Remote Access Communications Security: Analysis of User Authentication Roles in Organizations

Remote access is a means of accessing resources outside one’s immediate physical location. This has made employee mobility more effective and productive for most organizations. Remote access can be achieved via various channels of remote communication, the most common being Virtual Private Networks (VPNs). The demand for remote access is on the rise, especially during the Covid-19 pandemic, and will continue to increase as most organizations are re-structuring to make telecommuting a permanent part of their mode of operation. Employee mobility, while presenting organizations with some advantages, comes with the associated risk of exposing corporate cyber assets to attackers. The remote user and the remote connectivity technology present some vulnerabilities which can be exploited by any threat agent to violate the confidentiality, integrity and availability (CIA) dimensions of these cyber assets. So, how are users and remote devices authenticated? To what extent is the established connection secured? With employee mobility on the rise, it is necessary to analyze the user authentication role since the mobile employee is not under the monitoring radar of the organization, and the environment from which the mobile employee connects may be vulnerable. In this study, an experiment was setup to ascertain the user authentication roles. The experiment showed the process of 2FA in user authentication and it proved to be an effective means of improving user authentication during remote access. This was depicted via the use of what the user has (mobile phone/soft-token) as a second factor in addition to what the user knows, i.e. password. This authentication method overcomes the security weaknesses inherent in single-factor user authentication via the use of password only. However, the results also showed that though 2FA user authentication ensures security, the remote devices could exhibit further vulnerabilities and pose serious risks to the organization. Thus, a varied implementation was recommended to further enhance the security of remote access communication with regards to the remote user authentication.

High-Capacity Quantum Secure Communication with Authentication Using Einstein-Podolsky-Rosen Pairs

A new protocol for quantum secure communication with authentication is proposed. The proposed protocol has a higher capacity as each EPR pair can carry four classical bits by the XOR operation and an auxiliary photon. Tile security and efficiency are analyzed in detail and the major advantage of this protocol is that it is more efficient without losing security.

Advanced Authentication Mechanisms for Identity and Access Management inCloud Computing

Identity management is based on the creation and management of useridentities for granting access to the cloud resources based on the user attributes.The cloud identity and access management (IAM) grants the authorization tothe end-users to perform different actions on the specified cloud resources. Theauthorizations in the IAM are grouped into roles instead of granting them directlyto the end-users. Due to the multiplicity of cloud locations where data resides anddue to the lack of a centralized user authority for granting or denying cloud userrequests, there must be several security strategies and models to overcome theseissues. Another major concern in IAM services is the excessive or the lack ofaccess level to different users with previously granted authorizations. This paperproposes a comprehensive review of security services and threats. Based on thepresented services and threats, advanced frameworks for IAM that provideauthentication mechanisms in public and private cloud platforms. A threat modelhas been applied to validate the proposed authentication frameworks with different security threats. The proposed models proved high efficiency in protectingcloud platforms from insider attacks, single sign-on failure, brute force attacks,denial of service, user privacy threats, and data privacy threats.

A Privacy Enabled Fast Dynamic Authentication and Authorization for B3G/4G Mobility

Mobile technologies make their headway by offering more flexibility to end-users and improve the productivities. Within the application of ubiquitous access and pervasive communication, security (or privacy) and QoS (Quality of Service) are two critical factors during global mobility, so how to get a smooth and fast handover based on a user privacy protected infrastructure is our focus. Based on a user-centric vir-tual identity defined by EU IST project Daidalos, this paper firstly proposes an effective infrastructure which protects the context-driven access policies for online services in order to avoid attacks by malicious eaves-droppers. In the proposed infrastructure, SMAL and Diameter are used to securely protect and deliver au-thenticated and authorized entities and XACML is used to authorize the user-level privacy policy. On the basis of it, a dynamic fast authentication and authorization handover mechanism is proposed which can save one trip communication time consummation between administrative domains.

Spring Security中设计模式的运用浅析

Spring Security作为Web开发中十分重要的安全框架之一,常被用于Web应用的认证和授权。为了进一步了解SpringSecurity框架的设计和实现,加深对常见设计模式的理解,文章详细介绍了SpringSecurity框架中策略模式、代理模式、适配器模式、责任链模式、模板方法模式的运用,对上述设计模式的概念、基本原理、作用等进行描述,分析SpringSecurity中关键类库在设计模式中承担的作用及执行流程,为开发人员提供一定的学习参考。

Ubiquitous Computing Identity Authentication Mechanism Based on D-S Evidence Theory and Extended SPKI/SDSI

Ubiquitous computing systems typically have lots of security problems in the area of identity authentication by means of classical PKI methods. The limited computing resources, the disconnection network, the classification requirements of identity authentication, the requirement of trust transfer and cross identity authentication, the bi-directional identity authentication, the security delegation and the simple privacy protection etc are all these unsolved problems. In this paper, a new novel ubiquitous computing identity authentication mechanism, named UCIAMdess, is presented. It is based on D-S Evidence Theory and extended SPKI/SDSI. D-S Evidence Theory is used in UCIAMdess to compute the trust value from the ubiquitous computing environment to the principal or between the different ubiquitous computing environments. SPKI-based authorization is expanded by adding the trust certificate in UCIAMdess to solve above problems in the ubiquitous computing environments. The identity authentication mechanism and the algorithm of certificate reduction are given in the paper to solve the multi-levels trust-correlative identity authentication problems. The performance analyses show that UCIAMdess is a suitable security mechanism in solving the complex ubiquitous computing problems.

Recent Developments in Authentication Schemes Used in Machine-Type Communication Devices in Machine-to-Machine Communication: Issues and Challenges

Machine-to-machine (M2M) communication plays a fundamental role in autonomous IoT (Internet of Things)-based infrastructure, a vital part of the fourth industrial revolution. Machine-type communication devices(MTCDs) regularly share extensive data without human intervention while making all types of decisions. Thesedecisions may involve controlling sensitive ventilation systems maintaining uniform temperature, live heartbeatmonitoring, and several different alert systems. Many of these devices simultaneously share data to form anautomated system. The data shared between machine-type communication devices (MTCDs) is prone to risk dueto limited computational power, internal memory, and energy capacity. Therefore, securing the data and devicesbecomes challenging due to factors such as dynamic operational environments, remoteness, harsh conditions,and areas where human physical access is difficult. One of the crucial parts of securing MTCDs and data isauthentication, where each devicemust be verified before data transmission. SeveralM2Mauthentication schemeshave been proposed in the literature, however, the literature lacks a comprehensive overview of current M2Mauthentication techniques and the challenges associated with them. To utilize a suitable authentication schemefor specific scenarios, it is important to understand the challenges associated with it. Therefore, this article fillsthis gap by reviewing the state-of-the-art research on authentication schemes in MTCDs specifically concerningapplication categories, security provisions, and performance efficiency.

Spring Security构建灵活的企业级安全应用

Spring Security 2.x随着对Acegi 1.x的改进，以其配置的灵活性受到企业级开发应用者的青睐。Acegi 1.x也正式命名为Spring Security，成为目前现有的最好的企业级web安全解决方案。本文主要介绍Spring Security 2.x的验证（Authentication）和授权（Authorization）的概论、核心拦截器、配置文件以及如何针对具体的企业级应用部署Spring Security。

A survey of edge computing-based designs for IoT security

Pervasive IoT applications enable us to perceive,analyze,control,and optimize the traditional physical systems.Recently,security breaches in many IoT applications have indicated that IoT applications may put the physical systems at risk.Severe resource constraints and insufficient security design are two major causes of many security problems in IoT applications.As an extension of the cloud,the emerging edge computing with rich resources provides us a new venue to design and deploy novel security solutions for IoT applications.Although there are some research efforts in this area,edge-based security designs for IoT applications are still in its infancy.This paper aims to present a comprehensive survey of existing IoT security solutions at the edge layer as well as to inspire more edge-based IoT security designs.We first present an edge-centric IoT architecture.Then,we extensively review the edge-based IoT security research efforts in the context of security architecture designs,firewalls,intrusion detection systems,authentication and authorization protocols,and privacy-preserving mechanisms.Finally,we propose our insight into future research directions and open research issues.

Security Considerations Based on PKI/CA in Manufacturing Grid

In the manufacturing grid environment, the span of the consideration of security issues is more extensive, and the solutions for them are more complex, therefore these problems in manufacturing grid can＇t longer be addressed by existing security technologies. In order to solve this problem, the paper first puts forward the security architecture of manufacturing grid on the basis of the proposal of the security strategies for manufacturing grid; then the paper introduces key technologies based on public key infrastructure-certificate authority （PKI/CA） to ensure the security of manufacturing grid, such as single sign-on, security proxy, independent authentication and so on. Schemes discussed in the paper have some values to settle security problems in the manufacturing grid environment.

Spring Security构建灵活的企业级安全应用

SpringSecurity2．x随着对Acegil．x的改进，以其配置的灵活性受到企业级开发应用者的青睐。Acegi 1．x也正式命名为Spring Security，成为目前现有的最好的企业级web安全解决方案。本文主要介绍SpringSecurity2．x的验证（Authentication）和授权（Authorization）的概论、核心拦截器、配置文件以及如何针对具体的企业级应用部署SpringSecurity。

Corporate Intranet Security: Packet-Level Protocols for Preventing Leakage of Sensitive Information and Assuring Authorized Network Traffic

Securing large corporate communication networks has become an increasingly difficult task. Sensitive information routinely leaves the company network boundaries and falls into the hands of unauthorized users. New techniques are required in order to classify packets based on user identity in addition to the traditional source and destination host addresses. This paper introduces Gaussian cryptographic techniques and protocols to assist network administrators in the complex task of identifying the originators of data packets on a network and more easily policing their behavior. The paper provides numerical examples that illustrate certain basic ideas.

Spring Security的Web资源保护功能研究与扩展

针对开源安全框架Spring Security的Web资源保护功能进行研究,分析框架的认证和授权两个主要过程,指出了框架对于用户和Web资源的授权信息外化存储这一关键企业级安全特性支持上的不足,进而对此进行了扩展。借助于Spring容器的依赖注入特性和安全框架的扩展性,结合数据库存储授权信息,本文设计了一个基于Spring Security的用户与Web资源授权信息动态存储方案,并给出了关键的程序代码。

A Hybrid and Lightweight Device-to-Server Authentication Technique for the Internet of Things

The Internet of Things(IoT)is a smart networking infrastructure of physical devices,i.e.,things,that are embedded with sensors,actuators,software,and other technologies,to connect and share data with the respective server module.Although IoTs are cornerstones in different application domains,the device’s authenticity,i.e.,of server(s)and ordinary devices,is the most crucial issue and must be resolved on a priority basis.Therefore,various field-proven methodologies were presented to streamline the verification process of the communicating devices;however,location-aware authentication has not been reported as per our knowledge,which is a crucial metric,especially in scenarios where devices are mobile.This paper presents a lightweight and location-aware device-to-server authentication technique where the device’s membership with the nearest server is subjected to its location information along with other measures.Initially,Media Access Control(MAC)address and Advance Encryption Scheme(AES)along with a secret shared key,i.e.,λ_(i) of 128 bits,have been utilized by Trusted Authority(TA)to generate MaskIDs,which are used instead of the original ID,for every device,i.e.,server and member,and are shared in the offline phase.Secondly,TA shares a list of authentic devices,i.e.,server S_(j) and members C_(i),with every device in the IoT for the onward verification process,which is required to be executed before the initialization of the actual communication process.Additionally,every device should be located such that it lies within the coverage area of a server,and this location information is used in the authentication process.A thorough analytical analysis was carried out to check the susceptibility of the proposed and existing authentication approaches against well-known intruder attacks,i.e.,man-in-the-middle,masquerading,device,and server impersonations,etc.,especially in the IoT domain.Moreover,proposed authentication and existing state-of-the-art approaches have been simulated in the real environment of IoT to verify their performance,particularly in terms of various evaluation metrics,i.e.,processing,communication,and storage overheads.These results have verified the superiority of the proposed scheme against existing state-of-the-art approaches,preferably in terms of communication,storage,and processing costs.

An efficient deterministic secure quantum communication scheme based on cluster states and identity authentication

A novel efficient deterministic secure quantum communication scheme based on four-qubit cluster states and single-photon identity authentication is proposed. In this scheme, the two authenticated users can transmit two bits of classical information per cluster state, and its efficiency of the quantum communication is 1/3, which is approximately 1.67 times that of the previous protocol presented by Wang et al [Chin. Phys. Lett. 23 （2006） 2658]. Security analysis shows the present scheme is secure against intercept-resend attack and the impersonator＇s attack. Furthermore, it is more economic with present-day techniques and easily processed by a one-way quantum computer.

An efficient quantum secure direct communication scheme with authentication

In this paper an efficient quantum secure direct communication （QSDC） scheme with authentication is presented, which is based on quantum entanglement and polarized single photons. The present protocol uses Einstein-Podolsky-Rosen （EPR） pairs and polarized single photons in batches. A particle of the EPR pairs is retained in the sender＇s station, and the other is transmitted forth and back between the sender and the receiver, similar to the‘ping-pong＇ QSDC protocol. According to the shared information beforehand, these two kinds of quantum states are mixed and then transmitted via a quantum channel. The EPR pairs are used to transmit secret messages and the polarized single photons used for authentication and eavesdropping check. Consequently, because of the dual contributions of the polarized single photons, no classical information is needed. The intrinsic efficiency and total efficiency are both 1 in this scheme as almost all of the instances are useful and each EPR pair can be used to carry two bits of information.

A Provably Secure and PUF-Based Authentication Key Agreement Scheme for Cloud-Edge IoT

With the exponential growth of intelligent Internet of Things(IoT)applications,Cloud-Edge(CE)paradigm is emerging as a solution that facilitates resource-efficient and timely services.However,it remains an underlying issue that frequent end-edgecloud communication is over a public or adversarycontrolled channel.Additionally,with the presence of resource-constrained devices,it’s imperative to conduct the secure communication mechanism,while still guaranteeing efficiency.Physical unclonable functions(PUF)emerge as promising lightweight security primitives.Thus,we first construct a PUF-based security mechanism for vulnerable IoT devices.Further,a provably secure and PUF-based authentication key agreement scheme is proposed for establishing the secure channel in end-edge-cloud empowered IoT,without requiring pre-loaded master keys.The security of our scheme is rigorously proven through formal security analysis under the random oracle model,and security verification using AVISPA tool.The comprehensive security features are also elaborated.Moreover,the numerical results demonstrate that the proposed scheme outperforms existing related schemes in terms of computational and communication efficiency.

Robust quantum secure direct communication and authentication protocol against decoherence noise based on six-qubit DF state

By using six-qubit decoherence-free （DF） states as quantum carriers and decoy states, a robust quantum secure direct communication and authentication （QSDCA） protocol against decoherence noise is proposed. Four six-qubit DF states are used in the process of secret transmission, however only the ｜0＇〉 state is prepared. The other three six-qubit DF states can be obtained by permuting the outputs of the setup for ｜0＇〉. By using the ｜0＇〉 state as the decoy state, the detection rate and the qubit error rate reach 81.3%, and they will not change with the noise level. The stability and security are much higher than those of the ping-pong protocol both in an ideal scenario and a decoherence noise scenario. Even if the eavesdropper measures several qubits, exploiting the coherent relationship between these qubits, she can gain one bit of secret information with probability 0.042.

Chaotic Map-Based Authentication and Key Agreement Protocol with Low-Latency for Metasystem

With the rapid advancement in exploring perceptual interactions and digital twins,metaverse technology has emerged to transcend the constraints of space-time and reality,facilitating remote AI-based collaboration.In this dynamic metasystem environment,frequent information exchanges necessitate robust security measures,with Authentication and Key Agreement(AKA)serving as the primary line of defense to ensure communication security.However,traditional AKA protocols fall short in meeting the low-latency requirements essential for synchronous interactions within the metaverse.To address this challenge and enable nearly latency-free interactions,a novel low-latency AKA protocol based on chaotic maps is proposed.This protocol not only ensures mutual authentication of entities within the metasystem but also generates secure session keys.The security of these session keys is rigorously validated through formal proofs,formal verification,and informal proofs.When confronted with the Dolev-Yao(DY)threat model,the session keys are formally demonstrated to be secure under the Real-or-Random(ROR)model.The proposed protocol is further validated through simulations conducted using VMware workstation compiled in HLPSL language and C language.The simulation results affirm the protocol’s effectiveness in resisting well-known attacks while achieving the desired low latency for optimal metaverse interactions.

Quantum Secure Direct Communication Protocol with Mutual Authentication Based on Single Photons and Bell States

Quantum secure direct communication(QSDC)can transmit secret messages directly from one user to another without first establishing a shared secret key,which is different from quantum key distribution.In this paper,we propose a novel quantum secure direct communication protocol based on signal photons and Bell states.Before the execution of the proposed protocol,two participants Alice and Bob exchange their corresponding identity IDA and IDB through quantum key distribution and keep them secret,respectively.Then the message sender,Alice,encodes each secret message bit into two single photons(|01>or|10>)or a Bell state(1|φ^(+)>=1/√2(|0>|-|1>1>)),and composes an ordered secret message sequence.To insure the security of communication,Alice also prepares the decoy photons and inserts them into secret message sequence on the basis of the values of IDA and IDB.By the secret identity IDA and IDB,both sides of the communication can check eavesdropping and identify each other.The proposed protocol not only completes secure direct communication,but also realizes the mutual authentication.The security analysis of the proposed protocol is presented in the paper.The analysis results show that this protocol is secure against some common attacks,and no secret message leaks even if the messages are broken.Compared with the two-way QSDC protocols,the presented protocol is a one-way quantum communication protocol which has the immunity to Trojan horse attack.Furthermore,our proposed protocol can be realized without quantum memory.