Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/tvt.2006.877704

2005-01-01

Abstract:Privacy and security are two important but seemingly contradict objectives in pervasive computing environments (PCEs). On the one hand, service providers want to authenticate service users and make sure they are accessing only authorized services in a legitimate way. On the other hand, users want to maintain necessary privacy without being tracked down for wherever they are and whatever they are doing. In this paper we propose a novel privacy enhanced authentication and access control scheme to secure the interactions between mobile users and services in PCEs. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication between a user and a service, while allowing the user to anonymously interact with the service. Differentiated service access control is also enabled in the proposed scheme by classifying mobile users into different service groups.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Zhi-Yu Peng,Shan-Ping Li

DOI: https://doi.org/10.1109/icmlc.2008.4620616

2008-01-01

Abstract:As pervasive computing leading to an increased collection of information in the computational world as well as the real world, privacy leaking becomes a serious issue. Although privacy protection has drawn great attention in recent years, the privacy-preserving trust management has not been brought forward. Credential chain discovery problem is the key issue in trust management, and traditionally credentials are full open in the whole system. This could expose users' access control policies as well as other private information, and leads to a great risk of being cheated by malicious users. This paper advocates a privacy-preserving credential chain discovery mechanism, in which credentials are no longer available to everyone. By merely learning credentials of one's logic neighbors, this mechanism still achieves good results. The simulations show that this mechanism is practical.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Xiuxia Tian,Chaofeng Sha,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/ICWS.2011.46

2011-01-01

Abstract:With the convenient connection to network, more and more individual information including sensitive information, such as contact list in Mobile Phone or PDA, can be delegated to the professional third service provider to manage and maintain. The benefit of this paradigm is, on one hand to avoid the sensitive information leakage when individual devices failed or lost, on the other hand to make only the authorized users access and share the delegated information online anytime and anywhere. However, in this paradigm the critical problems to be resolved are to guarantee both the privacy of delegated individual information and the privacy of authorized users, and what is more important to afford the owners of communication devices to have high level of control and power to create their own particular access control policies. In this paper, we present an approach to implement the personalized access control at third service provider in a privacy preserving way. Our approach implements the critical problems above in this paradigm by using selective encryption, blind signature and the combination of role based access control and discretionary access control.

Artur Souza,Antônio A. F. Loureiro,Leonardo B. Oliveira

DOI: https://doi.org/10.48550/arXiv.1907.05214

2019-07-11

Cryptography and Security

Abstract:We quickly approach a "pervasive future" where pervasive computing is the norm. In this scenario, humans are surrounded by a multitude of heterogeneous devices that assist them in almost every aspect of their daily routines. The realization of this future demands strong authentication guarantees to ensure that these devices are not abused and that their users are not endangered. However, providing authentication for these systems is a challenging task due to the high heterogeneity of pervasive computing applications. This heterogeneity makes it unfeasible to propose a single authentication solution for all of the pervasive computing applications. In this paper, we review several pervasive application scenarios and promising authentication methods for each. To do this, we first identify the key characteristics of each pervasive application scenario. Then, we review the strengths and weaknesses of prominent authentication methods from the literature. Finally, we identify which authentication methods are well suited for each application scenario based on the identified characteristics. Our goal is to provide promising directions to be explored for authentication in each of these scenarios.

Wenjing Lou,Kui Ren

DOI: https://doi.org/10.1109/mwc.2009.5281259

IF: 12.777

2009-01-01

IEEE Wireless Communications

Abstract:The presence of ubiquitous connectivity provided by wireless communications and mobile computing has changed the way humans interact with information. At the same time, it has made communication security and privacy a hot-button issue. In this article we address the security and privacy concerns in wireless access networks. We first discuss the general cryptographic means to design privacy-preserving security protocols, where the dilemma of attaining both security and privacy goals, especially user accountability vs. user privacy, is highlighted. We then present a novel authentication framework that integrates a new key management scheme based on the principle of separation of powers and an adapted construction of Boneh and Shacham's group signature scheme, as an enhanced resort to simultaneously achieve security, privacy, and accountability in wireless access networks.

Arijit Ukil

DOI: https://doi.org/10.48550/arXiv.1108.2111

2011-08-10

Cryptography and Security

Abstract:In ubiquitous computing domain context awareness is an important issue. So, in ubiquitous computing, mere protection of message confidentiality is not sufficient for most of the applications where context-awareness can lead to near deterministic ideas. An adversary might deduce sensitive information by observing the contextual data, which when correlated with prior information about the people and the physical locations that are being monitored by a set of sensors can reveal most of the sensitive information. So, it is obvious that for security and privacy preservation in ubiquitous computing context protection is of equal importance. In this paper, we propose a scheme which provides two layer privacy protection of user's or application's context data. Our proposed context protecting privacy preservation scheme focuses on protecting spatial and temporal contextual information. We consider the communication part of ubiquitous computing consists of tiny sensor nodes forming Wireless Sensor Networks (WSNs). Through simulation we show the efficacy of our scheme. We also demonstrate the capability of our scheme to overcome the constraints of WSNs.

Aiqiang Gao,Dongqing Yang,Shiwei Tang,Ming Zhang

DOI: https://doi.org/10.1109/icpca.2008.4783602

2008-01-01

Abstract:The emerging paradigm of pervasive computing and web services needs a flexible service discovery and composition infrastructure. The widespread use of Web services in pervasive environments is hindered by the lack of adequate security and privacy support. In this paper, we discuss an access control protocol for conversation-based (composite) Web services. This approach takes into account the conversational nature of composite web services and differentiates two types of web service: goal-driven and interaction-intensive. The former is goal driven and the client cares about the final goal and participates the conversation at only a few steps. While the interaction-intensive composite web service is interaction heavy, and the service and the client need to interact with each other frequently to exchange access control credentials.

Daojing He,Jiajun Bu,Sammy Chan,Chun Chen,Mingjian Yin

DOI: https://doi.org/10.1109/twc.2010.120610.101018

IF: 10.4

2011-01-01

IEEE Transactions on Wireless Communications

Abstract:Seamless roaming over wireless networks is highly desirable to mobile users, and security such as authentication of mobile users is challenging. In this paper, we propose a privacy-preserving universal authentication protocol, called Priauth, which provides strong user anonymity against both eavesdroppers and foreign servers, session key establishment, and achieves efficiency. Most importantly, Priauth provides an efficient approach to tackle the problem of user revocation while supporting strong user untraceability.

Lingshuang Liu,Cheng Huang,Dan Zhu,Dongxiao Liu,Jianbing Ni,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/globecom48099.2022.10000715

2022-01-01

Abstract:Pervasive edge computing (PEC) integrates the resources of peer devices at the network edge to serve users' latency-sensitive computation needs. Due to the high dynamics of the PEC environment, it is very challenging to achieve efficient service access control of edge servers and users without an "always-online" centralized server. In this paper, we propose a secure, efficient, and distributed service access control framework (SE-DAC) in the PEC environment. Specifically, SE-DAC extends the key-aggregate cryptosystem to achieve batch service authorization, where the service provider aggregates the access keys of different services to produce a constant-size aggregate key for the edge servers. Meanwhile, user authentication tasks are delegated to the edge servers by integrating secret sharing. The mutual authentication between the edge servers and the users is based on zero-round trip communication, such that the communication bandwidth cost is low. In addition, the service provider can efficiently revoke the authorization of the dropout or compromised edge servers in response to the dynamics of the PEC environment. Finally, we conduct numerical analysis and experiments to demonstrate that SE-DAC is highly computational efficient on service authorization, authentication, and revocation.

Debiao He,Sherali Zeadally,Baowen Xu,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2015.2473820

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:By broadcasting messages about traffic status to vehicles wirelessly, a vehicular ad hoc network (VANET) can improve traffic safety and efficiency. To guarantee secure communication in VANETs, security and privacy issues must be addressed before their deployment. The conditional privacy-preserving authentication (CPPA) scheme is suitable for solving security and privacy-preserving problems in VANETs, because it supports both mutual authentication and privacy protection simultaneously. Many identity-based CPPA schemes for VANETs using bilinear pairings have been proposed over the last few years to enhance security or to improve performance. However, it is well known that the bilinear pairing operation is one of the most complex operations in modern cryptography. To achieve better performance and reduce computational complexity of information processing in VANET, the design of a CPPA scheme for the VANET environment that does not use bilinear paring becomes a challenge. To address this challenge, we propose a CPPA scheme for VANETs that does not use bilinear paring and we demonstrate that it could supports both the mutual authentication and the privacy protection simultaneously. Our proposed CPPA scheme retains most of the benefits obtained with the previously proposed CPPA schemes. Moreover, the proposed CPPA scheme yields a better performance in terms of computation cost and communication cost making it be suitable for use by the VANET safety-related applications.

Ding Wang,Ping Wang,Jing Liu

DOI: https://doi.org/10.1109/WCNC.2014.6953015

2014-01-01

Abstract:User authentication is an important security mechanism that allows mobile users to be granted access to roaming service offered by the foreign agent with assistance of the home agent in mobile networks. While security-related issues have been well studied, how to preserve user privacy in this type of protocols still remains an open problem. In this paper, we revisit the privacy-preserving two-factor authentication scheme presented by Li et al. at WCNC 2013. We show that, despite being armed with a formal security proof, this scheme actually cannot achieve the claimed feature of user anonymity and is insecure against offline password guessing attacks, and thus, it is not recommended for practical applications. Then, we figure out how to fix these identified drawbacks, and suggest an enhanced scheme with better security and reasonable efficiency. Further, we conjecture that under the non-tamper-resistant assumption of the smart cards, only symmetric-key techniques are intrinsically insufficient to attain user anonymity.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Xue Li,Cheng Jiang,Dajun Du,Minrui Fei,Lei Wu

DOI: https://doi.org/10.1109/jiot.2022.3221943

IF: 10.6

2023-03-11

IEEE Internet of Things Journal

Abstract:The existing identity security schemes (e.g., based on bilinear pairing) have high computational complexity and large bytes of variables, which results in high computation and communication costs. It is difficult to apply the schemes to resource-constrained (i.e., computation and communication) devices. Moreover, most of these schemes adopt a fixed cycle key update strategy compromising the security of authentication schemes or dynamic (real-time) key update strategy with high computational cost. To solve these issues, this article explores a novel revocable lightweight authentication scheme for resource-constrained devices in cyber–physical power systems (CPPSs). First, a lightweight authentication scheme combined elliptic-curve cryptography (ECC) and certificateless cryptography (CLC) is proposed to negotiate a secure session key, which can achieve mutual authentication with low computation and communication costs. Second, aiming at security problem caused by key leakage, a real-time key update strategy with low computational cost is designed to improve the security of identity authentication. Third, according to a hardness assumption of the elliptic-curve discrete logarithm problem (ECDLP), theoretical analysis rigorously proves that the proposed authentication scheme ensures the security with respect to existential unforgeability against adaptively chosen message attacks (EUF-CMAs). Finally, experimental results confirm the feasibility and effectiveness of the proposed authentication scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Daojing He,Jiajun Bu,Sammy Chan,Chun Chen

DOI: https://doi.org/10.1109/TC.2011.258

IF: 3.183

2013-01-01

IEEE Transactions on Computers

Abstract:Existing mechanisms for handover authentication mainly focus on designing a secure authentication module, little attention has been paid to protect users' privacy when they are authenticated by the access points for data access. Further, most existing approaches do not support user revocation. In this paper, we present a secure and efficient authentication protocol named Handauth. Similar to the mechanisms of this field, Handauth provides user authentication and session key establishment. However, compared to other well-known approaches, Handauth not only enjoys both computation and communication efficiency, but also achieves strong user anonymity and untraceablility, forward secure user revocation, conditional privacy-preservation, AAA server anonymity, access service expiration management, access point authentication, easily scheduled revocation, dynamic user revocation and attack resistance. Experimental results show that the proposed approach is feasible for real applications.

Zhang Qingsheng,Qi Yong,Zhao Jizhong,Hou Di,Niu Yujie

DOI: https://doi.org/10.1109/ICSMC.2007.4414056

2007-01-01

Abstract:In pervasive environment, context-aware service provider can use personal information to customize the adequate services for end users. Personal information is people's privacy concern. Therefore, people need privacy control methods. In this paper, we analyzed privacy control from two aspects: personal privacy model about information disclosure and the function of context-aware service provider. According to the analysis, we designed the components about context-aware privacy control in order to minimize the burden of personal privacy decision about personal information disclosure. The simulation experiment shows that it is possible method for the proposed privacy protection mechanism. Finally, we also proposed conceptual context-aware architecture to control personal information disclosure.