Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Jianhong Zhang,Wenle Bai,Yuehai Wang

DOI: https://doi.org/10.1109/access.2019.2899828

IF: 3.9

2019-01-01

IEEE Access

Abstract:The Internet of Things (IoT) is the internetworking of terminal physical devices depends on application programming interfaces and sensors to be connected to the Internet for collecting and exchanging data. According to the characteristics of IoT, it can provide rich services for the terminal user. However, the centralized cloud computing-based storage architecture in IoT faces many challenges, such as data security, identity privacy, and high latency. To overcome these challenges, this paper introduces an IoT network storage architecture based on mobile edge computing, which not only achieves low-latency message response and computation offloading of the terminal user but also preserves identity-privacy of the terminal user. Afterward, we presented a novel non-interactive pairing-free ID-based proxy re-signature scheme (ID-PRS), which is a kernel technique to construct the aforementioned storage architecture. Compared with most of proxy re-signature schemes constructed based on traditional public-key-infrastructure, the proposed scheme avoids expensive pairing operation and intricate certificate-maintenance. And it is demonstrated to be provably secure under the classic security assumptions: integer factoring problem and the RSA assumption. Finally, in contrast to the other two ID-PRS schemes, the proposed ID-PRS scheme has more advantages in terms of security, functionability, and computation costs. Thus, it is very suitable to be applied to the resource-constrained mobile users.

jianqing fu,chunming wu,jian chen,rong fan,lingdi ping

DOI: https://doi.org/10.1109/ICNIT.2010.5508544

2010-01-01

Abstract:In IP Multimedia Subsystem(IMS) of UMTS, IMS information is delivered through the general packet radio service(GPRS) transport network, before a user equipment (UE) can access the IMS service, it must performance both packet-switch domain and IMS authentication. It is inefficient that almost all involved steps in IMS authentication are duplicated. Hence, some one-pass IMS authentications were proposed to increase the efficiency of the IMS authentication. Unfortunately, these protocols have some problems which make them unfeasible. Therefore, we proposed a lightweight one-pass IMS authentication protocol to reduce signaling traffic. Through analysis, we found that it has minimal impact on the network functionality and will not influent the succeeding IMS re-authentication, which makes it more feasible.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Li Kuang,Yingjie Xia,Caijun Sun,Jiaming Wu,Liangdi Bao

DOI: https://doi.org/10.19026/rjaset.5.4738

2013-01-01

Abstract:With wide adoption of Service Computing and Mobile Computing, people tend to invoke services with mobile devices, requiring accurate and real-time feedback from services at any time and any place. Among these services, some are private to limited users and require identity authorization before use; hence secure access control in wireless network should be provided. To address the challenge, in this study, we propose the architecture and protocols of a system of access to private services for mobile clients, which combines the technologies of trusted computing, Diffie-Hellman key agreement protocol, digital certificate, DES data encryption algorithm and twice verification. We further show the implementation of the proposed system, in which we have realized the authentication and authorization of mobile clients and then secure data transfer between mobile clients in the unsafe Internet and private services in the Intranet. © 2013 Maxwell Scientific Organization.

Yixin Jiang,Chuang Lin,Hao Yin,Zhen Chen

DOI: https://doi.org/10.1002/wcm.448

2006-01-01

Wireless Communications and Mobile Computing

Abstract:IEEE 802.11 wireless local area networks (WLAN) has been increasingly deployed in various locations because of the convenience of wireless communication and decreasing costs of the underlying technology. However, the existing security mechanisms in wireless communication are vulnerable to be attacked and seriously threat the data authentication and confidentiality. In this paper, we mainly focus on two issues. First, the vulnerabilities of security protocols specified in IEEE 802.11 and 802.1X standards are analyzed in detail. Second, a new mutual authentication and privacy scheme for WLAN is proposed to address these security issues. The proposed scheme improves the security mechanisms of IEEE 802.11 and 802.1X by providing a mandatory mutual authentication mechanism between mobile station and access point (AP) based on public key infrastructure (PKI), offering data integrity check and improving data confidentiality with symmetric cipher block chain (CBC) encryption. In addition, this scheme also provides some other new security mechanisms, such as dynamic session key negotiation and multicast key notification. Hence, with these new security mechanisms, it should be much more secure than the original security scheme. Copyright © 2006 John Wiley & Sons, Ltd.

Liang Cai,Xiaohu Yang,Chun Chen

DOI: https://doi.org/10.1109/AINA.2005.150

2005-01-01

Abstract:More and more mobile applications require the ability to issue digital signatures. Traditionally, digital signatures are based on asymmetric cryptographic techniques which make them computationally expensive. Currently, all mobile devices tend to have limited computational capabilities and equally limited power. This makes them ill-suited for complex cryptographic computations. We designed a Server-aided PKI Service (SaPKI) to offload work from clients in mobile networks such as GSM and CDMA. Mobile clients can utilized the powerful (both CPU speed and power supply) SaPKI server to generate RSA keys and digital signatures. The paper details the implementation of SaPKI Service. A secure "cell phone-banking" application has been implemented on SaPKI architecture in CDMA-1X mobile network. After thorough performance analysis, we concluded that SaPKI can significantly improve the performance of mobile client's cryptographic operation.

Xuqiu Chen,Wei Wang,Wei Gan,Yi Yang,Su Yuan,Meng Li

DOI: https://doi.org/10.1007/978-3-030-97774-0_10

2022-01-01

Abstract:With the rapid development of the power mobile Internet, traditional identity authentication and authentication modes still have identity information theft, are unable to prevent illegal behaviors of internal users, etc., which can no longer meet the security requirements of identity authentication in mobile Internet services. In response to this problem, this paper proposes a mobile terminal identity authentication method on the Identity-Based Cryptography (IBC). During registration, the user's voice is collected through the mobile terminal to establish an identity vector (i-vector) voiceprint model, and features are extracted and added to the identity mark to generate a user ID and a corresponding identity password system; during authentication, the legitimacy of the user is judged based on voice recognition to prevent illegal user intrusion, And then based on the identity password combined with the symmetric encryption algorithm AES to encrypt and decrypt data to achieve terminal identity authentication to resist common attacks in the mobile Internet. Finally, the experimental analysis shows that the method effectively improves the security of the power mobile Internet identity authentication process and has the advantages of low cost and high efficiency. In the power mobile Internet business scenario, this method greatly improves the identification ability of illegal users and the resistance to network malicious attacks.

Daojing He,Sammy Chan,Yan Zhang,Mohsen Guizani,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1109/MNET.2014.6724101

IF: 10.294

2014-01-01

IEEE Network

Abstract:It is expected that the smart grid will radically add new functionalities to legacy electrical power systems. However, we believe that this will in turn introduce many new security risks. With the smart grid's backbone communication networks and subnetworks, there are possible scenarios when these subnetworks can become vulnerable to attacks. Ensuring security in these networks is challenging because most devices are resource constrained. In addition, different protocols that are used in these networks use their own set of security requirements. In this article, the security requirements of smart grid communication networks are firstly identified. We then point out that although public key infrastructure (PKI) is a viable solution, it has some difficulties to satisfy the requirements in availability, privacy preservation, and scalability. To complement the functions of PKI, we introduce some novel mechanisms so that those security requirements can be met. In particular, we propose a mechanism to efficiently resist Denial-of-Service (DoS) attacks, and some suggestions to the security protocol design for different application categories.

Jason Chia,Swee-Huay Heng,Ji-Jian Chin,Syh-Yuan Tan,Wei-Chuen Yau

DOI: https://doi.org/10.3390/sym13081535

2021-08-20

Symmetry

Abstract:Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).

Han Bao,Xiaoping Zhang,Gaoyuan Wang,Renrui Tian,Jinrong Duan,Youjian Zhao

DOI: https://doi.org/10.1109/icc45041.2023.10279752

2023-01-01

Abstract:Internet of Things (IoT) devices have achieved rapid development but most of them are vulnerable to spoofing attacks and spoofing-related attacks. It is crucial to verify source identity at the near-source end to defend against attacks, save network forwarding resources, and relieve the authentication pressure on the receiver end. In this paper, we propose Smart-PKI, a blockchain-based distributed identity validation scheme for IoT Devices. In the architecture of Smart-PKI, near-source forwarders can verify the authenticity of the source identity of packets and can filter spoofed packets. Besides, we apply Merkle Patricia Trie (MPT) to the Smart-PKI blockchain to enable lightweight blockchain copy storage and efficient retrieval and verification of identity information on forwarders. Meanwhile, Smart-PKI proposes an identity restoration mechanism and enables solutions for the attacks caused by public and private key compromise. Furthermore, we implement Smart-PKI on Network Simulator Version 3 (NS3) and evaluate its performance against reflection denial-of-service (DDoS) attacks. The simulation results demonstrate the effectiveness and efficiency of Smart-PKI and it outperforms existing blockchain-based PKI solutions for IoT devices in terms of network latency for verifying certificates.

Xin Sun,Jiajia Han,Bang Lv,Changhua Sun,Cheng Zeng

DOI: https://doi.org/10.1371/journal.pone.0312690

IF: 3.7

2024-10-31

PLoS ONE

Abstract:With the rise of the Internet of things, the limitations of traditional PKI certificate authentication technology have progressively emerged. Hence, identity-based public key algorithms have been proposed. In this paper, we propose a new approach to generate an identity key, named identity public key (IPK). IPK identity key generation protocol is based on SM2 elliptic curve cryptography and random matrix theory. It builds upon the concept of combined public key (CPK) and resolves the linear collusion issue of CPK as well as the authenticity verification problem of the declared public key of the simplified TF-CPK by enhancing the identity mapping approach. Another main aim of this paper is to prove the security of the IPK identity key generation protocol. Roughly speaking, we verify the security of each part of the private key and the security of the composite private key. We also increase the function and performance comparison with other schemes, such as IBC(SM9) and TF-CPK. Our scheme has the lowest computation cost, which demonstrates its rationality.

multidisciplinary sciences

Yao Liu,Yueting Chai,Yi Liu

DOI: https://doi.org/10.1109/icebe.2015.76

2015-01-01

Abstract:In the current Internet environment, security incidents occur frequently and the potential safety problems are highlighted. In this case, we propose "Internet trusted identity authentication system". The system changes the previous conventional mode of identity authentication, changes the mode of username/password to the relationship bound between net ID and password rule and replaces the traditional dead-password mode with the mode of dynamic password and password rule. At the same time, we should establish the repository of trusted identity to store and manage the net ID and password rule. With the tools of USBKEY, SMS and digital certificates, the system can achieve the function of implementing the real-name network in the Internet, making remembering passwords more convenience, simplifying users' operations online and strengthening the security of personal identification information online, which can improve the safety, reliability and efficiency of the Internet, on the premise that it won't change the Internet functions or the operation habits.

Shan Gao,Junjie Chen,Bingsheng Zhang,Kui Ren,Xiaohua Ye,Yongsheng Shen

DOI: https://doi.org/10.23919/cje.2023.00.192

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:In modern industrial control systems (ICSs), when user retrieving the data stored in field device like smart sensor, there exists two main problems: one is lack of the verification for identification of user and field device; the other is that user and field device need exchange a key to encrypt sensitive data transmitted over the network. We propose a comprehensive authentication and key agreement framework that enables all connected devices in an ICS to mutually authenticate each other and establish a peer-to-peer session key. The framework combines two types of protocols for authentication and session key agreement: The first one is an asymmetric cryptographic key agreement protocol based on transport layer security handshake protocol used for Internet access, while the second one is a newly designed lightweight symmetric cryptographic key agreement protocol specifically for field devices. This proposed lightweight protocol imposes very light computational load and merely employs simple operations like one-way hash function and exclusive-or (XOR) operation. In comparison to other lightweight protocols, our protocol requires the field device to perform fewer computational operations during the authentication phase. The simulation results obtained using OpenSSL demonstrates that each authentication and key agreement process in the lightweight protocol requires only 0.005 ms. Our lightweight key agreement protocol satisfies several essential security features, including session key secrecy, identity anonymity, untraceability, integrity, forward secrecy, and mutual authentication. It is capable of resisting impersonation, man-in-the-middle, and replay attacks. We have employed the Gong-Needham-Yahalom (GNY) logic and automated validation of Internet security protocols and application tool to verify the security of our symmetric cryptographic key agreement protocol.

M. Toorani,A. A. Beheshti

DOI: https://doi.org/10.1109/ICCS.2008.4737164

2012-03-17

Abstract:The non-repudiation as an essential requirement of many applications can be provided by the asymmetric key model. With the evolution of new applications such as mobile commerce, it is essential to provide secure and efficient solutions for the mobile environments. The traditional public key cryptography involves huge computational costs and is not so suitable for the resource-constrained platforms. The elliptic curve-based approaches as the newer solutions require certain considerations that are not taken into account in the traditional public key infrastructures. The main contribution of this paper is to introduce a Lightweight Public Key Infrastructure (LPKI) for the constrained platforms such as mobile phones. It takes advantages of elliptic curve cryptography and signcryption to decrease the computational costs and communication overheads, and adapting to the constraints. All the computational costs of required validations can be eliminated from end-entities by introduction of a validation authority to the introduced infrastructure and delegating validations to such a component. LPKI is so suitable for mobile environments and for applications such as mobile commerce where the security is the great concern.

Cryptography and Security

Guangwu Hu,Wenlong Chen,Qi Li,Yong Jiang,Ke Xu

DOI: https://doi.org/10.1016/j.future.2016.09.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Despite the Internet has been rapidly developed in the past three decades, its intrinsic security mechanism, e.g., IP source address validation and user identification authentication, is still not well addressed. This results in numerous cyber security threats. In order to enhance the Internet accountability and deter potential cyber-attacks, in this paper, we propose TrueID, an IPv6 header extension scheme which can embed hash-based, creditable and undeniable user identity code inside IPv6 packets. We present the system architecture, header’s format and viable implementation approaches with different credibility granularities. Meanwhile, to verify packet credibility and integrity, we design an Autonomous System (AS) level public-key distribution system which can disseminate user’s public keys between allied ASes safely. Also, the prototype experiment has proved that our scheme possesses these features with desirable performance.

Kai Wang,Chuang Lin,Fangqin Liu

DOI: https://doi.org/10.1109/ICIS.2009.162

2009-01-01

Abstract:IP multimedia subsystem (IMS) is considered as the main solution to the next generation multimedia communication.By examining potential security threats to IMS, we initiate a set of security policies for choice and consider their quality of protection (QoP) based on the strength of the security mechanism. In order to provide secure service to users, it is insufficient to just take the security benefits into consideration. An adequate analysis of the impact of security policies in IMS on the performance quantitatively is necessary and significant. We present a novel study of IMS performance using queuing Petri nets (QPN) to predict the system performance metrics, i.e., the signaling delay, server utilization, which then be used to evaluate the impacts of different security mechanism on system performance quantitatively. With the multi-view security partition introduced, multi-level security service can be provided to diverse users and applications for a best tradeoff between security requirements and system performance.

Ziyi Zhou,Xing Han,Zeyuan Chen,Yuhong Nan,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1109/dsn53405.2022.00059

2022-01-01

Abstract:A recently emerged cellular network based One-Tap Authentication (OTAuth) scheme allows app users to quickly sign up or log in to their accounts conveniently: Mobile Network Operator (MNO) provided tokens instead of user passwords are used as identity credentials. After conducting a first in-depth security analysis, however, we have revealed several fundamental design flaws among popular OTAuth services, which allow an adversary to easily (1) perform unauthorized login and register new accounts as the victim, (2) illegally obtain identities of victims, and (3) interfere OTAuth services of legitimate apps. To further evaluate the impact of our identified issues, we propose a pipeline that integrates both static and dynamic analysis. We examined 1,025/894 Android/iOS apps, each app holding more than 100 million installations. We confirmed 396/398 Android/iOS apps are affected. Our research systematically reveals the threats against OTAuth services. Finally, we provide suggestions on how to mitigate these threats accordingly.

Zengpeng Li,Zheng Yang,Pawel Szalachowski,Jianying Zhou

DOI: https://doi.org/10.1109/jiot.2020.3008773

IF: 10.6

2021-01-15

IEEE Internet of Things Journal

Abstract:Industrial Internet of Things (IIoT) brings together computers, devices, advanced analytics, and people in industries such as transportation, oil plant and power grid, that leads to major efficiency and productivity gains for almost any industrial procedures. Due to the interconnection of devices in IIoT, communication security has become a critical issue to address in many emerging industry standards which require the authentication and key exchange procedure to be done to guarantee the authorized machine access (e.g., from users) and secure the data transmission between machines. To overcome the shortcoming (i.e., low entropy) of the memorable password in user authentication, it is rightfully recommended by industry standards (such as IEC-62443 family) to use multi-factor authentication for higher security levels. Notably, latency is one of the main sources of inefficiency when a device is communicating with other machines on IIoT. To mitigate latency, smooth projective hash function (SPHF) built from wellstudied standard assumptions is used to achieve low-interactivity multi-factor authenticated key exchange protocol (MFAKE), because SPHF allows each party to prove to the others that he knows the right authentication factor(s). In this paper, we are therefore motivated to build a new MFAKE named "secure remote multifactor (SRMF)" to achieve the human involved "machine-to-machine" secure communication in IIoT. That is, SRMF leverages multiple user-centric authentication factors (such as password, biometric fingerprints, and PIN), and it can synergistically support multi-factor registration (MFR), multi-factor authentication (MFA) and multifactor key exchange (MFKE). Further, to prevent authentication factors stored at the server exposing to attackers, the password-harden service (i.e., Pythia-PRF, USENIX'15) inspires us to develop a multifactor hardening service (MFHS) -tilizing an oblivious pseudorandom function (OPRF). The balanced security of the proposed protocol is proved under the model of Bellare-Pointcheval-Rogaway (EUROCRYPTO' 00) along with theoretical and experimental evaluations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rakshitha S M,Shravana,Riya Biswas,Sushmita Shetty

DOI: https://doi.org/10.48175/ijarsct-2866

2022-03-21

Abstract:The Internet of Things (IoT) connects many of the world's home appliances, from intelligent thermostats to intelligent cars. We had 9 billion connected things by the end of 2015. According to Gartner, the total number of networked devices will approach 50 billion by 2020. The majority of linked devices in the existing network use outdated security technology and encryption, and many do not allow for remote device updates. Given the vast number of IoT devices available, ranging from off-the-shelf motion monitoring to machine tools, it is impossible to determine which functions are associated with any given service or product. In a nutshell, this is the issue: you can't trust the device's security and integrity. K-times anonymous authentication (k-TAA) is an important access control approach used in ecoupon and e-bill. It allows a user to authenticate himself anonymously to a distant server a set number of times. However, most known k-TAA techniques need a lot of processing, which makes them difficult to use on devices with low resources. In 2018, Tian and colleagues published Tian et al presented a remote user authentication system that protects users' privacy. Considering untraceability of k-times In contrast to the typical k-TAA,Tian et almethod .'s is better suited to mobile devices.as a result of avoiding costly pairing operations They're also claim that their system ensures user trust and authenticity. Untraceability k times Unfortunately, we are unable to do so in this paper Analyzing their scheme reveals that it is insecure. Their Neither scheme can stop a rogue user from sending information neither the authentication.