XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

ZHANG Chaodong,XU Mingwei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.07.024

2006-01-01

Abstract:The version 2 of the Internet Key Exchange Protocol(IKEv2) will become a request for comments.Analyses of IKEv2 have shown that IKEv2 is susceptible to denial of service(DoS) attacks based on IP fragment and degenerate message attacks.DoS attacks can be handled by using an IP address preferred list.An improved way to generate keying materials to protect against degenerate message attacks is based on shared secrets.Analysis results indicate that these two measures improve IKEv2's ability to resist DoS attacks and degenerate message attacks.Measures based on the IP address preferred list can be used directly when implementing IKEv2.The improved methods to generate keying material can be used as a reference for the next version of IKEv2.

ZHANG Ling-ling,PAN Xue-zeng,CUI Yu-zeng

2005-01-01

Abstract:Comparing the difference between IKEv2 and IKE,the advantages of IKEv2 on the complex of the implementation and the low delay were analyzed.The message exchange and the generation of various keys of IKEv2 was introduced, an implementation approach of IKEv2 using the security coprocessor were proposed.This implementation can accelerate the process of key generation,message encryption and integrity verify check.

张勇,冯东雷,陈涵生,白英彩

2002-01-01

Journal of Software

Abstract:IKE (Internet key exchange, RFC2409) describes a suite of Internet key exchange protocols for establishing security associations and obtaining authenticated keying material. A security flaw in these IKE protocols is observed and a simple modification is proposed. In this paper, it is pointed out that there is a neglected security flaw in the amended IKE protocols. And a successful attack on the amended IKE protocols is also provided. A new amendment to IKE protocols is proposed, and the reasons which cause the two security flaws are analyzed by using BAN logic successfully.

杜全文,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.039

2002-01-01

Abstract:It is necessary to implement IKE protocol when using IPSec protocol to ensure IP security.This paper describes how to implement a typical IKE message exchange by multithread in detail.

Wang Changji,Yang Bo,Wu Jianping

DOI: https://doi.org/10.1007/s11767-005-0007-z

2005-01-01

Abstract:In 1999, Seo and Sweeney proposed a simple authenticated key agreement protocol that was designed to act as a Diffie-Hellman key agreement protocol with user authentication. Various attacks on this protocol are described and enhanced in the literature. Recently, Ku and Wang proposed an improved authenticated key agreement protocol, where they asserted the protocol could withstand the existing attacks. This paper shows that Ku and Wang’s protocol is still vulnerable to the modification attack and presents an improved authenticated key agreement protocol to enhance the security of Ku and Wang’s protocol. The protocol has more efficient performance by replacing exponentiation operations with message authentication code operations.

舒剑,许春香

DOI: https://doi.org/10.3969/j.issn.1000-436x.2010.03.008

2010-01-01

Abstract:The security of a recently proposed password-based authenticated key exchange protocol was analyzed. Al- though it was provably secure in the standard model, it was vulnerable to reflection attacks. A modify scheme was pro- posed, which eliminated the defect of original scheme and improved the efficiency of the protocol. The security of the proposed scheme had been proven in the standard model under DDH assumption. The results show that it provides per- fect forward secrecy.

Rui Jiang,LI Jian-Hua,Li Pan,蒋睿,李建华,潘理

2006-01-01

Abstract:Simple authenticated key agreement algorithm is one of the Diffie-Hellman key agreement variations. It prevents man-in-the-middle attack with only two more packets required to agree on the secret session key, but it has some weaknesses. In this paper, a new enhanced simple authenticated key agreement algorithm is proposed to overcome these weaknesses on the basis of analyzing the weaknesses of the related protocols. The new enhanced simple authenticated key agreement algorithm can get over replay attack and password guessing attack, provide perfect forward secrecy, and hold the merits of the simple authenticated key agreement algorithm.

LIU Jie,LI Jian-hua

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.14.031

2008-01-01

Computer Engineering and Applications Journal

Abstract:Investigate a Diffie-Hellman key exchange protocol which is integrated into digital signature algorithm.Analyze Phan's improved protocol and give a further improvement.Then a novel key exchange protocol based on RSA-OAEP cryptosystem is presented.The protocol is simple,efficient and can provide standard security attributes that key exchange protocols should have.

Liu Xiang-jiang

2009-01-01

Abstract:Since the Point-to-Point protocol (PPP) provides no protection for the negotiations of algorithms, the Internet key exchange (IKE) protocol is introduced into PPP for the negotiations of shared keys and authentication, compression and encryption algorithms. Through the integrity protection of the control messages, this method effectively solves the security problem of negotiations in PPP. The analysis of the method shows that it is much more secure and more effective than the original PPP.

Zhao Hu,Yuesheng Zhu,Limin Ma

DOI: https://doi.org/10.1109/icon.2012.6506591

2012-01-01

Abstract:Kerberos is a widely-used network authentication protocol based on a trusted third-party. PKINIT, an enhanced Kerberos protocol which uses PKI mechanism, can prevent the password guessing attack, however, it introduces excessive amount of computational power. To enhance the security performance and computation efficiency of Kerberos, in this paper an improved Kerberos protocol based on Diffie-Hellman-DSA (DH-DSA) key exchange is proposed. Mutual authentication and key exchange between the client and Authentication Server (AS) can be simultaneously achieved with the proposed approach. Our experimental and analysis results have demonstrated that this new protocol can resist the password guessing attack and is more efficient and easily deployed than PKINIT.

YANG Jian-jun,JIA Chen-jun,RAN Li-xin

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.014

2005-01-01

Abstract:By analyzing the principle of remote authentication dial in user service (RADIUS) protocol and the applied security algorithm, an improved RADIUS protocol was proposed to enhance the security performance of networks.Based on the improved protocol,AAA (authentication,authority and account) architecture was set up for the Internet service providers.The AAA architecture for wireless gateway does not increase the complexity of the communication systems, and is simple and easy to implement.

ZHOU Xian-cun,XIONG Yan,LIU Ren-jin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.20.021

2012-01-01

Abstract:Analysis indicates that Liaw et al's remote user authentication scheme is vulnerable to replay attack,man-in-the-middle attack,and there are obvious security vulnerabilities in the password changing phase and registration phase.A remote user authentication scheme based on Diffie-Hellman(D-H) key exchange protocol is proposed.Theoretical analysis shows that the scheme can resist impersonation attack,replay attack,man-in-the-middle attack,and it can implement mutual authentication and session key generation securely.

顾文俊,熊云风,杨宇航

DOI: https://doi.org/10.3321/j.issn:1006-2467.2003.z1.017

2003-01-01

Shanghai Jiaotong Daxue Xuebao/Journal of Shanghai Jiaotong University

Abstract:This paper analysed the HARN-LIN protocol and the two modifications, and pointed out the essential cause of the bug for security. Also, this paper proposed one modification that not only eradicated the bug of the original protocol, but also obeyed the original intention not to use one-way function. It discussed the proposed modification in validity, security and efficiency. The results indicate that the proposed modification can guarantee the creation and sharing of multiple secret keys between communication peers.

Jian-fan WEI,Zhong CHEN,Yun-suo DUAN,Li-fu WANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2005.02.023

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Denial of service has become a major security threat in open communications networks. Authentication and key establishment protocols usually are vulnerable to network DoS attacks. This paper presents a new countermeasure to make authentication protocols without trusted third party resistant against DoS attack. By using this method, the strength of resistance can be adjusted dynamically and most parallel session attacks can be prevented.

LIU Xin,MAO Yu-ming

DOI: https://doi.org/10.3969/j.issn.1672-2892.2005.01.015

2005-01-01

Abstract:Now the network security service is provided by the security gateway.The most widely used protocol is Internet Key Exchange protocol (IKE).The initial IKE standards work well for peers with fixed IP address.But with the development of the network,especially after the mobile network is introduced,the methods of accession have been multiplied,which has aroused a problem that the IP address of the computer is no longer fixed.How to provide the security service in such a kind of network is a current focus.In this paper,how to combine the IKE with the Authentication Methods is introduced.The advantages and disadvantages of the ways are discussed.The situations in which such ways could work best are analyzed. In the end a conclusion is drawn that in the network in which the IP address is not fixed,the performance of the IKE could be promoted.

Linzhi Jiang,Chunxiang Xu,Xiaofang Wang,Yanghong Zhou

DOI: https://doi.org/10.1109/HPCC-CSS-ICESS.2015.148

2015-01-01

Abstract:Network security protocol design is important aspect of network security research. DoS/DDoS is very serious attack in wired and wireless network. DoS/DDoS attack depletes memory/cpu of service provider, so legitimate user can't gain normal service. According to anti-DoS attack strategy of network security protocols, we give and discuss three mechanisms (stateless connection, Fail-together and Subset Sum Client-Puzzle) on design of a key exchange protocol against denial of service attack for ISO/IEC1170-3 key exchange protocol. Subset Sum Client-Puzzle has simple structure, Non-Parallelizable speciality and fast verification. N Subset Sum Client-Puzzles' difficulties are sum of n Subset Sum Client-Puzzle's difficulty. Based on analysis of new key exchange protocol, we compare initiator and responder for computation resource, memory depletion and anti-DoS/DDoS. ISO/IEC1170-3 key exchange protocol on Subset Sum Client Puzzle, which is non-parallelizable, easy construction and verification, has the good property against DoS/DDoS attack. It provides a very good reference for network security protocol design with anti-DoS/DDoS attack.

CHEN Aiguo,LIN Wei,LUO Guangchun,ZHANG Qiang

2013-01-01

MANNED SPACEFLIGHT

Abstract:To solve the conflict between TCP segment-based transport layer performance enhancement technology and IPSec protocol,the multi-layer IPSec technology has been proposed. But traditional IKE protocols can not meet the needs of Multi-layer IPSec key exchange. Based on the IKEv2,a lightweight space Quadri-party Internet Key Exchange Protocol (LSQ-IKE) is presented which can operate in multi-layer IPSec. LSQ-IKE makes a key agreement for the four parties,including two communication sides and two trusted middle nodes. It creates two security associations (SA) and the corresponding session keys to protect the communication process. One of the SA protects the IP packet header and the other protects the payload field,which meets the requirements of multi-layer IPSec key exchange. The analysis shows that LSQ-IKE uses fewer steps to achieve a Quadri-party key exchange than protocols that already exists. So LSQ-IKE has the low-cost and lightweight features.

Yang ZHANG,Chaoyang LI,Xiangjun XIN,Fagen LI

DOI: https://doi.org/10.16186/j.cnki.1673-9787.2017.05.015

2017-01-01

Abstract:In order to improve the security and efficiency of the key agreement protocol,a secure one-pass and two-party authenticated key agreement protocol is proposed.In this protocol,a certificateless digital signature is sent to the receiver,in which the sender's public key,identification number,time stamp,and other identifiable information are signed.Then,the receiver verifies the variety of the digital signature.The session key is built by using the Diffie-Hellman key agreement protocol.The new protocol can be proved to be secure in random oracle model;it can also satisfy the properties of known session key secrecy,forward secrecy,uncontrollability of the session key and key compromise impersonation resilience.