车载网络中基于群签名的可保护隐私的车辆认证

安全和隐私是配置车载网络时所需要的2个重要条件,具有保护隐私功能的认证是实现这2个条件的关键技术.不同于已有的认证方案,文中用群签名来实现车载网络中能保护隐私的车辆认证.为了满足认证的快速性要求,基于目前安全性最强、效率较高和签名较短的ZL 06局部验证者撤销短群签名方案,提出了2个具有隐私保护功能的车载网络中的车辆认证方案.群签名所具有的良好性质保证了所提出的认证方案具有实用性和隐私保护功能.     

基于SLA的云计算动态信任评估模型

针对云计算环境中用户如何有效的选择云服务商及签订服务协议的问题,本文提出一种基于服务等级协议SLA的中立第三方动态信任评估系统框架.通过在用户端和云端设置的监测代理,实时监控并采集SLA相关的实际服务数据;通过实际观测的参数、其变化情况及SLA协定的参数,同时结合用户主观评价,计算得到服务质量的信任值,最终形成对云服务商服务可信度的全面的和动态的评价.本文给出了系统框架结构、评估方法和评估输入与流程等信任评估的实现方法.与其他信任评估方法相比,本文提出的模型全面融合了多种数据主客观评价来源,给出了具体流程和方法,具有更好的客观性、准确性和可信性.     

一体化标识网络中的用户身份认证协议

一体化标识网络解决了传统网络中IP地址二义性问题,是一种基于网络的身份与位置分离体系.本文在一体化标识网络中提出一种用户身份认证协议,基于该协议设计了一种利用数字证书构建的接入标识.这种接入标识唯一的表示一体化标识网络中的终端,实现用户身份信息与终端的绑定.该用户身份认证协议基于Diffie-Hellman密钥交换完成用户到用户真实身份的双向认证,采用谜题机制和无认证状态防止应答方受到DoS攻击.通过C-K安全模型分析用户身份认证协议的安全性,分析表明该协议是会话密钥安全的.     

基于自更新哈希链的安全高效车-地鉴权方案

针对下一代高速铁路无线通信系统LTE-R （long term evolution-railway）对安全性和实时性的特殊需求，基于哈希链技术，提出一种完全基于对称密码体制的的车-地通信鉴权方案. 用户归属服务器（home subscriber sever，HSS）利用身份授权主密钥为车载设备（on-board unit，OBU）生成动态可变的匿名身份（temporary identity，TID），以在接入认证请求信令中保护车载设备的隐私，同时能够抵挡去同步攻击. 在列车高速移动过程中，方案采用高效的哈希链代替认证向量完成列车和服务网络之间的双向认证，哈希链的本地更新可解决认证向量耗尽导致的全认证重启问题. 此外，通过引入身份证明票据实现基于基站协同的高效无缝切换认证. 安全性和性能分析表明:在同样条件下，所提出的全认证协议、重认证协议和切换认证协议与目前性能最优的LTE （long term evolution）标准协议相比，计算量分别下降41.67%、44.44%和45.45%，通信量分别下降62.11%、50.91%和84.91%，能够满足LTE-R接入网络的安全性和实时性要求.      

一种基于差分隐私保护的skyline查询方法

为了解决差分隐私保护机制中重复攻击会泄露用户隐私的问题，提出了一种基于动态页敏感度调节的skyline查询方法. 首先，提出了依据最优主导页的计算页敏感度方法，提高页敏感度计算的效率；其次，为了合理设置隐私预算值，提出了基于置信率的隐私预算值调节方法；最后，基于隐私预算值动态更新查询次数的上界，实现了基于差分隐私保护的skyline查询方法. 实验结果表明:所提出方法在隐私预算值设定小于0.8时，隐私数据的泄露数由787个降低到423个.      

基于用户口令的GSM—R身份认证协议

现有的GSM-R身份认证协议,是对SIM卡的身份认证而不是对铁路员工的身份认证,在日常铁路生产中,移动台容易丢失也容易被盗窃,使得SIM卡信息有可能泄露,导致SIM卡被克隆,给正常的铁路生产带来安全隐患.针对这一问题,本文设计了一种新的身份认证协议,通过在移动台使用用户口令作为认证密钥,不仅实现了对人的认证,而且实现了认证实体之间的双向认证,使得铁路员工可以使用任意的移动台进行通信,提高了日常工作的灵活性和安全性.     

基于移动智能体的空间信息共享服务设计与实现

为提高分布、异构、动态网络环境下的空间数据协作效率,引入移动智能体计算技术构建空间信息共享服务.通过分析移动智能体技术的特点及应用于空间信息服务的优势,构建了基于四层体系的空间信息服务框架,设计了基于移动智能体技术的服务系统功能结构,并建立了移动智能体计算动态控制模型.最后,以堰塞湖溃决风险评估的分布式协同服务系统为例,给出了移动智能体计算的实现方法.研究结果表明,移动智能体计算可以避免空间数据在网络中传输,保障数据安全,提高数据协作效率.     

圆形区域划分的k-匿名位置隐私保护方法

用户位置信息的准确度反比于用户的隐私保护安全系数k（privacy protection level）,正比于查询服务质量;为了平衡由位置信息的准确性引起的隐私保护安全与查询服务质量之间的矛盾,借助位置k-匿名模型,提出了圆形区域划分匿名方法.将整个区域划分为相切圆及相邻的4个相切圆的顶点组成的曲边菱形形成的组合区域,当用户位置区域含有的用户数量不满足隐私保护安全系数要求时,利用区域扩充公式得到合适的匿名区域.实验结果表明该方法减小了匿名区域的面积,提高了相对匿名度,从而平衡了k与QoS的矛盾;并从匿名成功率、服务质量和信息处理时间3个角度确定了基于位置k-匿名隐私保护方法的评估模型.     

铁路物流中基于短签名的实时跟踪协议

随着铁路物流软硬件建设的快速发展,大数据和物联网技术在铁路物流中得到广泛应用,以云计算、人工智能和实时在线监控技术为基础的智慧铁路物流系统研究成为一个热门课题。针对当前一些铁路智慧物流系统和设计方案在信息交互过程中缺乏安全认证和数据完整性保护的缺点,提出了一个基于身份标识的高效短签名方案,进一步以此签名方案为基础,设计了一种适用于铁路实时物流跟踪协议。对签名方案进行了协议交互的实验仿真,结果表明签名方案计算量小,效率较高,协议交互次数少,可有效的解决实时物流信息数据完整性保护和可靠性认证问题。     

一种基于Hash的RFID双向认证协议

分析了RFID系统中存在的安全问题,剖析了目前比较有代表性的基于Hash的RFID认证协议,提出了一种改进的基于Hash的双向认证协议HAsH-IMAP.该协议可以有效解决非法访问、重放攻击、标签失效等问题.通过其安全性能分析以及各协议的存储开销、计算开销和安全性能对比分析,说明了本协议具有高效的性能和良好的安全性.     

无线局域网低时延切换的一种两级认证方法

IEEE 802.11无线局域网已得到了广泛的部署.在无线局域网中,终端移动时经常发生切换,需要进行安全认证,这导致较长的处理时延,降低了服务质量.目前的认证方法,如AAA和IEEE 802.1x,不能支持低时延切换.本文提出了一种两级认证方法,移动终端在快速切换协议中可以执行认证.在漫游到新域之前从目标接入点获取一个临时身份,通过使用该临时身份继续认证快速接入.移动终端在短时间内必须执行再认证,以便完成正常的认证过程,否则,认证接入将被终止.仿真结果表明,本文提出的两级认证方法在切换过程中显著地减少了切换时延和丢包率.     

Secure and efficient digital rights management mechanisms with privacy protection

In the Internet or cloud computing environments, service providers provide more and more content services. Users can use these convenient content services in daily life. The major data of the user are maintained by the service providers except that some personal privacy data are stored at the client device. An attacker may try to invade the systems, and it will cause the damage of users and service providers. Also, users may lose their mobile devices and then it may cause the data disclosure problem. As a result, the data and privacy protection of users become an important issue in these environments. Besides, since many mobile devices are used in these environments, secure authentication and data protection methods must be efficient in these low resource environments. In this paper, we propose an efficient and privacy protection digital rights management （DRM） scheme that users can verify the valid service servers and the service servers can ensure the legal users. Since the key delegation center of the third party has the robust security protection, our proposed scheme stores the encrypted secret keys in the key delegation center. This approach not only can reduce the storage space of the user devices, but also can recover the encrypted secret keys in the key delegation center when a user loses her/his devices for solving the device losing problem.     

A Distributed Authentication Algorithm Based on GQ Signature for Mobile Ad Hoc Networks

Introduction Mobile ad hoc networks (MANETs) are newinfrastructureless networks without the usual rout-ing infrastructure like fixed routers and routingbackbones. A mobile ad hoc network is a multi-hop temporary self-organizing system compromisedof a group of mobile nodes with radios. MANETshave some special characteristics: self organizing,dynamic topology, limited bandwidth, resourceconstraint nodes, multi-hop routing, vulnerable tosecurity attacks etc. Recently, MANET has beenone of t…     

A New Traffic Model for Mobile Wireless Networks

A new traffic model for mobile wireless networks was given and analysed. In the model, it is considered of traffic characteristic for two special periods of time. A pre-emptive priority scheme combined with channel borrowing strategy according to the speciality was proposed. All the channels can be used by non-real-time services, and real-time services are given higher priority for they are allowed to pre-empt channels used by non-real-time services. Either real-time handoff requests or non-real-time handoff requests can be queued in queues when there is no channel can be used. Some channels are reserved for real-time handoff requests, which can also be used by non-real-time service when they are idle. Simulation results are also given. It is seen that our scheme performs better than other schemes when the arrival rate of real-time services is much higher than non-real-time services.     

A semi-fragile wavelet transform watermarking scheme for content authentication of images

A novel semi-fragile watermarking scheme for the content authentication of images using wavelet transform (WT) is presented in this paper. It is tolerant to the embedded wavelet image compression methods based on WT such as embedded zerotree wavelet (EZW), set partitioning in hierarchical trees (SPIHT) and embedded block coding with optimized truncation (EBCOT) in JPEG2000 to a pre-determined bit-plane, but is sensitive to all other malicious attacks. The image features are generated from the lowest-frequency (LF) subband of the original image as the embedded watermark. The watermark is embedded into the pre-determined bit-plane by adjusting the corresponding values in the given subband. In the process of watermarking authentication, we compare the image features generated from the LF subband of the received image with the embedded watermarking information (the image features of the original image) extracted from the pre-determined bit-plane in the given subband of the received image to decide whether the image is attacked maliciously or processed acceptably (the embedded wavelet compression). The most important advantage of our watermarking scheme is that the watermark information can be extracted from the watermarked image when detecting watermark, so the received image authentication needs no information about the original image or watermark. Experimental results prove the effectiveness of our proposed watermarking scheme.     

基于SDKEY的移动终端数据分区保护

针对传统的安全数字钥匙（Secure Digital Key,SDKEY）硬件存在的性能问题,给出了一种SDKEY硬件改进方案,并设计了SDKEY和移动终端之间的双重认证方案.提交了一种基于SDKEY的移动终端数据分区保护方案,给出了一个基于SDKEY的移动终端应用框架模型.研究分析表明,该方案在安全和性能上得到提高,并具有一定的应用价值.     

广义椭圆曲线数字签名链口令认证方案

一次性口令是身份认证的重要技术。文章构造了一个基于椭圆曲线数字签名链的一次性口令认证和密钥协商方案。该方案使用了具有消息恢复功能、无须求逆的椭圆曲线数字签名算法,椭圆曲线认证密钥协商协议,密钥进化算法和椭圆曲线数字签名链等。方案有以下优点:服务器无需维护口令和验证列表;允许用户自主选择和更改口令,实现了双向认证;无需系统时钟同步和传输时延限制;能够抵抗重放攻击、离线字典攻击、中间人攻击和内部人攻击;具备口令错误敏感性和强安全修复性;生成的会话密钥具有新鲜性、机密性、已知密钥安全性和前向安全性。经对比,该方案具有更好的安全性能,适合强安全性需求的场合。     

Robust password and smart card based authentication scheme with smart card revocation

User authentication scheme allows user and server to authenticate each other, and generates a session key for the subsequent communication. How to resist the password guessing attacks and smart card stolen attacks are two key problems for designing smart cart and password based user authentication scheme. In 2011, Li and Lee proposed a new smart cart and password based user authentication scheme with smart card revocation, and claimed that their scheme could be immunity to these attacks. In this paper, we show that Li and Lee＇s sctleme is vulnerable to off-line password guessing attack once the information stored in smart card is extracted, and it does not provide perfect forward secrecy. A robust user authentication scheme with smart card revocation is then proposed. We use a most popular and widely used formal verification tool ProVerif, which is based on applied pi calculus, to prove that the proposed scheme achieves security and authentication.     

Pre-emptive channel borrowing and traffic overflowing channel allocation scheme for multimedia overlay networks

This paper proposes a channel allocation scheme for multimedia wireless networks, in which a twolayer macro-cell or micro-cell architecture is considered. Macro-cells are used to access high-mobility services; while micro-cells, which are overlaid by the macro-cells, are used to cater low-mobility services. To analyze the scheme, a multidimensional Markov traffic model is firstly developed, in which traffic characteristic of two special periods of time is considered. And then, a pre-emptive channel-borrowing scheme combined with trafficoverflowing strategy for multimedia (voice, video or data) networks is proposed, in which handoff requests can not only borrow channels from adjacent homogenous cells, but also be overflowed to heterogeneous cells. Priority strategies are also dedicated to high-mobility services for they can pre-empt channels being used by low-mobility services in macro-cells. To meet the high quality of service (QoS) requirements of video services and increase the channel utilization ratio, video services can be transformed between real-time services and non-real-time services as necessary. Simulation results show that our schemes can decrease the blocking probabilities and improve the channel utilization.