Certificate Authority (CA) is the core of public key infrastructure. However, the traditional structure of CA is either hierarchical or reticular, and none of them is suitable for security require-nients come from the...Certificate Authority (CA) is the core of public key infrastructure. However, the traditional structure of CA is either hierarchical or reticular, and none of them is suitable for security require-nients come from the new trend in enterprise cooperation, namely virtual enterprise (VE). In this paper a new idea - virtual certificate authority (VCA), is proposed, as well as its implemen-tation. The goal of VCA is to provide global certificate service over vital enterprise while keeping CA of each participant intact as much as possible. Unlike PEM, PGP, and BCA, by using secret sharing scheme, virtual CA avoids the need for TTP and supports virtual enterprise's feature of dynamical construction and destruction.展开更多
Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnesse...Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnessed a significant increase.To ensure secure communication,device identities must undergo authentication.The existing cross-domain authentication schemes face issues such as complex authentication paths and high certificate management costs for devices,making it impractical for resource-constrained devices.This paper proposes a blockchain-based lightweight and efficient cross-domain authentication protocol for smart parks,which simplifies the authentication interaction and requires every device to maintain only one certificate.To enhance cross-domain cooperation flexibility,a comprehensive certificate revocation mechanism is presented,significantly reducing certificate management costs while ensuring efficient and secure identity authentication.When a park needs to revoke access permissions of several cooperative partners,the revocation of numerous cross-domain certificates can be accomplished with a single blockchain write operation.The security analysis and experimental results demonstrate the security and effectiveness of our scheme.展开更多
The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the...The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the same importance in the application of grid technology. As a critical component of grid security, the secure authen- tication needs to be well studied. In this paper, a two-step mobile agent based(TSMAB) authentication architecture is proposed based on Globus security infrastructure (GSI). By using mobile agent (MA) technology, the TSMAB authentication architecture is composed of the junior-authentication and the senior-authentication. Based on the design and the analysis of TSMAB model, the result shows that the efficiency of grid authentication is improved compared with the GSI authentication.展开更多
This paper theoretically analyzes a deficiency of the existing scheme, and proposes a distributed multi-hop certification authority scheme for mobile Ad Hoc networks. In our design, we distribute the certification aut...This paper theoretically analyzes a deficiency of the existing scheme, and proposes a distributed multi-hop certification authority scheme for mobile Ad Hoc networks. In our design, we distribute the certification authority functions through a threshold secret sharing mechanism, in which each node holds a secret share and multiple nodes jointly provide complete services. Certification authority is not limited in a local neighborhood but can be completed within multi-hop location. In addition, we replace broadcast by multicast to improve system performance and reduce communication overhead. This paper resolves some technical problems of ubiquitous certification authority services, and presents a wieldy multi-hop certification authority algorithm. Simulation results confirm the availability and effectiveness of our design.展开更多
Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed ...Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed authentication mechanism and an optimal design method for distributed certificate authority( CA)are designed. Compared with some conventional clustering methods for network,the proposed clustering method considers the business information flow of the network and the task of the network nodes,which can decrease the communication spending between the clusters and improve the network efficiency effectively. The identity authentication protocols between the nodes in the same cluster and in different clusters are designed. From the perspective of the security of network and the availability of distributed authentication service,the definition of the secure service success rate of distributed CA is given and it is taken as the aim of the optimal design for distributed CA. The efficiency of providing the distributed certificate service successfully by the distributed CA is taken as the constraint condition of the optimal design for distributed CA. The determination method for the optimal value of the threshold is investigated. The proposed method can provide references for the optimal design for distributed CA.展开更多
We propose a digital rights management (DRM) system based on mobile agent to protect the copyrights of content providers. In the system, the content provider creates a time limited blackbox out of an original agent ...We propose a digital rights management (DRM) system based on mobile agent to protect the copyrights of content providers. In the system, the content provider creates a time limited blackbox out of an original agent and dispatches it to the user end to enforce DRM functions. The blackbox is an agent that can resist the attacks from the malicious user in a certain time interval. Owing to digital rights redistribution support, the user whose rights belong to redistribution category can transfer his rights to other users. Moreover, by introducing public key infrastructure (PKI) and certificate authority (CA) role, the security of the session can be ensured. An analysis of system security and performance and a comparison with traditional DRM system is given.展开更多
A new buyer-seller watermarking protocol is proposed by applying a double encryption method and a novel mechanism of embedding a buyer's watermark. The protocol can effectively prevent against collusion attacks and t...A new buyer-seller watermarking protocol is proposed by applying a double encryption method and a novel mechanism of embedding a buyer's watermark. The protocol can effectively prevent against collusion attacks and the man in the middle attack if the third party is not trusted. Also, based on the proposed scheme for the first-hand transaction, a new buyer-reseller watermarking protocol and a formal multi-party watermarking protocol are also proposed. The proposed buyer-resell watermarking protocol only needs the original seller to provide transfer certificate and encryption-decryption service to support the second-hand transaction, and the multi-party watermarking protocol with distributed certificate authorities can overcome the difficulty in the combination of multicast mechanism with multiple unique watermarks and allow a seller to multicast the watermarked digital contents and key transaction information to n buyers. Furthermore, the idea of zero knowledge proof is also applied into the proposed scheme to allow the seller to take an effective control on the task performed by the third party.展开更多
A new sanitizable signature scheme is proposed, in which the security flaw of Miyazaki's sanitizable signature scheme SUMI-4 is improved. The new scheme overcomes the shortcomings of the original scheme SUM1-4 by usi...A new sanitizable signature scheme is proposed, in which the security flaw of Miyazaki's sanitizable signature scheme SUMI-4 is improved. The new scheme overcomes the shortcomings of the original scheme SUM1-4 by using sanitizable authorization certificates. The new scheme enables the primitive signer to limit the sanitizer's power and still satisfies the security request of sanitizable signature.展开更多
Advanced connectivity in substations brings along cybersecurity considerations. Especially, the use of standardized data objects and message structures stipulated by IEC 61850 makes them much more vulnerable to unauth...Advanced connectivity in substations brings along cybersecurity considerations. Especially, the use of standardized data objects and message structures stipulated by IEC 61850 makes them much more vulnerable to unauthorized access and manipulation. In order to tackle these vulnerabilities, different methods are investigated by researchers all over the world. An important aspect of such efforts is the real-time performance consideration since power systems are bound by the rules of physics and all control/communication tasks need to be completed in a certain time frame. Security schemes for substation communication have been proposed in the recent literature. However, they must be improved to ensure a full security solution. Recently published IEC 62351 standard aims to fill this gap. Node authentication is vital for substation communication networks based on IEC 61850 to mitigate a variety of attacks such as man-in-the-middle(MITM) attack. This short communication presents a node authentication mechanism based on transport layer security(TLS) with certificates to address this knowledge gap. It also investigates the real-time performance by implementing the proposed scheme with Python.展开更多
Dissimilar to traditional networks, the features of mobile wireless devices that can actively form a network without any infrastructure mean that mobile ad hoc networks frequently display partition due to node mobilit...Dissimilar to traditional networks, the features of mobile wireless devices that can actively form a network without any infrastructure mean that mobile ad hoc networks frequently display partition due to node mobility or link failures. These indicate that an ad hoc network is difficult to provide ou-llne access to a trusted authority server. Therefore, applying traditional Public Key Infrastructure (PKI) security framework to mobile ad hoc networks will cause insecurities. This study proposes a scalable and elastic key management scheme integrated into Cluster Based Secure Routing Protocol (CBSRP) to enhance security and non-repudiation of routing authentication, and introduces an ID-Based internal routing authentication scheme to enhance the routing performance in an internal cluster. Additionally, a method of performing routing authentication between internal and external clusters, as well as inter-cluster routing authentication, is developed. The proposed cluster-based key management scheme distributes trust to an aggregation of cluster heads using a threshold scheme faculty, provides Certificate Authority (CA) with a fault tolerance mechanism to prevent a single point of compromise or failure, and saves CA large repositories from maintaining member certificates, making ad hoc networks robust to malicious behaviors and suitable for numerous mobile devices.展开更多
基金the High Technoeogy Research and Debelopment Program of China
文摘Certificate Authority (CA) is the core of public key infrastructure. However, the traditional structure of CA is either hierarchical or reticular, and none of them is suitable for security require-nients come from the new trend in enterprise cooperation, namely virtual enterprise (VE). In this paper a new idea - virtual certificate authority (VCA), is proposed, as well as its implemen-tation. The goal of VCA is to provide global certificate service over vital enterprise while keeping CA of each participant intact as much as possible. Unlike PEM, PGP, and BCA, by using secret sharing scheme, virtual CA avoids the need for TTP and supports virtual enterprise's feature of dynamical construction and destruction.
基金supported in part by the National Natural Science Foundation Project of China under Grant No.62062009the Guangxi Innovation-Driven Development Project under Grant Nos.AA17204058-17 and AA18118047-7.
文摘Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnessed a significant increase.To ensure secure communication,device identities must undergo authentication.The existing cross-domain authentication schemes face issues such as complex authentication paths and high certificate management costs for devices,making it impractical for resource-constrained devices.This paper proposes a blockchain-based lightweight and efficient cross-domain authentication protocol for smart parks,which simplifies the authentication interaction and requires every device to maintain only one certificate.To enhance cross-domain cooperation flexibility,a comprehensive certificate revocation mechanism is presented,significantly reducing certificate management costs while ensuring efficient and secure identity authentication.When a park needs to revoke access permissions of several cooperative partners,the revocation of numerous cross-domain certificates can be accomplished with a single blockchain write operation.The security analysis and experimental results demonstrate the security and effectiveness of our scheme.
文摘The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the same importance in the application of grid technology. As a critical component of grid security, the secure authen- tication needs to be well studied. In this paper, a two-step mobile agent based(TSMAB) authentication architecture is proposed based on Globus security infrastructure (GSI). By using mobile agent (MA) technology, the TSMAB authentication architecture is composed of the junior-authentication and the senior-authentication. Based on the design and the analysis of TSMAB model, the result shows that the efficiency of grid authentication is improved compared with the GSI authentication.
文摘This paper theoretically analyzes a deficiency of the existing scheme, and proposes a distributed multi-hop certification authority scheme for mobile Ad Hoc networks. In our design, we distribute the certification authority functions through a threshold secret sharing mechanism, in which each node holds a secret share and multiple nodes jointly provide complete services. Certification authority is not limited in a local neighborhood but can be completed within multi-hop location. In addition, we replace broadcast by multicast to improve system performance and reduce communication overhead. This paper resolves some technical problems of ubiquitous certification authority services, and presents a wieldy multi-hop certification authority algorithm. Simulation results confirm the availability and effectiveness of our design.
基金National Natural Science Foundation of China(No.61271152)Natural Science Foundation of Hebei Province,China(No.F2012506008)the Original Innovation Foundation of Ordnance Engineering College,China(No.YSCX0903)
文摘Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed authentication mechanism and an optimal design method for distributed certificate authority( CA)are designed. Compared with some conventional clustering methods for network,the proposed clustering method considers the business information flow of the network and the task of the network nodes,which can decrease the communication spending between the clusters and improve the network efficiency effectively. The identity authentication protocols between the nodes in the same cluster and in different clusters are designed. From the perspective of the security of network and the availability of distributed authentication service,the definition of the secure service success rate of distributed CA is given and it is taken as the aim of the optimal design for distributed CA. The efficiency of providing the distributed certificate service successfully by the distributed CA is taken as the constraint condition of the optimal design for distributed CA. The determination method for the optimal value of the threshold is investigated. The proposed method can provide references for the optimal design for distributed CA.
基金the National Natural Science Foundation of China (60502024)the Electronic Development Fund of Ministry of Informa-tion Industry of China ([2007]329)the Natural Science Foundation of Hubei Province (2005ABA267)
文摘We propose a digital rights management (DRM) system based on mobile agent to protect the copyrights of content providers. In the system, the content provider creates a time limited blackbox out of an original agent and dispatches it to the user end to enforce DRM functions. The blackbox is an agent that can resist the attacks from the malicious user in a certain time interval. Owing to digital rights redistribution support, the user whose rights belong to redistribution category can transfer his rights to other users. Moreover, by introducing public key infrastructure (PKI) and certificate authority (CA) role, the security of the session can be ensured. An analysis of system security and performance and a comparison with traditional DRM system is given.
基金Internation al S&T Cooperation Project from National Ministry of Science and Technology(2006D FA73180)Research Fund for the Doc toral Program of Higher Education of China (20060497005).
文摘A new buyer-seller watermarking protocol is proposed by applying a double encryption method and a novel mechanism of embedding a buyer's watermark. The protocol can effectively prevent against collusion attacks and the man in the middle attack if the third party is not trusted. Also, based on the proposed scheme for the first-hand transaction, a new buyer-reseller watermarking protocol and a formal multi-party watermarking protocol are also proposed. The proposed buyer-resell watermarking protocol only needs the original seller to provide transfer certificate and encryption-decryption service to support the second-hand transaction, and the multi-party watermarking protocol with distributed certificate authorities can overcome the difficulty in the combination of multicast mechanism with multiple unique watermarks and allow a seller to multicast the watermarked digital contents and key transaction information to n buyers. Furthermore, the idea of zero knowledge proof is also applied into the proposed scheme to allow the seller to take an effective control on the task performed by the third party.
基金Supported by the National Natural Science Foundation of China (60273268)the Key Project of Ministry of Education, China (208139)
文摘A new sanitizable signature scheme is proposed, in which the security flaw of Miyazaki's sanitizable signature scheme SUMI-4 is improved. The new scheme overcomes the shortcomings of the original scheme SUM1-4 by using sanitizable authorization certificates. The new scheme enables the primitive signer to limit the sanitizer's power and still satisfies the security request of sanitizable signature.
文摘Advanced connectivity in substations brings along cybersecurity considerations. Especially, the use of standardized data objects and message structures stipulated by IEC 61850 makes them much more vulnerable to unauthorized access and manipulation. In order to tackle these vulnerabilities, different methods are investigated by researchers all over the world. An important aspect of such efforts is the real-time performance consideration since power systems are bound by the rules of physics and all control/communication tasks need to be completed in a certain time frame. Security schemes for substation communication have been proposed in the recent literature. However, they must be improved to ensure a full security solution. Recently published IEC 62351 standard aims to fill this gap. Node authentication is vital for substation communication networks based on IEC 61850 to mitigate a variety of attacks such as man-in-the-middle(MITM) attack. This short communication presents a node authentication mechanism based on transport layer security(TLS) with certificates to address this knowledge gap. It also investigates the real-time performance by implementing the proposed scheme with Python.
文摘Dissimilar to traditional networks, the features of mobile wireless devices that can actively form a network without any infrastructure mean that mobile ad hoc networks frequently display partition due to node mobility or link failures. These indicate that an ad hoc network is difficult to provide ou-llne access to a trusted authority server. Therefore, applying traditional Public Key Infrastructure (PKI) security framework to mobile ad hoc networks will cause insecurities. This study proposes a scalable and elastic key management scheme integrated into Cluster Based Secure Routing Protocol (CBSRP) to enhance security and non-repudiation of routing authentication, and introduces an ID-Based internal routing authentication scheme to enhance the routing performance in an internal cluster. Additionally, a method of performing routing authentication between internal and external clusters, as well as inter-cluster routing authentication, is developed. The proposed cluster-based key management scheme distributes trust to an aggregation of cluster heads using a threshold scheme faculty, provides Certificate Authority (CA) with a fault tolerance mechanism to prevent a single point of compromise or failure, and saves CA large repositories from maintaining member certificates, making ad hoc networks robust to malicious behaviors and suitable for numerous mobile devices.