基于代理签名的移动通信网络匿名漫游认证协议

随着无线移动终端的广泛应用,漫游认证、身份保密等问题显得日益突出。该文分析了现有的各种漫游认证协议在匿名性及安全性上存在的问题,指出现有协议都无法同时满足移动终端的完全匿名与访问网络对非法认证请求的过滤,进而针对性地提出了一种新的匿名认证协议。该协议基于椭圆曲线加密和代理签名机制,通过让部分移动终端随机共享代理签名密钥对的方式,实现了完全匿名和非法认证请求过滤。此外,协议运用反向密钥链实现了快速重认证。通过分析比较以及形式化验证工具AVISPA验证表明,新协议实现了完全匿名,对非法认证请求的过滤,双向认证和会话密钥的安全分发,提高了安全性,降低了计算负载,适用于能源受限的移动终端。     

无线网络中高效的匿名漫游安全协议

无线漫游安全(Secure Wireless Roaming,SWR)协议允许隶属于本地服务器的用户漫游到外地时,可以与外地服务器互相验证身份并建立安全的会话密钥.在此基础上,匿名SWR协议能保证即使所有外地服务器串通情况下漫游用户的匿名性和不可追踪性.该文提出了一个匿名的无线漫游安全协议SYM-SWR (SYMmetric key based SWR).而且就目前所知,该协议是第1个完全基于对称密钥的匿名SWR.同其他已知协议相比,SYM-SW的通信复杂度和计算复杂度均最低.因为SYM-SWR只需要4次消息传送,且不需要PKI (Public Key Infrastructure)而采用消息验证码(Message Authentication Code,MAC)和对称密钥加密这两种高效的运算.     

移动Adhoc网络中按需路由协议的安全性改进方案

在移动Adhoc网络中,安全性是保证其可用性的一个重要方面.文章提出了一种针对按需路由协议的安全性改进方案,这种方案采用了对邻居节点的身份即时认证、对远端节点按需认证、匿名寻找路由,逐跳加密传输的机制,能够有效地阻止恶意节点对网络的窃听、篡改等攻击,确保网络路由信息的安全.     

移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

可信的匿名无线认证协议

提出一种可信的匿名无线认证协议,对移动用户身份进行认证的同时验证用户终端平台可信性,认证过程的每阶段使用不同的临时身份和一次性密钥,保持用户身份和平台信息的匿名性,分析表明协议安全可靠,具有域分离特性和密钥协商公正性,计算代价和消息交互轮数满足无线移动网络环境需求.     

网络实名体系模型中的用户认证策略

文中介绍一种安全可控的互联网实名认证机制,它的网站服务器和判断用户输入身份信息真伪的实名注册服务器通过网络相连,实现注册服务器登录用户实名信息,网站服务器不保存真实的原始个人身份信息,且在实名注册及身份追溯过程中均采用加密信息处理.上述机制可以有效杜绝个人身份信息被滥用,实现互联网用户的匿名网络行为可控可查,为互联网监管提供有价值的参考.     

椭圆曲线加密结合cookie信息的物联网终端安全认证协议

针对物联网(IoT)中终端设备接入网络服务器的安全性问题,提出了一种基于椭圆曲线加密(ECC)和cookie信息的物联网终端安全认证协议.协议首先将用户身份信息、服务器私钥、随机数和cookie有效期信息组成一个cookie文件,然后利用椭圆曲线加密体制对其进行加密,并将之存储在智能终端.在认证阶段,通过比对由cookie信息计算的安全参数来实现相互身份认证.性能分析表明,该协议在具有较低计算和通信成本的同时,能够有效抵抗多种攻击,提供了较高的安全性,非常适合应用于物联网中资源有限的终端设备.     

移动社交网络中一种朋友发现的隐私安全保护策略

在移动社交网络中分享用户特征属性配置文件能够迅速找到与用户特征属性相同的朋友。然而,配置文件通常包含用户的敏感隐私信息,如果被恶意攻击者截获将有可能造成不可预计的后果。该文提出一种基于用户伪身份匿名与哈希值比对认证的双重握手机制的隐私保护方案,结合身份权限认证、单向哈希散列函数、密钥协商等技术保证恶意攻击者无法通过身份欺骗、伪造特征属性、窃听安全信道等方式获取用户配置文件的真实内容,从而保证用户的个人隐私不被泄漏。依靠可信第三方服务器强大的计算和抗攻击能力, 减轻智能用户终端计算负担和安全风险。安全分析和实验分析表明,该方案更具有隐私性、消息不可抵赖性和可验证性,比传统的解决方案更有效。     

安全高效的无线传感器网络远程身份验证协议

针对无线传感器网络节点资源受限及通信链路易出错的问题,给出一种安全高效的无线传感器网络远程身份验证协议.该协议采用集中式基于簇的分层无线传感器网络选出最优百分比的簇头,并对其与相邻节点的通信进行授权,再最小化节点能耗实现网络负载平衡,然后每个簇头作为服务器在每个传递消息的有效负载内保证数据认证与交换,对相邻节点进行身份...     

一种WLAN Mesh网络漫游接入认证协议

针对WLAN Mesh网络节点漫游接入过程中现有协议的不足,通过利用EMSA(efficient mesh security association)初始认证过程中所建立的安全链路和消息认证码技术,并引入修改后的DH(Diffie Hellman)密钥交换过程,提出了一种能有效满足漫游接入性能和安全性需求的接入认证协议。该协议不仅具有基本的SK(session key,会话密钥)安全属性,还具有较小的接入时延,能够适应Mesh网络拓扑变化的特性,在完成双向接入认证过程的同时,完成了密钥的生成,并能较好地隐藏终端节点的身份信息。     

An enhanced secure delegation-based anonymous authentication protocol for PCSs

Rapid development of wireless networks brings about many security problems in portable communication systems (PCSs), which can provide mobile users with an opportunity to enjoy global roaming services. In this regard, designing a secure user authentication scheme, especially for recognizing legal roaming users, is indeed a challenging task. It is noticed that there is no delegation-based protocol for PCSs, which can guarantee anonymity, untraceability, perfect forward secrecy, and resistance of denial-of-service (DoS) attack. Therefore, in this article, we put forward a novel delegation-based anonymous and untraceable authentication protocol, which can guarantee to resolve all the abovementioned security issues and hence offer a solution for secure communications for PCSs.     

一个匿名Internet移动代理方案

移动代理技术是一种新兴的网络技术,而电子商务是移动代理技术的主要应用之一.在本文中,我们针对电子商务中对用户的匿名性有较高要求的问题,设计了一个适用于电子商务的匿名Internet移动代理方案.在本方案中,服务器可以验证每个移动代理程序的身份的有效性,但不能确认该代理程序的具体身份,而对服务器进行恶意攻击的代理程序可由代理管理中心进行追踪.     

适用于车载边缘计算网络的高效匿名认证协议

为了解决车载边缘计算网络中无线网络传输特性导致的窃听、重放、拦截、篡改等安全威胁,考虑到车载终端资源有限的特点,提出了一种轻量级匿名高效身份认证协议。基于切比雪夫混沌映射算法,避免了多数方案所采用的指数、双线性映射等复杂算法,有效降低了身份认证与密钥协商过程中的计算复杂度。此外,在实现接入认证及切换认证的同时,能够实现终端匿名性及可追溯、可撤销等安全功能。通过Scyther工具验证结果表明该协议能够满足认证过程中的安全需求并且能够抵抗多种协议攻击。相比已有方案,所提接入认证方案总计算开销最低可节省67%,带宽开销最低可节省11%。此外,相比于接入认证方案,所提域内切换认证方案总计算开销可节省99.8%,带宽开销可节省52%;域间切换认证方案总计算开销可节省80%,带宽开销可节省37%。性能分析结果表明该协议具备更良好的计算和通信性能,因此可以解决车载边缘计算网络中的终端高效安全接入及切换问题。     

Provable analysis and improvement of smart card–based anonymous authentication protocols

Nowadays, authentication protocols are essential for secure communications specially for roaming networks, distributed computer networks, and remote wireless communication. The numerous users in these networks rise vulnerabilities. Thus, privacy‐preserving methods have to be run to provide more reliable services and sustain privacy. Anonymous authentication is a method to remotely authenticate users with no revelation about their identity. In this paper, we analyze 2 smart card–based protocols that the user's identity is anonymous. However, we represent that they are vulnerable to privileged insider attack. It means that the servers can compromise the users' identity for breaking their privacy. Also, we highlight that the Wen et al protocol has flaws in both stolen smart card and stolen server attacks and the Odelu et al protocol is traceable. Then, we propose 2 modified anonymous authentication protocols. Finally, we analyze our improved protocols with both heuristic and formal methods.     

A practical authentication protocol with anonymity for wireless access networks

The use of anonymous channel tickets was proposed for authentication in wireless environments to provide user anonymity and to probably reduce the overhead of re‐authentications. Recently, Yang et al. proposed a secure and efficient authentication protocol for anonymous channel in wireless systems without employing asymmetric cryptosystems. In this paper, we will show that Yang et al.'s scheme is vulnerable to guessing attacks performed by malicious visited networks, which can easily obtain the secret keys of the users. We propose a new practical authentication scheme not only reserving the merits of Yang et al.'s scheme, but also extending some additional merits including: no verification table in the home network, free of time synchronization between mobile stations and visited networks, and without obsolete anonymous tickets left in visited networks. The proposed scheme is developed based on a secure one‐way hash function and simple operations, a feature which is extremely fit for mobile devices. We provide the soundness of the authentication protocol by using VO logic. Copyright © 2010 John Wiley & Sons, Ltd.     

An improved EAAP scheme for vehicular ad hoc networks

Recently, Maria Azees et al proposed an “EAAP: efficient anonymous authentication with conditional privacy‐preserving scheme for Vehicular Ad Hoc Networks.” Their scheme is mainly to solve the problem of high computation time of anonymous certificate and signature authentication, as well as the tracking problem of malicious vehicles. However, some improvements are needed in the protection of anonymous identity and the effective tracking of malicious vehicles. In this paper, our scheme realizes mutual authentication between OBU and RSU, and the RSU is authenticated without using certificate. In order to prevent the anonymous identity of the vehicles from being monitored and tracked, we use the negotiated short‐time key to encrypt the anonymous identity in the vehicle certificates. In addition, our scheme uses a new tracking method for malicious vehicles. Then, we prove the scheme through BAN logic, and it has the properties of authentication, anonymity, unlinkability, privacy protection, and traceability. Finally, we compare the computation cost and communication cost with other schemes, and the scheme has been greatly improved.     

A pairing‐free identity‐based handover AKE protocol with anonymity in the heterogeneous wireless networks

Nowadays, seamless roaming service in heterogeneous wireless networks attracts more and more attention. When a mobile user roams into a foreign domain, the process of secure handover authentication and key exchange (AKE) plays an important role to verify the authenticity and establish a secure communication between the user and the access point. Meanwhile, to prevent the user's current location and moving history information from being tracked, privacy preservation should be also considered. However, existing handover AKE schemes have more or less defects in security aspects or efficiency. In this paper, a secure pairing‐free identity‐based handover AKE protocol with privacy preservation is proposed. In our scheme, users' temporary identities will be used to conceal their real identities during the handover process, and the foreign server can verify the legitimacy of the user with the home server's assistance. Besides, to resist ephemeral private key leakage attack, the session key is generated from the static private keys and the ephemeral private keys together. Security analysis shows that our protocol is provably secure in extended Canetti‐Krawczyk (eCK) model under the computational Diffie‐Hellman (CDH) assumption and can capture desirable security properties including key‐compromise impersonation resistance, ephemeral secrets reveal resistance, strong anonymity, etc. Furthermore, the efficiency of our identity‐based protocol is improved by removing pairings, which not only simplifies the complex management of public key infrastructure (PKI) but also reduces the computation overhead of ID‐based cryptosystem with pairings. It is shown that our proposed handover AKE protocol provides better security assurance and higher computational efficiency for roaming authentication in heterogeneous wireless networks.     

Purpose-restricted Anonymous Mobile Communications Using Anonymous Signatures in Online Credential Systems

To avoid the risk of long-term storage of secrets on a portable device, an online credential system supports the roaming user in retrieving securely at various locations his private key and other material to generate anonymous signatures. The protocol proposed here allows a roaming mobile user to access anonymously services such as whistle blowing and net-counselling. Our approach: (1) allows a mobile user, remembering a short password, to anonymously and securely retrieve the credentials necessary for his anonymous communication without assuming a pre-established anonymous channel to the credential server or establishing an anonymous channel using the time-consuming existing rerouting techniques; (2) provides authenticated anonymous access to privacy-related services without rerouting the packets; (3) helps combatting the abuse of anonymity for performing illegal activities (e.g. redistribution of copy-righted contents, illegal drug trading and so on).     

Privacy‐preserving registration protocol for mobile network

In this paper, we propose a novel privacy‐preserving registration protocol that combines the verifier local revocation group signature with mobile IP. The protocol could achieve strong security guarantee, such as user anonymity via a robust temporary identity, local user revocation with untraceability support, and secure key establishment against home server and eavesdroppers. Various kinds of adversary attacks can be prevented by the proposed protocol, especially that deposit‐case attack does not work here. Meanwhile, a concurrent mechanism and a dynamical revocation method are designed to minimize the handover authentication delay and the home registration signals. The theoretical analysis and simulation results show that the proposed scheme could provide high security level besides lightweight computational cost and efficient communication performance. For instance, compared with Yang's scheme, the proposed protocol could decrease the falling speed of handover authentication delay up to about 40% with privacy being preserved. Copyright © 2012 John Wiley & Sons, Ltd.