and its authentication keys can be reused.

2.
Time-division multiple access (TDMA) and code-division multiple access (CDMA) are two technologies used in digital cellular networks. The authentication protocols of TDMA networks have been proven to be vulnerable to side-channel analysis (SCA), giving rise to a series of powerful SCA-based attacks against unprotected subscriber identity module (SIM) cards. CDMA networks have two authentication protocols, the cellular authentication and voice encryption (CAVE) based authentication protocol and the authentication and key agreement (AKA) based authentication protocol, which are used in different phases of the networks. However, there has been no SCA attack on these two protocols so far. In this paper, in order to determine whether the authentication protocols of CDMA networks are sufficiently secure against SCA, we investigate the two existing protocols and their cryptographic algorithms. We find side-channel weaknesses in the two protocols when they are implemented on embedded systems. Based on these weaknesses, we propose specific attack strategies to recover the authentication keys of the two protocols, respectively. We verify our strategies on an 8-bit microcontroller and a real-world SIM card, showing that the authentication keys can be fully recovered within a few minutes with a limited number of power measurements. The successful experiments demonstrate the correctness and effectiveness of our proposed strategies and prove that unprotected implementations of the authentication protocols of CDMA networks cannot resist SCA.

3.
Tool-supported proofs of security protocols typically rely on abstractions from real cryptography by term algebras, so-called Dolev–Yao models. However, until recently it was not known whether a Dolev–Yao model could be implemented with real cryptography in a provably secure way under active attacks. For public-key encryption and signatures, this was recently shown, if one accepts a few additions to a typical Dolev–Yao model such as an operation that returns the length of a term. Here we extend this Dolev–Yao-style model, its realization, and the security proof to include a first symmetric primitive, message authentication. This adds a major complication: we must deal with the exchange of secret keys. For symmetric authentication, we can allow this at any time, before or after the keys are first used for authentication, while working only with standard cryptographic assumptions.

4.
In this paper, we consider how one can analyse a stream authentication protocol using model checking techniques. In particular, we focus on the Timed Efficient Stream Loss-tolerant Authentication Protocol, TESLA. This protocol differs from the standard class of authentication protocols previously analysed using model checking techniques in the following interesting way: an unbounded stream of messages is broadcast by a sender, making use of an unbounded stream of keys; the authentication of the n-th message in the stream is achieved on receipt of the (n+1)-th message. We show that, despite the infinite nature of the protocol, it is possible to build a finite model that correctly captures its behaviour.

5.
Computer Communications, 2007, 30(1): 117-121
Remote user authentication based on passwords over untrusted networks is the conventional method of authentication in Internet and mobile communication environments. Typical secure remote user access solutions rely on pre-established secure cryptographic keys, public-key infrastructure, or secure hardware. Recently, Peyravian and Jeffries proposed password-based protocols for remote user authentication, password change, and session key establishment over insecure networks without requiring any additional private- or public-key infrastructure. In this paper we point out security flaws in Peyravian–Jeffries’s protocols that expose them to off-line password guessing attacks and Denial-of-Service attacks.

6.
Inspired by unidirectional error detecting codes, which are used in situations where only one kind of bit error is possible (e.g., it is possible to change a bit "0" into a bit "1", but not the contrary), we propose integrity codes (I-codes) for a radio communication channel, which enable integrity protection of messages exchanged between entities that do not hold any mutual authentication material (i.e. public keys or shared secret keys). The construction of I-codes enables a sender to encode any message such that if its integrity is violated in transmission over a radio channel, the receiver is able to detect it. In order to achieve this, we rely on the physical properties of the radio channel and on unidirectional error detecting codes. We analyze in detail the use of I-codes on a radio communication channel and we present their implementation on a wireless platform as a "proof of concept". We further introduce a novel concept called "authentication through presence", whose broad applications include broadcast authentication, key establishment and navigation signal protection. We perform a detailed analysis of the security of our coding scheme and we show that it is secure within a realistic attacker model.

7.
Recently, research on key management schemes for user access control in outsourced databases has been very active. Because outsourced databases must deal with a large number of users and data resources, an efficient key management scheme that reduces the number of authentication keys is required. However, the existing schemes have a critical problem: the cost of key management increases rapidly as the number of keys grows. To solve this problem, we propose an efficient key management scheme for user access control in outsourced databases. For this, we propose a Resource Set Tree (RST)-based key generation algorithm that reduces key generation cost by merging duplicated data resources. In addition, we propose a hierarchical Chinese Remainder Theorem (CRT)-based key assignment algorithm which can verify a user's permission to access outsourced databases. Our algorithm can reduce key update cost because redistribution of authentication keys is not required. We also provide analytic cost models of our algorithms and verify the correctness of the theoretical analysis by comparing them with experimental results. Finally, we show from the performance analysis that the proposed scheme outperforms the existing schemes in terms of both key generation cost and update cost.

8.
Recently, remote user authentication schemes have been implemented on elliptic curve cryptosystems (ECC) to reduce the computational load on mobile devices. However, most remote user authentication schemes on ECC are based on public-key cryptosystems, in which a public key requires an associated certificate to prove its validity. Thus, the user needs to perform additional computations to verify the certificate in these schemes. In addition, we find that these schemes do not provide mutual authentication or a session key agreement between the user and the remote server. Therefore, in this paper we propose an ID-based remote mutual authentication with key agreement scheme on ECC. Based on the ID-based concept, the proposed scheme does not require public keys for users, so the additional computations for certificates can be avoided. Moreover, the proposed scheme not only provides mutual authentication but also supports a session key agreement between the user and the server. Compared with related works, the proposed scheme is more efficient and practical for mobile devices.

9.
A secure electronic tax filing system based on fingerprint recognition and smart cards
To address the security problems of identity authentication and data transmission in existing electronic tax filing systems, a security solution for an electronic tax filing system based on fingerprint recognition and smart cards is proposed. The scheme introduces smart card technology at the tax filing terminal to protect confidential information such as keys, uses fingerprint recognition as the basis for identity authentication, and uses the fingerprint information as the seed for generating the encryption keys used when transmitting tax data. It thereby achieves dynamic keys and mutual authentication, and improves the security of identity authentication and information transmission in the electronic tax filing system.

10.
Design and implementation of an IBCPK-based certificate management system
The identity-based combined public key (IBCPK) algorithm is a new public-key authentication technique that addresses the problems of large-scale key management and direct verification of information in the current authentication field. This paper analyses the problems of current public-key authentication systems, introduces the principles and construction of the identity-based combined public key algorithm, and describes the design and implementation of an IBCPK-based certificate management system. The system can effectively manage key distribution and maintenance under the IBCPK scheme.

11.
As the FlexRay communication protocol is extensively used in distributed real-time applications on vehicles, signal scheduling in FlexRay networks becomes a critical issue for ensuring the safe and efficient operation of time-critical applications. In this study, we propose a rectangle bin packing optimization approach to schedule communication signals with timing constraints into the FlexRay static segment at minimum bandwidth cost. The proposed approach, which is based on integer linear programming (ILP), supports both slot assignment mechanisms provided by the latest version of the FlexRay specification, namely single sender slot multiplexing and multiple sender slot multiplexing. Extensive experiments on a synthetic case study and an automotive X-by-wire system case study demonstrate that the proposed approach performs well.

12.
Given the limited processing power, storage and energy of wireless sensor networks, a lightweight data encryption mechanism is designed. The mechanism improves the RC6 algorithm by adding a "symmetric layer" operation, so that the modified RC6 is easier to implement in hardware and consumes fewer hardware resources, with little change in computational workload. To further improve ciphertext security and encryption strength, the plaintext is encrypted in two stages with two keys, and a random key management mechanism is introduced so that a network node can use a different key for each encryption, improving key security. The encryption mechanism also uses several authentication mechanisms, including node ID authentication and identity-tagged key pool authentication, to prevent illegitimate nodes from joining the network. In the experiments, a wireless sensor network node hardware platform was built on a low-power Cortex-M3 based controller chip, a communication protocol was designed, and the mechanism was ported to and implemented on the hardware platform. The experimental results show that the encryption mechanism runs well on the low-power platform.

13.
Biometrics is one of the ways of authenticating humans. Fabrication of biometrics by intruders limits the accuracy of authentication. User-specific keys, i.e., pseudo-random numbers, give more security for biometric template protection and also increase the accuracy of authentication. However, user-specific tokens or keys can also be fabricated by intruders using prediction methods. To avoid the creation of fake biometrics and fake user-specific keys, a device-specific Physical Unclonable Function (PUF) is proposed. In this article, iris authentication is provided by unclonable PUF-based true random numbers to enhance unique authentication. Non-reversible Message Authentication Codes (MAC) are developed using the PUF and Discrete Wavelet Transform features of the iris biometric. MAC codes are also created systematically with an encryption algorithm. Encryption additionally provides confidentiality for the individual iris. Experiments are done with the CUHK Iris Image Dataset. The proposed Bio-PUF system has significant functional advantages from the point of view of the unclonable pseudo-random numbers obtained from the PUF. Experimentally, the avalanche effect, entropy, NCPR and UACI parameters are analyzed for the PUF-based cryptographic functions. For 75% matching of the Bio-PUF-MAC codes against enrolment, the accuracy of correct identification is 77.73%.

14.
Biometric authentication is increasingly gaining popularity in a wide range of applications. However, the storage of the biometric templates and/or encryption keys that are necessary for such applications is a matter of serious concern, as the compromise of templates or keys necessarily compromises the information secured by those keys. In this paper, we propose a novel method, which requires storage of neither biometric templates nor encryption keys, by directly generating the keys from statistical features of biometric data. An outline of the process is as follows: given biometric samples, a set of statistical features is first extracted from each sample. On each feature subset or single feature, we model the intra- and inter-user variation by clustering the data into natural clusters using a fuzzy genetic clustering algorithm. Based on the modelling results, we subsequently quantify the consistency of each feature subset or single feature for each user. By selecting the most consistent feature subsets and/or single features for each user individually, we generate the key reliably without compromising its relative security. The proposed method is evaluated on handwritten signature data and compared with related methods, and the results are very promising.

15.
Data communication over the FlexRay bus offers outstanding reliability, real-time behaviour and a very high transmission rate. After summarising the characteristics of the FlexRay bus, this paper introduces the technical requirements of industrial fieldbuses, compares the characteristics of the two in depth, focuses on the advantages of applying the FlexRay bus in industrial automation, and illustrates with an example its specific application in the field of coal mining.

16.
The next-generation in-vehicle network FlexRay and research on its applications
FlexRay is a communication system that can meet the requirements of future in-vehicle control applications. It uses time-triggered data transmission, so its application development method differs considerably from that of the event-triggered communication buses currently widespread in vehicles (such as CAN). To explain the application development process based on the FlexRay bus, a prototype throttle-by-wire control system based on FlexRay was designed using Designer, the distributed system development tool from DecomSys. The system architecture, the construction of the task model and the application development process are introduced, and the application of FlexRay in this system is analysed.

17.
Partial information leakage of the generated key undoubtedly influences the security of a practical Quantum Key Distribution (QKD) system. In this paper, based on finite-key analysis and a deep investigation of privacy amplification, we present a method for characterizing the information leakage gained by an adversary in each authentication round, and thereby carry the theory derived by Cederlöf and Larsson (IEEE Trans Inf Theory 54:1735–1741, 2008) over to the practical case. As the authentication key is fed from one round of generated keys to the next, except in the first round, by considering its security weakness due to information leakage and the finite size effect, we further propose a universal formula for calculating the lifetime of the initial authentication key used in QKD with finite resources. Numerical simulations indicate that our bound for estimating information leakage strictly characterizes the stability of practical QKD against information-leakage-based attacks, and that our lifetime formula can precisely evaluate the usage time of the initial authentication key. Our work provides a practical solution for evaluating the authentication security of QKD.

18.
To solve the scalability problems of the CA-based identity authentication model when applied in large distributed networks, we present a distributed identity authentication model based on public keys that adopts a rigorous binary tree coding algorithm. The advantages of our model are as follows: First, it has good scalability and is suitable for large-scale distributed networks. Second, the authentication path is short, with no more than two intervening entities. Third, it does not require users to inquire about certificate revocation lists.

19.
In this article we present the development of a new, web-based, graphical authentication mechanism called ImagePass. The authentication mechanism introduces a novel feature based on one-time passwords that increases the security of the system without compromising its usability. Regarding usability, we explore the users’ perception of recognition-based, graphical authentication mechanisms in a web environment. Specifically, we investigate whether the memorability of recognition-based authentication keys is influenced by image content. We also examine how the frequency of use affects the usability of the system and whether user training via mnemonic instructions improves the graphical password recognition rate. The design and development process of the proposed system began with a study that assessed how users remember abstract, face or single-object images, and showed that single-object images have a higher memorability rate. We then proceeded with the design and development of a recognition-based graphical authentication mechanism, ImagePass, which uses single objects as the image content and follows usable security guidelines. To conclude the research, in a follow-up study we evaluated the performance of 151 participants under different conditions. We discovered that the frequency of use had a great impact on users’ performance, while the users’ gender had a limited task-specific effect. In contrast, user training through mnemonic instructions showed no differences in the users’ authentication metrics. However, a post-study focus-group analysis revealed that these instructions greatly influenced the users’ perception of the memorability and usability of the graphical authentication. In general, the results of these studies suggest that single-object graphical authentication can be a complementary replacement for traditional passwords, especially in ubiquitous environments and on mobile devices.

20.
Key establishment is becoming a widely deployed cryptographic primitive. As such, there has been extensive research on designing algorithms that produce shared secret keys. These protocols require parties to either hold certificates or rely on identity (ID)-based primitives to achieve authentication. Chain and cross certification allow users trusting different certification authorities to interact. Similarly, there are methods to extend ID-based solutions across multiple key generation centers (KGC). However, there has been no dedicated work on interoperability between the two settings. A straightforward solution would require each user to maintain certificates and ID-based static keys to accommodate all peers. The cost of maintaining many secret keys, matching keys with protocols, and preventing undesired interference would arguably make such a solution impractical. In this work, we offer an alternative where a user needs to keep a single static key pair and can subsequently engage in session key establishment with peers holding certificates or identity-based keys. Thus, the proposed solution has none of the disadvantages of maintaining multiple static private keys.
