EPON系统中的认证与加密机制研究

EPON通信系统采用点对多点通信模式,而这种通信模式使得OLT与ONU通信过程中存在非法接入、窃听、伪造等安全威胁,针对这种情况,提出了一种基于SHA-256散列算法及AES加密算法的认证、密钥更新、加密技术来解决上述安全威胁,并对方案中认证、会话密钥生成和密钥更新各阶段进行了详细分析。     

PKI体系下的网络安全性能评估算法

通过分析基于公钥基础设施安全的网络防御问题和攻击问题,得出一个能反应网络安全性能的网络安全性能评估算法。该算法包含4个重要的安全参数:网络用户数n、密钥破解系数p、网络安全系数λ和网络安全度s。通过对网络安全性能评估算法中的各个安全参数进行分析,观察各参数对网络安全性能的影响,最后得出网络安全系数的一个上限值和网络用户数的一个上限值。这些结果可用于网络安全建设和对网络安全性能进行度量和评估。     

SINET中组密钥管理方案研究

文章介绍了空间信息网络研究的背景、目的和意义,由其巨大的安全等威胁确定需要组密钥管理来保障其安全和性能;分析了组密钥管理的拓扑结构后确定分层分组式更适合空间信息网络的特性,并给出其典型结构逻辑密钥树方案的安全性能分析及相关改进方案的介绍;在研究空中网络组密钥管理方案后发现整个空间网络架构的密钥管理方案、空间信息网络的私钥更新方案研究很少,文章给出研究思路;并给出密钥更新节点的在线解决办法,最后提出展望。     

传感器网络中基于三元多项式的密钥管理方案

提出一种新的密钥管理方案KMTP(key management based on ternary polynomial)。基站为每个节点建立唯一性标识,保证节点合法性;基于三元多项式设计簇内和簇间密钥预分配算法,可以保证秘密多项式的破解门限值分别大于簇内节点和分簇总数,理论上难以破解;通过构造安全连通邻接表,设计簇间多跳路由选择算法,保证通信阶段的安全;引入更新参数和更新认证数,保证密钥更新阶段的安全。仿真表明,相比已有方案,KMTP开销较小,且能够提供更高的安全性。     

基于多因子的ZigBee安全认证机制

针对ZigBee网络节点入网认证机制中存在认证机制不完善、协调器的负载过大的不足,设计了基于多因子的ZigBee安全认证机制,以特定周期更新的新鲜因子并将其与节点硬件信息绑定,匹配节点上传的密钥信息因子和配置因子完成身份认证以防止非法节点入网对整个网络造成危害。安全性分析及测试结果表明,该机制在保证网络节点入网安全的前提下实现了协调器的负载均衡,改善了其综合性能。     

WiMAX密钥管理方案研究

分析了WiMAX网络物理层和MAC层面临的安全威胁,给出了WiMAX网络安全体系结构;对密钥管理机制中的授权与认证密钥(AK)交换过程以及传输加密密钥(TEK)交换过程进行了详细的介绍。     

基于密钥阵列的RFID安全认证协议

随着RFID技术的发展和广泛应用,安全认证协议的设计与完善对于保护信息安全和用户隐私变得更加重要。该文针对现有安全认证协议中常常忽略的来自系统内部合法阅读器之间的伪造和篡改问题,提出一种新的基于密钥阵列的安全认证协议。它通过增加密钥更新标记,有效地解决了标签和数据库之间的同步更新问题。新协议在维持一定复杂度和标签成本的基础上,可抵抗包括重传、跟踪、阻断和篡改等多种攻击手段,尤其针对来自系统内的安全威胁,具有较高的安全性和实用性。     

一种基于量子加密的软件定义网络南向安全防护策略

提出一种以量子加密技术为核心的软件定义网络（Software-defined Network,SDN）的南向安全防护策略,建立了基于量子密钥分发的SDN网络模型并分析了该模型下的身份认证、量子密钥分发和自适应免疫窃听流程。推导出了本策略下窃听攻击强度、用于检测窃听的量子态数目的比例α、系统发现窃听者的概率、密钥分发效率之间的定量关系。通过动态仿真分析确立了不同攻击强度下系统参数α的最优选值区间。SDN控制器可根据该仿真结果,动态地决策系统中α的取值进行自适应免疫密钥分发,实施更为精准的窃听免疫方案。     

PKMv2协议研究

IEEE 802.16的安全子层采用了认证客户端/服务器密钥管理协议,在该协议中基站(服务器)能够对分发给客户端SS的密钥进行控制.IEEE 802.16系列标准的安全性主要基于PKM协议.在初始授权密钥交换期间,BS使用基于数字证书的SS认证对客户端SS进行认证.PKM协议使用公钥密码技术建立SS与BS之间的共享密钥,SS也使用PKM协议支持周期性重认证和密钥更新.文章首先分析了PKMv2中安全子层的协议栈,然后给出了相互认证、授权密钥生成和安全认证的流程.同时,从支持的认证算法、安全关联种类和加密算法等方面将PKMv2和PKMv1进行了比较,并对PKMv2可能存在的安全威胁进行了详细的分析.     

七号信令网中基于MTP3层的安全机制研究

七号信令系统作为电信网络的神经系统,其安全问题日益严重.给出了SS7网络面临的主要安全威胁,分析了攻击者利用网络缺乏认证机制,通过MTP3层的网络管理消息对七号信令网实施攻击.提出用密钥交换协议和认证头协议对MTP3层进行安全保护,增强SS7网络的安全性.     

Efficient identity-based security schemes for ad hoc network routing protocols

Wireless ad hoc networks consist of nodes with no central administration and rely on the participating nodes to share network responsibilities. Such networks are more vulnerable to security attacks than conventional wireless networks. We propose two efficient security schemes for these networks that use pairwise symmetric keys computed non-interactively by the nodes which reduces communication overhead. We allow nodes to generate their broadcast keys for different groups and propose a collision-free method for computing such keys. We use identity-based keys that do not require certificates which simplifies key management. Our key escrow free scheme also uses identity-based keys but eliminates inherent key escrow in identity-based keys. Our system requires a minimum number of keys to be generated by the third party as compared to conventional pairwise schemes. We also propose an authenticated broadcast scheme based on symmetric keys and a corresponding signature scheme.     

Secure Computation Without Authentication

Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in of itself, and also independent of the computation in the other sets. In this setting we provide, for the first time, nontrivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and nonmalleable commitments. As an application of our results, we study the question of constructing secure protocols in partially authenticated networks, where some of the links are authenticated, and some are not (as is the case in most networks today).     

移动漫游中强安全的两方匿名认证密钥协商方案

由于低功耗的移动设备计算和存储能力较低,设计一种高效且强安全的两方匿名漫游认证与密钥协商方案是一项挑战性的工作.现有方案不仅计算开销较高,而且不能抵抗临时秘密泄露攻击.针对这两点不足,提出一种新的两方匿名漫游认证与密钥协商方案.在新方案中,基于Schnorr签名机制,设计了一种高效的基于身份签密算法,利用签密的特性实现实体的相互认证和不可追踪;利用认证双方的公私钥直接构造了一个计算Diffie-Hellman（Computational Diffie-Hellman,CDH）问题实例,能抵抗临时秘密泄露攻击.新方案实现了可证明安全,在eCK（extended Canetti-Krawczyk）模型基础上,探讨两方漫游认证密钥协商方案安全证明过程中可能出现的情形,进行归纳和拓展,并给出新方案的安全性证明,其安全性被规约为多项式时间敌手求解椭圆曲线上的CDH问题.对比分析表明：新方案安全性更强,需要实现的算法库更少,计算和通信开销较低.新方案可应用于移动通信网络、物联网或泛在网络,为资源约束型移动终端提供漫游接入服务.     

一种基于ECDH的可认证密钥协商协议

针对Diffie-Hellman密钥交换协议和ECDH密钥协商协议的缺陷,给出了一种改进后的可认证密钥协商协议。该协议具有等献性、密钥不可控、密钥确认、完美前向安全以及抗已知密钥攻击等安全特性。跟以往的密钥协商协议相比,其管理简单、开销较低、安全性高、扩展性较好且实现了身份认证,以较低的计算成本和较高的运算效率实现了通信双方安全的会话密钥协商与密钥验证,能够较好地适用于大规模网络的端到端密钥管理。     

安全高效的空间信息网中密钥管理方案

空间信息网是卫星通信系统的进一步发展,安全高效的密钥管理是保障空间信息网内安全通信的关键。分析了空间信息网中密钥管理方案的安全需求,提出了按需建立密钥的思想,并依据该思想提出一个适用于空间信息网的安全高效的密钥管理方案。方案采用完全分布式的管理模式,每个结点管理并维护自己的密钥列表,方案具有认证安全性、前向保密性等安全性特征。仿真结果表明,与现有的空间信息网密钥管理方案相比,该方案在网络规模较大时能极大地降低通信开销,具有良好的通信效率。     

空天地一体化网络安全防护技术分析

随着我国海洋、太空等国家利益不断拓展,国内安全应急事件处置,以及空间科学探索任务等的不断深入,对空天地一体化网络跨地域、跨空域安全通信、传输提出了更高的要求。针对其面临的安全威胁进行深入的分析,并提出了一体化网络安全防护未来发展亟待解决的关键技术,为后期开展空天地一体化网络安全防护研究指明了方向。     

A pairing-free identity-based authenticated group key agreement protocol for imbalanced mobile networks

The secure and reliable group communication gains popularity in imbalanced mobile networks due to the increase demand of the group-oriented applications such as teleconferences, collaborative workspaces, etc. For acquiring the group security objectives, many authenticated group key agreement (AGKA) protocols exploiting the public key infrastructure have been proposed, which require additional processing and storage space for validation of the public keys and the certificates. In addition, the most of the AGKA protocols are implemented using bilinear pairing and a map-to-point (MTP) hash function. The relative computation cost of the bilinear pairing is approximately two to three times more than the elliptic curve point multiplication (ECPM) and the MTP function has higher computation cost than an ECPM. Due to the limitation of communication bandwidth, computation ability, and storage space of the low-power mobile devices, these protocols are not suitable especially for insecure imbalanced mobile networks. To cope with the aforementioned problems, in this paper, we proposed a pairing-free identity-based authenticated group key agreement protocol using elliptic curve cryptosystem. It is found that the proposed protocol, compared with the related protocols, not only improves the computational efficiencies, but also enhances the security features.     

一种新的适于Ad hoc网可认证密钥协商协议

提出一种新的适于Ad hoc网可认证密钥协商协议。基于签密技术。在同一逻辑步内同时实现了认证和加密功能,提高了密钥协商效率;基于身份的公钥密码系统,降低了建立和管理公钥基础设施的代价;应用椭圆曲线上双线性对,使得该协议能以短的密钥和小的计算量实现同等安全要求。与已有密钥协商协议相比,新协议计算和传输量小,带宽要求低,安全性高,适合能源和带宽受限的Ad hoc网络。     

Detecting forged routing messages in ad hoc networks

The effective tremendous deployment of ad hoc networks is incontestably braked by their unreliability in terms of security and quality of services. In this paper, we focus on security problems and show that despite of efforts made in the ad hoc security field, many security issues still jeopardize correct MANETs routing operation. For such threats, we propose an IDS (Intrusion Detection System) solution for which cryptographic-based solutions are ineffective. Actually, authenticated nodes legitimately present in the network are able to send faked routing messages to compromise the routing and then communication between nodes. To cope with such security attacks, we propose an IDS dedicated to the OLSR protocol and well fitted to its characteristics and operation. In addition, our IDS is implemented on all network’s nodes which act cooperatively by continually analyzing routing messages semantics. When an intrusion is detected, alerts are flooded and intruders are banished from the network. We have finally implemented this IDS and performances evaluation shows the intrusion detection effectiveness.     

基于无证书公钥密码体制的密钥管理

移动IPv6是IPv6的子协议,有着巨大的地址空间、对移动性和QoS的良好支持,内嵌的IPSec协议,以及邻居发现和自动配置等诸多优势。然而,移动通信网络链路的开放性、网络拓扑结构的动态性、移动资源的有限性等特点使其容易遭受更严重的安全威胁。针对在移动IPv6环境下,采用无证书的公钥密码体制,部署和实现移动IPv6网络的密钥管理问题。提出了一种新的接入注册解决方案,该方案可以解决具有高敏感性要求移动网络的安全保护问题。