PKI／CA技术在国防军工PDM系统中的安全应用

随着信息化不断发展,PDM系统已经成为国防军工企业战略发展的重要组成部分。在PDM系统建设逐步成熟的背景下,PDM的安全性（身份鉴别与数据安全）也成为摆在国防军工企业面前的一大难题。为解决PDM系统安全性问题,这里以国际通用先进的信息安全技术为参考,以国内信息安全标准为依据,结合PDM系统业务应用的现状,提出了采用PKI公钥基础设施为PDM系统提供安全支撑的技术思路。从而利用PKI完善灵活的接口和标准的安全中间件,使得PDM和新建应用系统可以方便地纳入基于PKI的安全信息服务体系。     

IoT/CPS的安全体系结构及关键技术

物联网（IoT）和信息物理融合系统（CPS）作为下一代网络的核心技术,被业界广泛关注。与传统网络不同,IoT/CPS异构融合、协同自治、开放互连的网络特性带来了巨大的系统安全方面的挑战。挑战包括安全协议的无缝衔接、用户隐私保护等。研发新的安全模型、关键安全技术和方法是IoT/CPS发展中的重点。文章基于IoT/CPS安全需求和威胁模型,提出了一种层次化的安全体系结构,并针对隐私保护、跨网认证和安全控制等IoT/CPS的关键安全技术展开讨论。     

抗DoS攻击的多用户传感器网络广播认证方案

在vBNN-IBS签名基础上提出了一种抗DoS攻击的多用户传感器网络广播认证方案DDA-MBAS,利用散列运算及用户信息进行虚假数据过滤。与现有的多用户传感器网络广播认证方案相比,DDA-MBAS在抵抗节点妥协攻击、主动攻击的基础上,以较低的能耗过滤虚假消息并有效地限制了妥协用户发起的DoS攻击及共谋攻击的安全威胁。     

基于混沌的数码防伪系统研究与实现

设计并实现了一套基于混沌的数码防伪系统.基于混沌密码技术,分别提出一种生成防伪码和验证码的混沌密码加密算法,并采用"双标双码、双向验证"防伪工作机制,构建了一个能进行电话查询的混沌数码防伪系统,实现了防伪查询智能鉴别,系统测试表明该系统防伪效果好且方便实用,适合推广.     

一种基于智能卡的双向身份认证方案

计算机网络的普及使更多的资源和应用可以利用网络远程获得,所以身份认证问题成为网络安全研究中的重要课题。当前主要的身份认证方法有以下几种：基于口令的身份认证;基于生物特征的身份认证;基于智能卡的身份认证以及几种方式的混合认证。结合密码学和智能卡技术的身份认证方案也被多次提出,许多专家和学者还提出了多种改进的方案。但是,这些方案均会出现一些不可避免的漏洞。针对多种方案的漏洞,该文提出了一种在智能卡中引入公钥密码算法的认证方案,并对其安全性进行了分析,该方案的安全性和优越性也在文中得到体现。     

数据库三层安全结构设计

数据库的安全的一项关键技术是数据库加密,加密粒度涉及到整个数据库、表、字段、记录,但是,不论采取何种加密粒度,都不可避免影响到数据库的访问效率。如何能兼而得之？对此,可以设计一种三层结构,它包括系统CA模块、授权登录模块、加解密模块共三层,系统CA模块负责身份认证,授权登录负责用户权限管理,加解密模块直接保证数据库本身的安全。三层结构在保证数据库安全的前提下,有效保证了用户访问数据库的效率。     

Lightweight and provably secure user authentication with anonymity for the global mobility network

Seamless roaming in the global mobility network (GLOMONET) is highly desirable for mobile users, although their proper authentication is challenging. This is because not only are wireless networks susceptible to attacks, but also mobile terminals have limited computational power. Recently, some authentication schemes with anonymity for the GLOMONET have been proposed. This paper shows some security weaknesses in those schemes. Furthermore, a lightweight and provably secure user authentication scheme with anonymity for the GLOMONET is proposed. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, user friendly, no password/verifier table, and use of one‐time session key between mobile user and foreign agent. The security properties of the proposed protocol are formally validated by a model checking tool called AVISPA. Furthermore, as one of the new features in our protocol, it can defend smart card security breaches. Copyright © 2010 John Wiley & Sons, Ltd.     

A hidden mutual authentication protocol for low‐cost RFID tags

Radio‐frequency identification (RFID) technology enables the identification and tracking of objects by means of the wireless signals emitted by a tag attached to the objects of interest. Without adequate protection, however, malicious attackers can easily eavesdrop, scan or forge the information within the tag, thereby threatening the integrity of the system. Previous research has shown that the basic security requirements of RFID systems, i.e. identity authentication, information privacy and location privacy, can be satisfied using conventional cryptographic components. However, such components are expensive, and therefore conflict with the general requirement for low‐cost tag designs. Accordingly, this paper presents a low‐cost challenge‐response security protocol designated as the hidden mutual authentication protocol (HMAP) to accomplish both a mutual authentication capability between the tag and the reader and information privacy. The results show that HMAP provides an efficient means of concealing the authentication messages exchanged between the tag and the reader and is robust toward replay attacks. In addition, it is shown that HMAP is easily extended to provide complete location privacy by utilizing a hash function to generate different tag identifiers in each authentication session. Copyright © 2011 John Wiley & Sons, Ltd.     

Cryptanalysis of Hsiang‐Shih's authentication scheme for multi‐server architecture

From user point of view, password‐based remote user authentication technique is one of the most convenient and easy‐to‐use mechanisms to provide necessary security on system access. As the number of computer crimes in modern cyberspace has increased dramatically, the robustness of password‐based authentication schemes has been investigated by industries and organizations in recent years. In this paper, a well‐designed password‐based authentication protocol for multi‐server communication environment, introduced by Hsiang and Shih, is evaluated. Our security analysis indicates that their scheme is insecure against session key disclosure, server spoofing attack, and replay attack and behavior denial. Copyright © 2010 John Wiley & Sons, Ltd.     

基于Ajax和图形验证码的身份认证实现

为了保证Web系统的安全,传统的模式一般采用用户名和密码来进行身份认证,这种模式以同步方式运行,以文本格式存储,效率低,安全性差,Ajax技术的异步能力、图形验证码的点阵存储、权限访问控制三者相结合,高效实现了Web系统身份认证功能,安全性能大有改善。