基于智能卡的动态身份认证机制

由于每次登录时用户提交的认证信息都是固定不变的,传统的口令认证机制容易遭受回放攻击。本文根据一个关于互素数的定理,提出了一种基于智能卡的动态身份认证机制。用户每次登录时,智能卡根据从服务器发来的challenge和事先嵌入智能卡的参数信息,为合法用户计算当前的认证信息。由于每次用户提交的认证信息都是动态可变的,从而有效地防止了回放攻击。     

基于动态身份远程用户认证方案的研究

针对基于动态身份远程用户认证,可有效防止用户关键信息泄露,保证已认证用户通过授权获取网络服务.针对Wen-Li提出的基于动态身份远程用户认证与密钥协商方案进行安全性分析,指出该方案存在安全缺陷,可能导致泄露用户部分关键信息,进而遭受网络攻击.在保留Wen-Li方案优点基础上提出一种改进的远程用户认证方案,重新设计了认证过程中的会话密钥和密钥确认消息,与Wen-Li方案相比,改进方案能够抵御中间人攻击以及盗窃智能卡攻击,并增强了方案的前向安全性.     

Two‐factor authentication scheme using attribute and password

In this study, based on attribute and password, we introduce a new kind of two‐factor authentication protocol that has various applications such as anonymous authentication and privacy protection. Specifically, our proposal is constructed by introducing password authentication into the generic framework of attribute‐based authentication. Consequently, it not only achieves two‐factor authentication, but also enjoys the advantages of attribute authentication and password authentication simultaneously. Furthermore, to formally evaluate the security of the proposed protocol, we present the corresponding security model, within which the detailed security proof of the proposal is given. Copyright © 2014 John Wiley & Sons, Ltd.     

基于Multi-Agent仿真的动态车辆路径算法研究

针对DVRP(Dynamic Vehicle Routing Problem,动态车辆路径问题)的复杂性和灵活性,考虑到DVRP问题中的客户需求、交通流和车队管理,提出将MATSim(Multi-Agent Transport Simulation,多Agent交通仿真)和DVRP算法相结合的策略,利用MATSim仿真框架构造一个动态的现实世界环境,结合DVRP算法来求解DVRP问题。DVRP算法采用的是结合进化算法和局部搜索策略的模因算法,同时给出了3种不同客户拓扑结构下的测试用例,并比较了DVRP算法与蚁群算法和禁忌搜索算法的结果,表明该算法具有更高的效率。     

Dynamic ID authentication scheme using chaotic map

Dynamic ID authentication protects user’s identity from being revealed by any outsider during remote login processes. In independent multi-server environments, a user might have to login different servers for accessing various resources. Password based mechanisms are commonly utilized approaches. Without using complicated modular exponentiation computation, in this paper, the author will propose a Chebyshev chaotic map based dynamic ID authentication scheme for independent multi-server environments in which no trusted relationship exists among servers. The proposed scheme does not rely on the existence of registration center and each user only has to keep one single password for accessing resources of different servers. Compared with related protocols, the proposed one has more superior functionalities and lower computational costs. Furthermore, the session key security of our scheme is formally proved in the random oracle model.     

基于LDAP协议与Kerberos认证机制的统一认证

为开发一个企业级的用户身份认证体系,依据目录服务理论,将LDAP协议和Kerberos认证技术相结合,应用于身份认证服务器的结构设计,进行用户统一身份认证和授权,并进一步分析了系统的安全性。     

基于属性的访问控制模型

利用受限数据库为理论对访问请求、属性权威、策略和判定过程的抽象描述,给出了一个基于属性的访问控制模型,讨论了模型中访问请求、属性权威、策略和判定过程之间的关系,给出了一个访问控制判定过程可终止的一种特定条件.     

采用目录服务Kerberos认证实现统一身份认证

计算机安全系统所需要的是一种具备适应性,稳健性和自治性的技术。针对其适应性和自治性,在开发一个企业级的用户身份认证体系同时,依据目录服务理论,将轻量级目录访问协议和Kerberos认证技术相结合来解决密码安全和身份验证,并且应用于身份认证服务器的结构设计,进行用户统一身份认证和授权,使得整个系统的安全性有了进一步的提高。     

基于联盟身份认证和CALIS联合认证的图书馆资源访问方案

针对图书馆电子资源的访问控制问题,对国际上广泛采用的联盟身份认证技术和在国内图书馆大范围部署的CALIS联合认证进行了分析,提出了将联盟身份认证与CALIS联合认证相结合的方案,并在CARSI联盟的平台上进行了开发、部署和验证,实验结果表明,联盟身份认证与CALIS联合认证相结合的方案可以有效、灵活地对电子资源进行访问控制。     

User authentication based on foot motion

In nearly all current systems, user authentication mechanism is one time and static. Although such type of user authentication is sufficient for many types of applications, in some scenarios, continuous or periodic re-verification of the identity is desirable, especially in high-security application. In this paper, we study user authentication based on 3D foot motion, which can be suitable for periodic identity re-verification purposes. Three-directional (3D) motion of the foot (in terms of acceleration signals) is collected using a wearable accelerometer sensor attached to the ankle of the person. Ankle accelerations from three directions (up-down, forward-backward and sideways) are analyzed for person authentication. Applied recognition method is based on detecting individual cycles in the signal and then finding best matching cycle pair between two acceleration signals. Using experimental data from 30 subjects, obtained EERs (Equal Error Rates) were in the range of 1.6–23.7% depending on motion directions and shoe types. Furthermore, by combining acceleration signals from 2D and 3D and then applying fusing techniques, recognition accuracies could be improved even further. The achieved performance improvements (in terms of EER) were up to 68.8%.     

一种基于混沌的量子身份认证

提出了一种新的基于混沌的量子身份认证方案,该方案将混沌系统对初值条件和参数的极度敏感性及混沌序列的良好伪随机性与量子密码的绝对安全性结合在一起,能够有效地抵抗多次身份认证中由于有限精度导致的混沌特性退化而造成对混沌系统初值和参数的攻击。在方案的实现过程中,利用量子隐形传态原理,解决了多次身份认证中出现的混沌迭代异步问题,实现了每一次身份认证中双方的同步,从而实现了“一次一密”的量子身份认证。整个身份认证过程实现简单,具有动态性和可证明的安全性。     

基于NETFPGA的手背静脉身份认证系统

本作品设计并实现了一种基于近红外手背静脉检测生物特征的个人身份认证系统(VAS系统),在Xilinx公司提供的NetFPGA开发平台上完成了系统开发。实现了手背静脉图像的采集、处理、存储和匹配验证等功能,充分发挥了FPGA硬件功能,采用软硬件协同思想,流水线策略和并行处理的方法,移植和优化了软件算法。同时对NetFPGA平台进行了改造和扩展;还实现了灵活、友好的交互界面,安全级别高,扩展性强。     

Deniable authentication protocol based on Deffie-Hellman algorithm

Deniable authentication is a new kind of authentication, by which means a receiver cannot prove the source of a message to a third party. A deniable authentication protocol, which is based on the Deffie-Hellman key exchange protocol, is presented. It does not require a trusted third party, and the protocol can resist person-in-the-middle attack     

基于随机动态密码的身份认证系统

动态密码在身份认证方面有着广泛的应用,但是由于系统的不安全性容易导致动态密码的泄露。描述了当前各种盗号木马原理,分析了动态密码的安全性以及相关实现机制,给出了基于随机动态密码的身份认证。     

Openstack authentication protocol based on digital certificate

As the industry standard for open source cloud platforms,openstack uses the single-factor authentication method based on username and password that provides by keystone components to identity authentication mechanism,while it is not suitable for application scenarios with high security level requirements.A digital certificate-based identity authentication protocol which had cloud user identification protocol and authentication protocol was designed to meet the requirements.With expending the keystone component to achieve a digital certificate-based identity authentication system,a combination of authentication server,UKey technology,encryption technology and well-established key management and so on was used.According to the research,the system can effectively resist multiple cyber-attacks and improve the security of cloud users when they log in to the cloud platform.     

基于云计算的智能手机社交认证系统

云计算提供无限存储和计算的能力可以弥补移动终端资源受限的缺陷。因此针对已提出的社交认证方法对认证票据的有效期需求时间长且终端资源消耗量大的问题,设计了一种基于云计算的智能手机社交认证系统。该系统综合考虑3种社交网络特性：各好友不同的认证权威性、个体的行为差异性和每次交互事件所携带的信任度。通过实验验证,本认证系统在降低终端能耗和增强身份认证安全性的情况下有效地解决了认证票据有效期短而导致系统性能急剧下降的问题。     

一种基于无线局域网的指纹识别技术研究

随着无线网络快速成长．开始将现有的企业网络环境与无线局域网紧密地整合在一起。利用指纹的唯一性、成本低、储存空间小以及安全度高并容易使用等优点,提出了一套生物指纹特征技术来实现企业在无线局域网中的身份认证。该方法在企业在无线网络安全认证上有较大的实用价值。     

UC安全的基于一次签名的广播认证

研究了基于一次签名的广播认证协议的可证明安全问题.在通用可组合安全框架下,提出了基于一次签名的广播认证的安全模型.首先,形式化定义了一次签名理想函数FOTS和广播认证理想函数FBAUTH.其次,设计了一次签名算法HORS+.然后,在(FOTS,FREG)-混合模型下设计了广播认证方案πBAUTH.组合协议HORS+,在πBAUTH的基础上可以构造出新的基于一次签名的广播认证协议.结果表明,HORS+能够安全实现FOTS:在(FOTS,FREG)-混合模型下,πBAUTH安全实现理想函数FBAUTH的广播认证方案πBAUTH.根据组合定理,新的广播认证协议具有通用可组合安全性适用于能量受限网络中广播消息的认证.     

Dynamic anonymous identity authentication (DAIA) scheme for VANET

With the development of the vehicular ad hoc network, the security and privacy are now becoming vital concerns, especially when the attacker owns more and more resources. In order to address these concerns, a dynamic anonymous identity authentication scheme is proposed using Elliptic Curve Discrete Logarithm Problem and blockchain method, which guarantees the security and fast off‐line authentication for vehicle‐to‐infrastructure. Specifically, a dynamic pseudonym key is generated using tamper proof device (TPD) for off‐line authentication and anonymity when a vehicle roams among different roadside units' (RSUs) communication ranges. Even if all RSUs are compromised, vehicle's identity is still privacy. Moreover, two additional design goals are more suitable for the practical environment: (1) the reduced assumption of TPD; (2) certification authority can trace vehicle under the authorization by law.     

基于高阶相似性的属性网络表示学习

现有的网络表示学习方法缺少对网络中隐含的深层次信息进行挖掘和利用。对网络中的潜在信息做进一步挖掘,提出了潜在的模式结构相似性,定义了网络结构间的相似度分数,用以衡量各个结构之间的相似性,使节点可以跨越不相干的顶点,获取全局结构上的高阶相似性。利用深度学习,融合多个信息源共同参与训练,弥补随机游走带来的不足,使得多个信息源信息之间紧密结合、互相补充,以达到最优的效果。实验选取Lap、DeepWalk、TADW、SDNE、CANE作为对比方法,将3个真实世界网络作为数据集来验证模型的有效性,进行节点分类和链路重构的实验。在节点分类中针对不同数据集和训练比例,性能平均提升1.7个百分点;链路重构实验中,仅需一半维度便实现了更好的性能,最后讨论了不同网络深度下模型的性能提升,通过增加模型的深度,节点分类的平均性能增加了1.1个百分点。