Zhong CHEN,Hongwei MENG,Zhi GUAN

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.004

2016-01-01

Abstract:The characteristics of intrinsic security in the future Internet architecture have been used to conquer the secu-rity problems of current Internet. Self-certifying addresses are introduced in future Internet architecture (FIA) to enable the intrinsic security properties. However, without PKI, these approaches in FIA miss the intrinsic binding between user-level descriptor, network-level identifier and correspondent public key. To this end, a naming scheme of Self-Certifying Identi-fier in FIA based on Combined Public Key (CPK), named as SCI-CPK, is proposed in this paper. The use cases of identity authentication based on SCI-CPK in FIA designs are also given, including XIA, MobilityFirst and NDN. The analysis shows that the proposed method is benefit of ubiquitous access and vast mobility scenario in the future Internet.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Shengquan Liao,Chunming Wu,Qiang Yang,Ming Jiang

DOI: https://doi.org/10.4304/jnw.7.11.1837-1844

2012-01-01

Journal of Networks

Abstract:The information-centric network has been proposed for years. It received much attention in the research community until that the content-centric networking (CCN) became one of the fundamental components of Future Internet Architecture (FIA). Meanwhile, current CCN faces enormous technical challenges and one of the key issues is to properly design and evaluate the adaptive forwarding strategies. This paper aims to propose a high efficient routing protocol (ELRP) for the name resolving in CCN. The ELRP incorporates the merits of hierarchical structure, channel and rendezvous network. The demands of path latency are loosen in the proposed routing design, and other metrics, e.g. communication cost, load balancing and resource consumption, are also taken into the consideration. A collection of simulation experiments are carried out and the results show that ELRP can provide improved network performances in terms of these evaluation metrics. Such research outcome implies that a more comprehensive service can be deployed with improved network performance.

Guangwu Hu,Wenlong Chen,Qi Li,Yong Jiang,Ke Xu

DOI: https://doi.org/10.1016/j.future.2016.09.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Despite the Internet has been rapidly developed in the past three decades, its intrinsic security mechanism, e.g., IP source address validation and user identification authentication, is still not well addressed. This results in numerous cyber security threats. In order to enhance the Internet accountability and deter potential cyber-attacks, in this paper, we propose TrueID, an IPv6 header extension scheme which can embed hash-based, creditable and undeniable user identity code inside IPv6 packets. We present the system architecture, header’s format and viable implementation approaches with different credibility granularities. Meanwhile, to verify packet credibility and integrity, we design an Autonomous System (AS) level public-key distribution system which can disseminate user’s public keys between allied ASes safely. Also, the prototype experiment has proved that our scheme possesses these features with desirable performance.

Hongwei Meng,Zhong Chen,Jianbin Hu,Chuck Song,Cong Tang

DOI: https://doi.org/10.1109/CC.2017.7927578

2017-01-01

China Communications

Abstract:Integrating mobility and security in the network layer has become a key factor for Future Internet Architecture (FIA). This paper proposes a secure mobility support mechanism in eXpressive Internet Architecture (XIA), a new FIA currently under development as part of the US National Science Foundation's (NSF) program. Utilizing the natural features of ID/locator decoupling and versatile routing in XIA, a general mechanism to support host mobility is proposed. Exploiting the self -certifying identifier, a secure binding update protocol to overcome the potential threats introduced by the proposed mobility support mechanism is also given. We demonstrate that our design in XIA outperforms IP based solutions in terms of efficiency and flexibility. We also outline our initial design to illustrate one derivative benefit of an evolvable architecture: mobility support customizability with no sacrifice of architectural generality.

Jun Bi

2010-01-01

Abstract:Page 1. Name and Addressing in Future Internet Jun Bi Tsinghua University 2010.11.03 Page 2. Outline • Background • Requirements of New ID Space • Identifier Designs, Proposals and Solutions • Design Suggestions Page 3. Background Page 4. Namespaces in the Internet Today • Namespace in global scope – MAC addresses: used to identify interfaces in layer two – IP addresses: used for data transmission between hosts – Domain names: used by applications – TCP/UDP ports (together with IP addresses): used to identify processes in application layer • IP addresses are overloaded – Problems in mobility, security and so on mostly regarding IP addresses Page 5. Name and Addressing in today's Internet • IP addresses – identify interfaces connected to the Internet – Classful scheme: A, B, C, D before year 1992. – Class-less Inter-Domain Routing (CIDR, RFC1519) • Domain names …

Jie Li,Jianping Wu,Ke Xu

DOI: https://doi.org/10.1109/glocom.2011.6133740

2012-01-01

Chinese Journal of Computers

Abstract:Next generation Internet is highly concerned with the issue of trustworthy. An important foundation of trustworthy is authentication of the source IP address. With existing signature-and-verification based defense mechanisms, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs: lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without the negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively obtain the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.

Jason Chia,Swee-Huay Heng,Ji-Jian Chin,Syh-Yuan Tan,Wei-Chuen Yau

DOI: https://doi.org/10.3390/sym13081535

2021-08-20

Symmetry

Abstract:Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).

Stephanos Matsumoto,Raphael M. Reischuk,Pawel Szalachowski,Tiffany Hyun-Jin Kim,Adrian Perrig

DOI: https://doi.org/10.48550/arXiv.1506.03392

2015-06-13

Abstract:We address the problem of scaling authentication for naming, routing, and end-entity certification to a global environment in which authentication policies and users' sets of trust roots vary widely. The current mechanisms for authenticating names (DNSSEC), routes (BGPSEC), and end-entity certificates (TLS) do not support a coexistence of authentication policies, affect the entire Internet when compromised, cannot update trust root information efficiently, and do not provide users with the ability to make flexible trust decisions. We propose a Scalable Authentication Infrastructure for Next-generation Trust (SAINT), which partitions the Internet into groups with common, local trust roots, and isolates the effects of a compromised trust root. SAINT requires groups with direct routing connections to cross-sign each other for authentication purposes, allowing diverse authentication policies while keeping all entities globally verifiable. SAINT makes trust root management a central part of the network architecture, enabling trust root updates within seconds and allowing users to make flexible trust decisions. SAINT operates without a significant performance penalty and can be deployed alongside existing infrastructures.

Cryptography and Security

Zuoqi Jiang,Jiangtao Luo,Fei Zhang,Chen He,Mengnan Wang,Yanyong Zhang

DOI: https://doi.org/10.1109/hoticn48464.2019.9063215

2019-01-01

Abstract:The current data-centric security architecture for the Information Centric Network (ICN) does not provide efficient user authentication mechanisms, thus causing undesirable issues such as interest flooding a ttacks (IFA). I no rder to address them, this paper proposes a pseudonym authentication scheme on network layer based on the system of identity-based cryptography (IBC). In the proposed approach, each consumer needs to be authenticated before sending Interest packets into the network. After successful authentication, the consumer will be assigned a temporary nickname to be used in later data request. During the procedure, IBC is adopted to protect real names of consumers and verify the interest origin. As a result, this approach can complete user authentication and protect his real identity simultaneously. The proposed approach is case studied in IFA depression and expected results are achieved.

Su Yao,Jianfeng Guan,Zhiwei Yan,Ke Xu

DOI: https://doi.org/10.1109/mnet.2018.1800175

IF: 10.294

2019-01-01

IEEE Network

Abstract:Currently, many hybrid satellite-aerial-terrestrial networks are under construction. The problem is how to coordinate heterogeneous communication networks and platforms to provide more effective services, which is seriously hindering the further development of networks. To mitigate this and other problems, a novel heterogeneous wireless network architecture named the Smart Identifier for Space and Terrestrial Integrated Network (SI-STIN) is designed. Based on the Smart Identifier Network (SINET), SI-STIN aims to solve the problem of the heterogeneous convergence of the integrated network layer, break through the triple binding of the traditional network layer design, and ultimately achieve high efficiency for resource integration and interconnection. The SI-STIN includes three layers and two domains: the smart pervasive service layer, dynamic resource adaption layer, and collaborative network component layer, and the entity domain and behavior domain, in which many separate identifiers and behavior descriptions are applied. Then the details, workflow, applications, and challenges of the STIN are presented. Experimental analysis verifies that the SI-STIN improves the performance in regard to network security and transmission efficiency and thus has great potential to satisfy various network demands.

Xiruo Liu,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1109/icccn.2013.6614191

2013-01-01

Abstract:A recent trend in clean-slate network design has been to separate the role of identifiers from network locators. An essential component to such a separation is the ability to resolve names into network addresses. One challenge facing name resolution is securing the name resolution service. This paper examines the security of a clean-slate name resolution service suitable for mobile networking. We begin with a high-level threat analysis, and identify several types of attacks that may be used against name resolution services. We then present secure protocols that together form a secure global name resolution service. Specifically, we present a secure update protocol that allows users to update their network addresses as they migrate and that includes several checkpoints that prevents spoofing, collusion, stale identifiers and false identifier announcements. Since the primary function behind a name resolution service is to respond to address-lookup queries, we also present a secure query protocol. Finally, we address the security risks associated with IP holes that can arise in a global name resolution service.

Zhou Zhou,Huang Yongfeng,Li Xing

DOI: https://doi.org/10.3321/j.issn:1001-0505.2007.z1.022

2007-01-01

Abstract:A novel authentication framework,which is named central identity-code assignment and distributed authentication(CIADA),is proposed in order to meet the demands of the secure authentication for nodes in the peer-to-peer(P2P) network.The "trusted third party"(TTP) trust model is improved,and the secure dynamic accumulator is utilized to carry out the authentication protocol.The authentication among nodes is implemented efficiently.The dynamic entering or leaving of nodes is supported,and the authentication among domains and the combination of domains are allowed.CIADA takes full account of the characters of P2P network such as self-organization,dynamic and scalability.It is in the same secure intension as public key infrastructure(PKI) but without the defects in keys' issue and revoking and the authentication among domains of other existed distributed authentication protocols.So CIADA is more suitable for the secure authentication of nodes in the P2P network.

Hui LI,Jiangxing WU,Kaixuan XING,Peng YI,Shisheng CHEN,Wei LIANG,Jinwu WEI,Wei LI,Fusheng ZHU,Kaiyan TIAN,Jiang ZHU,Yiqin LU,Ke XU,Jiaxing SONG,Yijun LIU,Yongji DONG,Yongxiang HAN,Hanxu HOU,Junfeng MA,Rui XU,Jianming QUE,Weihao YANG,Weihao MIU,Zefeng ZHENG,Tao SUN,Guohua WEI,Jiuhua QI,Ji LIU,Yongjie BAI,Chonghui NING,Han WANG,Xinchun ZHANG,Jiawei HU,Jiansen HUANG,Sai LV,Xinwei LIU,Gengxin LI

DOI: https://doi.org/10.1360/n112019-00070

2019-01-01

Abstract:The Internet has become the essential infrastructure of modern society, while the centralized domain name system (DNS) is unable to provide high-quality services and secure government.Facing this challenge, we propose a reconfigurable multi-identifier network architecture and develop the prototype of the multi-identifier system.We optimize the network security using consortium blockchain, improve the forwarding speed using HPT for FIB, and enhance the scalability through tunnel algorithm.Experiments and testing of this prototype on the network of the two largest telecommunication service providers in China demonstrate that the system is robust enough to support real-world traffic.It can also be applied to sovereign network and other private networks with multiple identifiers, which may become a Chinese solution of the network security to the world.

Hui Li,Fusheng Zhu,Yiqin Lu,Wai Ho Mow,Yeung Wai-Ho,Zefeng Zheng,Peng Yi,Xinsheng Ji,Qinrang Liu,Wei Li,Kaiyan Tian,Jiangxing Wu,Jiang Zhu,Jiaxing Song,Yijun Liu,Junfeng Ma,Jiawei Hu,Jiansen Huang,Guohua Wei,Jiuhua Qi,Ting Huang,Kaixuan Xing,Xin Yang,Han Wang,Julong Lan,Ke Xu,Hua Tan,Jinwu Wei,Wei Liang

DOI: https://doi.org/10.1109/access.2020.2974327

IF: 3.9

2020-01-01

IEEE Access

Abstract:IP protocol is the core of TCP/IP network layer. However, since IP address and its Domain Name are allocated and managed by a single agency, there are risks of centralization. The semantic overload of IP address also reduces its scalability and mobility, which further hinders the security. This paper proposes a co-governing Multi-Identifier Network (MIN) architecture that constructs a network layer with parallel coexistence of multiple identifiers, including identity, content, geographic information, and IP address. On the management plane, we develop an efficient management system using consortium blockchain with voting consensus, so the network can simultaneously manage and support by hundreds or thousands of nodes with high throughput. On the data plane, we propose an algorithm merging hash table and prefix tree (HTP) for FIB, which avoids the false-negative error and can inter-translate different identifiers with tens of billions of entries. Further, we propose a scheme to transport IP packets using CCN as a tunnel for supporting progressive deployment. We deployed the prototype of MIN to the largest operators' network in Mainland China, Hongkong and Macao, and demonstrated that the network can register identifier under co-governing consensus algorithm, support VoD service very well.

Boyang Wu,Hewu Li,Qian Wu

DOI: https://doi.org/10.1109/WCNC.2019.8885688

2019-01-01

Abstract:Lack of effective accountability mechanisms brings a series of security problems for Internet today. In Next Generation Internet based on IPv6, the system of identity authentication and IP verification is the key to accounting ability. Source Address Validation Improvement (SAVI) can protect IP source addresses from being faked. But without identity authentication mechanism and certain relationship between IP and accountable identity, the accountability is still unreliable. To solve this problem, most research focus on embedding accountable identity into IP address which need either changing DHCP client or twice DHCP request process due to the separate process of user authentication and address assignment. Different from previous research, this paper first analyzes the problems and requirements of combining Web Portal or 802.1X, two main identity authentication mechanism (AAA), with the accountable address assignment in SAVI frame-work. Then a novel Cooperative mechanism for Accountable IP address assignment (CAIP) is proposed based on 802.1X and SAVI, which takes into account the validation of IP address, the authenticity and accountability of identity at the same time. Finally, we build up prototype system for both Fat AP and Thin AP wireless scenarios and simulate the performance of CAIP through large-scale campus networks' data logs. The experiment result shows that the IP addresses and identities in CAIP are protective and accountable. Compared with other previous research, CAIP is not only transparent to the terminals and networks, but also low impact on network equipment, which makes CAIP easy deployment with high compatibility and low cost.

Guohua Wei,Hui Li,Yongjie Bai,Xin Yang,Huayu Zhang,JianMing Que,Wenjun Li

DOI: https://doi.org/10.1109/icccn52240.2021.9522353

2021-01-01

Abstract:In this paper, we propose a Space-Terrestrial Integrated Multi-identifier Network (STI-MIN), which has the characteristic of efficient routing scheme, co-governed network space, and endogenous security. The fundamental theory is proposed to depict the overview of STI-MIN firstly. Then a multi-identifier management system based on hierarchical consortium blockchain and a scalable space-terrestrial integrated routing scheme are designed to build the efficient management plane and data plane of STI-MIN respectively. The endogenous security mechanism of STI-MIN is also proposed based on trusted computing and identity self-authentication. A testbed covering six provinces or regions of China and a high throughput satellite has been built. The experiment done in the testbed shows that STI-MIN has many merits while comparing it with the traditional network.

Liwei Xu,Han Wu,Jianguo Xie,Qiong Yuan,Ying Sun,Guozhen Shi,Shoushan Luo

DOI: https://doi.org/10.3390/e25050760

IF: 2.738

2023-05-07

Entropy

Abstract:The Space–Air–Ground Integrated Network (SAGIN) expands cyberspace greatly. Dynamic network architecture, complex communication links, limited resources, and diverse environments make SAGIN's authentication and key distribution much more difficult. Public key cryptography is a better choice for terminals to access SAGIN dynamically, but it is time-consuming. The semiconductor superlattice (SSL) is a strong Physical Unclonable Function (PUF) to be the hardware root of security, and the matched SSL pairs can achieve full entropy key distribution through an insecure public channel. Thus, an access authentication and key distribution scheme is proposed. The inherent security of SSL makes the authentication and key distribution spontaneously achieved without a key management burden and solves the assumption that excellent performance is based on pre-shared symmetric keys. The proposed scheme achieves the intended authentication, confidentiality, integrity, and forward security, which can defend against masquerade attacks, replay attacks, and man-in-the-middle attacks. The formal security analysis substantiates the security goal. The performance evaluation results confirm that the proposed protocols have an obvious advantage over the elliptic curve or bilinear pairings-based protocols. Compared with the protocols based on the pre-distributed symmetric key, our scheme shows unconditional security and dynamic key management with the same level performance.

physics, multidisciplinary

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.