一种新型抵御字典攻击的方案

身份验证是网络应用系统中的第一道防线,目的是验证通信双方的身份,防止非法用户窃取和假冒合法用户。尽管通过口令是最方便的身份验证方法,但它也伴随着字典攻击的威胁。分析了常用的几种一次性口令身份认证方案,在挑战-响应方案基础上,利用安全单向哈希函数提出并设计了一种新型身份验证方案。该方案不仅明显减少了认证服务器的开销,而且能有效地抵御字典攻击、拒绝服务攻击等攻击手段,显著增强了应用系统的安全性。     

CICS身份验证的改进

主要是CICS身份验证的改进.通过对CICS结构及现有身份验证的详细分析,提出了"签到回写"身份验证方案,新方案采用前后台序列号一致的比较原则,达到阻止非法进入、减少无谓连接的目的.方案中还采用了序列号自动产生,一次连接一个序列号的方法以及对序列号采取加密传输方法来提高系统的安全性.     

一种新型抵御字典攻击的认证方案

身份验证是网络应用系统中的第一道防线,目的是验证通信双方的身份,防止非法用户窃取和假冒合法用户.尽管通过口令是最方便的身份验证方法,但它也伴随着字典攻击的威胁.分析了常用的几种一次性口令身份认证方案,在挑战-响应方案基础上,利用安全单向哈希函数提出并设计了一种新型身份验证方案.该方案不仅明显减少了认证服务器的开销,而且能有效地抵御字典攻击、拒绝服务攻击等攻击手段,显著增强了应用系统的安全性.     

EAST远程等离子体控制门户系统的安全管理

EAST装置是世界上第一个非圆截面全超导托卡马克核聚变实验装置,已经发展成为国际上重要的合作实验平台.为扩大和方便合作单位参与实验,提出开发EAST远程等离子体控制系统,系统采用Web开发模式,其功能是为远程客户提供获取实验数据、即时控制服务和放电方案设置服务.其门户系统设计主要负责身份验证与授权、请求格式检查和技术数据检查等安全性功能.身份验证与授权阶段采用三阶段验证,主要采用VPN,数字证书和随机验证码等网络安全技术.请求格式检查和技术数据检查采用模块化技术,针对不同放电方案单独编写模块,保证系统的可扩展性.     

利用指纹识别技术实现银行业务系统中的个人身份验证

本文论述了用指纹识别技术实现银行业务系统中的个人身份验证的必要性与可能性，并提出了基于业务应用系统的指纹识别身份验证的实现方案。     

基于决策树的个性化身份验证研究

身份认证是网络安全中一个重要问题,本文结合了Web日志挖掘和决策树分类这两方面的知识,提出了一种新的认证方式,个性化身份验证,在用户登陆系统后可以对其身份进行二次验证。     

基于区块链网络的医疗记录安全储存访问方案

针对在当前医疗系统中医疗记录授权流程繁琐、记录分享效率低下和身份验证困难问题，提出一种结合区块链技术与密码学的非对称加密技术的方法，将非对称加密技术的安全性高、多方协作简单等特性应用到区块链技术构成的点对点网络中，实现医疗记录跨域分享的可追踪、数据的不可篡改和身份验证的简化。首先，基于区块链技术的不可篡改性结合非对称加密技术，设计了文件同步合约和授权合约，其分布式储存优势保证了用户医疗信息隐私。其次，跨域获取合约的设计能够有效验证数据分享双方身份以及提高身份验证效率，不需要第三方公证机构便可安全过滤非合法用户。仿真实验结果显示，所提出的方案相比传统使用云计算方法解决医疗记录分享问题的方案，在数据防盗窃、多方身份验证和节约系统开销方面有明显优势。该方案对利用区块链的去中心化、可审计等优点解决数据分享过程中的安全问题提供了参考，为解决数据跨域分享、跨域身份验证问题提供了借鉴思路。     

二次剩余下改进He-Dawson的多秘密共享方案

研究了He-Dawson所提出的基于单向函数的多步骤秘密共享方案,指出该方案是一次方案而且不能抵抗合谋攻击,结合基于身份验证的密码学多秘密共享方案和利用二次剩余构造的数字签名方案,提出了一种利用二次剩余构造一个多秘密共享方案,该方案功能是一种(t,n)门限的多秘密共享方案。该方案中,由秘密分发者分发秘密,但每个参与者可以验证由秘密分发者分发的秘密,可以防止秘密分发者的欺骗,并且每个参与者能够验证其他合作者的欺骗。另外,每个参与者选取的子秘密可以复用,组秘密可以以任意顺序重构,同时该方案还能够抵抗合谋攻击。其安全性是基于Shamir门限方案和RSA密钥体制。在大整数分解困难离散对数难分解等问题的假设下,证明了提出的方案是安全的。     

基于增强型OTP的电子投票方案

利用身份注册、增强型0TP认证和公开验证机制,提出了一种新的电子投票方案.该方案利用注册中心与认证中心的共同管理实现对投票人的身份验证,防止投票人重复投票;投票人利用简单的认证口令不仅能实现有效申诉,还避免投票人的私有信息在公开验证阶段被泄露.     

一种面向网格计算的分布式匿名协作算法

基于TCG提出的可信计算技术为网格协作安全性提出一种匿名分组身份验证算法,该算法可以非常可靠地解决网格计算平台之间的身份匿名验证问题.算法使用一个硬件模块TPM解决远程的身份验证,并通过TPM机制可以提供可靠的匿名验证和平台认证功能.算法中所有涉及的验证过程都是基于匿名机制实现的,除了实现匿名验证机制以外,算法还提供一套完整标记恶意网络实体的方法.提出了网格计算中虚拟分组的匿名认证平台架构,并在此架构基础上分成5步实现匿名验证算法,然后说明了算法在一种对等计算平台的应用实例,与GT2,GT3,GT4以及信任管理进行安全性的比较,并设计一个实验评价其性能.     

增强的基于智能卡的远程用户认证协议

基于智能卡的远程用户认证协议比基于口令的安全协议能提供更好的安全性。2011年Chen等提出一种对Hsiang-Shih方案改进的基于智能卡的远程认证协议,并称解决了相关方案中存在的各种攻击问题。指出Chen等方案仍然存在着内部攻击、丢失智能卡攻击、重放攻击和身份冒充攻击,并针对基于口令和智能卡的远程认证协议类存在的离线口令猜测攻击提出一种基于智能卡和椭圆曲线离散对数问题的认证协议。该协议能抵抗提到的所有攻击,在登陆和认证阶段只需要一个点乘运算。     

Improving the security of ‘a flexible biometrics remote user authentication scheme’

Recently, Lin–Lai proposed ‘a flexible biometrics remote user authentication scheme,’ which is based on El Gamal's cryptosystem and fingerprint verification, and does not need to maintain verification tables on the server. They claimed that their scheme is secured from attacks and suitable for high security applications; however, we point out that their scheme is vulnerable and can easily be cryptanalyzed. We demonstrate that their scheme performs only unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their scheme is susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Lin–Lai's scheme. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication. Moreover, some standards for biometric-based authentication are also discussed, which should be followed during the development of biometric systems.     

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Remote user authentication is a method, in which remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves anonymity of user, has the features of strong password chosen by the server, and protected from several attacks. However, in this paper, we point out that Wang et al.’s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme: does not provide anonymity of a user during authentication, user has no choice in choosing his password, vulnerable to insider attack, no provision for revocation of lost or stolen smart card, and does provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.’s scheme and is more secure and efficient for practical application environment.     

A secure and efficient mutual authentication scheme for session initiation protocol

The Session Initiation Protocol (SIP) as the core signaling protocol for multimedia services is receiving much attention. Authentication is becoming increasingly crucial issue when a user asks to use SIP services. Many authentication schemes for the SIP have been proposed. Very recently, Zhang et al. has presented an authentication scheme for SIP and claimed their scheme could overcome various attacks while maintaining efficiency. In this research, we illustrate that their scheme is susceptible to the insider attack and does not provide proper mutual authentication. We then propose a modified secure mutual authentication scheme to conquer the security flaws in Zhang et al.’s scheme. Through the informal and formal security analyses, we demonstrate that our scheme is resilient possible known attacks including the attacks found in Zhang et al.’s scheme. In addition, the performance analysis shows that our scheme has better efficiency in comparison with other related ECC-based authentication schemes for SIP.     

支持双认证方式的单点登录方案

支持多认证方式的单点登录是目前的一个新需求,通常这又使认证协议的实现和跨域的认证更加复杂。为此提出一种灵活的支持证书、口令及其组合认证的单点登录方案。方案通过认证协议模板和临时证书票据设计,避免了单点登录的认证协议重复设计,并简化了跨域认证的信任模型。     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

一种改进的动态门限签名方案

基于椭圆曲线上的双线性映射设计的远程用户认证方案,因安全性好、计算复杂度较小近年来成为了研究的热点.Manik提出了一种基于双线性映射的远程用户认证方案,随后Chou等指出其方案针对假冒攻击是不安全的,并给出了一种改进方案,但Thulasi指出该改进方案仍是不安全的.该文对已有的攻击方法进行了简单分析,提出了一种新的改进方案,并对其安全性进行了分析,新的方案针对已有的攻击方法是安全的,从而解决了基于双线性映射的远程用户认证方案的安全问题.     

一种安全的远程用户认证方案

基于椭圆曲线上的双线性映射设计的远程用户认证方案,因安全性好、计算复杂度较小近年来成为了研究的热点。Manik提出了一种基于双线性映射的远程用户认证方案,随后Chou等指出其方案针对假冒攻击是不安全的,并给出了一种改进方案,但Thulasi指出该改进方案仍是不安全的。该文对已有的攻击方法进行了简单分析,提出了一种新的改进方案,并对其安全性进行了分析,新的方案针对已有的攻击方法是安全的,从而解决了基于双线性映射的远程用户认证方案的安全问题。     

一个新的动态口令认证方案

介绍并分析了S／KEY口令认证方案和非对称口令认证方案,针对它们无法抵御劫取连接攻击等安全缺陷,在充分吸收它们设计思想的基础上,提出了一个新的动态口令认证方案,给出了具体注册过程、认证过程及参数选择,并进行了安全性分析。分析可得,新方案可抵御劫取连接等攻击。     

Cryptanalysis and improvement of ‘a secure authentication scheme for telecare medical information system’ with nonce verification

In 2009, Xu et al. presented an improved smartcard based authentication scheme while using a security model previously applied by Bellare et al. to prove the security of their authentication methods. Later on, in 2012, Wu et al. pointed out number of authentication attacks in Xu et al. scheme. To address these issues, Wu et al. presented a Smartcard based Two-Factor Authentication (2FA) scheme for Telecare Medical Information System (TMIS) facility. In this study, we prove that authentication scheme of Wu et al. is still vulnerable to impersonation attack, offline password guessing attack, forgery attack and many other attacks. Moreover, number of performance and verification issues are also outlined in the authentication scheme of Wu et al. To overcome these issues, an improved and enhanced 3FA Smartphone based authentication method is proposed on a Cloud Computing environment. The proposed scheme is further corroborated using Burrows-Abadi-Needham logic (BAN logic) nonce verification. The detailed BAN logic verification and further security analysis shows that the proposed authentication protocol is highly reliable and secure in terms of message verifications, message freshness and trustworthiness of its origin. Moreover, the comparative security, performance and feature analysis shows that the proposed work yields an even more improved and enhanced authentication framework as compared to Wu et al. authentication scheme.