Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Qi-kun ZHANG,Shu-ru LIU,Yong GAN,Yuan-zhang LI

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.07.017

2015-01-01

Abstract:An identity‐based cross‐domain authentication protocol is given out ,which is among domains in large‐scale distributed collaborative computing network .It adopts bilinear mapping and short signature technology to achieve mutual authentication between entities in different domains , and can overcome the complexity of certificate transmission and bottlenecks in the scheme of PKI‐based .The analogue and analysis show that this scheme has anonymity ,security and can support mutual anonymous authentication ,and it is applied to the security alliance authentication mechanism in large distributed network .

WAN Ming,ZHOU Hua-chun,LIU Ying,ZHANG Hong-ke

DOI: https://doi.org/10.3969/j.issn.1001-8360.2012.08.012

2012-01-01

Abstract:Aiming at assuring the authenticity and creditability of the terminals in the universal network,this paper proposes a new access authentication scheme based on the for the universal network.By combining the characteristics of the universal network architecture with the advantages of the existing digital certificate,the scheme uses the challenge-response approach to achieve the double-way authentication between the terminals and access network.In addition,the scheme introduces the identity label to bind the user's digital certificate and Access Identifier(AID) of the terminal,and accomplishes the real relation between the user's and the terminal.At the same time,by implementing the sustainable authentication for the terminals,the scheme successfully guarantees the authenticity of the sources in the universal network and effectively promotes the control-ability and manageability of the universal network.Finally,this paper presents a qualitative analysis for the security and the performance of this scheme,and gives a timing analysis for the sustainable authentication of the label.

Ming Wan,Ying Liu,Hongke Zhang

DOI: https://doi.org/10.5815/ijitcs.2010.02.08

2010-01-01

International Journal of Information Technology and Computer Science

Abstract:It has been commonly recognized that the current Internet faces serious security and scaling problems. To address these problems, the architecture of ID/locator separation is the focus of future Internet development. However, the relevant authentication mechanism has not been proposed under this architecture. In this paper, we advance a new authentication mechanism called AuMID under ID/locator separation architecture, and describe the detailed procedures of access authentication and handoff authentication, and simultaneously give the deployment of authentication centers. Besides, AuMID uniquely introduces the Identity Tag which represents the terminal’s identity information to implement the sustainable authentication for the terminal. This mechanism adopts the challenge-response approach and achieves the double-way authentication between the terminal and access network. At the same time, by the use of Identify Tag AuMID successfully guarantees the authenticity of the source under ID/locator separation architecture. In conclusion, this paper gives a qualitative analysis for the scalability and security of this AuMID and an evaluation of handoff authentication delay.

Yong Xu,Yejuan Cheng,Chang Xiao

DOI: https://doi.org/10.14257/ijsia.2015.9.1.26

2015-01-01

International Journal of Security and Its Applications

Abstract:To resolve security issues and management issues of different Certificate Authorities (CAs), this paper proposed a unified authentication scheme, which will make different Certificate Authorities (CAs) be uniformly authenticated. In addition, it showed the whole structure of the scheme, added an extensional registration number to certificates and designed unified authentication process for the scheme. The unified authentication process was modelled and simulated by Coloured Petri Net (CPN) Tools and verified by analyzing the state space of CPN model. In conclusion, this paper provides a unified authentication service and confirms that the proposed scheme is totally controllable, realizable and feasible. The suggested scheme can enhance the efficiency and security of authentication systems and achieve good results in practical applications.

Li Ning,Wang Qing,Lin Wenliang,Deng Zhongliang

DOI: https://doi.org/10.1109/itap.2011.6006367

2011-01-01

Abstract:In the recent years, with the gradually deep researches of the Internet of Things (IOT), the DNS based on identity and IP (IIEDNS) also attracts people's attention. The major task of this paper is to solve the problems of security-authentication. Since the traditional identity-authentication technologies couldn't satisfy the needs to the identity and IP authentication of the IIEDNS, we propose an authentication framework based on directory A, access protocol technology for IIEDNS. We pay enough attention to granting visitor's IP the same authentication right as the server. In this paper, the simulation of designed authentication process under the NS2 simulation environment has been completed, which verifies the correctness and the multi-user availability of authentication framework based on IIEDNS and meets the requirements for the authentication framework of IIEDNS.

Ning Li,Qing Wang,Zhongliang Deng

DOI: https://doi.org/10.1109/icbnmt.2010.5705179

2010-01-01

Abstract:With the development of computer network, its security problem has been urgent at present. Authentication is an important part in the network security. It can prevent illegal user from accessing network. Traditional authentication method is password. But it cannot resist dictionary and playback attack. This paper would design an authentication framework which is effective and security by using LDAP and Kerberos. The problems of existing network are distributed resources, independent certification of each system, a serious duplication of user information, etc. By analyzing existing networks problems, users' needs, and the current internet technology, we describe an authentication framework of IIEDNS based on LDAP & Kerberos to meet the requirement of IOT. It solved the issues of information efficiency and security of information sharing. This framework provides an effective and secure scheme for the authentication on IIEDNS.

YU Hua,CAI Hai-bin,LIU Liang-xu

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.10.048

2006-01-01

Abstract:The Internet/Intranet emergence provided for the business enterprise a fast,efficient,convenient network environment so as to realize informatization,and one of the key security problems of network information system is user authentication.Based on analysis the security problems of existed user authentication system,the model of user authentication system based on PKI and LDAP technology is discussed,and a new reliable efficientscheme is proposed.theprocess ofauthentication and storageof digital certificate.The scheme is realized in an enterprise network and has a good effect.The system will have wide application.

Jianfeng Guan,Jinsuo Jia,Mengxin Liu

DOI: https://doi.org/10.56801/rebicte.v4i.66

2018-01-01

Abstract:The current Internet is an open global interconnected system and lacks of the systematic securitydesign. Most security issues of current Internet are due to the drawbacks of the original design oftraditional Internet. Besides, some optional security mechanisms are independent without enough cooperativemechanism. Therefore, it facilitates the network attacks and brings various security threatsto network services. In this paper we design a security management mechanism and several relevantevaluation methods under Universal Identifier Network (UIN) architecture, aiming to provide a finergranularity, adaptive network security management system, which consists of the following features:(1) supporting multi-dimensional properties description by introducing the detailed user and serviceclassification; (2) supporting the label-based policy-driven management mechanism in perspective ofuser and service to provide the fine granularity access control; (3) providing the multi-dimensionalevaluation metrics. The proposed label-based security management and evaluation methods will providegreat benefits for the future network security.

Peidai Liu,Shuai Gao,Xindi Hou,Ningchun Liu

DOI: https://doi.org/10.1109/ICCCS57501.2023.10150666

2023-01-01

Abstract:In recent years, with the development of mobile Internet, cloud computing, and other technologies, the traditional Internet architecture has been challenging to meet the needs of future network development. As a revolutionary network architecture, SINET provides security and mobility for the network through the identification mapping separation technology. At the same time, the development of programmable data plane technology provides conditions for the large-scale deployment of SINET. In this paper, we proposed an Attribute-based access control(ABAC) mechanism based on multidimensional attributes of users and services in the PDP-based SINET. We designed the workflow of property registration and access requests of the network. We built a network prototype system and verified the function of the access control mechanism. The results show that the access control mechanism proposed in this paper can meet the network's fine-grained security management and control requirements and ensure the secure access of users and services in the network.

Hongwei Meng,Zhong Chen,Jian-bin Hu,Zhi Guan

DOI: https://doi.org/10.1145/2935663.2935676

2016-01-01

Abstract:In order to enable intrinsic security without the Public Key Infrastructure (PKI) deployment, flat self-certifying addresses have been involved into the future Internet architecture (FIA) designs. In contrast to deriving a self-certifying address from hashing of a correspondent prepared public key, we build up this self-certifying relationship along the reverse path using Combined Public Key (CPK). Our design develop the chain of trust embedded in the Internet name/address registration and allocation process for domains, hosts, services and content, to establish intrinsic bindings between three different identities: user-level human-readable names, network-level routable flat identifiers and the correspondent public keys. This binding connects the accountability between real-world space and network space. The use cases of our design are also given in named data networking (NDN) and identity/locator splitting network architecture, i.e. XIA and MobilityFirst. The analysis also shows that identity authentication based on CPK is capable of resource-constrained nodes in large-scale networks without scalability tradeoffs.

Yunmin Wang,Abla Smahi,Huayu Zhang,Hui Li

DOI: https://doi.org/10.3390/s22030747

IF: 3.9

2022-01-19

Sensors

Abstract:Recently, more and more mobile devices have been connected to the Internet. The Internet environment is complicated, and network security incidents emerge endlessly. Traditional blocking and killing passive defense measures cannot fundamentally meet the network security requirements. Inspired by the heuristic establishment of multiple lines of defense in immunology, we designed and prototyped a Double Defense strategy with Endogenous Safety and Security (DDESS) based on multi-identifier network (MIN) architecture. DDESS adopts the idea of a zero-trust network, with identity authentication as the core for access control, which solves security problems of traditional IP networks. In addition, DDESS achieves individual static security defense through encryption and decryption, consortium blockchain, trusted computing whitelist, and remote attestation strategies. At the same time, with the dynamic collection of data traffic and access logs, as well as the understanding and prediction of the situation, DDESS can realize the situation awareness of network security and the cultivation of immune vaccines against unknown network attacks, thus achieving the active herd defense of network security.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

DONG Ying-di,PENG Jin-ye,ZHANG Xiao-bo,ZHANG Zhen-long

DOI: https://doi.org/10.11959/j.issn.1000-436x.2016041

2016-01-01

Abstract:Utilized to security properties of measurement-device-independent quantum key distribution (MDI-QKD)protocol, quantum identity authentication scheme based on MDI (QIA-MDI)protocol was presented. In this protocol, authentication center (AC)and authentication user have encrypted authentication information and next authenticated key by shared key, and then they transmitted the encrypted information to untrusted third party for Bell-state measurement (BSM). The secret authentication information was obtained through the BSM result, which can verify the communicator identity and update shared key. The security performance of the proposed scheme is extensively analyzed and accordingly con?rmed in the case of attacks.

Pinyi Ren

2009-01-01

Abstract:In engineering and emulate environment,administrators often need to unify accounts management and identity authentication within different domain and system.They also need to increase security and reliability of identity authentication.A new method is presented,which uses digital certificate as the way of authentication.Unified identity authentication is designed and implemented in multidomain and multi-system.Application result indicates that using same certificate stored in USBkey users can access resource by local or remote logon which belong to different domain and system.Accordingly not only administrators can uniformly manage all the accounts with several domains but also it improves application security and workability.

Yu Wang,Wenfang Zhang,Xiaomin Wang,Muhammad Khurram Khan,Pingzhi Fan

DOI: https://doi.org/10.1109/tits.2023.3307453

IF: 8.5

2023-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Software Defined Network (SDN)-based space-ground integrated railway communication networks have attracted widespread attention from academia and industry. In such environments, the security of initial authentication and handover authentication for moving trains are two important challenges that need to be addressed. In this paper, a secure and efficient authentication key agreement scheme is proposed for the SDN-based space-ground integrated railway networks. Specifically, a lightweight mutual authentication mechanism based on the Number Theory Research Unit (NTRU) is proposed for the initial authentication process, which effectively prevents the unauthorized On-Board Unit (OBU) accessing networks. Then, according to the predictable path, we propose a key generation algorithm based on the hash chain and a fast key distribution mechanism based on the Chinese Remainder Theorem (CRT), which greatly reduce the calculation and communication burden of the key transmission process. On this basis, we adopt a hash-based message authentication code to achieve unified handover authentication in heterogeneous integrated railway networks. The Burrows-Abadi-Needham (BAN) logic proof and informal security analysis demonstrate that the proposed scheme can provide several robust security properties, including forward/backward security, universality, traceability, and resistance against quantum attacks. The performance evaluations show that our scheme outperforms other related schemes in computation cost, communication overhead, and performance under unknown attacks while guaranteeing higher security.

engineering, electrical & electronic,transportation science & technology, civil

Zhong CHEN,Hongwei MENG,Zhi GUAN

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.004

2016-01-01

Abstract:The characteristics of intrinsic security in the future Internet architecture have been used to conquer the secu-rity problems of current Internet. Self-certifying addresses are introduced in future Internet architecture (FIA) to enable the intrinsic security properties. However, without PKI, these approaches in FIA miss the intrinsic binding between user-level descriptor, network-level identifier and correspondent public key. To this end, a naming scheme of Self-Certifying Identi-fier in FIA based on Combined Public Key (CPK), named as SCI-CPK, is proposed in this paper. The use cases of identity authentication based on SCI-CPK in FIA designs are also given, including XIA, MobilityFirst and NDN. The analysis shows that the proposed method is benefit of ubiquitous access and vast mobility scenario in the future Internet.

Zhou Zhou,Huang Yongfeng,Li Xing

DOI: https://doi.org/10.3321/j.issn:1001-0505.2007.z1.022

2007-01-01

Abstract:A novel authentication framework,which is named central identity-code assignment and distributed authentication(CIADA),is proposed in order to meet the demands of the secure authentication for nodes in the peer-to-peer(P2P) network.The "trusted third party"(TTP) trust model is improved,and the secure dynamic accumulator is utilized to carry out the authentication protocol.The authentication among nodes is implemented efficiently.The dynamic entering or leaving of nodes is supported,and the authentication among domains and the combination of domains are allowed.CIADA takes full account of the characters of P2P network such as self-organization,dynamic and scalability.It is in the same secure intension as public key infrastructure(PKI) but without the defects in keys' issue and revoking and the authentication among domains of other existed distributed authentication protocols.So CIADA is more suitable for the secure authentication of nodes in the P2P network.

TANG Jianqiang,LIU Ying,WAN Ming,ZHANG Hongke

DOI: https://doi.org/10.3969/j.issn.1673-0291.2012.02.009

2012-01-01

Abstract:Universal identifier-based network is proposed to solve the traditional network IP address ambiguity problems, which has location/identifier separation architecture. In this paper, we propose a user identity authentication protocol (UIAP) and design an access identifier with the digital certificate. This access identifier uniquely identifies a terminal in the universal identifier-based network, and implements the binding of the user identity with the terminal. The UIAP protocol uses Diffie-Hellman key exchange approach to achieve user identity bidirectional authentication, and it applies the puzzle mechanism and the stateless authentication to protect a receiver from DoS attack. The analysis of the security of the protocol proves that the method satisfies the session key security requirements defined in the C-K model.