YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

Hongjun Lin,Ping Luo,Daoshun Wang

DOI: https://doi.org/10.1016/j.jnca.2008.03.001

IF: 7.574

2008-01-01

Journal of Network and Computer Applications

Abstract:To solve the scalability problems of the identity authentication model based on CA for application in large distributed networks, adopting a rigorous binary tree code algorithm, we present a distributed identity authentication model based on public keys. The advantages of our model are described as follows: First, it has good scalability and is suitable for large-scale distributed networks. Second, the authentication path is short, with no more than two entities intervening. Third, it does not require users to inquire about certificate revocation lists.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Liu Duan-yang,Pan Xue-zeng,Ping Ling-di

DOI: https://doi.org/10.1631/jzus.2003.0555

2003-01-01

Abstract:Distributed certification via threshold cryptography is much more secure than other ways to protect certification authority (CA)'s private key, and can tolerate some intrusions. As the original system such as ITTC, etc., is unsafe, inefficient and impracitcal in actual network environment, this paper brings up a new distributed certification scheme, which although it generates key shares concentratively, it updates key shares distributedly, and so, avoids single-point failure like ITTC. It not only enhances robustness with Feldman verification and SSL protocol, but can also change the threshold (t, k) flexibly and robustly, and so, is much more practical. In this work, the authors implement the prototype system of the new scheme and test and analyze its performance.

YANG Xiao-hu,WANG Xin-yu,MAO Ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.04.011

2008-01-01

Abstract:Two classical models in distributed environment,symmetrical cluster and unsymmetrical cluster,were introduced.Aiming at the problems in enterprise applications caused by the two models,a distributed model based on data partition was presented,and a new load balance algorithm based on database access was proposed.Two critical threshold values Dmax and VSRT in the algorithm could be obtained by testing and analysis.The model and the load balance mechanism benefit the system with good performance,high scalability and dynamic load balance.They were applied to a financial system which was reengineered from standalone legacy system into J2EE distributed environment.The system architecture based on data partition was implemented successfully and performed very well.

Yuesheng Zhu,Limin Ma,Jinjiang Zhang

DOI: https://doi.org/10.1002/sec.1066

IF: 1.968

2014-01-01

Security and Communication Networks

Abstract:As one of the most important trusted third-party-based authentication protocols, Kerberos is widely used to provide authentication service in distributed networks. However, it is vulnerable to common brute force password-guessing attacks because of its password-based mechanism. Some enhanced Kerberos protocols based on public key cryptography were proposed as solutions, but they require excessive computation and communication resources. In this paper, a new enhanced Kerberos protocol with non-interactive zero-knowledge proof is proposed, in which the clients and the authentication server can mutually authenticate each other without revealing any information during the authentication process. Our security analysis and experimental results have shown that the proposed scheme can resist password-guessing attacks and is more convenient and efficient than previous schemes. Copyright (C) 2014 John Wiley & Sons, Ltd.

Ruichuan Chen,Wenjia Guo,Liyong Tang,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1007/978-3-540-85451-7_64

2008-01-01

Abstract:Peer-to-Peer (P2P) communication model has the potential to harness huge amounts of resources. However, due to the self-organizing and self-maintaining nature, current P2P networks suffer from various kinds of attacks. Public key authentication can provide a fundamental building block for P2P communication security. In this paper, we propose a scalable Byzantine fault tolerant public key authentication scheme for P2P networks, in which each participating peer dynamically maintains a trusted group to perform distributed challenge-response authentication without centralized infrastructure. To guarantee the authentication correctness, we additionally present a complementary trusted group maintenance scheme. The experimental results demonstrate that our authentication scheme can work in various different P2P scenarios effectively and efficiently.

HUANGH Yan,ZHOU Xuehai,LI Xi,XU Burong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.03.051

2007-01-01

Abstract:Login is an important process for user authentication.Some P2P systems,however,still use concentrated control model to implement login process because this process usually involves some sensitive data such as username and password.This paper describes a model for distributed login based on CHORD,and uses many methods such as split encryption,independent backup and profile take-over to improve the security and reliability.This model has great significance in reducing the running cost and solving the force-out of concentrated login server.

Lin Zhang,Hong Li,Limin Sun,Zhiqiang Shi,Yunhua He

DOI: https://doi.org/10.1109/pac.2017.28

2017-01-01

Abstract:User authentication in computer systems has been a cornerstone of computer security for decades. However, the existing user authentication schemes either require human cognitive ability to remember numerous complex id and password, or rely on a trusted third party which could fail due to technical failure or denial-of-service attacks. In this paper, we design a fully distributed user authentication framework with the blockchain technology. In our scheme, a user stores her identity in the blockchain, stores her encrypted personal information in a off-blockchain storage, and attaches a smart contract which grants different permissions to each website/application. When a user logs in a website/application, the service provider employs a challenge-response protocol to verify the identity of the user, and then retrieve the user's personal information from the off-blockchain storage.

gansen zhao,zhongjie ba,xinming wang,feng zhang,changqin huang,yong tang

DOI: https://doi.org/10.1002/sec.1202

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Cloud computing offers a cheap and efficient solution for the deployment of web applications. It results in a big increase of the number of service provider. Users hold multiple identities for using services from different domains. The openness of public clouds requires the authentication system to accept user identities from various domains and to support hybrid authentication protocols. This work proposes a cross-domain single sign-on mechanism to address the preceding issues and makes a formal mathematical model to analyze the security issues of the proposed mechanism's authentication architecture; furthermore, an algorithm is proposed to detect the authentication architecture's weak vertex whose failure would lead to a partial failure in the architecture. The proposed mechanism allows service providers to verify user identities in a decentralized way and allows users to unify their identities from various domains in a safe way. The verification process used in this mechanism is able to support hybrid authentication protocols as well as to accelerate the verification of credentials by eliminating single point of failure and single-point bottleneck. Copyright © 2015John Wiley & Sons, Ltd.

Ma Limin,Zhu Yuesheng

2014-01-01

Abstract:As an important trust third-party authentication protocol, Kerberos is widely deployed to provide authentication service in distributed networks. However, it is vulnerable to some attacks such as password guessing attack and replay attack. PKINIT is an enhanced Kerberos protocol based on public key cryptography to resist these attacks. However, it requires excessive computation and communication resources. A new scheme based on one-time password (OTP) mechanism is proposed and implemented to improve the security and computation efficiency of Kerberos protocol in this paper. Experiment results demonstrate that the proposed scheme can enhance the security of Kerberos and reduce 32.3% time of initial authentication exchange and is easier to be deployed than PKINIT. © 2014 ISSN 1881-803X.

Zhao Hu,Yuesheng Zhu,Limin Ma

DOI: https://doi.org/10.1109/icon.2012.6506591

2012-01-01

Abstract:Kerberos is a widely-used network authentication protocol based on a trusted third-party. PKINIT, an enhanced Kerberos protocol which uses PKI mechanism, can prevent the password guessing attack, however, it introduces excessive amount of computational power. To enhance the security performance and computation efficiency of Kerberos, in this paper an improved Kerberos protocol based on Diffie-Hellman-DSA (DH-DSA) key exchange is proposed. Mutual authentication and key exchange between the client and Authentication Server (AS) can be simultaneously achieved with the proposed approach. Our experimental and analysis results have demonstrated that this new protocol can resist the password guessing attack and is more efficient and easily deployed than PKINIT.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

Xiali Hei,Xiaojiang Du,Binheng Song

DOI: https://doi.org/10.1109/icc.2012.6364197

2012-01-01

Communications

Abstract:In Peer-to-Peer (P2P) networks, security is a challenging issue due to decentralization. In this paper, we propose an effective distributed login framework for P2P networks. User profile availability is a critical issue in P2P networks. Within the distributed login framework, we propose a new Reed-Solomon erasure code scheme leveraging the Pascal matrix that can guarantee user profile availability. Our performance and security analyses show that: (1) the distributed login framework provides high availability and low redundancy rate; and (2) the new erasure code has low computation and memory overheads.

Mengxiang Guan,Jiaxing Song,Weidong Liu

DOI: https://doi.org/10.1109/cscloud.2016.26

2016-01-01

Abstract:Password-based user authentication service is widely used in Internet. Most of the password-based authentication protocols are constructed under the single-server structure that a authencitation server stores cleartext passwords or verification data derived from password and responds to users' authentication request.The security of single-server authentication system is very fragile. In particular, when the server is comprimised, all of users' verification data is exposed to the attacker. Nowadays, development of mobile Internet leads the demand of authentication on roaming device. In this scenario, easily memorable short password and simple secret is accepted by most people despite of its security limitation. The utilization of short password worsens the situation of single-server authentication protocol. Attackers controlling the system can launch off-line dictionary attack from internal of server side to obtain users' original password.Multi-server authentication protocols can improve the security of verification data by distributed storing data on the cluster. This approach increases the difficulty of internal attack and guarantees security even if a portion of servers in the cluster are controlled by adversary. But in practice, There are some problems in existing multi-server protocols. For example, communicating with multiple servers brings extra network and computational burden to client device.To address these problems, in this paper we propose a novel password-based multi-server authenication protocol which not only require less computation on client device but remain functional and secure even if adversary controls some servers and forces them collude to attack our protocol.

徐恪,吴建平,江勇,徐明伟

2001-01-01

Abstract:结合当前主要的两种主动网络实现策略的优点提出了一种新的基于扩展服务路由器的主动网络体系结构 ,该体系结构由扩展服务路由器 ,主动扩展组件服务器和密钥分发中心KDC组成。用户可以使用编程接口编写可扩展组件。为了保证安全性 ,设计了一种简化的身份认证协议。目前 ,基于分布式实时操作系统VxWorks的扩展服务路由器原型系统和基于Solaris的主动扩展组件服务器和KDC原型系统已经设计完成。

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Gansen Zhao,Zhongjie Ba,Feng Zhang,Qi Chen,Jianguo Li,Yong Tang

DOI: https://doi.org/10.1109/CSC.2013.24

2013-01-01

Abstract:Cloud computing enables rapid deployment of services on an on-demand basis in large scale. Public clouds are open to all users with identities from various domains, requiring the support of multiple identity providers and hybrid authentication protocols. The complexity of the authentication scenario brings a great burden to service providers. Service providers and users know only a small part of the complicated authentication network. This work explores a system view on the authentication network in cloud, allowing the authentication interaction and the trust relations to be explicitly described and analyzed. A cross-domain single sign-on model is proposed and the implementation details of the authentication architecture and protocol is presented.

Song Luo,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/ETCS.2010.437

2010-01-01

Abstract:User authentication is very important mechanism in computer network systems for preventing unauthorized network access. In recent years, the bilinear pairings have been found to be very useful in various applications in cryptography and have allowed us to construct new cryptographic primitives. In 2006, Das et al. proposed an identity-based remote user authentication scheme with smart cards using bilinear pairings. Unfortunately, their scheme is insecure against forgery attack. In this paper, we propose a (t, n) threshold distributed authentication scheme using the bilinear pairings with smart cards which needs at least t authentication servers to collaboratively authenticate the remote user. Our scheme makes some improvements from Das's scheme and is expanded to a multi-server environment in distributed networks. Based on the Computational Diffie-Hellman Problem, we show that the proposed scheme is secure against forgery attack and identity attack under the random oracle model.