Research and Practice on High Availability Scheme of Unified Identity Authentication System Based on CAS in Colleges and Universities

Unified identity authentication has become the basic information service provided by colleges and universities for teachers and students. Security, stability, high concurrency and easy maintenance are our requirements for a unified identity authentication system. Based on the practical work experience of China University of Geosciences (Beijing), this paper proposes a high availability scheme of unified identity authentication system based on CAS, which is composed of multiple CAS Servers, Nginx for load balancing, and Redis as a cache database. The scheme has been practiced in China University of Geosciences (Beijing), and the application effect is good, which has practical reference significance for other universities.

Utilizing Certificateless Cryptography for IoT Device Identity Authentication Protocols in Web3

Traditional methods of identity authentication often rely on centralized architectures,which poses risks of computational overload and single points of failure.We propose a protocol that offers a decentralized approach by distributing authentication services to edge authentication gateways and servers,facilitated by blockchain technology,thus aligning with the decentralized ethos of Web3 infrastructure.Additionally,we enhance device security against physical and cloning attacks by integrating physical unclonable functions with certificateless cryptography,bolstering the integrity of Internet of Thins(IoT)devices within the evolving landscape of the metaverse.To achieve dynamic anonymity and ensure privacy within Web3 environments,we employ fuzzy extractor technology,allowing for updates to pseudonymous identity identifiers while maintaining key consistency.The proposed protocol ensures continuous and secure identity authentication for IoT devices in practical applications,effectively addressing the pressing security concerns inherent in IoT network environments and contributing to the development of robust security infrastructure essential for the proliferation of IoT devices across diverse settings.

Identity-Based Edge Computing Anonymous Authentication Protocol

With the development of sensor technology and wireless communication technology,edge computing has a wider range of applications.The privacy protection of edge computing is of great significance.In the edge computing system,in order to ensure the credibility of the source of terminal data,mobile edge computing(MEC)needs to verify the signature of the terminal node on the data.During the signature process,the computing power of edge devices such as wireless terminals can easily become the bottleneck of system performance.Therefore,it is very necessary to improve efficiency through computational offloading.Therefore,this paper proposes an identitybased edge computing anonymous authentication protocol.The protocol realizes mutual authentication and obtains a shared key by encrypting the mutual information.The encryption algorithm is implemented through a thresholded identity-based proxy ring signature.When a large number of terminals offload computing,MEC can set the priority of offloading tasks according to the user’s identity and permissions,thereby improving offloading efficiency.Security analysis shows that the scheme can guarantee the anonymity and unforgeability of signatures.The probability of a malicious node forging a signature is equivalent to cracking the discrete logarithm puzzle.According to the efficiency analysis,in the case of MEC offloading,the computational complexity is significantly reduced,the computing power of edge devices is liberated,and the signature efficiency is improved.

A Post-Quantum Cross-Domain Authentication Scheme Based on Multi-Chain Architecture

Due to the rapid advancements in network technology,blockchain is being employed for distributed data storage.In the Internet of Things(IoT)scenario,different participants manage multiple blockchains located in different trust domains,which has resulted in the extensive development of cross-domain authentication techniques.However,the emergence of many attackers equipped with quantum computers has the potential to launch quantum computing attacks against cross-domain authentication schemes based on traditional cryptography,posing a significant security threat.In response to the aforementioned challenges,our paper demonstrates a post-quantum cross-domain identity authentication scheme to negotiate the session key used in the cross-chain asset exchange process.Firstly,our paper designs the hiding and recovery process of user identity index based on lattice cryptography and introduces the identity-based signature from lattice to construct a post-quantum cross-domain authentication scheme.Secondly,our paper utilizes the hashed time-locked contract to achieves the cross-chain asset exchange of blockchain nodes in different trust domains.Furthermore,the security analysis reduces the security of the identity index and signature to Learning With Errors(LWE)and Short Integer Solution(SIS)assumption,respectively,indicating that our scheme has post-quantum security.Last but not least,through comparison analysis,we display that our scheme is efficient compared with the cross-domain authentication scheme based on traditional cryptography.

An efficient deterministic secure quantum communication scheme based on cluster states and identity authentication

A novel efficient deterministic secure quantum communication scheme based on four-qubit cluster states and single-photon identity authentication is proposed. In this scheme, the two authenticated users can transmit two bits of classical information per cluster state, and its efficiency of the quantum communication is 1/3, which is approximately 1.67 times that of the previous protocol presented by Wang et al [Chin. Phys. Lett. 23 （2006） 2658]. Security analysis shows the present scheme is secure against intercept-resend attack and the impersonator＇s attack. Furthermore, it is more economic with present-day techniques and easily processed by a one-way quantum computer.

Economical multiparty simultaneous quantum identity authentication based on Greenberger-Horne-Zeilinger states

A multiparty simultaneous quantum identity authentication protocol based on Creenberger-Horne-Zeilinger （GHZ） states is proposed. The multi-user can be authenticated by a trusted third party （TTP） simultaneously. Compared with the scheme proposed recently （Wang et al 2006 Chin. Phys. Lett. 23（9） 2360）, the proposed scheme has the advantages of consuming fewer quantum and classical resources and lessening the difficulty and intensity of necessary operations.

Sequence Patterns of Identity Authentication Protocols

From the viewpoint of protocol sequence, analyses are made of the sequence patterns of possible identity authentication protocol under two cases： with or without the trusted third party （TFP）. Ten feasible sequence patterns of authentication protocol with TIP and 5 sequence patterns without TFP are gained. These gained sequence patterns meet the requirements for identity authentication, and basically cover almost all the authentication protocols with TFP and without TFP at present. All of the sequence patterns gained are classified into unilateral or bilateral authentication. Then, according to the sequence symmetry, several good sequence patterns with TFP are evaluated. The accompolished results can provide a reference to design of new identity authentication protocols.

Fine-Grained and Fair Identity Authentication Scheme for Mobile Networks Based on Blockchain

With the popularity of the internet,users hope to better protect their privacy while obtaining network services.However,in the traditional centralized authentication scheme,identity information such as the user's private key is generated,stored,and managed by the network operator.Users can't control their identity information,which will lead to a great threat to the privacy of users.Based on redactable blockchain,we propose a fine-grained and fair identity authentication scheme for mobile networks.In our proposed scheme,the user's identity information is generated and controlled by the users.We first propose a notion of score chameleon hash(SCH),which can delete or update the information of illegal users so as to dynamically update the status of users and provide users with more fine-grained and fair services.We propose another notion of self-updating secret sharing(SUSS),which allows users to update the trapdoor and the corresponding hash key after redacting the blockchain without requiring trusted authority to redistribute the trapdoor.Experimental results show that,compared with the immutable blockchain Bitcoin,the redactable blockchain in our identity authentication scheme provides users with fine-grained and fair redacting functions,and can be adopted with a small additional overhead.

An online identity authentication method for blood smear

Blood smear test is the basic method of blood cytology and is also a standard medical test that can help diagnose various conditions and diseases.Morphological examination is the gold stan-dard to determine pathological changes in blood cell morphology.In the biology and medicine automation trend,blood smears'automated management and analysis is very necessary.An online blood smear automatic microscopic image detection system has been constructed.It includes an online blood smear automatic producing part and a blood smear automatic micro-scopic image detection part.Online identity authentication is at the core of the system.The identifiers printed online always present dot matrix digit code(DMDC)whose stroke is not continuous.Considering the particularities of DMDC and the complexities of online application environment,an online identity authentication method for blood smear with heterological theory is proposed.By synthesizing the certain regional features according to the heterological theory,high identification accuracy and high speed have been guaranteed with few features required.In the experiment,the suficient correct matches bet ween the tube barcode and the identification result verified its feasibility and validity.

A CPK-Based Identity Authentication Scheme for IoT

As the power Internet of Things(IoT)enters the security construction stage,the massive use of perception layer devices urgently requires an identity authentication scheme that considers both security and practicality.The existing public key infrastructure(PKI)-based security authentication scheme is currently difficult to apply in many terminals in IoT.Its key distribution and management costs are high,which hinders the development of power IoT security construction.Combined Public Key(CPK)technology uses a small number of seeds to generate unlimited public keys.It is very suitable for identity authentication in the power Internet of Things.In this paper,we propose a novel identity authentication scheme for power IoT.The scheme combines the physical unclonable function(PUF)with improved CPK technology to achieve mutual identity authentication between power IoT terminals and servers.The proposed scheme does not require third-party authentication and improves the security of identity authentication for power IoT.Moreover,the scheme reduces the resource consumption of power IoT devices.The improved CPK algorithm solves the key collision problem,and the third party only needs to save the private key and the public key matrix.Experimental results show that the amount of storage resources occupied in our scheme is small.The proposed scheme is more suitable for the power IoT.

Identity Authentication Based on Sensors of Smartphone and Neural Networks

The smartphone has become an indispensable electric device for most people since it can assist us in finishing many tasks such as paying and reading. Therefore, the security of smartphones is the most crucial issue to illegal users who cannot access legal users’ privacy information. This paper studies identity authentication using user action. This scheme does not rely on the password or biometric identification. It checks user identity just by user action features. We utilize sensors installed in smartphones and collect their data when the user waves the phone. We collect these data, process them and feed them into neural networks to realize identity recognition. We invited 13 participants and collected about 350 samples for each person. The sampling frequency is set at 200 Hz, and DenseNet is chosen as the neural network to validate system performance. The result shows that the neural network can effectively recognize user identity and achieve an authentication accuracy of 96.69 percent.

Effective Identity Authentication Based on Multiattribute Centers for Secure Government Data Sharing

As one of the essential steps to secure government data sharing,Identity Authentication(IA)plays a vital role in the processing of large data.However,the centralized IA scheme based on a trusted third party presents problems of information leakage and single point of failure,and those related to key escrow.Therefore,herein,an effective IA model based on multiattribute centers is designed.First,a private key of each attribute of a data requester is generated by the attribute authorization center.After obtaining the private key of attribute,the data requester generates a personal private key.Second,a dynamic key generation algorithm is proposed,which combines blockchain and smart contracts to periodically update the key of a data requester to prevent theft by external attackers,ensure the traceability of IA,and reduce the risk of privacy leakage.Third,the combination of blockchain and interplanetary file systems is used to store attribute field information of the data requester to further reduce the cost of blockchain information storage and improve the effectiveness of information storage.Experimental results show that the proposed model ensures the privacy and security of identity information and outperforms similar authentication models in terms of computational and communication costs.

Authentication and Access Control in RFID Based Logistics-customs Clearance Service Platform

The content security requirements of a radio frequency identification （RFID） based logistics-customs clearance service platform （LCCSP） are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.

Design of Distributed Authentication Mechanism for Equipment Support Information Network

Considering the secure authentication problem for equipment support information network,a clustering method based on the business information flow is proposed. Based on the proposed method,a cluster-based distributed authentication mechanism and an optimal design method for distributed certificate authority( CA)are designed. Compared with some conventional clustering methods for network,the proposed clustering method considers the business information flow of the network and the task of the network nodes,which can decrease the communication spending between the clusters and improve the network efficiency effectively. The identity authentication protocols between the nodes in the same cluster and in different clusters are designed. From the perspective of the security of network and the availability of distributed authentication service,the definition of the secure service success rate of distributed CA is given and it is taken as the aim of the optimal design for distributed CA. The efficiency of providing the distributed certificate service successfully by the distributed CA is taken as the constraint condition of the optimal design for distributed CA. The determination method for the optimal value of the threshold is investigated. The proposed method can provide references for the optimal design for distributed CA.

An Authentication Method of Distinguishing Proxy's Secure Accident Responsibility

The publish/subscribe （pub/sub） paradigm has asynchronous, loosely-coupled and many-to-many communication properties and is widely used in the application of large-scale distributed computing environment. There is the problem that is mutual trustable between network proxies in terms of pub/sub systems and the problem which is hardly to distinguish accident responsibility while the accident happens in Kerberos based on symmetrical encryption algorithm. A proxy identity authentication algorithm based on RSA encryption is proposed to solve the problem of mutual trust between proxies, and the security of the messages is guaranteed through certificate delegation. The algorithm can distinguish accident responsibility. The feasibility analysis, security analysis and efficiency analysis of the algorithm are carried out.

Design and Implementation of Secure and Reliable Information Interaction Architecture for Digital Twins

In order to improve the comprehensive defense capability of data security in digital twins(DTs),an information security interaction architecture is proposed in this paper to solve the inadequacy of data protection and transmission mechanism at present.Firstly,based on the advanced encryption standard(AES)encryption,we use the keystore to expand the traditional key,and use the digital pointer to avoid the key transmission in a wireless channel.Secondly,the identity authentication technology is adopted to ensure the data integrity,and an automatic retransmission mechanism is added for the endogenous properties of the wireless channel.Finally,the software defined radio(SDR)platform composed of universal software radio peripheral(USRP)and GNU radio is used to simulate the data interaction between the physical entity and the virtual entity.The numerical results show that the DTs architecture can guarantee the encrypted data transmitted completely and decrypted accurately with high efficiency and reliability,thus providing a basis for intelligent and secure information interaction for DTs in the future.

Biometric-based personal identity-authentication system and security analysis

The traditional authentication system is based on the secret key, and is mainly based on public key infrastructure （PKI）. Unfortunately, a key has many disadvantages, for example, the key can be forgotten or stolen, and can be easily cracked. Nowadays, authentication systems using biometric technology have become more prevalent because of the advantages over password-based authentication systems. In this article, several biometfic authentication models are presented, upon which most biometric authentication systems are based. Biometric authentication systems based-on these models provide high security for access control in non-face-to-face environment such as e-commerce, over open network.

A Private User Data Protection Mechanism in TrustZone Architecture Based on Identity Authentication

In Trust Zone architecture, the Trusted Application（TA） in the secure world does not certify the identity of Client Applications（CA） in the normal world that request data access, which represents a user data leakage risk. This paper proposes a private user data protection mechanism in Trust Zone to avoid such risks. We add corresponding modules to both the secure world and the normal world and authenticate the identity of CA to prevent illegal access to private user data. Then we analyze the system security, and perform validity and performance tests.The results show that this method can perform effective identity recognition and control of CA to protect the security of private user data. After adding authentication modules, the data operation time of system increases by about0.16 s, an acceptable price to pay for the improved security.

OWDP and Its Secure Implementation

Here we present one design based on OWDP for secure high-speed IP network performance monitor system. Based on the analysis of OWDP protocol and the high-speed IP network performance's real-time monitor infrastructure, the paper illustrates the potential security problems in OWDP and its possible weakness when applied in the monitor infrastructure. One secure improvement design based on Otway-Rees authentication protocol is put forward, which can improve the security of the implementation of OWDP and the monitor architecture. Having kept OWDP's simplicity and efficiency, the design satisfies the real-time demand of high-speed network performance monitor and will effectively safeguard the monitor procedure against intensive attacks.

Design and Implementation of A Bi-Directional Proxy Server

In this paper, a mechanism of bi-directional proxy is proposed, which supports authentication based on identity, and endue different users with different network access permissions. This technology is purposed with a new idea towards the implementation of network security, which has a promising future in applications. Key words network security - firewall - bi-directional proxy server - identity authentication CLC number TP 368.5 Foundation item: Supported by the National Natural Science Foundation of China (60173051), The National Research Foundation for the Doctoral Program of Higher Education of China (20030145029). Teaching and Research Award Program for Outstanding Young Teachers in Higher Education Institution of the Ministry of Education; National 863 High-tech Program (2003AA414210)Biography: GAO Fu-xiang (1961-), male, Professor, Master, research direction: computer network security.