LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Yang Ming,Xiaopeng Yu,Xiaoqin Shen

DOI: https://doi.org/10.1109/access.2020.3018488

IF: 3.9

2020-01-01

IEEE Access

Abstract:Healthcare Internet of Things (IoT) is an emerging paradigm, which can provide comprehensive and different types of health services and enable various types of medical sensors to monitor patient's health conditions. In the healthcare IoT, patient is deployed with a variety of medical sensors, which continuously monitors and collects patient's sensitive health data that needs specially protection for preventing privacy leakage. To safely send multiple different health data monitored by multiple different medical sensors to multiple corresponding healthcare professionals in one data report, several multi-message and multi-receiver signcryption schemes have been introduced by employing the traditional public key cryptography, identity-based cryptography or certificateless cryptography. However, these schemes suffer from the certificate management, key escrow and key distribution problem. Besides, due to the resource-constraint property of medical sensors, they are unsuitable for healthcare IoT in terms of both performance and privacy requirements. To solve these issues, this paper introduces an efficient anonymous certificate-based multi-message and multi-receiver signcryption scheme for healthcare IoT, where the certificate-based cryptography and elliptic curve cryptography are combined to simplify the certificate management problem, eliminate the key escrow problem, solve the key distribution problem and ensure the privacy-preserving. Furthermore, the security analysis suggests that the proposed scheme is able to achieve the confidentiality, unforgeability, receiver anonymity, sender anonymity and decryption fairness; the performance evaluation indicates that the proposed scheme brings to the lower computation cost and communication cost in comparison to the existing schemes.

Jianhong Zhang,Wenle Bai,Yuehai Wang

DOI: https://doi.org/10.1109/access.2019.2899828

IF: 3.9

2019-01-01

IEEE Access

Abstract:The Internet of Things (IoT) is the internetworking of terminal physical devices depends on application programming interfaces and sensors to be connected to the Internet for collecting and exchanging data. According to the characteristics of IoT, it can provide rich services for the terminal user. However, the centralized cloud computing-based storage architecture in IoT faces many challenges, such as data security, identity privacy, and high latency. To overcome these challenges, this paper introduces an IoT network storage architecture based on mobile edge computing, which not only achieves low-latency message response and computation offloading of the terminal user but also preserves identity-privacy of the terminal user. Afterward, we presented a novel non-interactive pairing-free ID-based proxy re-signature scheme (ID-PRS), which is a kernel technique to construct the aforementioned storage architecture. Compared with most of proxy re-signature schemes constructed based on traditional public-key-infrastructure, the proposed scheme avoids expensive pairing operation and intricate certificate-maintenance. And it is demonstrated to be provably secure under the classic security assumptions: integer factoring problem and the RSA assumption. Finally, in contrast to the other two ID-PRS schemes, the proposed ID-PRS scheme has more advantages in terms of security, functionability, and computation costs. Thus, it is very suitable to be applied to the resource-constrained mobile users.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

符松,金志权,陈佩佩

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.10.045

2001-01-01

Abstract:IPSec is a security architecture for the Internet protocol ,which provides transparent protection services for upper protocols. It consists of the protocols of automatic key management, authentication and encryption. In this paper, some modifications and a new protocol for the runtime detection are presented to enhance the efficiency and security of the original architecture.

Qiang Huang

2002-01-01

Abstract:The IP address management is one of the difficult parts in networks administration. Its solution directly affects the other aspects of networks administration. In this paper we first discuss several popular schemes of IP address management, the advantages and disadvantages. Then we focuse on the introduction of an user based IP address managing method, which takes advantage of the Web and Lightweight Directory Access Protocol technologies. The reasons we use these two technologies are : the Web technology has been very mature, and the related encryption technologies are also grown up; Directory Service is becoming the key technology of central management about network resources and user informations. At last an implementation of this technique is described.

Qing Wang,Haoran Li

DOI: https://doi.org/10.1155/2022/4584072

IF: 3.12

2022-04-21

Computational Intelligence and Neuroscience

Abstract:A new IoT authentication protocol is presented to address the security deficiencies in the Z-Wave protocol. The new protocol is based on Diameter and includes authentication/authorization module, billing module, and secure communication module. According to the characteristics of IoT devices, the relevant algorithms are optimized, and the key agreement scheme based on elliptic curve algorithm and the symmetric encryption scheme based on AES and RC4 are introduced, which enhances the security of the protocol and also improves the system performance. The speed of response reduces the energy consumption of the system. Aiming at solving the problem that the existing polynomial-based key predistribution management scheme is limited by the key sharing rate between the nodes and the network connectivity rate, a quadratic-based wireless sensor key management scheme is proposed. The scheme breaks through the existing idea of building a shared key with a binary t-order symmetric polynomial, introduces a multivariate asymmetric quadratic polynomial, and utilizes the relationship between the quadratic eigenvalues and eigenvectors. The analysis proves that the quadratic form can be orthogonally diagonalized and uses it to generate key information, and nodes realize identity authentication by exchanging key information. The establishment of an independent and unique session key with the neighbor node is completed. The security performance analysis and simulation results show that, compared with the existing key management schemes, the scheme has great improvements in anti-capture property, connectivity, scalability, communication overhead, and storage overhead. After a series of functional tests, the enterprise information system based on the SaaS platform in this paper basically met the design requirements and finally realized the networking of the enterprise information management process and the sharing of information. Each functional module of the system can be used normally. When the input and output are wrong, the system will have a correct prompt. The buttons and various controls of the system can work normally, meeting the requirements of functional testing. Each document of the system is correct and complete, and the language description and logic meet the needs of users and meet the requirements of document testing. The test results show that the interface of the system is friendly and easy to operate and the performance of the system is stable, which is basically in line with the needs of users and achieves the design goal of this system.

mathematical & computational biology,neurosciences

Hung-Min Sun,Shih-Ying Chang,Yao-Hsin Chen,Bing-Zhe He,Cheng-Kai Chen

DOI: https://doi.org/10.1109/tencon.2007.4429003

2007-01-01

Abstract:IPSec has been popularly used in protecting data over IP network; however, how to detect and avoid policy conflicts is a big challenge. Under current architecture, user- space process can directly manipulate security associations database (SADB) or security policies database (SPDB) causing inter-application conflict, lack of access control, lack of conflict avoiding and recovering, and conflict diffusion. Previous proposed algorithms can only detect conflicts afterward instead of preventing them in advance. Therefore we propose a new architecture to avoid conflicts and provide recovery mechanism. Finally, we implement these functionalities and the evaluation of performance shows that this architecture is realistic and practical.

XU Guo-yong,LIU Qiang,ZHANG Pu-xuan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.01.011

2007-01-01

Abstract:On resource integration implemented in government and organization,a more security and open access control system working in large scale application environment is required.Public key infrastructure authenticates a user by granting a public key certificate.Pri-vilege management infrastructure authorizes a user using attribute certificates.RBAC provides a flexible relationship between user and privilege.Emphasis on access control proceeding and policy management using PKI,PMI and RBAC,an access control mechanism based on role and dual-certificates is described.The mechanism has implemented in the taxation resource integration project.

Weichu Deng,Jin Li,Hongyang Yan,Arthur Sandor Voundi Koe,Teng huang,Jianfeng Wang,Cong Peng

DOI: https://doi.org/10.1016/j.jisa.2024.103885

IF: 4.96

2024-09-14

Journal of Information Security and Applications

Abstract:In the Internet of Things, access control and identity management rely on centralized platforms. However, centralized platforms will compromise user privacy with identity leakage. Self-sovereign identity (SSI) is a novel model for identity management that does not require third-party centralized authority. Thus, SSI is a potential solution to the identity management problem in IoT access control. This paper's motivation is to address the problems of lack of identity sovereignty, centralized authorization, and high computational overhead for IoT access control. We propose a novel access control scheme for IoT that decentralizes identity management and tackles single-point-of-failure issues. This scheme leverages ciphertext policy attribute-based encryption (CP-ABE) and SSI to achieve the overall goal. Specifically, Our scheme eliminates the central authority and empowers users to manage their identity, allowing users to decide what attributes they disclose. Regarding the distribution of roles in the architecture, this paper follows the generic SSI model (ISSUER–HOLDER—VERIFIER) that allows a user to access a service from a service provider. To enable real-world deployment of our scheme, we establish an attribute authorization authority(such as the government) as a trusted identity point of entry. Users generate decentralized identifiers to enjoy services of interest in a privacy-preserving manner. The analysis demonstrates the practicality and superiority of our scheme. Our scheme requires less computation and is suitable for resource-constrained IoT scenarios.

computer science, information systems

Haixin Duan,Jianping Wu

DOI: https://doi.org/10.1109/APCC.1999.820481

1999-01-01

Abstract:Security management is one of the five management functions defined by ISO/OSI, which covers two aspects: security of management and management of security. As to management of network security, we give security management requirements for large computer networks, combined with our management experience of managing CERNET. From our experience, the widely used firewalls in the Internet are lacking in the capability to be remotely managed on a large scale, especially multi-vendor network environment. Addressing these problems, the concept of high level security policy management is proposed for large networks. To support high level policy management and collaborative management of multi-vendor firewalls, a definition for a common firewall MIB (CFWMIB) and a common format for the TRAP events record are proposed. For the aspect of security of network management, we present a security architecture which is implemented in our web-based network management system. Flexible authentication and role-based access control mechanisms of the architecture are described. Our ongoing and future research is also outlined.

Tiantian Cai,Lin Fan,Siliang Suo,Hao Yao,Ganyang Jian,W. Xi

DOI: https://doi.org/10.1109/ITNEC.2019.8729305

2019-03-15

Abstract:The target of security protection of the power distribution automation system (the distribution system for short) is to ensure the security of communication between the distribution terminal (terminal for short) and the distribution master station (master system for short). The encryption and authentication gateway (VPN gateway for short) for distribution system enhances the network layer communication security between the terminal and the VPN gateway. The distribution application layer encryption authentication device (master cipher machine for short) ensures the confidentiality and integrity of data transmission in application layer, and realizes the identity authentication between the master station and the terminal. All these measures are used to prevent malicious damage and attack to the master system by forging terminal identity, replay attack and other illegal operations, in order to prevent the resulting distribution network system accidents. Based on the security protection scheme of the power distribution automation system, this paper carries out the development of multi-chip encapsulation, develops IPSec Protocols software within the security chip, and realizes dual encryption and authentication function in IP layer and application layer supporting the national cryptographic algorithm.

Engineering,Computer Science

ZENG Kuang-yi,YANG Jia-hai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.02.006

2007-01-01

Abstract:Policy refinement and policy conflict resolution are two of the toughest issues in implementing a policy-based network management (PBNM) system. Based on a brief review of general PBNM theories and specific access control technologies, the paper proposed a novel policy-based network management model, which adopts XML as the high level policy description language, and uses the generalized access control list(ACL) as an intermediate refining mechanism, focusing on network security and QoS management. Some critical issues and their solutions, including policy representation, policy refinement, and policy conflict policy detection, are discussed. A formula representation of the policy conflict issue is given with several important inferences. The effectiveness and efficiency of the model is verified by the implemented prototype.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Yinghua Wu,Jianping Wu,Ke Xu,Mingwei Xu

DOI: https://doi.org/10.1109/TENCON.2002.1181240

2002-01-01

Abstract:IPSec protocols offer a standard security mechanism, used for security service to upper' protocols (such as UDP and TCP). This paper introduces the design and implementation of Router Security Subsystem based on IPSec, the important part of High Performance Security Router made by Tsinghua University. We complete consummate and reliable security functions, use various optimal methods to enhance the performance furthest.

Ya Hang Zhang,BoWen Cheng,Sihan Qing,Guang N. Zou,Weiping Wen

DOI: https://doi.org/10.1117/12.855391

2010-01-01

Abstract:To solve the conflict between TCP accelerating technology based on PEP middle node and IPSec protocol used in the Satellite Network, NASA and the Hughes Research Laboratory (HRL) each independently proposed a solution named Multilayer IPsec protocol which can integrate IPSec with TCP PEPs. The problem is: Traditional IKE protocol can't work with Multilayer IPSec protocol. In this study, the traditional IKE main mode and quick mode are enhanced for layered IPSec protocol, and an improved layered key distribution protocol: ML-IKE is proposed. This key distribution protocol is used for key exchange between peers and middle node, so that different nodes have different security associations (SA), and different security associations correspond to different IP packet fields, so different SA nodes have different authorization to different IP packet fields. ML-IKE protocol is suitable for layered IPSec, thus layered IPSec can be used for automatic key distribution and update.

Liwei Xu,Han Wu,Jianguo Xie,Qiong Yuan,Ying Sun,Guozhen Shi,Shoushan Luo

DOI: https://doi.org/10.3390/e25050760

IF: 2.738

2023-05-07

Entropy

Abstract:The Space–Air–Ground Integrated Network (SAGIN) expands cyberspace greatly. Dynamic network architecture, complex communication links, limited resources, and diverse environments make SAGIN's authentication and key distribution much more difficult. Public key cryptography is a better choice for terminals to access SAGIN dynamically, but it is time-consuming. The semiconductor superlattice (SSL) is a strong Physical Unclonable Function (PUF) to be the hardware root of security, and the matched SSL pairs can achieve full entropy key distribution through an insecure public channel. Thus, an access authentication and key distribution scheme is proposed. The inherent security of SSL makes the authentication and key distribution spontaneously achieved without a key management burden and solves the assumption that excellent performance is based on pre-shared symmetric keys. The proposed scheme achieves the intended authentication, confidentiality, integrity, and forward security, which can defend against masquerade attacks, replay attacks, and man-in-the-middle attacks. The formal security analysis substantiates the security goal. The performance evaluation results confirm that the proposed protocols have an obvious advantage over the elliptic curve or bilinear pairings-based protocols. Compared with the protocols based on the pre-distributed symmetric key, our scheme shows unconditional security and dynamic key management with the same level performance.

physics, multidisciplinary

Qi Liu,Xiangyu Bai

DOI: https://doi.org/10.1109/iceiec.2017.8076576

2017-01-01

Abstract:In order to ensure the security of mobile ad hoc networks (MANETs), the research on certificateless key management scheme is attracting more and more attention. The certificateless key management scheme can well resist the key escrow problem and it is very suitable for MANET, which is source-constrained and has no public key infrastructure. In this paper, we give an overview of some recent certificateless key management schemes and analyse their advantages and disadvantages. Then we make a comparison of their main methods, key distribution, private key generation and their calculation cost. Finally we put forward a suggestion to solve the problems existing in the certificateless key management scheme.

Yimin Guo,Yajun Guo,Ping Xiong,Fan Yang,Chengde Zhang

DOI: https://doi.org/10.1109/tifs.2024.3382934

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Designing an efficient and secure authentication scheme is a significant means to ensure the security of IoT systems. Hundreds of authentication schemes tailored for IoT environments have been proposed in recent years, and regrettably, many of them were soon found to have succumbed to security vulnerabilities. In an effort to investigate the underlying reason for this, Wang et al. (at TIFS'23) recently analyzed the vulnerability of authentication schemes from the perspective of provable security. However, we observe that some authentication schemes with sound security proofs and heuristic security analysis are also not resistant to certain attacks, and even those that have been improved several times are still not immune. To explore the deep-seated reasons for security vulnerabilities in IoT authentication schemes, we divide security attacks into explicit and implicit attacks and find that many authentication schemes exhibit security under explicit attacks but are rendered vulnerable under implicit attacks. Further, we propose the relationship between the design goals of security attributes of authentication schemes and implicit attacks, analyze the vulnerability of three typical authentication schemes under implicit attacks, and find that only the security attributes capable of resisting the strongest implicit attacks are secure. Finally, we offer some specific suggestions on how to achieve the security attribute goals.

computer science, theory & methods,engineering, electrical & electronic