The Industrial Internet of Things(IIoT)consists of massive devices in different management domains,and the lack of trust among cross-domain entities leads to risks of data security and privacy leakage during informati...The Industrial Internet of Things(IIoT)consists of massive devices in different management domains,and the lack of trust among cross-domain entities leads to risks of data security and privacy leakage during information exchange.To address the above challenges,a viable solution that combines Certificateless Public Key Cryptography(CL-PKC)with blockchain technology can be utilized.However,as many existing schemes rely on a single Key Generation Center(KGC),they are prone to problems such as single points of failure and high computational overhead.In this case,this paper proposes a novel blockchain-based certificateless cross-domain authentication scheme,that integrates the threshold secret sharing mechanism without a trusted center,meanwhile,adopts blockchain technology to enable cross-domain entities to authenticate with each other and to negotiate session keys securely.This scheme also supports the dynamic joining and removing of multiple KGCs,ensuring secure and efficient cross-domain authentication and key negotiation.Comparative analysiswith other protocols demonstrates that the proposed cross-domain authentication protocol can achieve high security with relatively lowcomputational overhead.Moreover,this paper evaluates the scheme based on Hyperledger Fabric blockchain environment and simulates the performance of the certificateless scheme under different threshold parameters,and the simulation results show that the scheme has high performance.展开更多
The Internet of Vehicles(IoV)is extensively deployed in outdoor and open environments to effectively address traffic efficiency and safety issues by connecting vehicles to the network.However,due to the open and varia...The Internet of Vehicles(IoV)is extensively deployed in outdoor and open environments to effectively address traffic efficiency and safety issues by connecting vehicles to the network.However,due to the open and variable nature of its network topology,vehicles frequently engage in cross-domain interactions.During such processes,directly uploading sensitive information to roadside units for interaction may expose it to malicious tampering or interception by attackers,thus compromising the security of the cross-domain authentication process.Additionally,IoV imposes high real-time requirements,and existing cross-domain authentication schemes for IoV often encounter efficiency issues.To mitigate these challenges,we propose CAIoV,a blockchain-based efficient cross-domain authentication scheme for IoV.This scheme comprehensively integrates technologies such as zero-knowledge proofs,smart contracts,and Merkle hash tree structures.It divides the cross-domain process into anonymous cross-domain authentication and safe cross-domain authentication phases to ensure efficiency while maintaining a balance between efficiency and security.Finally,we evaluate the performance of CAIoV.Experimental results demonstrate that our proposed scheme reduces computational overhead by approximately 20%,communication overhead by around 10%,and storage overhead by nearly 30%.展开更多
Due to the rapid advancements in network technology,blockchain is being employed for distributed data storage.In the Internet of Things(IoT)scenario,different participants manage multiple blockchains located in differ...Due to the rapid advancements in network technology,blockchain is being employed for distributed data storage.In the Internet of Things(IoT)scenario,different participants manage multiple blockchains located in different trust domains,which has resulted in the extensive development of cross-domain authentication techniques.However,the emergence of many attackers equipped with quantum computers has the potential to launch quantum computing attacks against cross-domain authentication schemes based on traditional cryptography,posing a significant security threat.In response to the aforementioned challenges,our paper demonstrates a post-quantum cross-domain identity authentication scheme to negotiate the session key used in the cross-chain asset exchange process.Firstly,our paper designs the hiding and recovery process of user identity index based on lattice cryptography and introduces the identity-based signature from lattice to construct a post-quantum cross-domain authentication scheme.Secondly,our paper utilizes the hashed time-locked contract to achieves the cross-chain asset exchange of blockchain nodes in different trust domains.Furthermore,the security analysis reduces the security of the identity index and signature to Learning With Errors(LWE)and Short Integer Solution(SIS)assumption,respectively,indicating that our scheme has post-quantum security.Last but not least,through comparison analysis,we display that our scheme is efficient compared with the cross-domain authentication scheme based on traditional cryptography.展开更多
System-wide information management(SWIM)is a complex distributed information transfer and sharing system for the next generation of Air Transportation System(ATS).In response to the growing volume of civil aviation ai...System-wide information management(SWIM)is a complex distributed information transfer and sharing system for the next generation of Air Transportation System(ATS).In response to the growing volume of civil aviation air operations,users accessing different authentication domains in the SWIM system have problems with the validity,security,and privacy of SWIM-shared data.In order to solve these problems,this paper proposes a SWIM crossdomain authentication scheme based on a consistent hashing algorithm on consortium blockchain and designs a blockchain certificate format for SWIM cross-domain authentication.The scheme uses a consistent hash algorithm with virtual nodes in combination with a cluster of authentication centers in the SWIM consortium blockchain architecture to synchronize the user’s authentication mapping relationships between authentication domains.The virtual authentication nodes are mapped separately using different services provided by SWIM to guarantee the partitioning of the consistent hash ring on the consortium blockchain.According to the dynamic change of user’s authentication requests,the nodes of virtual service authentication can be added and deleted to realize the dynamic load balancing of cross-domain authentication of different services.Security analysis shows that this protocol can resist network attacks such as man-in-the-middle attacks,replay attacks,and Sybil attacks.Experiments show that this scheme can reduce the redundant authentication operations of identity information and solve the problems of traditional cross-domain authentication with single-point collapse,difficulty in expansion,and uneven load.At the same time,it has better security of information storage and can realize the cross-domain authentication requirements of SWIM users with low communication costs and system overhead.KEYWORDS System-wide information management(SWIM);consortium blockchain;consistent hash;cross-domain authentication;load balancing.展开更多
Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnesse...Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnessed a significant increase.To ensure secure communication,device identities must undergo authentication.The existing cross-domain authentication schemes face issues such as complex authentication paths and high certificate management costs for devices,making it impractical for resource-constrained devices.This paper proposes a blockchain-based lightweight and efficient cross-domain authentication protocol for smart parks,which simplifies the authentication interaction and requires every device to maintain only one certificate.To enhance cross-domain cooperation flexibility,a comprehensive certificate revocation mechanism is presented,significantly reducing certificate management costs while ensuring efficient and secure identity authentication.When a park needs to revoke access permissions of several cooperative partners,the revocation of numerous cross-domain certificates can be accomplished with a single blockchain write operation.The security analysis and experimental results demonstrate the security and effectiveness of our scheme.展开更多
Mobile technologies make their headway by offering more flexibility to end-users and improve the productivities. Within the application of ubiquitous access and pervasive communication, security (or privacy) and QoS (...Mobile technologies make their headway by offering more flexibility to end-users and improve the productivities. Within the application of ubiquitous access and pervasive communication, security (or privacy) and QoS (Quality of Service) are two critical factors during global mobility, so how to get a smooth and fast handover based on a user privacy protected infrastructure is our focus. Based on a user-centric vir-tual identity defined by EU IST project Daidalos, this paper firstly proposes an effective infrastructure which protects the context-driven access policies for online services in order to avoid attacks by malicious eaves-droppers. In the proposed infrastructure, SMAL and Diameter are used to securely protect and deliver au-thenticated and authorized entities and XACML is used to authorize the user-level privacy policy. On the basis of it, a dynamic fast authentication and authorization handover mechanism is proposed which can save one trip communication time consummation between administrative domains.展开更多
Standard based Pub/Sub middleware, such as OMG Data Distribution Service (DDS), could assume a key role in supporting computer communications requiring continuous state information updating, deterministic deadline to ...Standard based Pub/Sub middleware, such as OMG Data Distribution Service (DDS), could assume a key role in supporting computer communications requiring continuous state information updating, deterministic deadline to data delivering and real time information adjourning. This kind of capability could be well ex-ploited by Peer-To-Peer (P2P) systems, Internet-wide as long as private ones, like in Public Safety or Civil Protection Communication Systems;but Pub/Sub specifications, and DDS/RTPS (Real Time Publish Sub-scribe) as well, usually do not provide Authentication & Authorization (AA) mechanisms. In the present work two important novelties are assessed: a possible scheme to implement AA in DDS/RTPS networks and a time performance evaluation study about embedded Authentication in RTPS.展开更多
The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the...The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the same importance in the application of grid technology. As a critical component of grid security, the secure authen- tication needs to be well studied. In this paper, a two-step mobile agent based(TSMAB) authentication architecture is proposed based on Globus security infrastructure (GSI). By using mobile agent (MA) technology, the TSMAB authentication architecture is composed of the junior-authentication and the senior-authentication. Based on the design and the analysis of TSMAB model, the result shows that the efficiency of grid authentication is improved compared with the GSI authentication.展开更多
Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed ...Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed authentication mechanism and an optimal design method for distributed certificate authority( CA)are designed. Compared with some conventional clustering methods for network,the proposed clustering method considers the business information flow of the network and the task of the network nodes,which can decrease the communication spending between the clusters and improve the network efficiency effectively. The identity authentication protocols between the nodes in the same cluster and in different clusters are designed. From the perspective of the security of network and the availability of distributed authentication service,the definition of the secure service success rate of distributed CA is given and it is taken as the aim of the optimal design for distributed CA. The efficiency of providing the distributed certificate service successfully by the distributed CA is taken as the constraint condition of the optimal design for distributed CA. The determination method for the optimal value of the threshold is investigated. The proposed method can provide references for the optimal design for distributed CA.展开更多
With the rising popularity of the Internet and the development of big data technology,an increasing number of organizations are opting to cooperate across domains to maximize their benefits.Most organizations use publ...With the rising popularity of the Internet and the development of big data technology,an increasing number of organizations are opting to cooperate across domains to maximize their benefits.Most organizations use public key infrastructure to ensure security in accessing their data and applications.However,with the continuous development of identity-based encryption(IBE)technology,small-and medium-sized enterprises are increasingly using IBE to deploy internal authentication systems.To solve the problems that arise when crossing heterogeneous authentication domains and to guarantee the security of the certification process,we propose using blockchain technology to establish a reliable cross-domain authentication scheme.Using the distributed and tamper-resistant characteristics of the blockchain,we design a cross-domain authentication model based on blockchain to guarantee the security of the heterogeneous authentication process and present a cross-domain authentication protocol based on blockchain.This model does not change the internal trust structure of each authentication domain and is highly scalable.Furthermore,on the premise of ensuring security,the process of verifying the signature of the root certificate in the traditional cross-domain authentication protocol is improved to verify the hash value of the root certificate,thereby improving the authentication efficiency.The developed prototype exhibits generality and simplicity compared to previous methods.展开更多
随着网络信息技术的快速发展,身份认证的应用范围也在不断扩大。其中,JWT(JSON Web Token)作为基于Token的身份认证技术,被广泛应用于Web应用程序和API领域,以实现简单、可靠的身份验证和安全通信。然而,开发人员对于JWT标准和技术细节...随着网络信息技术的快速发展,身份认证的应用范围也在不断扩大。其中,JWT(JSON Web Token)作为基于Token的身份认证技术,被广泛应用于Web应用程序和API领域,以实现简单、可靠的身份验证和安全通信。然而,开发人员对于JWT标准和技术细节理解不够深入,导致该技术在实践中经常出现各种安全漏洞。文中分析了近年来出现的有关JWT技术的安全问题,包括“none”算法绕过、敏感信息泄露、算法混淆攻击和密钥穷举攻击等,并针对这些问题提出了一种基于国密SM9的JWT强身份认证方案。该方案使用SM9公钥密码算法对JWT进行签名和验证,结合基于时间戳和随机数的验证机制,以提高算法的安全性和可靠性。最后对该方案进行安全性分析,结果表明该方案实现方法相对简单,能够有效地防御各种常见的JWT安全漏洞,同时具有良好的安全性和易用性,为JWT技术的安全应用提供了一种高效可靠的解决方法。展开更多
First,we propose a cross-domain authentication architecture based on trust evaluation mechanism,including registration,certificate issuance,and cross-domain authentication processes.A direct trust evaluation mechanism...First,we propose a cross-domain authentication architecture based on trust evaluation mechanism,including registration,certificate issuance,and cross-domain authentication processes.A direct trust evaluation mechanism based on the time decay factor is proposed,taking into account the influence of historical interaction records.We weight the time attenuation factor to each historical interaction record for updating and got the new historical record data.We refer to the beta distribution to enhance the flexibility and adaptability of the direct trust assessment model to better capture time trends in the historical record.Then we propose an autoencoder-based trust clustering algorithm.We perform feature extraction based on autoencoders.Kullback leibler(KL)divergence is used to calculate the reconstruction error.When constructing a convolutional autoencoder,we introduce convolutional neural networks to improve training efficiency and introduce sparse constraints into the hidden layer of the autoencoder.The sparse penalty term in the loss function measures the difference through the KL divergence.Trust clustering is performed based on the density based spatial clustering of applications with noise(DBSCAN)clustering algorithm.During the clustering process,edge nodes have a variety of trustworthy attribute characteristics.We assign different attribute weights according to the relative importance of each attribute in the clustering process,and a larger weight means that the attribute occupies a greater weight in the calculation of distance.Finally,we introduced adaptive weights to calculate comprehensive trust evaluation.Simulation experiments prove that our trust evaluation mechanism has excellent reliability and accuracy.展开更多
In vehicular ad hoc networks(VANET),the cross-domain identity authentication of users is very important for the development of VANET due to the large cross-domain mobility of vehicle users.The Public Key Infrastructur...In vehicular ad hoc networks(VANET),the cross-domain identity authentication of users is very important for the development of VANET due to the large cross-domain mobility of vehicle users.The Public Key Infrastructure(PKI)system is often used to solve the identity authentication and security trust problems faced by VANET.However,the PKI system has challenges such as too centralized Authority of Certification Authority(CA),frequent cross-domain access to certificate interactions and high authentication volume,leading to high certificate management costs,complex cross-domain authentication paths,easy privacy leakage,and overburdened networks.To address these problems,this paper proposes a lightweight blockchain-based PKI identity management and authentication architecture that uses smart contracts to reduce the heavy burden caused by CAs directly managing the life cycle of digital certificates.On this basis,a trust chain based on smart contracts is designed to replace the traditional CA trust chain to meet the general cross-domain requirements,to effectively avoid the communication pressure caused by a mass of certificate transmissions.For the cross-domain scenario with higher privacy and security requirements the identity attribute authentication service is provided directly while protecting privacy by using the Merkle tree to anchor identity attribute data on and off the blockchain chain.Finally,the proposed scheme was comprehensively analyzed in terms of cost,time consumption and security.展开更多
In the relentless quest for digital sovereignty, organizations face an unprecedented challenge in safeguarding sensitive information, protecting against cyber threats, and maintaining regulatory compliance. This manus...In the relentless quest for digital sovereignty, organizations face an unprecedented challenge in safeguarding sensitive information, protecting against cyber threats, and maintaining regulatory compliance. This manuscript unveils a revolutionary blueprint for cyber resilience, empowering organizations to transcend the limitations of traditional cybersecurity paradigms and forge ahead into uncharted territories of data security excellence and frictionless secrets management experience. Enter a new era of cybersecurity innovation and continued excellence. By seamlessly integrating secrets based on logical environments and applications (assets), dynamic secrets management orchestrates and automates the secrets lifecycle management with other platform cohesive integrations. Enterprises can enhance security, streamline operations, fasten development practices, avoid secrets sprawl, and improve overall compliance and DevSecOps practice. This enables the enterprises to enhance security, streamline operations, fasten development & deployment practices, avoid secrets spawls, and improve overall volume in shipping software with paved-road DevSecOps Practices, and improve developers’ productivity. By seamlessly integrating secrets based on logical environments and applications (assets), dynamic secrets management orchestrates and automates the application secrets lifecycle with other platform cohesive integrations. Organizations can enhance security, streamline operations, fasten development & deployment practices, avoid secrets sprawl, and improve overall volume in shipping software with paved-road DevSecOps practices. Most importantly, increases developer productivity.展开更多
基金supported in part by the Fundamental Research Funds for the Central Universities(Nos.3282024052,3282024058)the“Advanced and Sophisticated”Discipline Construction Project of Universities in Beijing(No.20210013Z0401).
文摘The Industrial Internet of Things(IIoT)consists of massive devices in different management domains,and the lack of trust among cross-domain entities leads to risks of data security and privacy leakage during information exchange.To address the above challenges,a viable solution that combines Certificateless Public Key Cryptography(CL-PKC)with blockchain technology can be utilized.However,as many existing schemes rely on a single Key Generation Center(KGC),they are prone to problems such as single points of failure and high computational overhead.In this case,this paper proposes a novel blockchain-based certificateless cross-domain authentication scheme,that integrates the threshold secret sharing mechanism without a trusted center,meanwhile,adopts blockchain technology to enable cross-domain entities to authenticate with each other and to negotiate session keys securely.This scheme also supports the dynamic joining and removing of multiple KGCs,ensuring secure and efficient cross-domain authentication and key negotiation.Comparative analysiswith other protocols demonstrates that the proposed cross-domain authentication protocol can achieve high security with relatively lowcomputational overhead.Moreover,this paper evaluates the scheme based on Hyperledger Fabric blockchain environment and simulates the performance of the certificateless scheme under different threshold parameters,and the simulation results show that the scheme has high performance.
基金supported by the National Natural Science Foundation of China(62362013)the Guangxi Natural Science Foundation(2023GXNSFAA026294).
文摘The Internet of Vehicles(IoV)is extensively deployed in outdoor and open environments to effectively address traffic efficiency and safety issues by connecting vehicles to the network.However,due to the open and variable nature of its network topology,vehicles frequently engage in cross-domain interactions.During such processes,directly uploading sensitive information to roadside units for interaction may expose it to malicious tampering or interception by attackers,thus compromising the security of the cross-domain authentication process.Additionally,IoV imposes high real-time requirements,and existing cross-domain authentication schemes for IoV often encounter efficiency issues.To mitigate these challenges,we propose CAIoV,a blockchain-based efficient cross-domain authentication scheme for IoV.This scheme comprehensively integrates technologies such as zero-knowledge proofs,smart contracts,and Merkle hash tree structures.It divides the cross-domain process into anonymous cross-domain authentication and safe cross-domain authentication phases to ensure efficiency while maintaining a balance between efficiency and security.Finally,we evaluate the performance of CAIoV.Experimental results demonstrate that our proposed scheme reduces computational overhead by approximately 20%,communication overhead by around 10%,and storage overhead by nearly 30%.
基金This work was supported by the Defense Industrial Technology Development Program(Grant No.JCKY2021208B036).
文摘Due to the rapid advancements in network technology,blockchain is being employed for distributed data storage.In the Internet of Things(IoT)scenario,different participants manage multiple blockchains located in different trust domains,which has resulted in the extensive development of cross-domain authentication techniques.However,the emergence of many attackers equipped with quantum computers has the potential to launch quantum computing attacks against cross-domain authentication schemes based on traditional cryptography,posing a significant security threat.In response to the aforementioned challenges,our paper demonstrates a post-quantum cross-domain identity authentication scheme to negotiate the session key used in the cross-chain asset exchange process.Firstly,our paper designs the hiding and recovery process of user identity index based on lattice cryptography and introduces the identity-based signature from lattice to construct a post-quantum cross-domain authentication scheme.Secondly,our paper utilizes the hashed time-locked contract to achieves the cross-chain asset exchange of blockchain nodes in different trust domains.Furthermore,the security analysis reduces the security of the identity index and signature to Learning With Errors(LWE)and Short Integer Solution(SIS)assumption,respectively,indicating that our scheme has post-quantum security.Last but not least,through comparison analysis,we display that our scheme is efficient compared with the cross-domain authentication scheme based on traditional cryptography.
基金funded by the National Natural Science Foundation of China(62172418)the Joint Funds of the National Natural Science Foundation of China and the Civil Aviation Administration of China(U2133203)+1 种基金the Education Commission Scientific Research Project of Tianjin China(2022KJ081)the Open Fund of Key Laboratory of Civil Aircraft Airworthiness Technology(SH2021111907).
文摘System-wide information management(SWIM)is a complex distributed information transfer and sharing system for the next generation of Air Transportation System(ATS).In response to the growing volume of civil aviation air operations,users accessing different authentication domains in the SWIM system have problems with the validity,security,and privacy of SWIM-shared data.In order to solve these problems,this paper proposes a SWIM crossdomain authentication scheme based on a consistent hashing algorithm on consortium blockchain and designs a blockchain certificate format for SWIM cross-domain authentication.The scheme uses a consistent hash algorithm with virtual nodes in combination with a cluster of authentication centers in the SWIM consortium blockchain architecture to synchronize the user’s authentication mapping relationships between authentication domains.The virtual authentication nodes are mapped separately using different services provided by SWIM to guarantee the partitioning of the consistent hash ring on the consortium blockchain.According to the dynamic change of user’s authentication requests,the nodes of virtual service authentication can be added and deleted to realize the dynamic load balancing of cross-domain authentication of different services.Security analysis shows that this protocol can resist network attacks such as man-in-the-middle attacks,replay attacks,and Sybil attacks.Experiments show that this scheme can reduce the redundant authentication operations of identity information and solve the problems of traditional cross-domain authentication with single-point collapse,difficulty in expansion,and uneven load.At the same time,it has better security of information storage and can realize the cross-domain authentication requirements of SWIM users with low communication costs and system overhead.KEYWORDS System-wide information management(SWIM);consortium blockchain;consistent hash;cross-domain authentication;load balancing.
基金supported in part by the National Natural Science Foundation Project of China under Grant No.62062009the Guangxi Innovation-Driven Development Project under Grant Nos.AA17204058-17 and AA18118047-7.
文摘Smart parks serve as integral components of smart cities,where they play a pivotal role in the process of urban modernization.The demand for cross-domain cooperation among smart devices from various parks has witnessed a significant increase.To ensure secure communication,device identities must undergo authentication.The existing cross-domain authentication schemes face issues such as complex authentication paths and high certificate management costs for devices,making it impractical for resource-constrained devices.This paper proposes a blockchain-based lightweight and efficient cross-domain authentication protocol for smart parks,which simplifies the authentication interaction and requires every device to maintain only one certificate.To enhance cross-domain cooperation flexibility,a comprehensive certificate revocation mechanism is presented,significantly reducing certificate management costs while ensuring efficient and secure identity authentication.When a park needs to revoke access permissions of several cooperative partners,the revocation of numerous cross-domain certificates can be accomplished with a single blockchain write operation.The security analysis and experimental results demonstrate the security and effectiveness of our scheme.
文摘Mobile technologies make their headway by offering more flexibility to end-users and improve the productivities. Within the application of ubiquitous access and pervasive communication, security (or privacy) and QoS (Quality of Service) are two critical factors during global mobility, so how to get a smooth and fast handover based on a user privacy protected infrastructure is our focus. Based on a user-centric vir-tual identity defined by EU IST project Daidalos, this paper firstly proposes an effective infrastructure which protects the context-driven access policies for online services in order to avoid attacks by malicious eaves-droppers. In the proposed infrastructure, SMAL and Diameter are used to securely protect and deliver au-thenticated and authorized entities and XACML is used to authorize the user-level privacy policy. On the basis of it, a dynamic fast authentication and authorization handover mechanism is proposed which can save one trip communication time consummation between administrative domains.
文摘Standard based Pub/Sub middleware, such as OMG Data Distribution Service (DDS), could assume a key role in supporting computer communications requiring continuous state information updating, deterministic deadline to data delivering and real time information adjourning. This kind of capability could be well ex-ploited by Peer-To-Peer (P2P) systems, Internet-wide as long as private ones, like in Public Safety or Civil Protection Communication Systems;but Pub/Sub specifications, and DDS/RTPS (Real Time Publish Sub-scribe) as well, usually do not provide Authentication & Authorization (AA) mechanisms. In the present work two important novelties are assessed: a possible scheme to implement AA in DDS/RTPS networks and a time performance evaluation study about embedded Authentication in RTPS.
文摘The grid technology is recognized as the next generation of Internet and becomcs the center of recent researches in the computer society. Security is one of the most crucial issues to address in Internet and is of the same importance in the application of grid technology. As a critical component of grid security, the secure authen- tication needs to be well studied. In this paper, a two-step mobile agent based(TSMAB) authentication architecture is proposed based on Globus security infrastructure (GSI). By using mobile agent (MA) technology, the TSMAB authentication architecture is composed of the junior-authentication and the senior-authentication. Based on the design and the analysis of TSMAB model, the result shows that the efficiency of grid authentication is improved compared with the GSI authentication.
基金National Natural Science Foundation of China(No.61271152)Natural Science Foundation of Hebei Province,China(No.F2012506008)the Original Innovation Foundation of Ordnance Engineering College,China(No.YSCX0903)
文摘Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed authentication mechanism and an optimal design method for distributed certificate authority( CA)are designed. Compared with some conventional clustering methods for network,the proposed clustering method considers the business information flow of the network and the task of the network nodes,which can decrease the communication spending between the clusters and improve the network efficiency effectively. The identity authentication protocols between the nodes in the same cluster and in different clusters are designed. From the perspective of the security of network and the availability of distributed authentication service,the definition of the secure service success rate of distributed CA is given and it is taken as the aim of the optimal design for distributed CA. The efficiency of providing the distributed certificate service successfully by the distributed CA is taken as the constraint condition of the optimal design for distributed CA. The determination method for the optimal value of the threshold is investigated. The proposed method can provide references for the optimal design for distributed CA.
基金This work was supported in part by Beijing Municipal Natural Science Foundation(19L2020)Foundation of Science and Technology on Information Assurance Laboratory(614211204031117)Industrial Internet Innovation and Development Project(Typical Application and Promotion Project of the Security Technology for the Electronics Industry)of the Ministry of Industry and Information Technology of China in 2018,Foundation of Shanxi Key Laboratory of Network and System Security(NSSOF1900105).
文摘With the rising popularity of the Internet and the development of big data technology,an increasing number of organizations are opting to cooperate across domains to maximize their benefits.Most organizations use public key infrastructure to ensure security in accessing their data and applications.However,with the continuous development of identity-based encryption(IBE)technology,small-and medium-sized enterprises are increasingly using IBE to deploy internal authentication systems.To solve the problems that arise when crossing heterogeneous authentication domains and to guarantee the security of the certification process,we propose using blockchain technology to establish a reliable cross-domain authentication scheme.Using the distributed and tamper-resistant characteristics of the blockchain,we design a cross-domain authentication model based on blockchain to guarantee the security of the heterogeneous authentication process and present a cross-domain authentication protocol based on blockchain.This model does not change the internal trust structure of each authentication domain and is highly scalable.Furthermore,on the premise of ensuring security,the process of verifying the signature of the root certificate in the traditional cross-domain authentication protocol is improved to verify the hash value of the root certificate,thereby improving the authentication efficiency.The developed prototype exhibits generality and simplicity compared to previous methods.
文摘随着网络信息技术的快速发展,身份认证的应用范围也在不断扩大。其中,JWT(JSON Web Token)作为基于Token的身份认证技术,被广泛应用于Web应用程序和API领域,以实现简单、可靠的身份验证和安全通信。然而,开发人员对于JWT标准和技术细节理解不够深入,导致该技术在实践中经常出现各种安全漏洞。文中分析了近年来出现的有关JWT技术的安全问题,包括“none”算法绕过、敏感信息泄露、算法混淆攻击和密钥穷举攻击等,并针对这些问题提出了一种基于国密SM9的JWT强身份认证方案。该方案使用SM9公钥密码算法对JWT进行签名和验证,结合基于时间戳和随机数的验证机制,以提高算法的安全性和可靠性。最后对该方案进行安全性分析,结果表明该方案实现方法相对简单,能够有效地防御各种常见的JWT安全漏洞,同时具有良好的安全性和易用性,为JWT技术的安全应用提供了一种高效可靠的解决方法。
基金This work is supported by the 2022 National Key Research and Development Plan“Security Protection Technology for Critical Information Infrastructure of Distribution Network”(2022YFB3105100).
文摘First,we propose a cross-domain authentication architecture based on trust evaluation mechanism,including registration,certificate issuance,and cross-domain authentication processes.A direct trust evaluation mechanism based on the time decay factor is proposed,taking into account the influence of historical interaction records.We weight the time attenuation factor to each historical interaction record for updating and got the new historical record data.We refer to the beta distribution to enhance the flexibility and adaptability of the direct trust assessment model to better capture time trends in the historical record.Then we propose an autoencoder-based trust clustering algorithm.We perform feature extraction based on autoencoders.Kullback leibler(KL)divergence is used to calculate the reconstruction error.When constructing a convolutional autoencoder,we introduce convolutional neural networks to improve training efficiency and introduce sparse constraints into the hidden layer of the autoencoder.The sparse penalty term in the loss function measures the difference through the KL divergence.Trust clustering is performed based on the density based spatial clustering of applications with noise(DBSCAN)clustering algorithm.During the clustering process,edge nodes have a variety of trustworthy attribute characteristics.We assign different attribute weights according to the relative importance of each attribute in the clustering process,and a larger weight means that the attribute occupies a greater weight in the calculation of distance.Finally,we introduced adaptive weights to calculate comprehensive trust evaluation.Simulation experiments prove that our trust evaluation mechanism has excellent reliability and accuracy.
基金This work was supported in part by the National Natural Science Foundation of China(61871466).
文摘In vehicular ad hoc networks(VANET),the cross-domain identity authentication of users is very important for the development of VANET due to the large cross-domain mobility of vehicle users.The Public Key Infrastructure(PKI)system is often used to solve the identity authentication and security trust problems faced by VANET.However,the PKI system has challenges such as too centralized Authority of Certification Authority(CA),frequent cross-domain access to certificate interactions and high authentication volume,leading to high certificate management costs,complex cross-domain authentication paths,easy privacy leakage,and overburdened networks.To address these problems,this paper proposes a lightweight blockchain-based PKI identity management and authentication architecture that uses smart contracts to reduce the heavy burden caused by CAs directly managing the life cycle of digital certificates.On this basis,a trust chain based on smart contracts is designed to replace the traditional CA trust chain to meet the general cross-domain requirements,to effectively avoid the communication pressure caused by a mass of certificate transmissions.For the cross-domain scenario with higher privacy and security requirements the identity attribute authentication service is provided directly while protecting privacy by using the Merkle tree to anchor identity attribute data on and off the blockchain chain.Finally,the proposed scheme was comprehensively analyzed in terms of cost,time consumption and security.
文摘In the relentless quest for digital sovereignty, organizations face an unprecedented challenge in safeguarding sensitive information, protecting against cyber threats, and maintaining regulatory compliance. This manuscript unveils a revolutionary blueprint for cyber resilience, empowering organizations to transcend the limitations of traditional cybersecurity paradigms and forge ahead into uncharted territories of data security excellence and frictionless secrets management experience. Enter a new era of cybersecurity innovation and continued excellence. By seamlessly integrating secrets based on logical environments and applications (assets), dynamic secrets management orchestrates and automates the secrets lifecycle management with other platform cohesive integrations. Enterprises can enhance security, streamline operations, fasten development practices, avoid secrets sprawl, and improve overall compliance and DevSecOps practice. This enables the enterprises to enhance security, streamline operations, fasten development & deployment practices, avoid secrets spawls, and improve overall volume in shipping software with paved-road DevSecOps Practices, and improve developers’ productivity. By seamlessly integrating secrets based on logical environments and applications (assets), dynamic secrets management orchestrates and automates the application secrets lifecycle with other platform cohesive integrations. Organizations can enhance security, streamline operations, fasten development & deployment practices, avoid secrets sprawl, and improve overall volume in shipping software with paved-road DevSecOps practices. Most importantly, increases developer productivity.