LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Mir Ali Rezazadeh Baee,Leonie Simpson,Xavier Boyen,Ernest Foo,Josef Pieprzyk

DOI: https://doi.org/10.1186/s13638-021-01968-6

2021-05-21

EURASIP Journal on Wireless Communications and Networking

Abstract:Abstract In intelligent vehicular networks, vehicles have enhanced sensing capabilities and carry computing and communication platforms to enable new versatile systems known as Vehicular Communication (VC) systems. Vehicles communicate with other vehicles and with nearby fixed equipment to support different applications, including those which increase driver awareness of the surroundings. This should result in improved safety and may optimize traffic. However, VC systems are vulnerable to cyber attacks involving message manipulation. Research aimed at tackling this problem has resulted in the proposal of multiple authentication protocols. Several existing survey papers have attempted to classify some of these protocols based on a limited set of characteristics. However, to date there is no generic framework to support the comparison of these protocols and provide guidance for design and evaluation. Most existing classifications either use computation complexity of cryptographic techniques as a criterion, or they fail to make connections between different important aspects of authentication. This paper provides such a framework, proposing a new taxonomy to enable a consistent means of classifying authentication schemes based upon seven main criteria. The main contribution of this study is a framework to enable protocol designers and investigators to adequately compare and select authentication schemes when deciding on particular protocols to implement in an application. Our framework can be applied in design, making choices appropriate for the intended context in both intra-vehicle and inter-vehicle communications. We demonstrate the application of our framework using two different types of case study: individual analysis and hypothetical design. Additionally, this work makes several related contributions. We present the network model, outline the applications, list the communication patterns and the underlying standards, and discuss the necessity of using cryptography and key management in VC systems. We also review the threats, authentication, and privacy requirements in vehicular networks.

telecommunications,engineering, electrical & electronic

Qi Xie,Deren Chen

DOI: https://doi.org/10.1109/icie.2010.292

2010-01-01

Journal of Networks

Abstract:To use the network services provided by multiple servers in mobile wireless network, a hash function and smart card based multi-server authentication scheme without verification tables and servers' public keys is proposed. The new protocol has many advantages, such as no encryption, signature, verification tables, timestamp, and public keys directory.

Song, Lijun

DOI: https://doi.org/10.1007/s10586-024-04371-0

2024-03-31

Cluster Computing

Abstract:Identity authentication is the key technology to confirm and authorize the legal identity of users, and it plays an important role in the field of information security. However, the current user authentication attributes are usually pre-specified by the server, which has the problem of lack of flexibility. Therefore, a multi-factor authentication scheme based on custom attributes is proposed in this paper. The user creates the authentication policy tree according to the personal identity attribute factor, and constructs the authentication policy set. In order to authenticate quickly, a multi-level cryptographic accumulator is designed. The Level-One cryptographic accumulator is used to accumulate the unique identity of the user, and the Level-Two cryptographic accumulator is used to accumulate the authentication policy set of the user. Based on the untamperable property of the blockchain and combined with the Schnorr digital signature protocol, register the accumulated value and evidence of the multi-level cryptographic accumulator to the blockchain. The user's identity is authenticated by verifying the accumulated value and evidence on the blockchain. In order to verify the performance of the scheme, the throughput and average time delay of registration and authentication methods are tested and analyzed in detail. The results show that by integrating authentication policy tree, multi-level cryptographic accumulator and blockchain network, this scheme can not only achieve multi-factor authentication with custom attributes, but also maintain good performance. It has made a useful contribution to the field of multi-factor identity authentication based on custom attributes.

computer science, information systems, theory & methods

Han Zhang,Yingxu Lai,Ye Chen

DOI: https://doi.org/10.1016/j.simpat.2022.102681

IF: 4.199

2022-10-27

Simulation Modelling Practice and Theory

Abstract:This paper proposes an authentication protocol based on a trusted connection architecture to manage the security and reliability of the cloud service environment during the communication process, improve the trust of the cloud service platform toward vehicles, and ensure that vehicle terminals have reliable access to cloud services. Compared with prior Internet of Vehicle (IoV) authentication schemes, our scheme is the first to include platform identification in the authentication process. Based on the characteristics of the trusted connection architecture, the components that constitute the platform can be assessed for security by verifying the vehicle platform identity and platform integrity metrics, thereby eliminating internal threats. In addition, the protocol proposes an authentication scheme for the IoV environment, in which the trusted authority only needs to generate the user's partial key based on the identity, thereby avoiding the key escrow problem common to identity-based cryptosystems. Finally, the scheme is proven to be highly secure using various approaches, such as Syverson-Van Oorschot (SVO) logical analysis, simulated authentication via automated validation of internet security protocols and applications (AVISPA), and informal security analysis. In the identity authentication step, our method has low computation and communication overhead when compared with other schemes according to the performance analysis results.

computer science, interdisciplinary applications, software engineering

Muath Obaidat,Joseph Brown,Suhaib Obeidat,Majdi Rawashdeh

DOI: https://doi.org/10.3390/s20154212

2020-07-29

Abstract:A significant percentage of security research that is conducted suffers from common issues that prevent wide-scale adoption. Common snags of such proposed methods tend to include (i) introduction of additional nodes within the communication architecture, breaking the simplicity of the typical client-server model, or fundamental restructuring of the Internet ecosystem; (ii) significant inflation of responsibilities or duties for the user and/or server operator; and (iii) adding increased risks surrounding sensitive data during the authentication process. Many schemes seek to prevent brute-forcing attacks; they often ignore either partially or holistically the dangers of other cyber-attacks such as MiTM or replay attacks. Therefore, there is no incentive to implement such proposals, and it has become the norm instead to inflate current username/password authentication systems. These have remained standard within client-server authentication paradigms, despite insecurities stemming from poor user and server operator practices, and vulnerabilities to interception and masquerades. Besides these vulnerabilities, systems which revolve around secure authentication typically present exploits of two categories; either pitfalls which allow MiTM or replay attacks due to transmitting data for authentication constantly, or the storage of sensitive information leading to highly specific methods of data storage or facilitation, increasing chances of human error. This paper proposes a more secure method of authentication that retains the current structure of accepted paradigms, but minimizes vulnerabilities which result from the process, and does not inflate responsibilities for users or server operators. The proposed scheme uses a hybrid, layered encryption technique alongside a two-part verification process, and provides dynamic protection against interception-based cyber-attacks such as replay or MiTM attacks, without creating additional vulnerabilities for other attacks such as bruteforcing. Results show the proposed mechanism outperforms not only standardized methods, but also other schemes in terms of deployability, exploit resilience, and speed.

YANG Jian-jun,JIA Chen-jun,RAN Li-xin

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.014

2005-01-01

Abstract:By analyzing the principle of remote authentication dial in user service (RADIUS) protocol and the applied security algorithm, an improved RADIUS protocol was proposed to enhance the security performance of networks.Based on the improved protocol,AAA (authentication,authority and account) architecture was set up for the Internet service providers.The AAA architecture for wireless gateway does not increase the complexity of the communication systems, and is simple and easy to implement.

Jie Cui,Xiaoyu Zhang,Hong Zhong,Jing Zhang,Lu Liu

DOI: https://doi.org/10.1109/tifs.2019.2946933

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With an increasing number of cloud service providers (CSPs), research works on multi-cloud environments to provide solutions to avoid vendor lock-in and deal with the single-point failure problem have expanded considerably. However, a few schemes focus on the conditional privacy protection authentication of vehicular networks under a multi-cloud environment. In this regard, we propose a robust and extensible authentication scheme for vehicular networks to fulfil the ever-growing diversified service demands from users. According to our solution, the vehicles need to register with the trusted authority (TA) only once to achieve a fast and efficient authentication with CSPs. Additionally, as long as the new CSP is successfully registered in TA, it can participate in vehicular service. A cloud broker, which is managed by the TA, is responsible for connecting all the cloud services; consequently, the complexity involved in the selection of CSPs is hidden from the users' view. A detailed security analysis establishes that our scheme can fulfil conditional privacy protection and achieve the security objectives of vehicular networks. Our scheme is based on elliptic curve cryptography and does not employ the complex bilinear pairing operation. An evaluation of performance of the proposed scheme indicates that it is suitable for applications involving vehicular networks.

computer science, theory & methods,engineering, electrical & electronic

Wang Shibin,Mao Kele,Zhan Furui,Liu Dong

DOI: https://doi.org/10.1007/s12083-020-00916-3

IF: 3.488

2020-01-01

Peer-to-Peer Networking and Applications

Abstract:In existing authentication schemes for vehicular ad hoc networks (VANETs), the public key infrastructure (PKI)-based pseudonym certificate, identity-based encryption and group signature technology are usually used to preserve the security and privacy. However, these schemes face some challenges, e.g., the time-consuming certificate revocation list (CRL) checking, identity revocation issue and the computation overhead of group signature, respectively. To cope with these challenges, we propose a hybrid conditional privacy-preserving authentication protocol based on the PKI certificate and identity-based signature. In our scheme, the trust authority (TA) assigns the unique long-term certificate for every registered node. Only the vehicle with valid certificate can apply the anonymous short term identity from the current RSU to sign safety-related message. The identity-based signature avoids the CRL checking and the complex bilinear paring operation. When vehicle is compromised, TA can easily revoke its identity by the only long-term certificate. To further enhance efficiency, vehicle can verify the received messages by the single or batch authentication manner. In addition, we optimize the authentication process to avoid vehicle verifying the repeated and unnecessary signatures. Compared with the current schemes, the simulation result shows that our authentication protocol can effectively reduce verified messages in the case of meeting the requirement of security and privacy.

Haojie Lu

2009-01-01

Abstract:User authentication is mostly carried out by sending a pair of username and password to the server in insecure network,since most users have not a certificate.Just based on this fact,some attacks are achieved.The method of phishing and the common mechanism of protecting key are analyzed,and an authentication scheme employing trusted computing technology is proposed.Since the scheme combines protected storage,authentication chain,and password partition etc,thieving only the password will not have an affect on user security.In the end,the proposed approach is proven to protect against phishing attacks.

Mubarak Umar,Jiandong Wang,Hafsa Kabir Ahmad,Shuangrui Zhao,Feng Li,Shuguang Wang,Minggang Zheng,Yulong Shen,Zhiwei Zhang,Xin Guo

DOI: https://doi.org/10.1016/j.vehcom.2023.100708

IF: 6.7

2023-12-06

Vehicular Communications

Abstract:The Internet of Vehicles (IoV) systems improve road safety through coordination among vehicles, but they are vulnerable to impersonation attack due to their broadcast communication nature. Existing cryptographic authentication approaches are complex for resource-limited IoV devices, which motivated the development of less complex Physical Layer Authentication (PLA) approaches. However, the existing PLA approaches use all channel attributes for all communication scenarios and do not update reference attributes used to authenticate newly observed attributes during authentication, which leads to poor performance when the attributes become insensitive to communication scenarios. To address these limitations, we propose a multiple attributes-based PLA scheme that flexibly selects effective attributes according to current communication scenarios for improved authentication. First, the historical channel attributes including the ricean K-Factor (KF), the Delay Spread (DS), and the Azimuth Spread of Arrival (ASA) together with the communication scenarios (i.e., Line-of-Sight (LoS) and Non-Line-of-Sight (NLoS)) information of transmitters are used to establish a relationship and train a Long Short-Term Memory (LSTM) neural network to identify current communication scenarios. The softmax function is then used to evaluate the scenario identification performance of each attribute and the attributes with maximum softmax values are dynamically selected for authentication. Second, to track and update the reference attributes, we use the historical attributes together with the past location and communication scenarios information of transmitters and train our model to predict future attributes for authentication. Finally, we use the Euclidean distance to measure the similarity between the selected and the predicted attributes to authenticate the transmitters. We validate the effectiveness of our approach and compare its performance with the existing methods through extensive simulations using realistic radio channel characteristics generated from the Quasi Deterministic Radio channel Generator (QuaDRiGa) platform. The results of the evaluation show that our system improves authentication performance and its false alarm and miss detection are respectively 19.19% and 52% lower than the existing approaches.

telecommunications,transportation science & technology

Xueming Zhang,Haitao Deng,Zenggang Xiong,Yanchao Liu,Ying Rao,Yuanlin Lyu,Yuan Li,Delin Hou,Youfeng Li

DOI: https://doi.org/10.1007/s11265-023-01908-1

2024-02-18

Journal of Signal Processing Systems

Abstract:In social aware networks, the routing protocol possesses a considerable amount of sensitive user information during node transmission. When selecting the next hop node for transmitting information in social sensing networks, there is an inherent risk of privacy breach due to malicious nodes attacking innocent nodes within the network. To address the issue of user privacy leakage, this study presents a novel privacy-preserving access control algorithm, termed Attribute Trust-based Security (ATST), which is designed to protect sensitive information. The algorithm, based on encrypting the plaintext message to ensure message security, employs the user's attributes to create an attribute trust measurement model and a network access control structure. This process identifies a trusted next hop node for information transmission. Subsequently, the access control tree model derived from the attribute is utilized during decryption. After the message reached its destination node, only the user who satisfied the access control criteria of the decryption module was authorized to decrypt the ciphertext. By verifying the trust measurement and access control of nodes through the dual trust mechanism, it prevented malicious nodes from entering the network, causing damage to the network and affecting the performance of the network. In addition, the clear text message was encrypted and transmitted, and the final receiving node was verified to ensure the secure transmission of the message to the destination node. The simulation outcomes demonstrate that the ATST algorithm effectively mitigates the effects of malevolent nodes on the network, ensuring message transfer efficiency and reducing the average delay.

computer science, information systems,engineering, electrical & electronic

He,Wei,Li,Xiu,Liu,Wenhuang

DOI: https://doi.org/10.3969/j.issn.1008-0570.2005.33.001

2005-01-01

Abstract:This paper investigates the importance of uniform identity authentication system for building knowledge sharing platform, and presents the general framework of this system. An architecture based on kerberos Protocol and Security Assertion Markup Language is used to solve the issue of the Single User Sign-on to Multiple Services. This paper also discusses the issue of organizing user's id and access control lists with the distributed directory tree method, and a real application model is presented. This system can provide a very effective and secure access on knowledge sharing system.

Xiaodong Yang,Songyu Li,Lan Yang,Xiaoni Du,Caifen Wang

DOI: https://doi.org/10.1109/tits.2024.3367925

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Vehicular ad-hoc networks (VANETs) are integral to the evolution of intelligent transportation systems, offering substantial benefits in managing traffic flow, issuing warnings for potential accidents, and delivering information services to drivers. To ensure the authenticity and integrity of data exchanged within VANETs, numerous authentication schemes based on certificateless aggregate signature (CLAS) have been developed. However, state-of-the-art solutions often fail to be applicable in real-world VANETs due to security weaknesses and operational inefficiencies. Recently, Zhu et al. proposed an efficient CLAS-based authentication scheme with conditional privacy preservation (CPP) for VANETs (IEEE Transactions on Intelligent Transportation Systems, DOI: 10.1109/TITS.2023.3275077). Unfortunately, our analysis reveals that Zhu et al.’s scheme is incapable of withstanding coalition attacks from malicious RSUs and vehicles as well as public-key replacement attacks from dishonest vehicles. To facilitate secure communication in VANETs, we present a security-enhanced, pairing-free and energy-efficient CLAS-based authentication scheme with CPP for VANETs. This scheme has been rigorously proven to be secure against Type I, Type II and Type III attackers. Distinguished from other comparable schemes, our construction significantly reduces communication overhead and energy consumption while simultaneously fortifying security.

engineering, electrical & electronic,transportation science & technology, civil

Chenyu Wang,Ke Ding,Bin Li,Yiming Zhao,Guoai Xu,Yanhui Guo,Ping Wang

DOI: https://doi.org/10.1155/2018/3048697

2018-01-01

Wireless Communications and Mobile Computing

Abstract:With the popularity of cloud computing, information security issues in the cloud environment are becoming more and more prominent. As the first line of defense to ensure cloud computing security, user authentication has attracted extensive attention. Though considerable efforts have been paid for a secure and practical authentication scheme in cloud computing environment, most attempts ended in failure. The design of a secure and efficient user authentication scheme for cloud computing remains a challenge on the one hand and user’s smart card or mobile devices are of limited resource; on the other hand, with the combination of cloud computing and the Internet of Things, applications in cloud environments often need to meet various security requirements and are vulnerable to more attacks. In 2018, Amin et al. proposed an enhanced user authentication scheme in cloud computing, hoping to overcome the identified security flaws of two previous schemes. However, after a scrutinization of their scheme, we revealed that it still suffers from the same attacks (such as no user anonymity, no forward secrecy, and being vulnerable to offline dictionary attack) as the two schemes they compromised. Consequently, we take the scheme of Amin et al. (2018) as a study case, we discussed the inherent reason and the corresponding solutions to authentication schemes for cloud computing environment in detail. Next, we not only proposed an enhanced secure and efficient scheme, but also explained the design rationales for a secure cloud environment protocol. Finally, we applied BAN logic and heuristic analysis to show the security of the protocol and compared our scheme with related schemes. The results manifest the superiority of our scheme.

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.