Abstract: Internet key exchange (IKE) is an automated key exchange mechanism that is used to facilitate the transfer of IPSec security associations (SAs). Public key infrastructure (PKI) is considered a key element for providing security to new distributed communication networks and services. In this paper, we concentrate on the properties of the IKE Phase 1 protocol. After investigating the IKE protocol and PKI technology, we combine the two and present an implementation scheme of IKE based on PKI. Then, we give a logic analysis of the proposed protocol with BAN logic and discuss the security of the protocol. The result indicates that the protocol is correct and satisfies the security requirements of Internet key exchange.
Abstract: Public Key Infrastructure (PKI) is a comprehensive information security framework for providing secure information and communication over the Internet. Its need and use have grown over the years and continue to grow. This research work examines the current PKI framework's validation process as operated by vendors and subscribers to identify its drawbacks and propose enhanced approaches to its validation mechanism. Using an approach of reviewing secondary data, critical weaknesses of integrity, proof of trust and single point of failure were identified in the current PKI framework. This study therefore advances proposed solutions to address the identified weaknesses, specifically by introducing multiple Certificate Authorities and the storage, visibility and searchability of subscriber information in a public repository. A comprehensive detail of its implementation is proposed to address the identified weaknesses of uncertain integrity and uncertain trust in certificate authorities and to prevent a single point of failure. Furthermore, the proposed enhancements are validated with the protection motivation theory, and a framework for empirically testing the enhancements is suggested. Further research would be required to factor in multi-factor authentication without compromising performance.
Abstract: In the proposed photo certificate, the principal component is the image, for example, the user's photo. User-related fields, such as the subject's name, the issuer's name, and the expiration period, which are meaningful to users, are embedded into the surface of the photo by using a visible watermark algorithm, so that the reader can capture this information without the requirement for special software. The remaining fields in the certificate are embedded into the marked photo. Later, the whole photo certificate is cryptographically signed by the certification authority (CA) private key to guarantee the integrity of our photo certificate. By such an arrangement, the certificate's verification is divided into two layers. The first layer is human-visual-system oriented and the second layer is software oriented. The user can first determine whether the user's photo and its subject's name are consistent and check whether the expiration period is still valid. The second layer's verification is launched only when the first layer's verification has passed. To sum up, the proposed photo certificate not only inherits the functions of a traditional certificate, but also provides a friendlier operational environment than the X.509 certificate.
Funding: Supported by the Postgraduate Research & Practice Innovation Program of Jiangsu Province (Grant No. SJCX22_1677).
Abstract: Wireless body area networks (WBANs) are an emerging technology for the real-time monitoring of physiological signals. WBANs provide a mechanism for collecting, storing, and transmitting physiological data to healthcare providers. However, the open wireless channel and limited resources of sensors bring security challenges. To ensure physiological data security, this paper provides an efficient Certificateless Public Key Infrastructure Heterogeneous Ring Signcryption (CP-HRSC) scheme, in which sensors are in a certificateless cryptosystem (CLC) environment, and the server is in a public key infrastructure (PKI) environment. CLC could solve the limitations of key escrow in identity-based cryptography (IBC) and of certificate management for public keys in PKI, while PKI is suited to the server because it is widely used on the Internet. Furthermore, this paper designs a ring signcryption method that allows the controller to anonymously encrypt physiological data on behalf of a set of sensors, so that the server does not know exactly which sensor it is. The construction of this paper can achieve anonymity, confidentiality, authentication, non-repudiation, and integrity in a logically single step. Under the computational Diffie-Hellman (CDH) problem, the formal security proof is provided in the random oracle model (ROM). This paper demonstrates that this scheme has indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) and existential unforgeability against adaptive chosen message attacks (EUF-CMA). In terms of computational cost and energy usage, a comprehensive performance analysis demonstrates that the proposed scheme is the most effective. Compared to the three existing schemes, the computational cost of this paper's scheme is reduced by about 49.5%, 4.1%, and 8.4%, and the energy usage of our scheme is reduced by about 49.4%, 3.7%, and 14.2%, respectively.
Funding: This work was supported in part by the Beijing Municipal Natural Science Foundation (19L2020), the Foundation of Science and Technology on Information Assurance Laboratory (614211204031117), the Industrial Internet Innovation and Development Project (Typical Application and Promotion Project of the Security Technology for the Electronics Industry) of the Ministry of Industry and Information Technology of China in 2018, and the Foundation of Shanxi Key Laboratory of Network and System Security (NSSOF1900105).
Abstract: With the rising popularity of the Internet and the development of big data technology, an increasing number of organizations are opting to cooperate across domains to maximize their benefits. Most organizations use public key infrastructure to ensure security in accessing their data and applications. However, with the continuous development of identity-based encryption (IBE) technology, small- and medium-sized enterprises are increasingly using IBE to deploy internal authentication systems. To solve the problems that arise when crossing heterogeneous authentication domains and to guarantee the security of the certification process, we propose using blockchain technology to establish a reliable cross-domain authentication scheme. Using the distributed and tamper-resistant characteristics of the blockchain, we design a cross-domain authentication model based on blockchain to guarantee the security of the heterogeneous authentication process and present a cross-domain authentication protocol based on blockchain. This model does not change the internal trust structure of each authentication domain and is highly scalable. Furthermore, on the premise of ensuring security, the process of verifying the signature of the root certificate in the traditional cross-domain authentication protocol is improved to verify the hash value of the root certificate, thereby improving the authentication efficiency. The developed prototype exhibits generality and simplicity compared to previous methods.
Funding: The National Natural Science Foundation of China (60502024), the Electronic Development Fund of the Ministry of Information Industry of China ([2007]329), and the Natural Science Foundation of Hubei Province (2005ABA267).
Abstract: We propose a digital rights management (DRM) system based on mobile agents to protect the copyrights of content providers. In the system, the content provider creates a time-limited blackbox out of an original agent and dispatches it to the user end to enforce DRM functions. The blackbox is an agent that can resist attacks from a malicious user within a certain time interval. Owing to digital rights redistribution support, a user whose rights belong to the redistribution category can transfer his rights to other users. Moreover, by introducing public key infrastructure (PKI) and a certificate authority (CA) role, the security of the session can be ensured. An analysis of system security and performance and a comparison with a traditional DRM system are given.
Abstract: Vehicular Ad-hoc NETworks (VANETs) enable cooperative behaviors in vehicular environments and are seen as an integral component of Intelligent Transportation Systems (ITSs). The security of VANETs is crucial for their successful deployment and widespread adoption. A critical aspect of preserving the security and privacy of VANETs is the efficient revocation of the ability of misbehaving or malicious vehicles to participate in the network. This is usually achieved by revoking the validity of the digital certificates of the offending nodes and by maintaining and distributing an accurate Certificate Revocation List (CRL). The immediate revocation of misbehaving vehicles is of prime importance for the safety of other vehicles and users. In this paper, we present a decentralized revocation approach based on Shamir's secret sharing to revoke misbehaving vehicles with very low delays. Besides enhancing VANETs' security, our proposed protocol limits the size of the revocation list to the number of revoked vehicles. Consequently, the authentication process is more efficient, and the communication overhead is reduced. We experimentally evaluate our protocol to demonstrate that it provides a reliable solution to the scalability, efficiency and security of VANETs.
Funding: This work was supported by the National Key R&D Program of China (No. 2020YFB1005600), the Beijing Natural Science Foundation (No. M21031), the Natural Science Foundation of China (Nos. U21A20467, 61932011, 62002011, and 61972019), the Populus Euphratica Foundation (No. CCF-HuaweiBC2021009), the Open Research Fund of Key Laboratory of Cryptography of Zhejiang Province (No. ZCL21007), the Zhejiang Soft Science Research Program (No. 2023C35081), and the Youth Top Talent Support Program of Beihang University (No. YWF-22-L-1272).
Abstract: Traditional public key infrastructure (PKI) only provides authentication for network communication, and the standard X.509 certificate used in this architecture reveals the user's identity. This lack of privacy protection no longer satisfies the increasing demands for personal privacy. Though an optimized anonymous PKI certificate realizes anonymity, it has the potential to be abused due to the lack of identity tracking. Therefore, maintaining a balance between user anonymity and traceability has become an increasing requirement for current PKI. This paper introduces a novel traceable self-randomization certificate authentication scheme based on the PKI architecture that achieves both anonymity and traceability. We propose a traceable self-randomization certificate authentication scheme based on the short randomizable signature. Specifically, certificate users can randomize the initial certificate and public key into multiple anonymous certificates and public keys by themselves under the premise of traceability, which has lower computational complexity and fewer interactive operations. Users can exhibit different attributes of themselves in different scenarios, randomizing the attributes that do not necessarily need to be displayed. Through security and performance analysis, we demonstrate the suitability of the improved PKI architecture for practical applications. Additionally, we provide an application of the proposed scheme to the permissioned blockchain for supervision.
Funding: Supported by the Natural Science Foundation of Beijing (No. M21029), the National Key Basic R&D Program of China (No. 2018YFB1800302), and the National Natural Science Foundation of China (No. 61802005).
Abstract: Purchases of electric vehicles have been increasing in recent years. These vehicles differ from traditional fossil-fuel-based vehicles especially in the time consumed to keep them running. Electric-Vehicle-charging Service Providers (EVSPs) must arrange reasonable charging times for users in advance. Most EVSP services are based on third-party platforms, but reliance on third-party platforms creates a lack of security, leaving users vulnerable to attacks and user-privacy leakages. In this paper, we propose an anonymous blockchain-based system for charging connected electric vehicles that eliminates third-party platforms through blockchain technology and the establishment of a multi-party security system between electric vehicles and EVSPs. In our proposed system, digital certificates are obtained by completing distributed Public Key Infrastructure (distributed-PKI) identity registration, with the user registration kept separate from the verification process, which eliminates dependence on the EVSP for information security. In the verification process, we adopt smart contracts to solve problems associated with centralized verification and opaque services. Furthermore, we utilize zero-knowledge proof and ring-signature superposition to realize completely anonymous verification, which ensures undeniability and unforgeability with no detriment to anonymity. The evaluation results show that the user anonymity, information authenticity, and system security of our system fulfill the necessary requirements.