Kexian Liu,Jianfeng Guan,Xiaolong Hu,Jing Zhang,Jianli Liu,Hongke Zhang

2024-11-14

Abstract:To meet the diverse needs of users, the rapid advancement of cloud-edge-device collaboration has become a standard practice. However, this complex environment, particularly in untrusted (non-collaborative) scenarios, presents numerous security challenges. Authentication acts as the first line of defense and is fundamental to addressing these issues. Although many authentication and key agreement schemes exist, they often face limitations, such as being tailored to overly specific scenarios where devices authenticate solely with either the edge or the cloud, or being unsuitable for resource-constrained devices. To address these challenges, we propose an adaptive and efficient authentication and key agreement scheme (AEAKA) for Cloud-Edge-Device IoT environments. This scheme is highly adaptive and scalable, capable of automatically and dynamically initiating different authentication methods based on device requirements. Additionally, it employs an edge-assisted authentication approach to reduce the load on third-party trust authorities. Furthermore, we introduce a hash-based algorithm for the authentication protocol, ensuring a lightweight method suitable for a wide range of resource-constrained devices while maintaining security. AEAKA ensures that entities use associated authentication credentials, enhancing the privacy of the authentication process. Security proofs and performance analyses demonstrate that AEAKA outperforms other methods in terms of security and authentication efficiency.

Cryptography and Security

Naixin Kang,Zhenhu Ning,Shiqiang Zhang,Sadaqat ur Rehman,Waqas

DOI: https://doi.org/10.32604/cmc.2023.029711

2023-01-01

Abstract:With the development of sensor technology and wireless communication technology, edge computing has a wider range of applications. The privacy protection of edge computing is of great significance. In the edge computing system, in order to ensure the credibility of the source of terminal data, mobile edge computing (MEC) needs to verify the signature of the terminal node on the data. During the signature process, the computing power of edge devices such as wireless terminals can easily become the bottleneck of system performance. Therefore, it is very necessary to improve efficiency through computational offloading. Therefore, this paper proposes an identity-based edge computing anonymous authentication protocol. The protocol realizes mutual authentication and obtains a shared key by encrypting the mutual information. The encryption algorithm is implemented through a thresholded identity-based proxy ring signature. When a large number of terminals offload computing, MEC can set the priority of offloading tasks according to the user’s identity and permissions, thereby improving offloading efficiency. Security analysis shows that the scheme can guarantee the anonymity and unforgeability of signatures. The probability of a malicious node forging a signature is equivalent to cracking the discrete logarithm puzzle. According to the efficiency analysis, in the case of MEC offloading, the computational complexity is significantly reduced, the computing power of edge devices is liberated, and the signature efficiency is improved.

computer science, information systems,materials science, multidisciplinary

Zhang Yukun,Wei Wenxue

DOI: https://doi.org/10.1007/s12083-022-01333-4

2022-05-28

Abstract:Mobile Edge Computing (MEC), which is a product of 5G technology development, is actually a kind of edge computing form. It takes the base station as the edge server and sinks the cloud computing services to the network edge. To better protect the users and the base stations, a lightweight authentication and key agreement scheme, which is applicable to the MEC field, is proposed in this paper. It achieves secure and efficient key agreement under the premise that the users and the edge servers are completely anonymous and untraceable. For this scheme, instead of the complicated elliptic curve computation and the bilinear pairing computation, it flexibly adopts a number of temporarily generated symmetric keys to realize the identity authentication of the three parties while guaranteeing both the security and efficiency. Compared with other schemes, it is featured in low performance requirements and can better adapt to MEC environment.

computer science, information systems,telecommunications

Guangye Sui,Yunlei Zhao

DOI: https://doi.org/10.1109/cns.2018.8433130

2018-01-01

Abstract:KEA, OPACITY, MQV and HMQV protocols are important implicitly authenticated Diffe-Hellman key-exchange (IADHKE) protocols. By combining the advantages and saving the disadvantages of previous IA-DHKE protocols, OAKE shows promising future. It has been proved that OAKE is secure within Canetti-Krawczyk framework under Gap-CDH assumption. In this work, we present our modified protocol MOAKE and show that MOAKE preserves many advantages of OAKE. We also prove that our new protocol is secure in extended Canetti-Krawczyk framework under Gap-CDH assumption.

Yi Chen,Ai-dong Xu,Hong Wen,Yi-xin Jiang,Teng-yue Zhang

DOI: https://doi.org/10.12783/dteees/icepe2019/28912

2019-01-01

Abstract:Because of heavy cost, using of the traditional Public Key Infrastructure (PKI) authentication schemes is limited for the energy-constrained intelligent devices such as the power edge computing system, in which lightweight secure authentication schemes are urgent needed. In this paper, we propose a lightweight mutual authentication scheme supported by the edge computing, which is a novel cross-layer secure authentication program with asymmetric resources. The novel scheme combines lightweight symmetric cipher and physical-layer Channel State Information (CSI) to provide two-way authentication between terminals and edge devices. Experimental results show that the proposed scheme can significantly reduce the access authentication latency compared with the traditional PKI authentication scheme.

Shaimaa R. Alkaabi,Mark A. Gregory,Shuo Li

DOI: https://doi.org/10.1109/access.2024.3349587

IF: 3.9

2024-01-01

IEEE Access

Abstract:The deployment and operation of Multi-Access Edge Computing (MEC) at the network edge provides low latency computing and storage services for end user devices. Support for device mobility is a functional requirement for MEC and a handover strategy that supports the movement of device and application state between MEC nodes is an underlying technology. The handover strategy utilizes an MEC node selection technique and a handover technique to provide a smooth transition between one MEC node to another. Research into MEC handover strategies has focused on algorithms, queuing, and other considerations. The migration of the MEC device and application state is a complex process that requires resource allocation in the destination MEC node that could involve provisioning application instances and, in some scenarios, support for containers or Virtual Machines to be received from the originating MEC node. This paper reviews MEC handover strategies and provides a description of the MEC reference architecture and proposed handover algorithms and techniques found in the literature. MEC handover challenges and gaps in the body of knowledge are discussed to provide guidance for future work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hasen Nicanfar,Victor C. M. Leung

DOI: https://doi.org/10.1109/tsg.2012.2226252

IF: 10.275

2013-03-01

IEEE Transactions on Smart Grid

Abstract:This paper aims at providing a key agreement protocol for smart grid to cope with access control of appliances/devices located inside a Home Area Network (HAN) by a set of controllers outside the HAN. The commands/packets initiated by the controllers in crisis cases should be delivered fast and immune from any interruption. The HAN controller, which acts as a gateway, should not cause any delay by decrypting and re-encrypting the packets, nor should it has any chance to modify them. Considering the required level of security and quality of service, we design our protocol with an Elliptic Curve Cryptography (ECC) approach. We improve and implement the Password Authenticated Key Exchange (PAKE) protocol in two steps. First, we propose an auxiliary mechanism that is an ECC version of PAKE, and then extend it to a multilayer consensus model. We reduce the number of hash functions to one, and utilize a primitive password shared between an appliance and HAN controller to construct four valid individual consensus and authenticated symmetric keys between the appliance and upstream controllers by exchanging only 12 packets. Security analysis presents that our protocol is resilient to various attacks. Furthermore, performance analysis shows that the delay caused by the security process is reduced by more than one half.

engineering, electrical & electronic

Christopher Battarbee,Christoph Striecks,Ludovic Perret,Sebastian Ramacher,Kevin Verhaeghe

2024-11-07

Abstract:Authenticated Key Exchange (AKE) between any two entities is one of the most important security protocols available for securing our digital networks and infrastructures. In PQCrypto 2023, Bruckner, Ramacher and Striecks proposed a novel hybrid AKE (HAKE) protocol, dubbed Muckle+, that is particularly useful in large quantum-safe networks consisting of a large number of nodes. Their protocol is hybrid in the sense that it allows key material from conventional and post-quantum primitives, as well as from quantum key distribution, to be incorporated into a single end-to-end shared key. To achieve the desired authentication properties, Muckle+ utilizes post-quantum digital signatures. However, available instantiations of such signatures schemes are not yet efficient enough compared to their post-quantum key-encapsulation mechanism (KEM) counterparts, particularly in large networks with potentially several connections in a short period of time. To mitigate this gap, we propose Muckle# that pushes the efficiency boundaries of currently known HAKE constructions. Muckle# uses post-quantum key-encapsulating mechanisms for implicit authentication inspired by recent works done in the area of Transport Layer Security (TLS) protocols, particularly, in KEMTLS (CCS'20). We port those ideas to the HAKE framework and develop novel proof techniques on the way. Due to our novel KEM-based approach, the resulting protocol has a slightly different message flow compared to prior work that we carefully align with the HAKE framework and which makes our changes to the Muckle+ non-trivial.

Cryptography and Security,Quantum Physics

Seyedsina Nabavirazavi,S. Sitharama Iyengar

DOI: https://doi.org/10.48550/arXiv.2210.16367

2022-10-29

Abstract:The rapid development of IoT networks has led to a research trend in designing effective security features for them. Due to the power-constrained nature of IoT devices, the security features should remain as lightweight as possible. Currently, most of the IoT network traffic is unencrypted. The leakage of smart devices' unencrypted data can come with the significant cost of a privacy breach. To have a secure channel with encrypted traffic, two endpoints in a network have to authenticate each other and calculate a short-term key. They can then communicate through an authenticated and secure channel. This process is referred to as authenticated key exchange (AKE). Although Datagram Transport Layer Security (DTLS) offers an AKE protocol for IoT networks, research has proposed more efficient and case-specific alternatives. This paper presents LAKEE, a straightforward, lightweight AKE protocol for IoT networks. Our protocol employs elliptic curve cryptography for generating a short-term session key. It reduces the communication and computational overhead of its alternatives while maintaining or improving their security strength. The simplicity and low overhead of our protocol make it a fit for a network of constrained devices.

Cryptography and Security

Yingjie Xia,Li Kuang,Kuang Mao

DOI: https://doi.org/10.1007/978-3-642-22418-8_9

2011-01-01

Abstract:This paper proposes an efficient and secure inner network access approach which is based on a heterogeneous Diffie-Hellman key exchange protocol in an unsecured network. The inner and outer network structure is commonly applied in various areas, such as different departments of government, enterprises. As the wireless communication network boosts up, the users in outer network try to use PDA, smart phone to access the inner network to acquire necessary information. Due to the limitation of the storage and computational capability of these mobile terminals, traditional secure inner network access approach which uses special cable to do the access is not suitable for this case. Therefore, we design a heterogeneous key exchange protocol for the mobile terminal in outer network and application server in inner network to negotiate the communication shared key. The gateway between inner and outer network can be protected from the third party attack by the trusted computing. The experimental results show that the heterogeneous key exchange protocol is efficient and secure for inner network access.

Xiaotong Zhou,Debiao He,Jianting Ning,Min Luo,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2022.3220030

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Edge computing is an emerging distributed computing concept that allows edge servers to provide authorized consumers with various on-demand services. Due to highly dynamic and untrustworthy network environments, various potential security concerns (e.g., unauthorized access, data manipulation, and privacy leakage) have been the critical factors restricting the development of edge computing. A recent heterogeneous framework proposed by Dougherty et al. (CCS’21), named APECS, deploys token-based authorization and multiple attribute-based encryption (MABE) to guarantee access control and data confidentiality. While APECS achieves a secure asynchronous access control without the “always-on” cloud, it suffers from privacy leakage (caused by the public identity information) and fake data spreading issues (due to the data confidentiality). In this paper, we propose an Anonymous and Auditable Distributed Access Control Framework for Edge Computing (AADEC) to relieve these issues. AADEC is based on two building blocks that we designed, namely a conditional anonymous authentication and an auditable MABE with optimized performance. We also define the formal security models and present security proofs for our proposal. The final qualitative comparison and performance benchmark demonstrate that AADEC can achieve a trade-off among anonymity, confidentiality, auditability and efficiency.

Jianjie Zhao,Dawu Gu

DOI: https://doi.org/10.1016/j.jss.2010.07.010

2010-01-01

Abstract:Constructing a secure key exchange protocol is one of the most challenging problems in information security. We propose a provably secure two-round two-party authenticated key exchange (2AKE) protocol based on the well-studied CDH assumption in eCK model to provide the strongest definition of security for key exchange protocol when using the matching session to define the partnership. The underlying hardness assumption (CDH assumption) of our protocol is weaker than these of four other provably secure 2AKE protocols in CK model or eCK model and the computational cost of our protocol is reasonable. We also present a three-round variant of our protocol to realize key conformation.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11227-021-03836-y

IF: 3.3

2021-01-01

The Journal of Supercomputing

Abstract:Wireless sensor networks (WSNs) are the key technological building block of Internet of Things (IoT), by which remote users can access the real-time data from the sensor nodes. Due to the openness and mobility of such network, it is essential to establish secure links for end-to-end communication with proper authentication. Although amount of research works in this area have been made, so far designing a secure and efficient authenticated key exchange (AKE) protocol for this setting is still an open topic. So, the authors in this paper design a two-factor AKE protocol using elliptic curve cryptography (ECC) for WSNs in the context of IoT, allowing the end users and sensor nodes to exchange information directly after a secure link is established with the help of the corresponding gateway node. The heuristic security analysis has shown that the new protocol can provide various expected security attributes and resist various known attacks. Moreover, the performance study states that the new protocol is efficient enough and has certain efficiency advantages in the aspects of computation and communication costs compared with the same type of ECC-based AKE protocols for IoT applications.

An-Li Peng,Yuh-Min Tseng,Sen-Shan Huang

DOI: https://doi.org/10.1109/jsyst.2020.3038216

IF: 4.802

2021-12-01

IEEE Systems Journal

Abstract:Authenticated key exchange (AKE) protocol for client–server environments is a significant cryptographic primitive that provides communication confidentiality and mutual authentication between clients and servers. In an Internet of Things (IoT) environment, clients typically employ IoT devices with limited computing capability to interact with servers through the Internet. Numerous AKE protocols suitable for IoT devices, called AKE-IoT protocols, have been proposed. Recently, side-channel attacks have been conducted to defeat traditional cryptographic protocols because a side-channel adversary can retrieve partial content of long-term or short-term secret keys. Several leakage-resilient AKE (LRAKE) protocols were presented to counteract such attacks. Unfortunately, the existing LRAKE protocols are not suitable for IoT devices because expensive pairing operations are required for client sides. In this article, we propose the first efficient LRAKE protocol suitable for IoT devices, named LRAKE-IoT. By the unbalanced computation method, no pairing operation is required for client sides in our protocol. In the generic bilinear pairing group model, security analysis is conducted to demonstrate the security of the proposed protocol in the continuous-leakage-resilient extended-Canetti–Krawczyk model. Finally, computational experiences on two IoT devices are given to show that the proposed protocol is well-suited for IoT devices.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

YANG Jinxiang,PENG Yonggang,CAI Tiantian,XI Wei,DENG Qingtang

DOI: https://doi.org/10.11930/j.issn.1004-9649.202204082

2023-01-01

Abstract:Edge computing effectively relieves the computing pressure of cloud platform and reduces the consumption of network transmission bandwidth, but it brings new security problems as well, the traditional authentication mechanism no longer applies to“cloud-edge-end” network architecture. We proposed a lightweight two-way authentication protocol based on cloud-edge collaboration. In view of the limited resources of massive power terminal, the protocol is only based on a Hash and XOR operation to achieve certification, so it reduces the pressure of terminal calculation and transmission bandwidth. Its security was successfully verified by AVISPA tool together with informal analysis. The analysis and simulation results show that the protocol can resist replay attack, impersonation attack and so on. In addition, the comparison with similar protocols shows that the protocol has less computation and communication overhead.

Ou Ruan,Yuanyuan Zhang,Mingwu Zhang,Jing Zhou,Lein Harn

DOI: https://doi.org/10.1109/jsyst.2017.2685524

IF: 4.802

2018-01-01

IEEE Systems Journal

Abstract:Authenticated key exchange (AKE) scheme is one of the most widely used cryptographic primitives in practice, even in the Internet-of-Things (IoT) environments. In order to resist side-channel attacks, several works have been proposed for defining leakage-resilient (LR) security models and constructing LR-AKE protocols. However, all these LR-AKE schemes employed the traditional X.509 certificate-based public-key infrastructure authentication framework, where the online transmission and verification of the public-key certificate are the major drawbacks. In this paper, we first propose a general framework for constructing identity-based AKE protocols in the bounded after-the-fact LR extended-Canetti–Krawczyk security model, and show a formal proof in the standard model. Our proposed scheme offers a flexible approach to simplify the certificate management. Moreover, our result could be extended to the bounded-retrieval model, yielding the first LR-AKE protocol in this model.

Debiao He,Yitao Chen,Jianhua Chen

DOI: https://doi.org/10.1007/s13369-013-0575-4

IF: 2.807

2013-01-01

Arabian Journal for Science and Engineering

Abstract:To ensure secure communications in public network environments, various three-party authenticated key exchange (3PAKE) protocols were proposed to provide the transaction confidentiality and efficiency. In 2009, Yang et al. proposed an efficient 3PAKE protocol based upon elliptic curve cryptography (ECC) for mobile-commerce environments. The adoption of elliptic curve cryptography in their 3PAKE protocol results in low computation costs and light communication loads. However, Tan demonstrated that Yang et al.'s protocol suffers from the impersonation attack. Tan also proposed an enhanced protocol to improve the security and the performance. However, Nose pointed that Tan's protocol suffers from the impersonation attack and the man-in-the-middle attack. To improve the security, we propose an ID-based 3PAKE using ECC. The analysis shows our protocol is more suitable and practical for mobile-commerce environments.

Jun JIANG,Chen HE,Ling-ge JIANG

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Based on the provable security model of Canetti and Krawczyk (CK), a new session key exchange (KE) protocol with mutual authentication was proposed focusing on the secure first hop in heterogeneous wireless network BRAIN (Broadband Radio Access for IP based Network). By using the CK model, a hybrid KE (HKE) protocol in the ideal world with security proof was first proposed. Then three provably secure message transmission authenticators were reused and integrated to form a new authenticator appropriate for heterogeneous wireless scenario. Finally the practical HKE (PHKE) protocol is induced by using this authenticator. The protocol is not only secure with security proof, but also efficient for considering the asymmetric wireless environment.

Huanhuan Lian,Tianyu Pan,Huige Wang,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-030-88428-4_32

2021-01-01

Abstract:Identity-based authenticated key exchange (ID-AKE) allows two parties (whose identities are just their public keys) to agree on a shared session key over open channels. At ESORICS 2019, Tomida et al. proposed a highly efficient ID-AKE protocol, referred to as the TFNS19-protocol, under the motivation of providing authentication and secure communication for huge number of low-power IoT devices. The TFNS19-protocol currently stands for the most efficient ID-AKE based on bilinear pairings, where each user remarkably performs only a single pairing operation. But it does not consider users' identity privacy, and the security is based on relatively non-standard assumptions. In this work, we formulate and design identity-based identity-concealed AKE (IB-CAKE) protocols. Here, identity concealment means that the session transcript does not leak users' identity information. We present a simple and highly practical IB-CAKE protocol, which is computationally more efficient than the remarkable TFNS19-protocol in total. We present a new security model for IB-CAKE, and show it is stronger than the ID-eCK model used for the TFNS19-protocol. The security of our IB-CAKE protocol is proved under relatively standard assumptions in the random oracle model, assuming the security of the underlying authenticated encryption and the gap bilinear Diffie-Hellman (Gap-BDH) problem. Finally, we provide the implementation results for the proposed IB-CAKE scheme, and present performance benchmark.

Cong Wang,Peng Huo,Maode Ma,Tong Zhou,Yiying Zhang

DOI: https://doi.org/10.1007/s00607-023-01188-4

2023-06-28

Computing (Vienna/New York)

Abstract:With the gradual maturity of Smart Grid (SG), security challenges become the most important issues that need to be addressed urgently. In recent years, many schemes adopt mutual authentication and key agreement to ensure secure communication in SG. However, most existing methods have their own shortcomings in either security or efficiency which make them difficult to satisfy the security requirements of SG. In this paper, we propose a provable secure and lightweight authenticated key agreement scheme based on the Elliptic Curve Cryptosystem (ECC) for the cloud-edge-end collaboration SG communication network. The proposed scheme can guarantee the security of the communication and provide anonymity for both the edge server and the smart meters. The anonymity of the smart meters can be provided by a pseudonym mechanism. By rigorous security analysis, the proposed scheme can resist to the typical attacks including replay attacks and identity forgery attacks. The security properties are also evaluated by using the Canetti and Krawczyk (CK) adversary model. The performance simulation results denotes that the proposed scheme not only owns stronger security functions but also improves computation efficiency by 24.5% on average than other four schemes. By simulation results, the proposed scheme has been shown to hold high efficiency.