Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Junlei Qian,Changchun Hua,Xinping Guan,Tiefeng Xin,Limin Zhang

DOI: https://doi.org/10.1109/access.2019.2909011

IF: 3.9

2019-01-01

IEEE Access

Abstract:Supervisory control and data acquisition (SCADA) is a widely implemented structure to achieve remote measurement and control in many iron and steel plants. In traditional consideration, more attention on physical network separation methods is paid to isolate the SCADA system from management network to keep SCADA in a considered "safe" state. In addition, lots of security solution providers are focusing on the network side security assurance without involving the SCADA communication level protection. This paper investigates a new trusted-ID referenced key scheme for securing SCADA communications efficiently. The advanced encryption standard algorithm is used in the data transmission for its fast calculating speed, and the elliptic curve cryptography digital signature algorithm is used to confirm the data package that is from the right ID which can avoid the measured values and the control instructions to be maliciously modified by attacker. This solution for securing SCADA communication provides an efficient way to protect the data and protocol between the controllers and the remote terminal units (RTUs), and offers an authentication for the communication, which can avoid Man-In-The-Middle attack. Random numbers are used as a session key that can avoid the replay attack. cipher-block chaining mode message authentication code calculation is used to meet the data integrity requirement. Gong Needham Yahalom logic is used to prove the security of this solution, and an example is given to verify its validity.

SUN Chen,LIU Dong,LING Wanshui,LU Yiming

DOI: https://doi.org/10.13335/j.1000-3673.pst.2014.03.029

2014-01-01

Abstract:To ensure the communication security of remote terminal units in distribution automation system, based on the trusted computing theory and security chips technique a hierarchical 3 level authentication mechanism suitable to polytype distribution terminal equipments is proposed, and a secure process for security message transmission of data information from telemetering, telesignaling and remote control is designed, and a mathematical model, which can quantitatively reflect the confidence level of integrity and authenticity of terminal unit status, is put forward. Based on Matlab the interactive process of data information between distribution terminals and the master station is simulated, and utilizing 10 elliptic curves with different key lengths the time expenditure for crypto-operation as well as the securities of elliptic curve cryptography and the timestamp checking mechanism utilized by trusted mechanism are analyzed, and then the confidence level of authenticity of terminal equipments are calculated. Accordingly, those are validated that the proposed trusted mechanism possesses stronger confidentiality and higher accuracy against replay attacks.

Weiting Zhang,Hanyi Zhang,Liming Fang,Zhe Liu,Chunpeng Ge

DOI: https://doi.org/10.1109/jiot.2021.3091760

IF: 10.6

2022-02-01

IEEE Internet of Things Journal

Abstract:The supervisory control and data acquisition (SCADA) system is widely used in industrial control and the contemporary Industrial Internet of Things (IIoT). Unfortunately, due to its relatively weak design in terms of data security and access control, SCADA systems are becoming a favorite target for attackers. End-to-end encryption, such as SSL/TLS protocol, is used to protect the data transmission, but it cannot guarantee security in third-party cloud platforms. In this article, we propose a secure revocable fine-grained access control and data sharing scheme. This scheme not only ensures the confidentiality of the data but also enhances the access control of the SCADA system. Our scheme is based on three key observations. The common communication architecture of SCADA systems cannot protect data security itself. The security supports provided by industrial control protocols are limited. Moreover, the third-party cloud platforms are semitrusted. In addition, we have introduced digital signature technology to assure the integrity of the data in the SCADA system. We prove that our scheme is secure. This scheme has been experimentally evaluated to introduce negligible performance losses while improving data security in the SCADA system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yu-Sheng Yang,Shih-Hsiung Lee,Wei-Che Chen,Chu-Sing Yang,Yuen-Min Huang,Ting-Wei Hou

DOI: https://doi.org/10.3390/s21082685

IF: 3.9

2021-04-11

Sensors

Abstract:The vigorous development of the Industrial Internet of Things brings the advanced connection function of the new generation of industrial automation and control systems. The Supervisory Control and Data Acquisition (SCADA) network is converted into an open and highly interconnected network, where the equipment connections between industrial electronic devices are integrated with a SCADA system through a Modbus protocol. As SCADA and Modbus are easily used for control and monitoring, the interconnection and operational efficiency between systems are highly improved; however, such connectivity inevitably exposes the system to the open network environment. There are many network security threats and vulnerabilities in a SCADA network system. Especially in the era of the Industrial Internet of Things, any security vulnerability of an industrial system may cause serious property losses. Therefore, this paper proposes an encryption and verification mechanism based on the trusted token authentication service and Transport Layer Security (TLS) protocol to prevent attackers from physical attacks. Experimentally, this paper deployed and verified the system in an actual field of energy management system. According to the experimental results, the security defense architecture proposed in this paper can effectively improve security and is compatible with the actual field system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

YANG Yang,HUANG Xiaoqing,CAO Yijia,ZHANG Zhidan,HE Jie

2011-01-01

Abstract:As the security specifications for IEC 61850 P2P communication protocol(real-time communication),IEC 62351-6 recommends the adoption of authentication for ensuring the safety of data transmission.To meet the requirement for the data flow and data security objectives in IEC 61850 digital substations,a method of implementing identity authentication with extended safe message through SHA-1 and DES encryption is put forward.Through the security analysis,it can meet the confidentiality,integrity and validity of the message.Further,by taking the bus fault on the unified star and the ring network in the whole D2-1 substation as an example,the OPNET network simulation and calculation are applied to the process of authentication.It is proved that the substation communication program has both good security and real-time character.

Shan Gao,Junjie Chen,Bingsheng Zhang,Kui Ren,Xiaohua Ye,Yongsheng Shen

DOI: https://doi.org/10.23919/cje.2023.00.192

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:In modern industrial control systems (ICSs), when user retrieving the data stored in field device like smart sensor, there exists two main problems: one is lack of the verification for identification of user and field device; the other is that user and field device need exchange a key to encrypt sensitive data transmitted over the network. We propose a comprehensive authentication and key agreement framework that enables all connected devices in an ICS to mutually authenticate each other and establish a peer-to-peer session key. The framework combines two types of protocols for authentication and session key agreement: The first one is an asymmetric cryptographic key agreement protocol based on transport layer security handshake protocol used for Internet access, while the second one is a newly designed lightweight symmetric cryptographic key agreement protocol specifically for field devices. This proposed lightweight protocol imposes very light computational load and merely employs simple operations like one-way hash function and exclusive-or (XOR) operation. In comparison to other lightweight protocols, our protocol requires the field device to perform fewer computational operations during the authentication phase. The simulation results obtained using OpenSSL demonstrates that each authentication and key agreement process in the lightweight protocol requires only 0.005 ms. Our lightweight key agreement protocol satisfies several essential security features, including session key secrecy, identity anonymity, untraceability, integrity, forward secrecy, and mutual authentication. It is capable of resisting impersonation, man-in-the-middle, and replay attacks. We have employed the Gong-Needham-Yahalom (GNY) logic and automated validation of Internet security protocols and application tool to verify the security of our symmetric cryptographic key agreement protocol.

Yu-Sheng Yang,Shih-Hsiung Lee,Jie-Min Wang,Chu-Sing Yang,Yuen-Min Huang,Ting-Wei Hou

DOI: https://doi.org/10.3390/s23104970

IF: 3.9

2023-05-23

Sensors

Abstract:With the promotion of Industry 4.0, which emphasizes interconnected and intelligent devices, several factories have introduced numerous terminal Internet of Things (IoT) devices to collect relevant data or monitor the health status of equipment. The collected data are transmitted back to the backend server through network transmission by the terminal IoT devices. However, as devices communicate with each other over a network, the entire transmission environment faces significant security issues. When an attacker connects to a factory network, they can easily steal the transmitted data and tamper with them or send false data to the backend server, causing abnormal data in the entire environment. This study focuses on investigating how to ensure that data transmission in a factory environment originates from legitimate devices and that related confidential data are encrypted and packaged. This paper proposes an authentication mechanism between terminal IoT devices and backend servers based on elliptic curve cryptography and trusted tokens with packet encryption using the TLS protocol. Before communication between terminal IoT devices and backend servers can occur, the authentication mechanism proposed in this paper must first be implemented to confirm the identity of the devices and, thus, the problem of attackers imitating terminal IoT devices transmitting false data is resolved. The packets communicated between devices are also encrypted, preventing attackers from knowing their content even if they steal the packets. The authentication mechanism proposed in this paper ensures the source and correctness of the data. In terms of security analysis, the proposed mechanism in this paper effectively withstands replay attacks, eavesdropping attacks, man-in-the-middle attacks, and simulated attacks. Additionally, the mechanism supports mutual authentication and forward secrecy. In the experimental results, the proposed mechanism demonstrates approximately 73% improvement in efficiency through the lightweight characteristics of elliptic curve cryptography. Moreover, in the analysis of time complexity, the proposed mechanism exhibits significant effectiveness.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yue Lu,Xiuzhen Chen,Changsong Chen

DOI: https://doi.org/10.1109/ssic.2016.7571806

2016-01-01

Abstract:With rapid development of information technology, integration of industrialization and information is becoming closer and closer. SCADA (Supervisory Control and Data Acquisition) systems have been widely used in industrial control systems for promoting social productivity efficiently. In recent years, attacks against SCADA systems have caused serious damage and economic loss. Many robust cryptographic mechanisms have been introduced in SCADA systems in order to improve their defense ability of attacks. However, industry control systems have requirements of high availability, real-time and stability. Thus, designing a lightweight cryptographic mechanism is necessary for SCADA systems to have rapid emergency-response and fault-recovery in some critical situations. This paper puts forward an approach of security authentication for SCADA systems which achieves the two-way authentication and ensures the confidentiality of communication between master and slave stations. The proposed approach employs a bivariate symmetric polynomial to obtain the session key by letting master and slave stations' identity values participate in the polynomial calculation. And further the session key is extended to meet the length requirement of AES encryption key. The extended session key is further used to encrypt communication data transmitted in SCADA systems. The proposed lightweight security authentication method is effective in mutual authentication for master and slave stations and in secure communication, and also meet some special requirements of SCADA systems, including fast response in an emergency situation, real-time data communication, and high availability.

Yuan Tao,Wei Hu,Sheng Li

DOI: https://doi.org/10.1109/icaa53760.2021.00155

2021-01-01

Abstract:Industrial control system requires high availability. In principle, security measures should not adversely affect the basic functions of high availability industrial control system. The method of building a secure and trusted PLC are proposed based on trusted computing. Under the premise of ensuring business security, the security protection system of industrial control system is built through trusted computing, and hardware solutions are provided on the security master controller. In order to prevent the attack from the industrial control system network, the encryption technology is used to ensure the confidentiality and integrity of the communication session, which are between the field of control equipment layer and the process monitoring equipment layer, so as to make the industrial control system in a stable and reliable state.

Wenli Shang,Xudong Wen,Zhuo Chen,Wenze Xiong,Zhiwei Chang,Zhong Cao

DOI: https://doi.org/10.1631/fitee.2400497

IF: 2.526

2024-11-06

Frontiers of Information Technology & Electronic Engineering

Abstract:In edge control systems (ECSs), edge computing demands more local data processing power, while traditional industrial programmable logic controllers (PLCs) cannot meet this demand. Thus, edge intelligent controllers (EICs) have been developed, making their secure and reliable operation crucial. However, as EICs communicate sensitive information with resource-limited terminal devices (TDs), a low-cost, efficient authentication solution is urgently needed since it is challenging to implement traditional asymmetric cryptography on TDs. In this paper, we design a lightweight authentication scheme for ECSs using low-computational-cost hash functions and exclusive OR (XOR) operations; this scheme can achieve bidirectional anonymous authentication and key agreement between the EIC and TDs to protect the privacy of the devices. Through security analysis, we demonstrate that the authentication scheme can provide the necessary security features and resist major known attacks. Performance analysis and comparisons indicate that the proposed authentication scheme is effective and feasible for deployment in ECSs.

engineering, electrical & electronic,computer science, information systems, software engineering

Yu-Sheng Yang,Shih-Hsiung Lee,Wei-Che Chen,Chu-Sing Yang,Yuen-Min Huang,Ting-Wei Hou

DOI: https://doi.org/10.3390/app12010530

2022-01-05

Applied Sciences

Abstract:The advanced connection requirements of industrial automation and control systems have sparked a new revolution in the Industrial Internet of Things (IIoT), and the Supervisory Control and Data Acquisition (SCADA) network has evolved into an open and highly interconnected network. In addition, the equipment of industrial electronic devices has experienced complete systemic integration by connecting with the SCADA network, and due to the control and monitoring advantages of SCADA, the interconnectivity and working efficiency among systems have been tremendously improved. However, it is inevitable that the SCADA system cannot be separated from the public network, which indicates that there are concerns over cyber-attacks and cyber-threats, as well as information security breaches, in the SCADA network system. According to this context, this paper proposes a module based on the token authentication service to deter attackers from performing distributed denial-of-service (DDoS) attacks. Moreover, a simulated experiment has been conducted in an energy management system in the actual field, and the experimental results have suggested that the security defense architecture proposed by this paper can effectively improve security and is compatible with real field systems.

PI Jianyong,LIU Xinsong,LIAO Dongying,WU Ai

DOI: https://doi.org/10.3321/j.issn:1000-1026.2007.14.018

2007-01-01

Abstract:Based on an analysis of the current security scheme for public key infrastructure and certification authorities (PKI/CA) in the power dispatching data network and focusing on the contradiction between real time and security, a novel security scheme for identity authentication and key agreement is proposed. By improving the digital signature and key agreement algorithm based on discrete logarithm in a finite field, the identity authentication and key agreement are merged into one session, and the security scheme is made independent of the third party on-line certificate system. Meanwhile, the redundant functions of the current virtual private network (VPN) framework are cut down to replace the traditional PKI/CA system. The proposed security scheme for the power dispatching data network guarantees both security and real time.

Qiwei Lu,Wenchao Huang,Xudong Gong,Xingfu Wang,Yan Xiong,Fuyou Miao

DOI: https://doi.org/10.48550/arXiv.1307.2977

2013-07-11

Abstract:With the rapid development of MANET, secure and practical authentication is becoming increasingly important. The existing works perform the research from two aspects, i.e., (a)secure key division and distributed storage, (b)secure distributed authentication. But there still exist several unsolved problems. Specifically, it may suffer from cheating problems and fault authentication attack, which can result in authentication failure and DoS attack towards authentication service. Besides, most existing schemes are not with satisfactory efficiency due to exponential arithmetic based on Shamir's scheme. In this paper, we explore the property of verifiable secret sharing(VSS) schemes with Chinese Remainder Theorem (CRT), then propose a secret key distributed storage scheme based on CRT-VSS and trusted computing for MANET. Specifically, we utilize trusted computing technology to solve two existing cheating problems in secret sharing area before. After that, we do the analysis of homomorphism property with CRT-VSS and design the corresponding shares-product sharing scheme with better concision. On such basis, a secure distributed Elliptic Curve-Digital Signature Standard signature (ECC-DSS) authentication scheme based on CRT-VSS scheme and trusted computing is proposed. Furthermore, as an important property of authentication scheme, we discuss the refreshing property of CRT-VSS and do thorough comparisons with Shamir's scheme. Finally, we provide formal guarantees towards our schemes proposed in this paper.

Cryptography and Security

Xinchao Wang,Wei Wang,Cheng Huang,Ping Cao,Youwen Zhu,Qihui Wu

DOI: https://doi.org/10.1109/jsyst.2023.3345370

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:Identity authentication is an essential element for industrial Internet of Things (IIoT), which guarantees secure access control for various devices. Existing authentication schemes face some security threats, including temporary secret leakage attack, key recovery attack, and forgery attack. In this article, we introduce a blockchain-based certificateless conditional anonymous authentication (BCCA) scheme specifically designed for IIoT. To optimize the authentication efficiency, BCCA employs elliptic curve design to avoid the relatively time-consuming bilinear pairing operation. Additionally, we introduce a precomputation strategy, allowing users to prepare essential materials in advance, and one-time verification support for batch signatures is applied, thus reducing authentication latency. To further enhance the security, random verification checksums are employed to counter key recovery attack, and a combination of long-term and short-term secrets is used to mitigate temporary secret leakage attack. Simulation results demonstrate that our scheme has advantages in both security and computational cost.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Jingnan Dong,Guangxia Xu,Chuang Ma,Jun Liu,Uchani Gutierrez Omar Cliff

DOI: https://doi.org/10.1109/jiot.2023.3296506

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In Industrial Internet, mutual authentication between enterprises is a prerequisite for establishing reliable upstream and downstream relationships. Existing authentication methods suffer from complicated certificate management and key escrow problems. Moreover, many authentication mechanisms cannot resist common security attacks and have high computational overhead and communication costs. Therefore, this paper proposes a blockchain-based certificate-free cross-domain authentication mechanism for Industrial Internet. By establishing an Ethereum consortium blockchain as the trusted cornerstone among different regions, industrial enterprises in each region generate the user’s private key with the key generation center in the region, thus avoiding the key escrow problem. This consortium blockchain adopts the proof of authority consensus mechanism for scalability and throughput. Industrial enterprises in different regions invoke smart contracts and query other industrial enterprises for mutual authentication and key negotiation. SVO logic proves the proposed scheme achieves the intended authentication goal, and the automated formal verification tool Scyther proves the scheme’s security. In addition, compared with seven related schemes in the last three years, the experimental results show that the proposed scheme has low communication overhead and computational cost in the authentication key negotiation phase. The experiments on the Ethereum consortium blockchain built by Raspberry Pi prove the effectiveness of the proposed scheme. Finally, the comparative analysis of common security properties proves the reliability of the scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

ZHANG Chunrui,XU Ke,HAO Xiangdong,LIU Yuan

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.10.035

2009-01-01

Abstract:Many applications of engineering simulation need to control remote logins to linux systems and control them. However, almost all such applications use a username-password method for the identity authentication which is net very secure since the password can be easily guessed. This paper presents a digital certificate method for identity authentication in the SSH protocol to improve login security. A remote linux login system was developed to provide single sign-on. The results show that the certificate system for remote linux logins improves application security and workability.

Yu Qin,Yingjun Zhang,Wei Feng

DOI: https://doi.org/10.1007/978-3-319-69471-9_37

2017-01-01

Abstract:The new attack technologies have caused great security threats to industry control system, especially APT attacks such as Stuxnet, BlackEnergy, WannaCrypt. Traditional protection methods fail to defend the hackers attacks on the cyber and physical components of ICS. This paper propose an ICS terminal defense solution in establishing the trustworthiness of with trusted execution environment. The check attestation method is employed to optimize ICS software attestation, and the whitelist mechanism is used to enforce the process execution in terminal. We design and implement a trusted terminal defense system in industry control network. The test results shows that the performance of hardware security module and process enforcement meets the real-time requirements. abstract environment.