Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Di Wang,Yue Cao,Kim-Kwang Raymond Choo,Zhaohui Yang,Zhili Sun,Haitham Cruickshank

DOI: https://doi.org/10.1109/tvt.2023.3281592

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:For large-scale battery-swapping demands, reservations are utilized to effectively manage battery swapping. To achieve data security, one promising solution is heterogeneous signcryption (i.e. signature + encryption). However, existing heterogeneous signcryption cannot simultaneously support aggregation, batch verification, conditional privacy-preserving, bidirectional heterogeneous communication, and availability. Besides, to reduce the end-to-end delays, mobile edge computing (MEC) is introduced to reservations, so other challenge is to design an incentive mechanism to encourage mobile edge nodes (MENs) to transmit reservation messages. Seeking to address these challenges, we propose a reservation scheme with conditional privacy-preserving bidirectional heterogeneous aggregate signcryption and incentive mechanism, namely SecBS. More precisely, in status publication (i.e. SecBS-SP), electric vehicles (EVs) obtain status messages released by battery swapping stations (BSSs) via MENs, which is realized via heterogeneous signcryption from certificateless cryptosystem (CLC) to identity-based cryptosystem (IBC). In the reservation (i.e. SecBS-R), under the incentive, MENs transmit reservations sent by EVs to BSSs, which is realized via heterogeneous signcryption from IBC to CLC. Finally, formally security proof and extensive simulations are carried out to manifest the security and feasibility of our SecBS.

W Liu,Jp Wu,Hx Duan,X Li,P Ren

DOI: https://doi.org/10.1007/978-3-540-30208-7_47

2004-01-01

Abstract:This paper presents an authorization solution for resource management and control developed as part of the China Education and Research Network (CERNET) to perform fine-grained authorization of job and resource management requests in a Grid environment which meets the Fusion-Grid's security needs in large scale networks such as CERNET. It integrates the GT2 job manager and X.509 authorization and this model can be extended to other authorization decision functions. It allows the system to evaluate a user's resource specification language request against authorization policies on resource usage. Furthermore, based on XML integrated authorization policies, it allows other virtual organization members to manage the user's resources.

Steffen Schreiner,Latchezar Betev,Costin Grigoras,Maarten Litmaath

DOI: https://doi.org/10.48550/arXiv.1112.2444

2011-12-12

Abstract:Grid computing infrastructures need to provide traceability and accounting of their users" activity and protection against misuse and privilege escalation. A central aspect of multi-user Grid job environments is the necessary delegation of privileges in the course of a job submission. With respect to these generic requirements this document describes an improved handling of multi-user Grid jobs in the ALICE ("A Large Ion Collider Experiment") Grid Services. A security analysis of the ALICE Grid job model is presented with derived security objectives, followed by a discussion of existing approaches of unrestricted delegation based on X.509 proxy certificates and the Grid middleware gLExec. Unrestricted delegation has severe security consequences and limitations, most importantly allowing for identity theft and forgery of delegated assignments. These limitations are discussed and formulated, both in general and with respect to an adoption in line with multi-user Grid jobs. Based on the architecture of the ALICE Grid Services, a new general model of mediated definite delegation is developed and formulated, allowing a broker to assign context-sensitive user privileges to agents. The model provides strong accountability and long- term traceability. A prototype implementation allowing for certified Grid jobs is presented including a potential interaction with gLExec. The achieved improvements regarding system security, malicious job exploitation, identity protection, and accountability are emphasized, followed by a discussion of non- repudiation in the face of malicious Grid jobs.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Weifeng Sun,Boxiang Dong,Zhenquan Qin,Juanyun Wang,Mingchu Li

DOI: https://doi.org/10.1109/iihmsp.2010.184

2010-01-01

Abstract:Computational grids are a promising platform for solving platform for solving large-scale resource intensive problems. Security problems become an urgent and complex undertaking for the application of grid computing. Traditional approaches to proving certificates validity such as CRL and OCSP are problematic in some areas. A new mechanism LSSM(Low-level Security Solving Method) which can efficiently solve problems of security, time accuracy and overhead is introduced in detail. LSSM is able to realize better security and faster revocation without bringing about too much cost.

Emmanuel Ahene,Zhangchi Qin,Akua Konadu Adusei,Fagen Li

DOI: https://doi.org/10.1109/jiot.2019.2930742

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:Smart grid utilizes intelligent metering and other monitoring devices that frequently collect and send a customer's usage report of energy consumption to an energy service provider (ESP). By mere behavioral inference from usage reports, its viable to adjudge the daily routine, location, and the kind of electrical devices of a customer. The collection and transmission of such data raises security concerns. Hence, its vital to secure ESP's access to a customer's data. In perspective of this, we introduce a data access control scheme which is suitable for smart grids with secure customer data access. In our scheme, the customer is a data owner while an ESP or other third party stakeholder (TPS) is the data user. A data user can have secure access to a customer's data via a gateway device such as energy service interface (ESI). The ESI fits in as proxy that re-encrypts data for authorized data users based on the delegation command from the data owner. Here, ESI is unable to acquire plaintext information on the data. Moreover, only authorized data users are eligible for decrypting and verifying the integrity and authentication of data. We achieve the data access control via a certificateless signcryption with proxy re-encryption (CLSPRE) scheme. Detailed security analysis shows that our CLSPRE scheme is secure in the random oracle model (ROM). Moreover, extensive performance evaluation indicates its efficiency with respect to communication overhead and computation complexity.

Rachana Y. Patil,Yogesh H. Patil,Mohamed Louzazni,Rajkumar Bhimgonda Patil,Sameer Al-Dahidi

DOI: https://doi.org/10.1155/js/1603926

IF: 2.336

2024-11-29

Journal of Sensors

Abstract:The rapid development of smart renewable energy grids (SREGs) has resulted in a vast amount of data that requires efficient access control and secure mechanisms for sharing energy records among stakeholders. This paper proposes a novel approach called the identity‐based proxy signcryption‐based scheme for SREGs (ID‐PSC‐SREGs), which ensures the secure sharing of energy records in SREGs. The ID‐PSC‐SREG scheme integrates the benefits of signature and encryption techniques, merging them into a unified algorithm and providing a comprehensive solution for the confidentiality and authenticity of energy records. Extensive security analysis demonstrates that the scheme achieves provable security against adaptive chosen ciphertext attacks (IND‐ID‐PSC‐SREG‐CCA2) and existential unforgeability against adaptive chosen message attacks (EUF‐ID‐PSC‐SREG‐CMAs) under the decisional Diffie–Hellman problem. In order to further ascertain the security of the ID‐PSC‐SREG scheme, formal verification utilizing the automated validation of internet security protocols and applications (AVISPAs) is performed. The results confirm the scheme's safety under the On‐the‐Fly Model‐Checker (OFMC) and Constraint Logic‐based Attack Searcher (CL‐AtSe).

engineering, electrical & electronic,instruments & instrumentation

蒋文保,戴一奇,杨大鉴

DOI: https://doi.org/10.3321/j.issn:1000-0054.2004.04.033

2004-01-01

Abstract:Grid environments have a broad range of security requirements that differ from conventional network environment needs. This paper proposes a new grid security system, CertGSI, which uses multiple certifications including identity certification, attribute certification, and proxy certification to address various grid security requirements. Moreover, CertGSI incorporates a flexible authentication and access control mechanism that provides scalability to a large number of resources and users. Its security policy, framework, multiple certifications, authentication, and access control mechanism are discussed in detail.

Yaqing Song,Yuan Zhang,Chunxiang Xu,Shiyu Li,Anjia Yang,Nan Cheng

DOI: https://doi.org/10.1109/jiot.2023.3264682

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Certificate revocation checking (CRC) is a fundamental requirement in certificate-based public-key cryptographic systems. Most existing CRC schemes are not tailored for edgecloud computing systems, and directly applying these schemes would cause security and efficiency problems. In this paper, we first propose a two-layer edge-cloud-assisted CRC framework, dubbed ECA-CRC, where edge nodes utilizing a probabilistic checking algorithm serve as a first layer, and the cloud server utilizing a deterministic checking algorithm serves as a second layer. Both the edge nodes and the cloud server collaboratively provide verifiable CRC services for devices. The most prominent manifestations of ECA-CRC are that (1) most CRC requests can be processed with the probabilistic checking layer, which reduces the checking delay significantly while providing an accurate CRC service; (2) devices can detect the irresponsible behavior of the service provider, including using an incorrect revoked certificate set (RCS) to compute checking results or procrastinating on updating the RCS, as soon as possible.We then propose an efficient instantiation of ECA-CRC, dubbed eECACRC, by utilizing a Merkle hash tree (MHT) based homomorphic signature, Cuckoo filter, and Othello. We formally prove the security of eECA-CRC against the irresponsible service provider under the random oracle model. We implement an eECA-CRC prototype and conduct a comprehensive performance evaluation based on a public certificate database. Our results show that 95% of CRC requests are completed on the edge nodes, and only 5% of CRC requests need to be handled by the cloud server.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xuejiao Liu,Yingjie Xia,Wenzhi Chen,Yang Xiang,Mohammad Mehedi Hassan,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1016/j.jcss.2016.05.006

IF: 1.043

2016-01-01

Journal of Computer and System Sciences

Abstract:Vehicular ad hoc network (VANET) is an increasing important paradigm, which not only provides safety enhancement but also improves roadway system efficiency. However, the security issues of data confidentiality, and access control over transmitted messages in VANET have remained to be solved. In this paper, we propose a secure and efficient message dissemination scheme (SEMD) with policy enforcement in VANET, and construct an outsourcing decryption of ciphertext-policy attribute-based encryption (CP-ABE) to provide differentiated access control services, which makes the vehicles delegate most of the decryption computation to nearest roadside unit (RSU). Performance evaluation demonstrates its efficiency in terms of computational complexity, space complexity, and decryption time. Security proof shows that it is secure against replayable choosen-ciphertext attacks (RCCA) in the standard model.

Xukai Zou,Yuan-Shun Dai,Xiang Ran

DOI: https://doi.org/10.1016/j.future.2006.12.004

IF: 7.307

2007-01-01

Future Generation Computer Systems

Abstract:Grid computing is a newly developed technology for complex systems with large-scale resource sharing and multi-institutional collaboration. The prominent feature of grid computing is the collaboration of multiple entities to perform collaborative tasks that rely on two fundamental functions: communication and resource sharing. Since the Internet is not security-oriented by design, there exist various attacks, in particular malicious internal and external users. Securing grid communication and controlling access to shared resources in a fine-tuned manner are important issues for grid services. This paper proposes an elegant Dual-Level Key Management (DLKM) mechanism using an innovative concept/construction of Access Control Polynomial (ACP) and one-way functions. The first level provides a flexible and secure group communication technology while the second level offers hierarchical access control. Complexity analysis and Simulation demonstrate the efficiency and effectiveness of the proposed DLKM in both computational grid and data grid. An example is illustrated.

Lei Chen,Chong Guo,Bei Gong,Muhammad Waqas,Lihua Deng,Haowen Qin

DOI: https://doi.org/10.1186/s13677-024-00631-x

2024-03-24

Journal of Cloud Computing

Abstract:The widespread adoption of fifth-generation mobile networks has spurred the rapid advancement of mobile edge computing (MEC). By decentralizing computing and storage resources to the network edge, MEC significantly enhances real-time data access services and enables efficient processing of large-scale dynamic data on resource-limited devices. However, MEC faces considerable security challenges, particularly in cross-domain service environments, where every device poses a potential security threat. To address this issue, this paper proposes a secure cross-domain authentication scheme based on a threshold signature tailored to MEC's multi-subdomain nature. The proposed scheme employs a (t,n) threshold mechanism to bolster system resilience and security, catering to large-scale, dynamic, and decentralized MEC scenarios. Additionally, the proposed scheme features an efficient authorization update function that facilitates the revocation of malicious nodes. Security analysis confirmed that the proposed scheme satisfies unforgeability, collusion resistance, non-repudiation and forward security. Theoretical evaluation and experimental simulation verify the effectiveness and feasibility of the proposed scheme. Compared with existing schemes, the proposed scheme has higher computational performance while implementing secure authorization updates.

Cong Wang,Peng Huo,Maode Ma,Tong Zhou,Yiying Zhang

DOI: https://doi.org/10.1007/s00607-023-01188-4

2023-06-28

Computing (Vienna/New York)

Abstract:With the gradual maturity of Smart Grid (SG), security challenges become the most important issues that need to be addressed urgently. In recent years, many schemes adopt mutual authentication and key agreement to ensure secure communication in SG. However, most existing methods have their own shortcomings in either security or efficiency which make them difficult to satisfy the security requirements of SG. In this paper, we propose a provable secure and lightweight authenticated key agreement scheme based on the Elliptic Curve Cryptosystem (ECC) for the cloud-edge-end collaboration SG communication network. The proposed scheme can guarantee the security of the communication and provide anonymity for both the edge server and the smart meters. The anonymity of the smart meters can be provided by a pseudonym mechanism. By rigorous security analysis, the proposed scheme can resist to the typical attacks including replay attacks and identity forgery attacks. The security properties are also evaluated by using the Canetti and Krawczyk (CK) adversary model. The performance simulation results denotes that the proposed scheme not only owns stronger security functions but also improves computation efficiency by 24.5% on average than other four schemes. By simulation results, the proposed scheme has been shown to hold high efficiency.

Yiming Mou,Lunzhi Deng,Yu Ruan

DOI: https://doi.org/10.1002/cpe.8321

2024-10-31

Concurrency and Computation Practice and Experience

Abstract:Certificateless cryptography, which solves the key escrow problem and avoids the complexity of certificate management, is an important part of public key cryptography. In the multi‐user scenarios, broadcast encryption can improve computational efficiency and reduce communication cost. Moreover, there may be some malicious users in the above scenarios, and the decryption permissions of these users need an effective mechanism to revoke them. In this paper, a revocable certificateless encryption scheme for multi‐user (RCLE‐MU) is proposed to address this issue. In the scheme, the Cloud Server Provider (CSP) utilizes the master time key to periodically generate time keys for legitimate users. For illegitimate users, their decryption privileges are revoked since they are unable to obtain the time keys. Then this new scheme is proved to be ciphertext indistinguishable under selected identity and chosen‐ciphertext attacks (sID‐CCAs). Finally, compared with several other schemes, the new scheme has more efficiency advantage. So it is suitable for multi‐user scenarios.

computer science, theory & methods, software engineering

Daniel Hsu,Hsuan-Tung Chen,Hung–Min Sun,Tiao‐Lai Huang

2023-01-01

Abstract:With the development of technology, cryptography needs to be improved to remain with the same strength of security, so as for meters for smart grid. The cipher suites used in smart grid meters defined in DLMS/COSEM are not RSA but rather ECDSA. However, users who would like to enroll for an ECDSA certificate will need a pre-shared password with the server. To change that, we use the ECDH method to overcome the limitation from others’ previous research. Also, to authenticate the requests from the meters for the smart grid, we use a temporary certificate mechanism to authenticate the SCEP protocol request, and the mechanism also supports the EST protocol to establish a security communication channel. With ECDH implementation in SCEP and the authentication method, the ECDSA certificate can be compatible with the SCEP protocol and the transmission can be done without a shared password.