基于ECC和指纹USBKey的身份认证协议

分析了现有网络身份认证方案的不足,给出了一种指纹识别技术与USBKey技术相结合的身份认证方案。利用载有指纹特征的指纹USBKey改进现有的USBKey认证技术。利用椭圆曲线密码算法ECC（elliptic curve cryption）,提高身份认证协议的安全性。采用挑战与应答的认证机制,实现了双向身份认证。使用含指纹特征的数字证书,防止非法用户篡改指纹特征。给出的身份认证协议实现了USBKey对用户权限的验证及远程服务器对用户身份的实体认证。能够有效抵御窃听攻击、假冒攻击、重放攻击及DoS攻击。     

Efficient Protocol-Proving Algorithm Based on Improved Authentication Tests

A new efficient protocol-proving algorithm was proposed for verifying security protocols. This algorithm is based on the improved authentication tests model, which enhances the original model by formalizing the message reply attack. With exact causal dependency relations between messages in this model, the protocol-proving algorithm can avoid the state explosion caused by asynchronous. In order to get the straight proof of security protocols, three authentication theorems are exploited for evaluating the agreement and distinction properties. When the algorithm terminates, it outputs either the proof results or the potential flaws of the security protocol. The experiment shows that the protocol-proving algorithm can detect the type flaw attack on Neuman-Stubblebine protocol, and prove the correctness of NSL protocol by exploring only 10 states.     

基于自更新哈希链的安全高效车-地鉴权方案

针对下一代高速铁路无线通信系统LTE-R （long term evolution-railway）对安全性和实时性的特殊需求，基于哈希链技术，提出一种完全基于对称密码体制的的车-地通信鉴权方案. 用户归属服务器（home subscriber sever，HSS）利用身份授权主密钥为车载设备（on-board unit，OBU）生成动态可变的匿名身份（temporary identity，TID），以在接入认证请求信令中保护车载设备的隐私，同时能够抵挡去同步攻击. 在列车高速移动过程中，方案采用高效的哈希链代替认证向量完成列车和服务网络之间的双向认证，哈希链的本地更新可解决认证向量耗尽导致的全认证重启问题. 此外，通过引入身份证明票据实现基于基站协同的高效无缝切换认证. 安全性和性能分析表明:在同样条件下，所提出的全认证协议、重认证协议和切换认证协议与目前性能最优的LTE （long term evolution）标准协议相比，计算量分别下降41.67%、44.44%和45.45%，通信量分别下降62.11%、50.91%和84.91%，能够满足LTE-R接入网络的安全性和实时性要求.      

Simple three-party password authenticated key exchange protocol

Three-party password authenticated key exchange (3PAKE) protocol plays a significant role in the history of secure communication area in which two clients agree a robust session key in an authentic manner based on passwords. In recent years, researchers focused on developing simple 3PAKE (S-3PAKE) protocol to gain system efficiency while preserving security robustness for the system. In this study, we first demonstrate how an undetectable on-line dictionary attack can be successfully applied over three existing S-3PAKE schemes. An error correction code (ECC) based S-3PAKE protocol is then introduced to eliminate the identified authentication weakness.     

广义椭圆曲线数字签名链口令认证方案

一次性口令是身份认证的重要技术。文章构造了一个基于椭圆曲线数字签名链的一次性口令认证和密钥协商方案。该方案使用了具有消息恢复功能、无须求逆的椭圆曲线数字签名算法,椭圆曲线认证密钥协商协议,密钥进化算法和椭圆曲线数字签名链等。方案有以下优点:服务器无需维护口令和验证列表;允许用户自主选择和更改口令,实现了双向认证;无需系统时钟同步和传输时延限制;能够抵抗重放攻击、离线字典攻击、中间人攻击和内部人攻击;具备口令错误敏感性和强安全修复性;生成的会话密钥具有新鲜性、机密性、已知密钥安全性和前向安全性。经对比,该方案具有更好的安全性能,适合强安全性需求的场合。     

一体化标识网络中的用户身份认证协议

一体化标识网络解决了传统网络中IP地址二义性问题,是一种基于网络的身份与位置分离体系.本文在一体化标识网络中提出一种用户身份认证协议,基于该协议设计了一种利用数字证书构建的接入标识.这种接入标识唯一的表示一体化标识网络中的终端,实现用户身份信息与终端的绑定.该用户身份认证协议基于Diffie-Hellman密钥交换完成用户到用户真实身份的双向认证,采用谜题机制和无认证状态防止应答方受到DoS攻击.通过C-K安全模型分析用户身份认证协议的安全性,分析表明该协议是会话密钥安全的.     

Sequence Patterns of Identity Authentication Protocols

From the viewpoint of protocol sequence, analyses are made of the sequence patterns of possible identity authentication protocol under two cases： with or without the trusted third party （TFP）. Ten feasible sequence patterns of authentication protocol with TIP and 5 sequence patterns without TFP are gained. These gained sequence patterns meet the requirements for identity authentication, and basically cover almost all the authentication protocols with TFP and without TFP at present. All of the sequence patterns gained are classified into unilateral or bilateral authentication. Then, according to the sequence symmetry, several good sequence patterns with TFP are evaluated. The accompolished results can provide a reference to design of new identity authentication protocols.     

Formal analysis of authentication in 802.11i

Authentication is the basis of the security of IEEE 802.11i standard. The authentication process in 802.11i involves two important protocols: a 4-way handshake and a group key handshake. A formal analysis of authentication in 802.11i is given via a belief multisets formalism. The analysis shows that the 4-way handshake and the group key handshake may provide satisfactory mutual authentication, key management, and issue of a new group temporal key from an access point to a user device, under the guarantee of mutual possession of a confidential pairwise master key. The analysis also shows that there exists a denial of service attack in the 4-way handshake and some seeming redundancies are useful in the protocol implementation.     

一体化网络中可证明安全的三方认证协议

为了有效地保证终端、接入交换路由器和认证中心的安全,本文提出了一体化网络中可证明安全的三方认证协议．该协议实现了终端和认证中心之间及接入交换路由器和认证中心之间的相互认证,不仅可以有效防止非授权终端接入网络,还可以防止伪造的认证中心和接入交换路由器对终端的欺骗．在BR扩展模型下,可证明该协议是安全的．通过性能分析得出,协议具有很高的效率．     

A Strategy for Middleman Attack Prevention in Remote Desktop Protocol

This paper introduces the middleman attack methods which are against the remote desktop protocol(RDP),discusses advantages and disadvantages of several current mainstream prevention strategies,and puts forward a new prevention strategy.The strategy,taking advantage of the original key agreement process of the RDP,designs a piecewise authentication scheme of the key agreement.Using the strategy can achieve the purpose of prevention and detection of middleman attacks.Finally,the security of the strategy is analyzed.     

A New Fragile Watermark for Image

Fragile watermarking is a method to verify the integrity and authenticity of multimedia data. A new fragile watermark for image was proposed, which can be used in image verification applications. The paper first described the above two techniques, some of which will be used in the method. Then it described the embedding and authentication process and also analyzed the method to show how it can survive some attacks. The experimental results show that the proposed method doesn‘t need the watermark or original image on authentication side. It provides more security against attack, and can localize where the temoerinlz has occurred.     

无线局域网低时延切换的一种两级认证方法

IEEE 802.11无线局域网已得到了广泛的部署.在无线局域网中,终端移动时经常发生切换,需要进行安全认证,这导致较长的处理时延,降低了服务质量.目前的认证方法,如AAA和IEEE 802.1x,不能支持低时延切换.本文提出了一种两级认证方法,移动终端在快速切换协议中可以执行认证.在漫游到新域之前从目标接入点获取一个临时身份,通过使用该临时身份继续认证快速接入.移动终端在短时间内必须执行再认证,以便完成正常的认证过程,否则,认证接入将被终止.仿真结果表明,本文提出的两级认证方法在切换过程中显著地减少了切换时延和丢包率.     

Fast Confidentiality-Preserving Authentication for Vehicular Ad Hoc Networks

This paper studies the existing problems of message authentication protocols in vehicular ad hoc networks(VANETs) due to their significance in the future of commuting and transportation. Our contribution has been devoted to implementing a new protocol for VANETs so that inherent security problems in past works are resolved. Exclusive security measures have been considered for the system which protects the users against threat of any attack. The new protocol shows a great hardness guaranteed by certificate based 80 bit security which assures messages to remain confidential in any time. Also, new unprecedented features like V2 X which improves system performance effectively have been instantiated. The simulation results indicate that message signature generation and verification both take place in much less time than present comparable rival protocols.     

A NEW TWO-WAY AUTHENTICATION AND PRIVACY MECHANISM FOR WLAN SECURITY

Theconceptofwirelessnetworkwasintro ducedaround 1 980 [1,2 ] ,IEEE 80 2 .1 1forWirelessLocalAreaNetwork (WLAN )was publishedinJune 1 997[3] .Nowavarietyofwirelesstechnolo giesandproductshavebeendeveloped ,theyarebe comingtheviablecomplementarysolutionstowirednetworks[1] ,suchasLANextension ,inter LANbridges,ad hocnetworking ,nomadicaccess,etc..Moreover,wirelessalsoproducesavarietyofnewapplications,suchasmobileeducation ,computing ,bankingandsoon .Anewmobilecommerceisforthcoming .Thebig…     

Robust password and smart card based authentication scheme with smart card revocation

User authentication scheme allows user and server to authenticate each other, and generates a session key for the subsequent communication. How to resist the password guessing attacks and smart card stolen attacks are two key problems for designing smart cart and password based user authentication scheme. In 2011, Li and Lee proposed a new smart cart and password based user authentication scheme with smart card revocation, and claimed that their scheme could be immunity to these attacks. In this paper, we show that Li and Lee＇s sctleme is vulnerable to off-line password guessing attack once the information stored in smart card is extracted, and it does not provide perfect forward secrecy. A robust user authentication scheme with smart card revocation is then proposed. We use a most popular and widely used formal verification tool ProVerif, which is based on applied pi calculus, to prove that the proposed scheme achieves security and authentication.     

IPSec系统中安全联盟及密钥生成过程分析

分析了IPSec系统中IKE协议的功能,构成及工作过程,给出了IKE在生成安全联盟过程中用到的消息格式和各个时期产生的密钥源料和密钥,讨论了在不同认证方式下的信息交换过程及安全强度。     

能区分图像内容或水印篡改的自恢复脆弱水印

分析了现有算法的缺陷,提出了一种能有效区分图像内容或水印篡改的自恢复安全脆弱水印算法.该方案利用检测水印实现篡改定位和篡改区分的功能,采用恢复水印恢复被篡改的图像内容.理论分析和实验仿真均表明,所提出的算法具有很好的篡改区分、篡改定位和篡改恢复的能力,能够抵抗同步伪造攻击和密钥分析攻击.     

具有可追查性的抗合谋攻击(t,n)门限签名方案

在分析王斌和李建华的无可信中心门限签名方案(王-李方案)以及X ie-Yu改进方案安全缺陷的基础上,提出了一种新的具有可追查性的抗合谋攻击(t,n)门限签名方案;对新方案的安全性进行了分析,并与现有方案的效率进行了比较.结果表明:该方案不仅能够从根本上抵抗合谋攻击和伪造签名攻击,而且在保证匿名性的前提下,能够真正实现签名成员身份的可追查性,同时通过构造安全的分布式密钥生成协议保证群私钥的不可知性,因此比现有方案具有更高的安全性.此外,新方案的计算量和通信量与王-李方案接近,但优于X ie-Yu方案.     

ID-Based Authenticated Dynamic Group Key Agreement

IntroductionIn many modern collaborative and distributedapplications such as multicast communication, au-dio-video conference and collaborative tools, scal-able and reliable group communication is one of thecritical problems. A group key agreement (GKA)protocol allows a group of users to share a key,which may later be used to achieve some crypto-graphic goals. In addition to this basic tool an au-thentication mechanism provides an assurance ofkey shared with intended users. A protocol achiev…     

一种高效的移动云服务环境下隐私保护认证协议

为了解决移动云服务环境的互相认证和隐私保护问题,设计了一种改进的移动云服务环境下隐私保护认证协议.该协议结合基于身份的签密技术和多服务器认证技术,保证用户只需注册一次,就可以访问多个移动云服务提供者,同时认证过程不需要可信第三方参与;该协议在移动终端未使用计算复杂度高的双线性对运算和映射到域上的hash运算,其计算效率显著提高. 通过理论分析和实验结果可知:该协议与目前已有的同类协议相比,在移动端的计算时间为45.242 s,其计算效率约为已有同类协议的2倍;具有用户匿名和不可追踪等安全性质;能够抵抗错误口令登录、更改攻击.