Chunhua Chen,Chris J. Mitchell,Shaohua Tang

DOI: https://doi.org/10.1007/s11036-011-0329-z

2011-01-01

Mobile Networks and Applications

Abstract:The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.

Chunhua Chen,Shaohua Tang,Chris J. Mitchell

DOI: https://doi.org/10.1007/978-3-642-36883-7_3

2012-01-01

Abstract:The Generic Authentication Architecture (GAA) is a standardised extension to the mobile telephony security infrastructures that supports the provision of security services to network applications. We have proposed a generalised version of GAA which enables almost any pre-existing infrastructure to be used as the basis for the provision of generic security services, and have examined a GAA instantiation supported by Trusted Computing. In this paper we study another instantiation of GAA, this time building on the widely deployed EMV security infrastructure. This enables the existing EMV infrastructure to be used as the basis of a general-purpose authenticated key establishment service in a simple and uniform way, and also provides an opportunity for EMV-aware third parties to provide novel security services. We also discuss possible applications and issues of privacy and trust. © 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Chunhua Chen,Chris J. Mitchell,Shaohua Tang

DOI: https://doi.org/10.1007/978-3-642-21040-2_4

2011-01-01

Abstract:Most SSL/TLS-based electronic commerce (e-commerce) applications (including Internet banking) are vulnerable to man in the middle attacks. Such attacks arise since users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e. g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition we describe two possible variants that give security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach fits well to the multi-institution scenario.

Rongxing Lu,Xiaodong Lin,Zhiguo Shi,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/wcnc.2013.6554840

2013-01-01

Abstract:The increasing demands for improving transmission reliability and efficiency have brought us a wide interest in smart grid. In current smart grid research, one of challenges is its security issue. If the security is not well addressed, the concept of smart grid cannot be widely accepted. In this paper, in order to simultaneously resolve the security and efficiency challenges in smart grid communications, we propose an efficient aggregate authentication protocol, called EATH, which is characterized by eliminating the Map-To-Hash hash and reducing the pairing operations in aggregation and verification to improve the computational efficiency. Detailed security analysis has shown that the proposed EATH protocol is secure in terms of source authentication and data integrity in smart grid communications. In addition, performance evaluation also demonstrates its efficiency in terms of low computation and communication overheads.

Yu Zheng,Dake He,Weichi Yu,Xiaohu Tang

DOI: https://doi.org/10.1109/PDCAT.2005.243

2005-01-01

Abstract:In this paper security requirements and security architecture for 4G systems are presented with the consideration of Trusted Computing (TC) for mobile equipment (ME). The security framework based on Trusted Mobile Platform (TMP) and PKI is proposed to provide a considerable robust platform for user’s access to sensitive service and data in the scenario of 4G systems. Over this framework, with the combination of password and biometric identification (BI) as well as public key-based identification, an efficient hybrid authentication and key agreement (HAKA) scheme is presented to resist the possible attacks, particularly the attacks on/from ME. Compared with 3G architecture and other security schemes for 4G mobile networks, our architecture and corresponding HAKA is more secure, scalable and convenient to support globe mobility and capable of being employed to handle the complicated security issues in 4G mobile networks.

Yu Zheng,Dake He,Xiaohu Tang,Hongxia Wang

DOI: https://doi.org/10.1109/ICICS.2005.1689196

2005-01-01

Abstract:Future 4G mobile communication networks are expected to provide all IP-based services for heterogeneous wireless access technologies. Security service for mobile user as a major challenge in developing such 4G networks becomes more complicated to handle. Since the mobile equipment (ME) becomes ever more powerful but still remain open to possible attacks, the neglect of the security of ME in developing traditional security scheme for mobile networks will remain many risks in the coming 4G systems. In this paper we associate trusted computing (TC) with PKI to provide a considerable robust platform for user's access to sensitive service and data in the scenario of 4G systems. Then over the trusted mobile platform (TMP) we present an hybrid AKA (authentication and key agreement) and authorization scheme, in which password is in combination with fingerprint as well as public key to achieve mutual authentication among user/ME/USIM (universal subscriber identity module) and that among user/AN (accessed network)/HE (home environment). Compared with other AKA for future mobile networks and 3G AKA, our scheme with well scalability and acceptable efficiency is more robust and secure to resist potential attacks on/from ME and attacks in heterogeneous network infrastructure

Wei Feng,Yu Qin,Dengguo Feng,Ge Wei,Lihui Xue,Dexian Chang

DOI: https://doi.org/10.1007/978-3-642-38631-2_23

2013-01-01

Abstract:Trusted computing technology can establish trust in the local computer platform by a trusted boot, and can further transfer the trust to a remote verifier through a remote attestation mechanism. However, no standard solution is provided to convey the trust information to users in a friendly manner. Existing methods have no implementation, or need users to buy a specific USB device (an additional purchasing burden for users). To establish user-based trust, we summarize possible solutions and classify the related works according to each solution. After comparing these solutions, we provide a better method “Mobile Trusted Agent (MTA)”, which uses a general mobile device as a reliable medium to establish a secure channel between the local user and the remote verifier. Finally, we have implemented MTA using an ARM SoC device and evaluated the performance of the protocol for secure channel. The evaluation results demonstrate that MTA has high quality and flexibility for building user-based trust.

Man Chun Chow,Maode Ma

DOI: https://doi.org/10.3390/s22124525

2022-06-15

Abstract:The futuristic fifth-generation cellular network (5G) not only supports high-speed internet, but must also connect a multitude of devices simultaneously without compromising network security. To ensure the security of the network, the Third Generation Partnership Project (3GPP) has standardized the 5G Authentication and Key Agreement (AKA) protocol for mutually authenticating user equipment (UE), base stations, and the core network. However, it has been found that 5G-AKA is vulnerable to many attacks, including linkability attacks, denial-of-service (DoS) attacks, and distributed denial-of-service (DDoS) attacks. To address these security issues and improve the robustness of the 5G network, in this paper, we introduce the Secure Blockchain-based Authentication and Key Agreement for 5G Networks (5GSBA). Using blockchain as a distributed database, our 5GSBA decentralizes authentication functions from a centralized server to all base stations. It can prevent single-point-of-failure and increase the difficulty of DDoS attacks. Moreover, to ensure the data in the blockchain cannot be used for device impersonation, our scheme employs the one-time secret hash function as the device secret key. Furthermore, our 5GSBA can protect device anonymity by mandating the encryption of device identities with Subscription Concealed Identifiers (SUCI). Linkability attacks are also prevented by deprecating the sequence number with Elliptic Curve Diffie-Hellman (ECDH). We use Burrows-Abadi-Needham (BAN) logic and the Scyther tool to formally verify our protocol. The security analysis shows that 5GSBA is superior to 5G-AKA in terms of perfect forward secrecy, device anonymity, and mutual Authentication and Key Agreement (AKA). Additionally, it effectively deters linkability attacks, replay attacks, and most importantly, DoS and DDoS attacks. Finally, the performance evaluation shows that 5GSBA is efficient for both UEs and base stations with reasonably low computational costs and energy consumption.

Liang TAN,Xun LUO,Ming-tian ZHOU

DOI: https://doi.org/10.3969/j.issn.1001-0548.2007.03.005

2007-01-01

Abstract:In this paper, the Trusted Authentication Gateway System (TAGS), based on Trusted Platform Model (TPM) of Trusted Computing Group (TCG), is presented, its design and principle are introduced, and deficiencies of TAGS are analyzed. Key and certification are resident in TPM on client platform, so verifier can decide that when a secure link between client and server could be established by TAGS.

Andreas U. Schmidt,Nicolai Kuntze,Michael Kasper

DOI: https://doi.org/10.1109/WCNC.2008.553

2007-12-14

Abstract:In its recently published TCG Mobile Reference Architecture, the TCG Mobile Phone Work Group specifies a new concept to enable trust into future mobile devices. For this purpose, the TCG devises a trusted mobile platform as a set of trusted engines on behalf of different stakeholders supported by a physical trust-anchor. In this paper, we present our perception on this emerging specification. We propose an approach for the practical design and implementation of this concept and how to deploy it to a trustworthy operating platform. In particular we propose a method for the take-ownership of a device by the user and the migration (i.e., portability) of user credentials between devices.

Cryptography and Security

Chenlin Huang,Wei Chen,Lu Yuan,Yan Ding,Songlei Jian,Yusong Tan,Hua Chen,Dan Chen

DOI: https://doi.org/10.1016/j.jpdc.2020.11.002

IF: 4.542

2021-03-01

Journal of Parallel and Distributed Computing

Abstract:<p>With the rise of concerns over security and privacy in the cloud, the "security-on-demand" service mode dynamically provides cloud customers with trusted computing environments according to their specific security needs. Major challenges, however, remain to achieve this goal: (1) integrating an auditable, tamper-resistant trust-management mechanism into the cloud infrastructure and (2) building a protocol to guarantee the consistency of customers' policies during virtual machine (VM) migrations. This study develops a new security-on-demand framework called a "policy-customized trusted cloud service" (PC-TCS) architecture that comprises two core components: an attribute-based signature (ABS)-based remote-attestation scheme to achieve trusted remote attestation with customized security policies and an ABS- and blockchain-based VM-migration protocol to support policy-customized trusted migration. To prove the availability of this architecture, we implemented a PC-TCS prototype based on Xen Hypervisor, the results of which indicate that (1) PC-TCS can be integrated into cloud infrastructure as part of a trusted computing base; (2) cloud users can customize the security policies of computing environments and validate their enforcement throughout the service life-cycle with the support of PC-TCS; and (3) PC-TCS can support policy-customized remote attestation and policy-customized migration with a minimal impact on performance.</p>

computer science, theory & methods

Li Kuang,Yingjie Xia,Caijun Sun,Jiaming Wu,Liangdi Bao

DOI: https://doi.org/10.19026/rjaset.5.4738

2013-01-01

Abstract:With wide adoption of Service Computing and Mobile Computing, people tend to invoke services with mobile devices, requiring accurate and real-time feedback from services at any time and any place. Among these services, some are private to limited users and require identity authorization before use; hence secure access control in wireless network should be provided. To address the challenge, in this study, we propose the architecture and protocols of a system of access to private services for mobile clients, which combines the technologies of trusted computing, Diffie-Hellman key agreement protocol, digital certificate, DES data encryption algorithm and twice verification. We further show the implementation of the proposed system, in which we have realized the authentication and authorization of mobile clients and then secure data transfer between mobile clients in the unsafe Internet and private services in the Intranet. © 2013 Maxwell Scientific Organization.

Qi Li,Xinwen Zhang,Jean-Pierre Seifer,Hulin Zhong

DOI: https://doi.org/10.1109/aptc.2008.24

2008-01-01

Abstract:Mobile payment (m-payment) received significant attention because it enables an easy payment mechanism and becomes an important complement to traditional payment means. However, m-payment over open devices and networks poses security challenges of a new dimension. Although many researchers address security issues in m-payment, there are still some security problems that are not well resolved, such as platform integrity and user privacy protection. In this paper, we propose a general payment architecture with Trusted Computing (TC) technologies to secure mobile payment. Using only a simple mobile payment infrastructure, a platform integrity protection solution is proposed to secure payment software downloading, application initialization, and secure payment transactions. We further propose two schemes to enhance the performance and flexibility of our solution. The first scheme provides platform attestation using an identity-based signature (IBS) algorithm instead of a traditional credential-based public-key signature algorithm within Trusted Computing Group (TCG) technologies, which fully utilizes the merits of the mobile computing infrastructure and improves the flexibility and performance of the payment solution. The second scheme provides attestation caching without sacrificing security achievements. We have implemented a real prototype system based on an emulated payment environment. Our security analysis and experimental results prove that our scheme can effectively meet the security requirements of a practical m-payment with acceptable performance.

JIANG Rui,LI Jianhua,PAN Li,TIE Ling

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.056

2006-01-01

Abstract:The 3GPP authentication and key agreement has two security shortages.One is that it needs a strong secure channel assumption between the VLR and the HLR,and will easily suffer from the active attack after the adversary accesses the channel.The other is that it easily suffers from the re-direction attack for the users.In this paper,a new enhanced 3GPP authentication and key agreement is proposed to overcome the two security shortages.The new enhanced 3GPP AKA protocol can ensure the secure communication in the insecure channel and defeat the re-direction attack for the users.In addition,it can be implemented without modification of SGPP AKA security architecture.

Y Zheng,DK He,LX Xu,XH Tang

DOI: https://doi.org/10.1109/icccas.2005.1493433

2005-01-01

Abstract:4G mobile communication systems focus on seamlessly integrating the existing wireless technologies and providing great flexibility and mobility which complicate the security problem. In this paper the security policy including authentication authorization account and audit (AAAA) is discussed according to the features of 4G systems. Meanwhile the security architecture scenario based on hybrid PKI trust model and Mobile IPv6 is proposed. Over this architecture a novel hybrid authentication and key agreement scheme that associates dynamic password with public-key mechanism is presented to provide lightweight authentication and non-repudiation service. Compared with other architectures and protocols, our scheme is more flexible and convenient to support global mobility with low computational power and secure communication. So it is very suitable for 4C mobile communication systems.

Minghui Shi,Humphrey Rutagemwa,Xuemin (Sherman) Shen,Jon W. Mark,Yixin Jiang,Chuang Lin

DOI: https://doi.org/10.1007/978-0-387-33112-6_11

2007-01-01

Abstract:A wireless LAN service integration architecture based on current wireless LAN hotspots is proposed to make migrating to new service cost effective. The AAA (Authentication, Authorization and Accounting) based mobile terminal registration signaling process is discussed. An application layer end-to-end authentication and key negotiation protocol is proposed to overcome the open air connection problem existing in wireless LAN deployment. The protocol provides a general solution for Internet applications running on a mobile station under various authentication scenarios and keeps the communications private to other wireless LAN users and foreign networks. A functional demonstration of the protocol is also given. The research results should contribute to rapid deployment of wireless LANs hotspot service.

Chen Tianzhou,Mao Haixia,Dai Hongjun

2006-01-01

Abstract:This paper briefly analyzes the security mechanisms of GSM/UMTS and finds their security defects, such as unidirectional authentication and cipher key transmission without encryption. For these defects, existing mobile communication systems can not prevent hostile attacks to satisfy high-level security demands. To solve these problems, we propose the robust Middleware Architecture for Mobile Communication Security (MAMCS), which employs new Authentication and Key Agreement (AKA) protocols, chooses different encryption algorithms for different applications and implements integrity control mechanism. In the end, we analyze the performance of MAMCS and show that MAMCS gets a 200%~2% improvement in security only at the cost of 1.51% descent in bandwidth and 18.14 ms extra latency.

Jing Zou,Peizhe Xin,Zhihong Xiao,Jiang Fang,Ting Li,Haonan He,Shangyuan Zhuang,Yinlong Liu

DOI: https://doi.org/10.3390/electronics12081882

IF: 2.9

2023-04-18

Electronics

Abstract:A vehicle charging network system has to access large-scale heterogeneous terminals to collect charging pile status information, which may also give malicious terminals an opportunity to access. Though some general access authentication solutions aimed at only allowing trusted terminals have been proposed, they are difficult to work with in a vehicle charging network system. First, among various heterogeneous terminals with significant differences in computing capabilities, there are inevitably terminals that cannot support computations required for cryptography-based access authentication schemes. Second, though access authentication schemes based on device fingerprints are independent of terminal computing capabilities, their authentication performance is weak in robustness and high in overhead. Third, the access authentication delay is huge since the system cannot withstand heavy concurrent access requests from large-scale terminals. To address the above problems, we propose a reliable and lightweight trusted access authentication solution for terminals in the vehicle charging network system. By cloud, edge, and local servers cooperating to execute authentication tasks, our Cloud-Edge-End Collaborative architecture effectively alleviates the authentication delay caused by high concurrent requests. Each server in the architecture deploys our well-designed unified trusted access authentication (UATT) model based on device fingerprints. With ingenious data construction and the powerful swin-transformer network, the UATT model can provide robust and low-overhead authentication services for heterogeneous terminals. To minimize authentication latency, we further design an A2C-based authentication task scheduling scheme to decide which server executes the current task. Comprehensive experiments demonstrate our solution can authenticate terminals with an accuracy higher than 98% while reducing the required data packets by two orders of magnitude, and it can effectively reduce authentication latency.

engineering, electrical & electronic,computer science, information systems,physics, applied

ZHENG Yu,HE Da-Ke,HE Ming-Xing

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.002

2006-01-01

Chinese Journal of Computers

Abstract:In this paper, according to the features of mobile equipment (ME) an example of constructing trusted mobile platform(TMP) is presented based on the smart phone’s processor, along with which three alternative methods to build trusted platform module(TPM) are discussed as well. In the framework of TMP, through combining password and fingerprint with the USIM card via RSA-KEM(Key Encapsulate Mechanism) and Hash function, a user authentication scheme is proposed to improve the security of the user domain, which achieves the mutual identification among user, ME and USIM even if their public-key certificates are issued by different certificate authorities(CAs). Moreover, the user authentication can not only easily distinguish the valid users from the pretenders but also identify the owner of ME from the genuine operators without any pre-negotiation. The performance analysis ane experimental test result show that no matter what kinds of TPM is employed authors’ authentication scheme is more secure, efficient and flexible than the corresponding scheme presented in TMP draft standard and achieves advanced security and better flexibility as compared to the schemes proposed by Lee, Lin et al..