Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Hongwei Meng,Zhong Chen,Jian-bin Hu,Zhi Guan

DOI: https://doi.org/10.1145/2935663.2935676

2016-01-01

Abstract:In order to enable intrinsic security without the Public Key Infrastructure (PKI) deployment, flat self-certifying addresses have been involved into the future Internet architecture (FIA) designs. In contrast to deriving a self-certifying address from hashing of a correspondent prepared public key, we build up this self-certifying relationship along the reverse path using Combined Public Key (CPK). Our design develop the chain of trust embedded in the Internet name/address registration and allocation process for domains, hosts, services and content, to establish intrinsic bindings between three different identities: user-level human-readable names, network-level routable flat identifiers and the correspondent public keys. This binding connects the accountability between real-world space and network space. The use cases of our design are also given in named data networking (NDN) and identity/locator splitting network architecture, i.e. XIA and MobilityFirst. The analysis also shows that identity authentication based on CPK is capable of resource-constrained nodes in large-scale networks without scalability tradeoffs.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Hongwei Meng,Zhong Chen,Jianbin Hu,Chuck Song,Cong Tang

DOI: https://doi.org/10.1109/CC.2017.7927578

2017-01-01

China Communications

Abstract:Integrating mobility and security in the network layer has become a key factor for Future Internet Architecture (FIA). This paper proposes a secure mobility support mechanism in eXpressive Internet Architecture (XIA), a new FIA currently under development as part of the US National Science Foundation's (NSF) program. Utilizing the natural features of ID/locator decoupling and versatile routing in XIA, a general mechanism to support host mobility is proposed. Exploiting the self -certifying identifier, a secure binding update protocol to overcome the potential threats introduced by the proposed mobility support mechanism is also given. We demonstrate that our design in XIA outperforms IP based solutions in terms of efficiency and flexibility. We also outline our initial design to illustrate one derivative benefit of an evolvable architecture: mobility support customizability with no sacrifice of architectural generality.

Bing Zhang,Xinxin Ma,Zhiguang Qin

2011-01-01

Abstract:⎯By analyzing existed Internet of Things’ system security vulnerabilities, a security architecture on trusting one is constructed. In the infrastructure, an off-line identity authentication based on the combined public key (CPK) mechanism is proposed, which solves the problems about a mass amount of authentications and the cross-domain authentication by integrating nodes’ validity of identity authentication and uniqueness of identification. Moreover, the proposal of constructing nodes’ authentic identification, valid authentication and credible communication connection at the application layer through the perception layer impels the formation of trust chain and relationship among perceptional nodes. Consequently, a trusting environment of the Internet of Things is built, by which a guidance of designing the trusted one would be provided. Index Terms⎯Combined public key, elliptic curves cryptography, Internet of Things, radio frequency identification, security system, trusting system.

YU Hua,CAI Hai-bin,LIU Liang-xu

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.10.048

2006-01-01

Abstract:The Internet/Intranet emergence provided for the business enterprise a fast,efficient,convenient network environment so as to realize informatization,and one of the key security problems of network information system is user authentication.Based on analysis the security problems of existed user authentication system,the model of user authentication system based on PKI and LDAP technology is discussed,and a new reliable efficientscheme is proposed.theprocess ofauthentication and storageof digital certificate.The scheme is realized in an enterprise network and has a good effect.The system will have wide application.

Jing Ren,Sheng Wang,Yangming Zhao,Shizhong Xu,Lemin Li

DOI: https://doi.org/10.1049/cp.2011.1456

2011-01-01

Abstract:Security is one of the most urgent problems in today's Internet. For the lack of a clear definition of identifier of entity we seek to manage in the Internet, existing security mechanisms are not well integrated into the Internet architecture. These security mechanisms are designed as separate extensions and their effectiveness are limited. In this paper, we present a new network architecture, Security Enhanced Network Architecture (SENA), to provide a "built-in" security. In SENA, there are four identifiers, including service identifier, connection identifier, endpoint identifier and routing identifier. With a reinforced control plane, the architecture allows network administrators directly manage the mappings between different identifiers and provides security as an integrated solution.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Zhou Zhou,Huang Yongfeng,Li Xing

DOI: https://doi.org/10.3321/j.issn:1001-0505.2007.z1.022

2007-01-01

Abstract:A novel authentication framework,which is named central identity-code assignment and distributed authentication(CIADA),is proposed in order to meet the demands of the secure authentication for nodes in the peer-to-peer(P2P) network.The "trusted third party"(TTP) trust model is improved,and the secure dynamic accumulator is utilized to carry out the authentication protocol.The authentication among nodes is implemented efficiently.The dynamic entering or leaving of nodes is supported,and the authentication among domains and the combination of domains are allowed.CIADA takes full account of the characters of P2P network such as self-organization,dynamic and scalability.It is in the same secure intension as public key infrastructure(PKI) but without the defects in keys' issue and revoking and the authentication among domains of other existed distributed authentication protocols.So CIADA is more suitable for the secure authentication of nodes in the P2P network.

Zuoqi Jiang,Jiangtao Luo,Fei Zhang,Chen He,Mengnan Wang,Yanyong Zhang

DOI: https://doi.org/10.1109/hoticn48464.2019.9063215

2019-01-01

Abstract:The current data-centric security architecture for the Information Centric Network (ICN) does not provide efficient user authentication mechanisms, thus causing undesirable issues such as interest flooding a ttacks (IFA). I no rder to address them, this paper proposes a pseudonym authentication scheme on network layer based on the system of identity-based cryptography (IBC). In the proposed approach, each consumer needs to be authenticated before sending Interest packets into the network. After successful authentication, the consumer will be assigned a temporary nickname to be used in later data request. During the procedure, IBC is adopted to protect real names of consumers and verify the interest origin. As a result, this approach can complete user authentication and protect his real identity simultaneously. The proposed approach is case studied in IFA depression and expected results are achieved.

Xiruo Liu,Meiyuan Zhao,Sugang Li,Feixiong Zhang,Wade Trappe

DOI: https://doi.org/10.3390/fi9030027

2017-06-28

Future Internet

Abstract:The Internet of Things (IoT) is a recent trend that extends the boundary of the Internet to include a wide variety of computing devices. Connecting many stand-alone IoT systems through the Internet introduces many challenges, with security being front-and-center since much of the collected information will be exposed to a wide and often unknown audience. Unfortunately, due to the intrinsic capability limits of low-end IoT devices, which account for a majority of the IoT end hosts, many traditional security methods cannot be applied to secure IoT systems, which open a door for attacks and exploits directed both against IoT services and the broader Internet. This paper addresses this issue by introducing a unified IoT framework based on the MobilityFirst future Internet architecture that explicitly focuses on supporting security for the IoT. Our design integrates local IoT systems into the global Internet without losing usability, interoperability and security protection. Specifically, we introduced an IoT middleware layer that connects heterogeneous hardware in local IoT systems to the global MobilityFirst network. We propose an IoT name resolution service (IoT-NRS) as a core component of the middleware layer, and develop a lightweight keying protocol that establishes trust between an IoT device and the IoT-NRS.

Hongbin Luo,Hongchao Wang,Hongke Zhang,Yajuan Qin,Chunming Qiao

2009-01-01

Abstract:It has been widely recognized that the current Internet routing system faces serious scalability and security issues and one should take a fresh look at novel routing architectures. In this paper, we propose a scalable and secure routing architecture for a future Internet. The proposed architecture is called 4I as it uniquely integrates four recent ideas: locator/identifier separation, customer network/provider network separation, self-certifying identifiers, and routing with capability. We analyze the design challenges in integrating these ideas and propose mechanisms to address these challenges. We analyze the feasibility of 4I by results from emulations and analyses. We show that 4I is not only scalable and secure, but also capable of supporting efficient mobility. While the proposed architecture may not be deployed in the Internet today, it is a promising solution in the long term.

Alexander Herrigel,Xuejia Lai

DOI: https://doi.org/10.1007/978-0-387-34894-0_11

1994-01-01

Abstract:This paper presents a new approach for secure IN internetworking. Based on a threat analysis, an adequate cryptographic protocol is proposed to address the derived security concerns. The cryptographic protocol presented is based on the recently published standardization framework ISO/IEC CD11770-3.

Liang Jin,Xiaoyan Hu,Jiangxing Wu

DOI: https://doi.org/10.1051/sands/2023004

2023-01-01

Abstract:In this paper, we propose a conjecture that endogenous security without any prior knowledge is similar to perfect secrecy without any prior knowledge. To prove the conjecture, we first establish a cryptography model of instinct function security to transform the security problem in the network domain into an encryption problem in the cryptographic domain. Then, we inherit and apply the established ideas and means of the Perfect Secrecy, and propose the concept, definition and corollaries of the perfect instinct function security (PIFS) corresponding to the Perfect Secrecy. Furthermore, we take the DHR system as a concrete implementation of PIFS and propose the DHR Perfect Security Theorem corresponding to Shannon’s Perfect Secrecy Theorem. Finally, we prove that the DHR satisfying the "One-Time Reconstruction" constraint is the sufficient and necessary condition to achieve perfect security. This means that the existence of PIFS is also proven. The analysis shows that any reconfigurable system can be encrypted by its construct and that the PIFS converts the one-way transparent superiority of the attacker into a double-blind problem for both the attacker and the defender, which leads to that the attacker is impossible to obtain useful construction information from the attacks and unable to find a better way than blind trial-and-error or brute-force attacks. Since the attackers are required to have the new powerful ability to crack the structure cryptogram, the threshold of cyber security is raised to at least the same level as cryptogram deciphering, thereafter the ubiquitous cyber threats are destined to be significantly reduced.

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.

Mingwei Xu

2009-01-01

Abstract:Identity of users and hosts are necessary in mobile environment and in network management of Internet,and the reality of the identity is even more import in security and trust-worthiness of Internet communication. As there exists some problem in current identity research,such as not supporting global single sign-on and the absence of identity reality,this paper defines a general identifier GID to describe the identity of a user or a endpoint device,and proposes a new Internet architecture based on GID,called IGIDA. This paper also proposes the authenticaion protocol and control mechanism of GID and gives some possible applications in future on IGIDA.

Ashok Anand,Fahad R. Dogar,Dongsu Han,Boyan Li,Hyeontaek Lim,Michel Machado,Wenfei Wu,Aditya Akella,David G. Andersen,John W. Byers,Srinivasan Seshan,Peter Steenkiste

DOI: https://doi.org/10.1145/2070562.2070564

2011-01-01

Abstract:ABSTRACTMotivated by limitations in today's host-based IP network architecture, recent studies have proposed clean-slate network architectures centered around alternative first-class principals, such as content, services, or users. However, much like the host-centric IP design, elevating one principal type above others hinders communication between other principals and inhibits the network's capability to evolve. Our work presents the eXpressive Internet Architecture (XIA), an architecture with native support for multiple principals and the ability to evolve its functionality to accommodate new, as yet unforeseen, principals over time. XIA also provides intrinsic security: communicating entities validate that their underlying intent was satisfied correctly without relying on external databases or configuration. In this paper, we focus on core architectural issues in the XIA data plane. We outline key design requirements relating to native support for multiple principals and intrinsic security. We then use case studies to demonstrate how the XIA design facilitates evolvability and flexibility.

Jiefang Liu,Bin Zhao,Ning Zhou

DOI: https://doi.org/10.3969/j.issn.1001-3695.2015.11.051

2015-01-01

Abstract:Information-centric networking(ICN)has been a novel hotspot in the field of future Internet architecture.Aiming at NRS is vulnerable to masquerading and content poisoning attacks in the NetInf,because of invalid data registration,this pa-per proposed a registration stage,which integrated authentication and authorization scheme and took place before the publica-tion and retrieval.The stage authenticated hosts before they accessed the NetInf system.In addition,the registration stage used the capability-based access policies to solve the problem of unauthorized access.It formally verified the proposed schemes by using formal methods.The results show the schemes improves the security of the NetInf framework.

Guangwu Hu,Wenlong Chen,Qi Li,Yong Jiang,Ke Xu

DOI: https://doi.org/10.1016/j.future.2016.09.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Despite the Internet has been rapidly developed in the past three decades, its intrinsic security mechanism, e.g., IP source address validation and user identification authentication, is still not well addressed. This results in numerous cyber security threats. In order to enhance the Internet accountability and deter potential cyber-attacks, in this paper, we propose TrueID, an IPv6 header extension scheme which can embed hash-based, creditable and undeniable user identity code inside IPv6 packets. We present the system architecture, header’s format and viable implementation approaches with different credibility granularities. Meanwhile, to verify packet credibility and integrity, we design an Autonomous System (AS) level public-key distribution system which can disseminate user’s public keys between allied ASes safely. Also, the prototype experiment has proved that our scheme possesses these features with desirable performance.