Some remarks on the TKIP key mixing function of IEEE 802.11i

Temporal key integrity protocol (TKIP) is a sub-protocol of IEEE 802.11i. TKIP remedies some security flaws in wired equivalent privacy (WEP) protocol. TKIP adds four new algorithms to WEP: a message integrity code (MIC) called Michael, an initialization vector (IV) sequencing discipline, a key mixing function and a re-keying mechanism. The key mixing function, also called temporal key hash, de-correlates the IVs from weak keys. Some cryptographic properties of the substitution box (S-box) used in the key mixing function are investigated in this paper, such as regularity, avalanche effect, differ uniform and linear structure. Moen et al pointed out that there existed a temporal key recovery attack in TKIP key mixing function. In this paper a method is proposed to defend against the attack, and the resulting effect on performance is discussed.     

A New Fragile Watermark for Image

Fragile watermarking is a method to verify the integrity and authenticity of multimedia data. A new fragile watermark for image was proposed, which can be used in image verification applications. The paper first described the above two techniques, some of which will be used in the method. Then it described the embedding and authentication process and also analyzed the method to show how it can survive some attacks. The experimental results show that the proposed method doesn‘t need the watermark or original image on authentication side. It provides more security against attack, and can localize where the temoerinlz has occurred.     

Security Mechanisms of Wired Equivalent Privacy and Wi-Fi Protected Access in WLAN： Review and Analysis

An analysis of WLAN security mechanisms of wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) discovers that the current literature is not totally creditable in its judgment on the security value of WEP and WPA.Based on the respective performances of WEP and WPA under certain typical attacks,this paper substantiates the judgment that WEP has quite a few vulnerabilities concerning confidentiality and integrity,but at the same time challenges the judgment on WPA with that WPA is robust enough to confront potential typical attacks and is not so unreliable as the current literature believes,although it has some vulnerabilities in its message integrity code (MIC).     

广义椭圆曲线数字签名链口令认证方案

一次性口令是身份认证的重要技术。文章构造了一个基于椭圆曲线数字签名链的一次性口令认证和密钥协商方案。该方案使用了具有消息恢复功能、无须求逆的椭圆曲线数字签名算法,椭圆曲线认证密钥协商协议,密钥进化算法和椭圆曲线数字签名链等。方案有以下优点:服务器无需维护口令和验证列表;允许用户自主选择和更改口令,实现了双向认证;无需系统时钟同步和传输时延限制;能够抵抗重放攻击、离线字典攻击、中间人攻击和内部人攻击;具备口令错误敏感性和强安全修复性;生成的会话密钥具有新鲜性、机密性、已知密钥安全性和前向安全性。经对比,该方案具有更好的安全性能,适合强安全性需求的场合。     

一种高效的移动云服务环境下隐私保护认证协议

为了解决移动云服务环境的互相认证和隐私保护问题,设计了一种改进的移动云服务环境下隐私保护认证协议.该协议结合基于身份的签密技术和多服务器认证技术,保证用户只需注册一次,就可以访问多个移动云服务提供者,同时认证过程不需要可信第三方参与;该协议在移动终端未使用计算复杂度高的双线性对运算和映射到域上的hash运算,其计算效率显著提高. 通过理论分析和实验结果可知:该协议与目前已有的同类协议相比,在移动端的计算时间为45.242 s,其计算效率约为已有同类协议的2倍;具有用户匿名和不可追踪等安全性质;能够抵抗错误口令登录、更改攻击.      

新一代互联网中连接标识解析映射研究

分析了连接标识解析映射的4种情况,并提出了一种新型的动态映射机制.其优势在于根据服务的要求,合理的选择路径建立方式用于数据传输,通过探测网络单向状态参数,实现动态调整映射关系的目标.在真实网络中的测试结果表明,该机制能够很好的测量多条路径单项时延的差别,为准确检测网络单向状态参数提供了一种新的思路,也为在新一代互联网中实现高性能数据传输提供了重要的方法.     

A Self-Encryption Remote User Anonymous Authentication Scheme Using Smart Cards

Introduction Remoteuserauthenticationschemesarevery usefulindistributedsystemssincetheycanguar-anteeonlythelegalusershaverighttovisitthere-sourcesprovidedbytheremoteservers.There-fore,overthepastyears,manyremoteuserau-thenticationschemes[1-8]havebeenproposed.In1981,Lamport[1]proposedthefirstwell-known passwordauthenticationschemeusingapassword tabletoachieveuserauthentication.However,Lamport'sschemesuffersfromtheriskofamodi-fiedpasswordtableandthecostofprotectingand maintainingthepasswordtabl…     

一体化网络中可证明安全的三方认证协议

为了有效地保证终端、接入交换路由器和认证中心的安全,本文提出了一体化网络中可证明安全的三方认证协议．该协议实现了终端和认证中心之间及接入交换路由器和认证中心之间的相互认证,不仅可以有效防止非授权终端接入网络,还可以防止伪造的认证中心和接入交换路由器对终端的欺骗．在BR扩展模型下,可证明该协议是安全的．通过性能分析得出,协议具有很高的效率．     

支持可信计算的软件保护模型

借助可信计算的完整性检验、认证及访问控制和密封存储等关键技术，在现有PC体系结构下提出了支持可信计算的软件保护模型．该模型利用PC机USB接口外接TPM，结合基于动态口令的身份认证、基于角色的访问控制、代码移植和信道加密技术，从不同层次和角度来综合防止软件被非法使用和传播．与现有软件保护方案相比，本模型利用TPM实现了用户和软件之间的相互认证，并通过身份映射的角色来控制不同用户对软件的使用权限．     

一体化标识网络中的用户身份认证协议

一体化标识网络解决了传统网络中IP地址二义性问题,是一种基于网络的身份与位置分离体系.本文在一体化标识网络中提出一种用户身份认证协议,基于该协议设计了一种利用数字证书构建的接入标识.这种接入标识唯一的表示一体化标识网络中的终端,实现用户身份信息与终端的绑定.该用户身份认证协议基于Diffie-Hellman密钥交换完成用户到用户真实身份的双向认证,采用谜题机制和无认证状态防止应答方受到DoS攻击.通过C-K安全模型分析用户身份认证协议的安全性,分析表明该协议是会话密钥安全的.     

基于ECC和指纹USBKey的身份认证协议

分析了现有网络身份认证方案的不足,给出了一种指纹识别技术与USBKey技术相结合的身份认证方案。利用载有指纹特征的指纹USBKey改进现有的USBKey认证技术。利用椭圆曲线密码算法ECC（elliptic curve cryption）,提高身份认证协议的安全性。采用挑战与应答的认证机制,实现了双向身份认证。使用含指纹特征的数字证书,防止非法用户篡改指纹特征。给出的身份认证协议实现了USBKey对用户权限的验证及远程服务器对用户身份的实体认证。能够有效抵御窃听攻击、假冒攻击、重放攻击及DoS攻击。     

REAL-TIME LICENSING MANAGEMENT OF SECURE MULTIMEDIA CONTENT DELIVERY

Media Commerce is now becoming a new trend which results from faster development of network bandwidth and high availability of multimedia technologies, how to protect media content from being used in a rightviolated way is one of most important issues to take into account. In this paper, a novel and efficient authorization and authentication Digital Rights Management (DRM) schema is proposed firstly for secure multimedia delivery, then based on the schema, a real-time digital signature algorithm built on Elliptic Curve Cryptography (ECC) is adopted for fast authentication and verification of licensing management, thus secure multimedia delivery via TCP/RTP can efficiently work with real-time transaction response and high Quality of Service (QoS) . Performance evaluations manifest the proposed schema is secure, available for real-time media stream authentication and authorization without much effected of QoS. The proposed schema is not only available for Client/Server media service but can be easily extended to P2P and broadcasting network for trusted rights management.     

基于自更新哈希链的安全高效车-地鉴权方案

针对下一代高速铁路无线通信系统LTE-R （long term evolution-railway）对安全性和实时性的特殊需求，基于哈希链技术，提出一种完全基于对称密码体制的的车-地通信鉴权方案. 用户归属服务器（home subscriber sever，HSS）利用身份授权主密钥为车载设备（on-board unit，OBU）生成动态可变的匿名身份（temporary identity，TID），以在接入认证请求信令中保护车载设备的隐私，同时能够抵挡去同步攻击. 在列车高速移动过程中，方案采用高效的哈希链代替认证向量完成列车和服务网络之间的双向认证，哈希链的本地更新可解决认证向量耗尽导致的全认证重启问题. 此外，通过引入身份证明票据实现基于基站协同的高效无缝切换认证. 安全性和性能分析表明:在同样条件下，所提出的全认证协议、重认证协议和切换认证协议与目前性能最优的LTE （long term evolution）标准协议相比，计算量分别下降41.67%、44.44%和45.45%，通信量分别下降62.11%、50.91%和84.91%，能够满足LTE-R接入网络的安全性和实时性要求.      

Two Modifications on IKE Protocol with Pre-shared Key Authentication

This paper proposed two modifications on IKE protocol with pre-shared key authentication. The first modification can improve its immunity against DDoS attack by authenticating the initiator before the responder generates the computation-intensive Diffie-Hellman public value. The second modification can improve its efficiency when the attack on messages occurs because it can detect the attack quickly by replacing the centralized authentication in origical IKE protocol with immediate authentication. In addition, the two modifications can be integrated into one protocol compactly.     

Robust password and smart card based authentication scheme with smart card revocation

User authentication scheme allows user and server to authenticate each other, and generates a session key for the subsequent communication. How to resist the password guessing attacks and smart card stolen attacks are two key problems for designing smart cart and password based user authentication scheme. In 2011, Li and Lee proposed a new smart cart and password based user authentication scheme with smart card revocation, and claimed that their scheme could be immunity to these attacks. In this paper, we show that Li and Lee＇s sctleme is vulnerable to off-line password guessing attack once the information stored in smart card is extracted, and it does not provide perfect forward secrecy. A robust user authentication scheme with smart card revocation is then proposed. We use a most popular and widely used formal verification tool ProVerif, which is based on applied pi calculus, to prove that the proposed scheme achieves security and authentication.     

一种代理证书撤消机制在网格中的应用

介绍了代理认证技术,并对PKI的CRL机制进行分析,比较了在X.509中常用的几种撤消机制以及所存在的问题.指出了撤消机制存在的延时问题和不容易在网格中应用等问题,根据MyProxy系统设计了一种新的代理证书撤消机制,即在MyProxy系统中增加一个代理撤销层,这个系统允许网格管理系统撤消PC.当一个代理被撤消时,由这个代理所衍生的代理将会同时被撤消.采用NOVOMODO密码系统去认证和撤消代理证书,利用160位的哈稀散列值来表示证书的撤消信息,明显地提高了时间效率,减少了存储空间以及时间延时.     

���ߴ�������QoS���Ϲؼ������о���Ӧ��

结合传统数据通信网络的QoS保障机制研究成果及无线传感器网络自身特点,针对青藏冻土地温自动监测的应用特点,提出能量的高效利用、数据的可靠传输和网络生存周期的有效延长是其QoS保障的主要需求和关键点。并以此关键点为目标,研究了青藏冻土地温监测的无线传感器网络QoS保障机制的能量优化策略,提出了非均匀分簇路由算法并进行了深入分析。最后,通过仿真验证及在青藏冻土地温自动监测的试点应用,验证非均匀分簇路由算法能有效提高网络的生命周期和数据传输可靠性。研究成果将为建立无线传感器网络相关应用系统提供理论支撑和模型参考。     

Secure and efficient digital rights management mechanisms with privacy protection

In the Internet or cloud computing environments, service providers provide more and more content services. Users can use these convenient content services in daily life. The major data of the user are maintained by the service providers except that some personal privacy data are stored at the client device. An attacker may try to invade the systems, and it will cause the damage of users and service providers. Also, users may lose their mobile devices and then it may cause the data disclosure problem. As a result, the data and privacy protection of users become an important issue in these environments. Besides, since many mobile devices are used in these environments, secure authentication and data protection methods must be efficient in these low resource environments. In this paper, we propose an efficient and privacy protection digital rights management （DRM） scheme that users can verify the valid service servers and the service servers can ensure the legal users. Since the key delegation center of the third party has the robust security protection, our proposed scheme stores the encrypted secret keys in the key delegation center. This approach not only can reduce the storage space of the user devices, but also can recover the encrypted secret keys in the key delegation center when a user loses her/his devices for solving the device losing problem.     

Efficient Protocol-Proving Algorithm Based on Improved Authentication Tests

A new efficient protocol-proving algorithm was proposed for verifying security protocols. This algorithm is based on the improved authentication tests model, which enhances the original model by formalizing the message reply attack. With exact causal dependency relations between messages in this model, the protocol-proving algorithm can avoid the state explosion caused by asynchronous. In order to get the straight proof of security protocols, three authentication theorems are exploited for evaluating the agreement and distinction properties. When the algorithm terminates, it outputs either the proof results or the potential flaws of the security protocol. The experiment shows that the protocol-proving algorithm can detect the type flaw attack on Neuman-Stubblebine protocol, and prove the correctness of NSL protocol by exploring only 10 states.     

数据链中基于动态博弈的联合功率与速率控制

为了满足机间数据链多种业务功能的需求以及大数据量战场信息传输需求,需要对各节点传输速率和发射功率进行联合控制,提出了一种基于动态博弈的联合功率与速率控制算法.在速率与功率控制中同时引入动态博弈,解决了传输速率与发射功率的最优化问题,证明了该算法纳什均衡点的存在性和唯一性.通过算法仿真表明,提出的动态博弈算法与固定速率功率分配算法、传统的静态博弈联合控制算法相比,各节点的传输速率值至少提升了约50.92%,收敛速度提升了约50%,发射功率收敛速度提升了80%,使系统具备更强的稳定性和公平性.