Your search keyword '"Fushan WEI"' showing total 42 results

1. LightSEEN: Real-Time Unknown Traffic Discovery via Lightweight Siamese Networks

Author

Jiaxing Guo, Xieli Zhang, Chunxiang Gu, Ji Li, Fushan Wei, Xinyi Hu, and Wenfen Liu

Subjects

Science (General), Article Subject, Computer Networks and Communications, Computer science, Network packet, business.industry, Feature vector, Encryption, computer.software_genre, Q1-390, Network management, Closed-world assumption, Traffic classification, Convergence (routing), T1-995, Data mining, business, Baseline (configuration management), computer, Technology (General), Information Systems

Abstract

With the increase in the proportion of encrypted network traffic, encrypted traffic identification (ETI) is becoming a critical research topic for network management and security. At present, ETI under closed world assumption has been adequately studied. However, when the models are applied to the realistic environment, they will face unknown traffic identification challenges and model efficiency requirements. Considering these problems, in this paper, we propose a lightweight unknown traffic discovery model LightSEEN for open-world traffic classification and model update under practical conditions. The overall structure of LightSEEN is based on the Siamese network, which takes three simplified packet feature vectors as input on one side, uses the multihead attention mechanism to parallelly capture the interactions among packets, and adopts techniques including 1D-CNN and ResNet to promote the extraction of deep-level flow features and the convergence speed of the network. The effectiveness and efficiency of the proposed model are evaluated on two public data sets. The results show that the effectiveness of LightSEEN is overall at the same level as the state-of-the-art method and LightSEEN has even better true detection rate, but the parameter used in LightSEEN is 0.51 % of the baseline and its average training time is 37.9 % of the baseline.

Published

2021

2. Automated State-Machine-Based Analysis of Hostname Verification in IPsec Implementations

Author

Jiaxing Guo, Chunxiang Gu, Xi Chen, Siqi Lu, and Fushan Wei

Subjects

Hostname, Authentication, Network security, business.industry, computer.internet_protocol, Computer science, Cryptography, Cryptographic protocol, Certificate, Computer security, computer.software_genre, Security testing, Computer Science Applications, Control and Systems Engineering, IPsec, Electrical and Electronic Engineering, business, computer

Abstract

Owing to the advent and rapid development of Internet communication technology, network security protocols with cryptography as their core have gradually become an important means of ensuring secure communications. Among numerous security protocols, certificate authentication is a common method of identity authentication, and hostname verification is a critical but easily neglected process in certificate authentication. Hostname verification validates the identity of a remote target by checking whether the hostname of the communication partner matches any name in the X.509 certificate. Notably, errors in hostname verification may cause security problems with regard to identity authentication. In this study, we use a model-learning method to conduct security testing for hostname verification in internet protocol security (IPsec). This method can analyze the problems entailed in implementing hostname verification in IPsec by effectively inferring the deterministic finite automaton model that can describe the matching situation between the certificate subject name and the hostname for different rules. We analyze two popular IPsec implementations, Strongswan and Libreswan, and find five violations. We use some of these violations to conduct actual attack tests on the IPsec implementation. The results show that under certain conditions, attackers can use these flaws to carry out identity impersonation attacks and man-in-the-middle attacks.

Published

2021

3. An Intelligent Terminal Based Privacy-Preserving Multi-Modal Implicit Authentication Protocol for Internet of Connected Vehicles

Author

Pandi Vijayakumar, Fushan Wei, Sherali Zeadally, Debiao He, and Neeraj Kumar

Subjects

Password, 050210 logistics & transportation, Authentication, Computer science, business.industry, Mechanical Engineering, 05 social sciences, Computer security, computer.software_genre, Authentication server, Computer Science Applications, Terminal (electronics), Authentication protocol, 0502 economics and business, Automotive Engineering, Ciphertext, The Internet, business, computer, Intelligent transportation system

Abstract

The Internet of connected Vehicles (IOV) can collect, process, compute and release the information of intelligent transportation systems. IOV is an integrated service system that can support the applications for automatic driving, intelligent transport and information services. As the number of incidents on IOV has been on the rise in the past few years, IOV security is becoming increasingly important in the IOV architecture. One of the most notable risks of IOV faces is intelligent terminal security. The vehicle’s intelligent terminal can be used to launch for further attacks on the on-board operating system to penetrate into the internal network of connected vehicle, and consequently threaten the safety of the vehicle. Thus, it is of paramount importance that we protect the security of the intelligent terminal. We propose two intelligent terminal based privacy-preserving multi-modal implicit authentication protocols to protect the security of the intelligent terminal in IOV. The proposed protocols use the password and the vehicle owner’s behavior features as the authentication factors to protect the security of the intelligent terminal. Since the vehicle owner’s behavior features are sensitive and the privacy information of the user must be protected, we also consider the privacy protection of the behavior features. Our protocols do not reveal any information about the vehicle owner’s behavior features to the authentication server and the adversary except the ciphertext size of the feature vector. We analyze the security of our proposed protocol and compare them with other related protocols in terms of computation and communications costs. Our results demonstrate that our proposed protocols yield better security and efficiency.

Published

2021

4. CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

Author

Xinyi Hu, Chunxiang Gu, and Fushan Wei

Subjects

Science (General), Article Subject, Artificial neural network, Computer Networks and Communications, business.industry, Network packet, Computer science, Encryption, computer.software_genre, Convolutional neural network, Q1-390, Traffic classification, Feature (machine learning), T1-995, The Internet, Data mining, business, computer, Technology (General), Information Systems, Private network

Abstract

The development of the Internet has led to the complexity of network encrypted traffic. Identifying the specific classes of network encryption traffic is an important part of maintaining information security. The traditional traffic classification based on machine learning largely requires expert experience. As an end-to-end model, deep neural networks can minimize human intervention. This paper proposes the CLD-Net model, which can effectively distinguish network encrypted traffic. By segmenting and recombining the packet payload of the raw flow, it can automatically extract the features related to the packet payload, and by changing the expression of the packet interval, it integrates the packet interval information into the model. We use the ability of Convolutional Neural Network (CNN) to distinguish image classes, learn and classify the grayscale images that the raw flow has been preprocessed into, and then use the effectiveness of Long Short-Term Memory (LSTM) network on time series data to further enhance the model’s ability to classify. Finally, through feature reduction, the high-dimensional features learned by the neural network are converted into 8 dimensions to distinguish 8 different classes of network encrypted traffic. In order to verify the effectiveness of the CLD-Net model, we use the ISCX public dataset to conduct experiments. The results show that our proposed model can distinguish whether the unknown network traffic uses Virtual Private Network (VPN) with an accuracy of 98% and can accurately identify the specific traffic (chats, audio, or file) of Facebook and Skype applications with an accuracy of 92.89%.

Published

2021

5. Efficient cloud-aided verifiable secret sharing scheme with batch verification for smart cities

Author

Jian Shen, Fushan Wei, Xingming Sun, Dengzhi Liu, and Yang Xiang

Subjects

Scheme (programming language), Security analysis, Computer Networks and Communications, business.industry, Electronic voting, Computer science, Electronic cash, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Secret sharing, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Verifiable secret sharing, business, computer, Software, computer.programming_language

Abstract

With the wide usage of the information and communication technology (ICT) in smart cities, people’s lives become easier and more convenient. Cloud computing, as a burgeoning technology of the ICT, provides consumers with unlimited computing capabilities and storage resources. Using the cloud to promote the progress of the ICT-based applications meets the requirement of the practical usage, and is also in line with the sustainable development. As we all know, the secret sharing is a hot topic in the security community. Many security-assurance applications can be realized with the assistance of secret sharing. In this paper, an efficient cloud-aided verifiable secret sharing scheme is proposed based on the polynomial commitment for smart cities, which can be used in a variety of practical applications such as electronic voting and revocable electronic cash. In the proposed scheme, users can verify the received shares from the cloud. Moreover, in order to meet the requirement of the real-world usage, we extend our scheme to support the batch verification with the aid of a third-party arbitration center. In addition, the aggregate signature is used to verify whether a subset of users possess the shares that indeed sent by the cloud. The security analysis shows that the proposed scheme can satisfy the security requirements of the verifiable secret sharing (VSS) and the performance analysis shows that our scheme is more efficient than previous schemes in terms of the communication and the computation.

Published

2020

6. tCLD-Net: A Transfer Learning Internet Encrypted Traffic Classification Scheme Based on Convolution Neural Network and Long Short-Term Memory Network

Author

Xinyi Hu, Fushan Wei, Yihang Chen, and Chunxiang Gu

Subjects

Computer science, business.industry, Deep learning, Internet traffic, Encryption, computer.software_genre, Convolutional neural network, Traffic classification, Feature (machine learning), The Internet, Artificial intelligence, Data mining, business, Transfer of learning, computer

Abstract

The Internet is about to enter the era of full encryption. Traditional traffic classification methods only work well in non-encrypted environments. How to identify the specific types of network encrypted traffic in an encrypted environment without decryption is one of the foundations for maintaining cyberspace security. Traffic classification based on machine learning relies heavily on the prior knowledge of experts to construct feature sets. Although traffic classification based on deep learning can reduce human intervention, it requires a large amount of labeled data for parameter determination. This paper proposes a tCLD-Net model that combines transfer learning and deep learning. It can be trained on a small amount of labeled data to distinguish network encrypted traffic with a high accuracy. It pre-trains a CLD-Net model in the source domain data set, and fixes the parameters of the convolutional neural network module in it, and trains and tests it in the target domain data set. In order to verify the effectiveness of the tCLD-Net model, we use the ISCX public data set to conduct experiments. The results show that our proposed model can complete 100 epoches training in 208 seconds when the training set only occupies 20% of the target domain. And achieve a classification accuracy rate about 86%. This is 4% higher than the model without pre-training, and the training time is only one third of the model without pre-training.

Published

2021

7. Model Learning and Model Checking of IPSec Implementations for Internet of Things

Author

Xi Chen, Jiaxing Guo, Chunxiang Gu, and Fushan Wei

Subjects

Model checking, Finite-state machine, General Computer Science, IPSec protocol, business.industry, Computer science, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, General Engineering, Computer security, computer.software_genre, model checking, IPv6, Secure communication, model learning, IPsec, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, 6LoWPAN, Implementation, Protocol (object-oriented programming), computer, lcsh:TK1-9971

Abstract

With the development of Internet of Things (IoT) technology, the demand for secure communication by smart devices has dramatically increased, and the security of the IoT protocol has become the focus of cyberspace. Recently, some scholars have attempted to extend the IPSec protocol to IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) to ensure end-to-end security, which makes it essential to analyze the vulnerability of the IPSec protocol to enhance the security of the IoT. In this study, we use a method combining model learning and model checking to analyze the dynamic vulnerability of IPSec protocol implementations. This method automatically infers the black-box model and compares it with the relevant specifications to expose the defects of the system implementation and search its logic vulnerabilities. We first employ model learning on three IPSec implementations to infer state machine models; then, we use model checking to verify that these models satisfy basic security properties and conform to the RFCs. Our analysis reveals three new security issues: a wrong interaction causing server exception and two violations of the standard.

Published

2019

8. Bitcoin Theft Detection Based on Supervised Machine Learning Algorithms

Author

Binjie Chen, Fushan Wei, and Chunxiang Gu

Subjects

Boosting (machine learning), Science (General), Article Subject, Computer Networks and Communications, Computer science, 02 engineering and technology, Machine learning, computer.software_genre, Q1-390, 0202 electrical engineering, electronic engineering, information engineering, T1-995, AdaBoost, Technology (General), Mahalanobis distance, Local outlier factor, business.industry, Supervised learning, 020207 software engineering, Perceptron, Random forest, Support vector machine, ComputingMethodologies_PATTERNRECOGNITION, 020201 artificial intelligence & image processing, Artificial intelligence, business, Algorithm, computer, Information Systems

Abstract

Since its inception, Bitcoin has been subject to numerous thefts due to its enormous economic value. Hackers steal Bitcoin wallet keys to transfer Bitcoin from compromised users, causing huge economic losses to victims. To address the security threat of Bitcoin theft, supervised learning methods were used in this study to detect and provide warnings about Bitcoin theft events. To overcome the shortcomings of the existing work, more comprehensive features of Bitcoin transaction data were extracted, the unbalanced dataset was equalized, and five supervised methods—the k-nearest neighbor (KNN), support vector machine (SVM), random forest (RF), adaptive boosting (AdaBoost), and multi-layer perceptron (MLP) techniques—as well as three unsupervised methods—the local outlier factor (LOF), one-class support vector machine (OCSVM), and Mahalanobis distance-based approach (MDB)—were used for detection. The best performer among these algorithms was the RF algorithm, which achieved recall, precision, and F1 values of 95.9%. The experimental results showed that the designed features are more effective than the currently used ones. The results of the supervised methods were significantly better than those of the unsupervised methods, and the results of the supervised methods could be further improved after equalizing the training set.

Published

2021

9. Security Analysis and Design of Authentication Key Agreement Protocol in Medical Internet of Things

Author

Fushan Wei, Siqi Lu, Xi Chen, Jiaxing Guo, and Chunxiang Gu

Subjects

Key-agreement protocol, Authentication, Security analysis, 020205 medical informatics, Computer science, Data security, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Identity theft, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Replay attack, Secure transmission, computer

Abstract

With the rise and rapid development of the Internet of Things, the electronic healthcare (e-health) system gradually become a universal trend in the global medical industry. As a typical e-health application, Telecare Medical Information System (TMIS) can assist patients and medical staffs in monitoring and communicating for medical aid. However, TMIS usually runs in untrusted public channels, which makes it urgent to provide a secure authentication scheme to achieve user authentication, data security, and privacy protection purposes. In 2014, Li et al. proposed a biometric-based remote user authentication scheme that supported secure transmission and provided patient privacy protection. However, we analyze the scheme of Li et al. and identify that this scheme is vulnerable to identity theft attack, user impersonation attack, replay attack, and key compromise impersonation attack. We improve the original scheme to solve these problems and give the security proof as well as formal analysis of our scheme. Besides, we provide detailed heuristic security analysis to verify that our scheme can resist potential attacks and provide various security properties. Finally, performance analysis shows that the security of the improved protocol is enhanced without excessively increasing the computational cost.

Published

2020

10. A Survey on Blockchain Anomaly Detection Using Data Mining Techniques

Author

Chunxiang Gu, Fushan Wei, Xi Chen, and Ji Li

Subjects

Power graph analysis, Blockchain, Network security, business.industry, Systematic survey, Specific detection, Computer science, Deep learning, computer.software_genre, Graph (abstract data type), Anomaly detection, Artificial intelligence, Data mining, business, computer

Abstract

With the more and more extensive application of blockchain, blockchain security has been widely concerned by the society and deeply studied by scholars, of which anomaly detection is an important problem. Data mining techniques, including conventional machine learning, deep learning and graph learning, have been concentrated for anomaly detection in the last few years. This paper presents a systematic survey of the blockchain anomaly detection results using data mining techniques. The anomaly detection methods are classified into 2 main categories, namely universal detection methods and specific detection methods, which contain 8 subclasses. For each subclass, the corresponding research are listed and compared, presenting a systematic and categorized overview of the current perspectives for blockchain anomaly detection. In addition, this paper contributes in discussing the advantages and disadvantages for the data mining techniques employed, and suggesting future directions for anomaly detection methods. This survey helps researchers to have a general comprehension of the anomaly detection field and its application in blockchain data.

Published

2019

11. Privacy-Preserving and Lightweight Key Agreement Protocol for V2G in the Social Internet of Things

Author

Yang Xiang, Fushan Wei, Tianqi Zhou, Jian Shen, and Xingming Sun

Subjects

Key-agreement protocol, Security analysis, Authentication, Computer Networks and Communications, business.industry, Computer science, 020208 electrical & electronic engineering, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Computer security model, Computer security, computer.software_genre, Computer Science Applications, Smart grid, Hardware and Architecture, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, Protocol (object-oriented programming), computer, Information Systems

Abstract

The concept of the Social Internet of Things (SIoT) can be viewed as the integration of prevailing social networking and the Internet of Things, which is making inroads into the daily operation of many industries. Smart grids, which are cost-effective and environmentally friendly applications, are a promising field of the SIoT. However, security and privacy concerns are the dark aspects of smart grids. The goal of this paper is to address the security and privacy issues in the vehicle-to-grid (V2G) networks with the intention of promoting a more extensive deployment of V2G networks for smart grids. Driven by this motivation, in this paper, we propose a robust key agreement protocol that can achieve mutual authentication without exposing the real identities of users. Efficiency is also a major concern in resource-constrained environments. By leveraging only hash functions and bitwise exclusive-OR operations, the proposed protocol is highly efficient compared with pairing-based protocols. In addition, we define a formal security model for our privacy-preserving key agreement protocol for V2G networks. Using this model, a formal security analysis shows that the proposed protocol is secure. Moreover, an informal security analysis demonstrates that our protocol can withstand different types of attacks.

Published

2018

12. Cryptanalysis and Security Enhancement of Three Authentication Schemes in Wireless Sensor Networks

Author

Bin Li, Yiming Zhao, Ping Wang, Wenting Li, and Fushan Wei

Subjects

Article Subject, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, lcsh:Technology, lcsh:Telecommunication, law.invention, law, Forward secrecy, lcsh:TK5101-6720, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Password, 021110 strategic, defence & security studies, Authentication, Cryptographic primitive, lcsh:T, business.industry, Password cracking, 020206 networking & telecommunications, Lightweight protocol, Smart card, business, Cryptanalysis, computer, Wireless sensor network, Information Systems, Anonymity

Abstract

Nowadays wireless sensor networks (WSNs) have drawn great attention from both industrial world and academic community. To facilitate real-time data access for external users from the sensor nodes directly, password-based authentication has become the prevalent authentication mechanism in the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication scheme for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that though this protocol is equipped with a formal proof, it actually has several security loopholes been overlooked, such that it cannot resist against smart card loss attack and violate forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, as well as suffering from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties of forward secrecy and user friendliness. In addition, by adopting the “perfect forward secrecy (PFS)” principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.

Published

2018

13. On the Security of a Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services

Author

Fushan Wei, Qi Jiang, and Jianfeng Ma

Subjects

Challenge-Handshake Authentication Protocol, 021103 operations research, Computer Networks and Communications, Computer science, Data_MISCELLANEOUS, 0211 other engineering and technologies, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Control and Systems Engineering, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Challenge–response authentication, computer, Data Authentication Algorithm, Information Systems

Abstract

Recently, Tsai and Lo proposed a privacy aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we first identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Beside this major defect, it also suffers from some minor design flaws, including the problem of biometrics misuse, wrong password, and fingerprint login, no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

Published

2018

14. A general compiler for password-authenticated group key exchange protocol in the standard model

Author

Fushan Wei, Neeraj Kumar, Sang-Soo Yeo, and Debiao He

Subjects

Password, Computer science, business.industry, Applied Mathematics, Distributed computing, Hash function, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Oakley protocol, computer.software_genre, 01 natural sciences, Authenticated Key Exchange, 010201 computation theory & mathematics, Universal composability, 0202 electrical engineering, electronic engineering, information engineering, Discrete Mathematics and Combinatorics, Compiler, business, computer, Protocol (object-oriented programming), Computer network, Standard model (cryptography)

Abstract

Password-authenticated group key exchange (PGKE) protocols are critical for ensuring secure group communications for mobile devices. Until now, only few PGKE protocols have been proposed. However, literature about group key exchange (GKE) protocols consists of many research proposals in last few years. In this paper, we present a protocol compiler based on smooth projective hash functions. The proposed compiler can transform any GKE protocol into a secure PGKE protocol by adding 2 rounds of communication. We conduct the security of our compiler in the standard model without using various other assumptions. Our compiler is round-efficient in the sense that a constant-round PGKE can be derived from the proposal if the underlying protocol is a constant-round GKE protocol.

Published

2018

15. A Provably Secure Anonymous Two-Factor Authenticated Key Exchange Protocol for Cloud Computing

Author

Chuangui Ma, Fushan Wei, and Ruijie Zhang

Subjects

Algebra and Number Theory, Computer science, business.industry, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Theoretical Computer Science, Authenticated Key Exchange, Computational Theory and Mathematics, Factor (programming language), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Protocol (object-oriented programming), Information Systems, computer.programming_language, Computer network

Published

2018

16. A provably secure password-based anonymous authentication scheme for wireless body area networks

Author

Jian Shen, Fushan Wei, Li Li, Ruijie Zhang, and Pandi Vijayakumar

Subjects

Password, Password policy, Zero-knowledge password proof, General Computer Science, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Random oracle, S/KEY, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Zero-knowledge proof, Electrical and Electronic Engineering, business, computer, Anonymity, Computer network

Abstract

Wireless body area networks (WBANs) comprise many tiny sensor nodes which are planted in or around a patient’s body. These sensor nodes can collect biomedical data of the patient and transmit these valuable data to a data sink or a personal digital assistant. Later, health care service providers can get access to these data through authorization. The biomedical data are usually personal and privacy. Consequently, data confidentiality and user privacy are primary concerns for WBANs. In order to achieve these goals, we propose an anonymous authentication scheme for WBANs based on low-entropy password and prove its security in the random oracle model. Our scheme enjoys strong anonymity in the sense that only the client knows his identity during the authentication phase of the scheme. Compared with other related proposals, our scheme is efficient in terms of computation. Moreover, the authentication of the client relies on human-rememberable password, which makes our scheme more suitable for applications in WBANs.

Published

2018

17. An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks

Author

Yuanyuan Yang, Youliang Tian, Qi Jiang, Fushan Wei, Jian Shen, and Jianfeng Ma

Subjects

Scheme (programming language), Authentication, Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, Elliptic curve cryptography, business, computer, Wireless sensor network, Computer network, computer.programming_language

Abstract

Recently, He et al. proposed an anonymous two-factor authentication scheme following the concept of temporal-credential for wireless sensor networks (WSNs), which is claimed to be secure and capable of withstanding various attacks. However, we reveal that the authentication phase of their scheme has several pitfalls. Firstly, their scheme is susceptible to malicious user impersonation attack, in which a legal but malicious user can impersonate as other registered users. In addition, their scheme is also vulnerable to stolen smart card attack. Furthermore, the scheme cannot provide untraceability and is prone to tracking attack. Then we put forward an untraceable two-factor authentication scheme based on elliptic curve cryptography (ECC) for WSNs. Our new scheme makes up for the missing security features necessary for real-life applications while maintaining the desired features of the original scheme. We prove that the scheme fulfills mutual authentication in the Burrows-Abadi-Needham (BAN) logic. Moreover, by way of informal security analysis, we show that the proposed scheme can resist a variety of attacks and provide more security features than He et al.’s scheme.

Published

2016

18. Efficient privacy preserving predicate encryption with fine-grained searchable capability for Cloud storage

Author

Xu An Wang, Fushan Wei, Jianfeng Ma, Fatos Xhafa, Weiyi Cai, and Universitat Politècnica de Catalunya. Departament de Ciències de la Computació

Subjects

Cloud storage, Theoretical computer science, Computació en núvol, General Computer Science, Computer science, 02 engineering and technology, computer.software_genre, Encryption, Xifratge (Informàtica), Multiple encryption, Informàtica::Seguretat informàtica [Àrees temàtiques de la UPC], Filesystem-level encryption, 0202 electrical engineering, electronic engineering, information engineering, Cloud computing, Electrical and Electronic Engineering, Data encryption (Computer science), 020203 distributed computing, Database, Predicate encryption, business.industry, Data confidentiality, Cloud data search framework, Client-side encryption, Control and Systems Engineering, Probabilistic encryption, 40-bit encryption, 020201 artificial intelligence & image processing, Attribute-based encryption, On-the-fly encryption, business, Data privacy, computer, Public-key encryption with fine-grained keyword search

Abstract

We present an efficient predicate encryption system for the class of inner-product predicates that is fully secure without random oracles.PEFKS can not only test whether multiple keywords were present in the ciphertext, but also can evaluate the relations of the keywords, such as equal, disjunction/conjunction.We prove that IND-AH-CPA secure PE implies the existence of IND- PEFKS-CPA secure PEFKS, and develop a transformation of PE to PEFKS. The transformation is efficient. We also use it to construct a PEFKS scheme from our PE.We present a privacy preserving framework for implementing efficient predicate encryption with ne-grained searchable capability and roughly analysis its security. Display Omitted With the fast development in Cloud storage technologies and ever increasing use of Cloud data centres, data privacy and confidentiality has become a must. Indeed, Cloud data centres store each time more sensitive data such as personal data, organizational and enterprise data, transactional data, etc. However, achieving confidentiality with flexible searchable capability is a challenging issue. In this article, we show how to construct an efficient predicate encryption with fine-grained searchable capability. Predicate Encryption ( PE ) can achieve more sophisticated and flexible functionality compared with traditional public key encryption. We propose an efficient predicate encryption scheme by utilizing the dual system encryption technique, which can also be proved to be IND-AH-CPA (indistinguishable under chosen plain-text attack for attribute-hiding) secure without random oracle. We also carefully analyse the relationship between predicate encryption and searchable encryption. To that end, we introduce a new notion of Public-Key Encryption with Fine-grained Keyword Search ( PEFKS ). Our results show that an IND-AH-CPA secure PE scheme can be used to construct an IND-PEFKS-CPA (indistinguishable under chosen plain-text attack for public-key encryption with fine-grained keyword search) secure PEFKS scheme. A new transformation of PE-to-PEFKS is also proposed and used to construct an efficient PEFKS scheme based on the transformation from the proposed PE scheme. Finally, we design a new framework for supporting privacy preserving predicate encryption with fine-grained searchable capability for Cloud storage. Compared to most prominent frameworks, our framework satisfies more features altogether and can serve as a basis for developing such frameworks for Cloud data centres.

Published

2016

19. DOAS: Efficient data owner authorized search over encrypted cloud data

Author

Yinbin Miao, Junwei Zhang, Fushan Wei, Zhiquan Liu, Jianfeng Ma, and Ximeng Liu

Subjects

020203 distributed computing, Security analysis, Cryptographic primitive, Database, Computer Networks and Communications, business.industry, Computer science, Data security, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, computer.software_genre, Encryption, Computer security, Random oracle, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Chosen-plaintext attack, business, computer, Software

Abstract

Data outsourcing service can shift the local data storage and maintenance to cloud service provider (CSP) to ease the burden from data owner, but it brings the data security threats as CSP is always considered to honest-but-curious. Therefore, searchable encryption (SE) technique which allows cloud clients (including data owner and data user) to securely search over ciphertext through keywords and selectively retrieve files of interest is of prime importance. However, in practice, data user’s access permission always dynamically varies with data owner’s preferences. Moreover, existing SE schemes which are based on attribute-based encryption (ABE) incur heavy computational burden through attribution revocation and policy updating. To allow data owner to flexibly grant access permissions, we design a secure cryptographic primitive called as efficient data owner authorized search over encrypted data scheme through utilizing identity-based encryption (IBE) technique. The formal security analysis proves that our scheme is secure against chosen-plaintext attack (CPA) and chosen-keyword attack (CKA) without random oracle. Besides, empirical experiments over real-world dataset show that our scheme is efficient and feasible with regard to data access control.

Published

2016

20. VMKDO: Verifiable multi-keyword search over encrypted cloud data for dynamic data-owner

Author

Zhiquan Liu, Jianfeng Ma, Fushan Wei, Ximeng Liu, Yinbin Miao, and Limin Shen

Subjects

020203 distributed computing, Cloud computing security, Cryptographic primitive, Database, Computer Networks and Communications, business.industry, Computer science, Dynamic data, Data_MISCELLANEOUS, Data security, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Encryption, Data retrieval, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Cloud storage, Software

Abstract

The advantages of cloud computing encourage individuals and enterprises to outsource their local data storage and computation to cloud server, however, data security and privacy concerns seriously hinder the practicability of cloud storage. Although searchable encryption (SE) technique enables cloud server to provide fundamental encrypted data retrieval services for data-owners, equipping with a result verification mechanism is still of prime importance in practice as semi-trusted cloud server may return incorrect search results. Besides, single keyword search inevitably incurs many irrelevant results which result in waste of bandwidth and computation resources. In this paper, we are among the first to tackle the problems of data-owner updating and result verification simultaneously. To this end, we devise an efficient cryptographic primitive called as verifiable multi-keyword search over encrypted cloud data for dynamic data-owner scheme to protect both data confidentiality and integrity. Rigorous security analysis proves that our scheme is secure against keyword guessing attack (KGA) in standard model. As a further contribution, the empirical experiments over real-world dataset show that our scheme is efficient and feasible in practical applications.

Published

2016

21. VCSE: Verifiable conjunctive keywords search over encrypted data without secure-channel

Author

Fushan Wei, Cunbo Lu, Yinbin Miao, Jianfeng Ma, Xu An Wang, and Zhiquan Liu

Subjects

Security analysis, Service (systems architecture), Cryptographic primitive, Computer Networks and Communications, Computer science, business.industry, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Data integrity, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Verifiable secret sharing, business, computer, Software, Secure channel

Abstract

Data outsourcing service has gained remarkable popularity with considerable amount of enterprises and individuals, as it can relief heavy computation and management burden locally. While in most existing models, honest-but-curious cloud service provider (CSP) may return incorrect results and inevitably give rise to serious security breaches, thus the results verification mechanism should be raised to guarantee data accuracy. Furthermore, the construction of secure-channel incurs heavy cryptographic operations and single keyword search returns many irrelevant results. Along these directions, we further design a significantly more effective and secure cryptographic primitive called as verifiable conjunctive keywords search over encrypted data without secure-channel scheme to assure data integrity and availability. Formal security analysis proves that it can effectively stand against outside keyword-guessing attack. As a further contribution, our actual experiments show that it can admit wide applicability in practice.

Published

2016

22. Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy

Author

Fushan Wei, Shuai Fu, Guangsong Li, Jianfeng Ma, Qi Jiang, and Abdulhameed Alelaiwi

Subjects

Engineering, Data_MISCELLANEOUS, Aerospace Engineering, Ocean Engineering, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, One-time password, Password strength, S/KEY, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, 010301 acoustics, Password, Password policy, business.industry, Applied Mathematics, Mechanical Engineering, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Control and Systems Engineering, Challenge–response authentication, business, computer

Abstract

Due to its high level of security, three-factor authentication combining password, smart card and biometrics has received much interest in the past decades. Recently, Islam proposed a dynamic identity-based three-factor authentication scheme using extended chaotic map which attempts to fulfill three-factor security and resist various known attacks, offering many advantages over existing works. However, in this paper we first show that the process of password verification in the login phase is invalid. Besides this defect, it is also vulnerable to user impersonation attack and off-line password guessing attack, under the condition that the smart card is lost or stolen. Furthermore, it fails to preserve biometric template privacy in the case that the password and the smart card are compromised. To remedy these flaws, we propose a robust three-factor authentication scheme, which not only resists various known attacks, but also provides more desired security features. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic. Our scheme provides high security strength as well as low computational cost.

Published

2015

23. A New Privacy-Aware Handover Authentication Scheme for Wireless Networks

Author

Qi Jiang, Fushan Wei, Chuangui Ma, and Guangsong Li

Subjects

Scheme (programming language), Computer science, Wireless network, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Data_MISCELLANEOUS, Computer security, computer.software_genre, Computer Science Applications, Handover authentication, Electrical and Electronic Engineering, business, computer, Computer network, computer.programming_language

Abstract

A fast handover authentication scheme is essential to seamless services for delay-sensitive applications in wireless networks. User privacy is a notable issue which should be considered in secure communications. This paper proposes a new privacy-aware handover authentication scheme. The proposed scheme achieves user privacy with good performance.

Published

2014

24. A Compact Construction for Non-monotonic Online/Offline CP-ABE Scheme

Author

Fushan Wei, Qingfeng Cheng, Junqi Zhang, and Xinglong Zhang

Subjects

Scheme (programming language), Theoretical computer science, Computational complexity theory, business.industry, Computer science, Cryptography, Encryption, Public-key cryptography, Multiplication, business, Mobile device, computer, Access structure, computer.programming_language

Abstract

Nowadays the mobile devices are becoming the necessities in our life, while they are generally resource-constrained, CP-ABE schemes designed for mobile devices should have the property of low computational complexity, therefore Online/Offline mechanism has prospect future in cryptographic mechanism. In this paper, we attempt to construct an unbounded Online/Offline CP-ABE scheme based on a non-monotonic access structure. During the offline phase, most of the computations for encryption are done; during the online phase, we transform the non-monotonic access structure with positive attribute sets into a monotonic access structure which is based on the LSSS access structure with positive and negative attribute sets, then it only needs a small amount of addition and multiplication operations for the rest components of encryption. Compared with the original non-monotonic CP-ABE scheme, our scheme remains the same on the public keys and the master secret keys, with only a small increase in computational complexity. The computational complexity during online phase is very small.

Published

2017

25. Ciphertext-Policy Attribute Based Encryption with Large Attribute Universe

Author

Siyu Xiao, Fushan Wei, Aijun Ge, and Chuangui Ma

Subjects

Scheme (programming language), business.industry, Computer science, Cloud computing, Data_CODINGANDINFORMATIONTHEORY, computer.software_genre, Encryption, Ciphertext, Attribute domain, Data mining, Attribute-based encryption, Constant (mathematics), business, computer, Broadcast encryption, computer.programming_language

Abstract

Ciphertext-policy attribute-based encryption(CP-ABE) has become a crucial technical for cloud computing in that it enables one to share data with users under the access policy defined by himself. Generally, the universe of attributes is not fixed before the system setup in practice. So in this paper, we propose a CP-ABE scheme with large attribute universe based on the scheme presented by Chen et al. The number of attributes is independent of the public parameter in our scheme, and it inherents the excellent properties of both constant ciphertext and constant computation cost.

Published

2016

26. m2-ABKS: Attribute-Based Multi-Keyword Search over Encrypted Personal Health Records in Multi-Owner Setting

Author

Fushan Wei, Zhiquan Liu, Yinbin Miao, Jianfeng Ma, Ximeng Liu, and Xu An Wang

Subjects

Security analysis, Cryptographic primitive, business.industry, Computer science, Medicine (miscellaneous), 020206 networking & telecommunications, Health Informatics, Access control, Cloud computing, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Health Information Management, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Confidentiality, Attribute-based encryption, business, Cloud storage, computer, Information Systems

Abstract

Online personal health record (PHR) is more inclined to shift data storage and search operations to cloud server so as to enjoy the elastic resources and lessen computational burden in cloud storage. As multiple patients' data is always stored in the cloud server simultaneously, it is a challenge to guarantee the confidentiality of PHR data and allow data users to search encrypted data in an efficient and privacy-preserving way. To this end, we design a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search via Ciphertext-Policy Attribute-Based Encryption. Formal security analysis proves our scheme is selectively secure against chosen-keyword attack. As a further contribution, we conduct empirical experiments over real-world dataset to show its feasibility and practicality in a broad range of actual scenarios without incurring additional computational burden.

Published

2016

27. An efficient and practical threshold gateway-oriented password-authenticated key exchange protocol in the standard model

Author

Chuangui Ma, Ruijie Zhang, Fushan Wei, Jianfeng Ma, and Xu An Wang

Subjects

TheoryofComputation_MISCELLANEOUS, Challenge-Handshake Authentication Protocol, Password, Otway–Rees protocol, General Computer Science, Computer science, business.industry, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Authentication server, Computer security, computer.software_genre, 01 natural sciences, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 010201 computation theory & mathematics, Server, Authentication protocol, 0202 electrical engineering, electronic engineering, information engineering, business, computer, Key exchange, Computer network

Abstract

With the assistance of an authentication server, a gateway-oriented password-authenticated key exchange (GPAKE) protocol can establish a common session key shared between a client and a gateway. Unfortunately, a GPAKE protocol becomes totally insecure if an adversary can compromise the authentication server and steal the passwords of the clients. In order to provide resilience against adversaries who can hack into the authentication server, we propose a threshold GPAKE protocol and then present its security proof in the standard model based on the hardness of the decisional Diffie-Hellman (DDH) problem. In our proposal, the password is shared among $n$ authentication servers and is secure unless the adversary corrupts more than $t+1$ servers. Our protocol requires $n>3t$ servers to work. Compared with existing threshold PAKE protocols, our protocol maintains both stronger security and greater efficiency.

Published

2016

28. Cryptanalysis and Improvement of an Enhanced Two-Factor User Authentication Scheme in Wireless Sensor Networks

Author

Qi Jiang, Fushan Wei, Jianfeng Ma, Chuangui Ma, and Jian Shen

Subjects

Scheme (programming language), Biometrics, business.industry, Computer science, Key distribution, 020206 networking & telecommunications, 02 engineering and technology, Multi-factor authentication, Computer security, computer.software_genre, Computer Science Applications, law.invention, Control and Systems Engineering, law, Sensor node, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, Electrical and Electronic Engineering, business, Cryptanalysis, Wireless sensor network, computer, computer.programming_language

Abstract

In order to address the scenario in which the user wants to access the real-time data directly from the sensor node in wireless sensor networks (WSNs), Das proposed a two-factor authentication scheme. In 2010, Khan et al. pointed out that Das's scheme has some security flaws and proposed an improved scheme. Recently, Yuan demonstrated that Khan et at.'s improvement is still insure against several attacks. Yuan also proposed an enhanced two-factor user authentication scheme using user's biometrics to fix the security flaws in Khan et al.'s scheme. In this paper, we show that Yuan's scheme still suffers from the stolen smart card attack and the GW-node impersonation attack. Moreover, biometric keys are misused in Yuan's scheme such that even the valid user cannot pass the biometric verification. To remedy these problems, we propose an improved two-factor authenticated key distribution scheme based on fuzzy extractors. Security and performance analysis demonstrates that our scheme is more secure and efficient thanprevious schemes. DOI: http://dx.doi.org/10.5755/j01.itc.45.1.11949

Published

2016

29. Two Factor Authenticated Key Exchange Protocol for Wireless Sensor Networks: Formal Model and Secure Construction

Author

Ruijie Zhang, Chuangui Ma, and Fushan Wei

Subjects

Provable security, Computer science, Cryptography, 02 engineering and technology, Oakley protocol, Computer security, computer.software_genre, law.invention, Random oracle, law, 0202 electrical engineering, electronic engineering, information engineering, Password, Authentication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, Computer security model, Authenticated Key Exchange, Key distribution in wireless sensor networks, 020201 artificial intelligence & image processing, Smart card, Cryptanalysis, business, Wireless sensor network, computer, Computer network

Abstract

Two-factor authenticated key exchange (TFAKE) protocols are critical tools for ensuring identity authentication and secure data transmission in wireless sensor networks (WSNs). Until now, numerous TFAKE protocols based on smart cards and passwords are proposed for WSNs. Unfortunately, most of them are found insecure against various attacks. Researchers focus on cryptanalysis of these protocols and then fixing the loopholes. Little attention has been paid to design rationales and formal security models of these protocols. In this paper, we first put forward a formal security model for TFAKE protocols in WSNs. We then present an efficient TFAKE protocol for WSNs without using expensive asymmetric cryptology mechanisms. Our protocol can be proven secure in the random oracle model and achieves user anonymity. Compared with other TFAKE protocols, our protocol is more efficient and enjoys provable security.

Published

2016

30. Outsourced Data Modification Algorithm with Assistance of Multi-assistants in Cloud Computing

Author

Fushan Wei, Jiguo Li, Jun Shen, Jian Shen, and Xiong Li

Subjects

020203 distributed computing, Authentication, Database, Revocation, Computer science, business.industry, Dynamic data, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, computer.software_genre, Term (time), User experience design, Computer data storage, 0202 electrical engineering, electronic engineering, information engineering, business, Algorithm, computer, Cloud storage

Abstract

The rapid development of cloud storage in these years has caused a wave of research craze. To improve the cloud user experience, a large amount of schemes are proposed with various practical performances, for instance, long term correct data storage and dynamic data modification. In most works, however, the authors seem to completely ignore the hard fact that data owner alone could not have enough energy to discover and correct all the inappropriate data outsourced in cloud. Others did consider it, and gave more than one user both read and write permissions, which leads to chaotic management of multiusers. In this paper, we propose a novel algorithm, in which the data owner and several authenticated assistants form a team to support dynamic data modification together. Assistants are in charge of detecting problems in cloud data and discussing a corresponding modification suggestion, while data owner is responsible for the implementation of the modification. In addition, our algorithm supports identity authentication, efficient malicious assistant revocation, as well as lazy update. Sufficient numerical analysis validates the performance of our algorithm.

Published

2016

31. Improved Anonymous Authentication Scheme with Enhanced Security for Wireless Communications

Author

Cong Liu, Chuangui Ma, and Fushan Wei

Subjects

Scheme (programming language), General Computer Science, Computer science, business.industry, General Mathematics, Anonymous authentication, Wireless, business, Computer security, computer.software_genre, computer, computer.programming_language, Computer network

Published

2012

32. Gateway-oriented password-authenticated key exchange protocol in the standard model

Author

Zhenfeng Zhang, Chuangui Ma, and Fushan Wei

Subjects

Password, Dictionary attack, Computer science, Authentication server, Computer security, computer.software_genre, Random oracle, Authenticated Key Exchange, Hardware and Architecture, Default gateway, Session key, computer, Software, Key exchange, Information Systems, Standard model (cryptography)

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a 3-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. GPAKE protocols are suitable for mobile communication environments such as GSM (Global System for Mobile Communications) and 3GPP (The Third Generation Partnership Project). To date, most of the published protocols for GPAKE have been proven secure in the random oracle model. In this paper, we present the first provably-secure GPAKE protocol in the standard model. It is based on the 2-party password-authenticated key exchange protocol of Jiang and Gong. The protocol is secure under the DDH assumption (without random oracles). Furthermore, it can resist undetectable on-line dictionary attacks. Compared with previous solutions, our protocol achieves stronger security with similar efficiency.

Published

2012

33. Analysis and improvement of a new authenticated group key agreement in a mobile environment

Author

Qingfeng Cheng, Fushan Wei, and Chuangui Ma

Subjects

Key-agreement protocol, Authentication, Otway–Rees protocol, Computer science, business.industry, Mutual authentication, Oakley protocol, Computer security, computer.software_genre, Public-key cryptography, Electrical and Electronic Engineering, Key management, business, computer, Group key

Abstract

In 2009, Lee et al. (Ann Telecommun 64:735–744, 2009) proposed a new authenticated group key agreement protocol for imbalanced wireless networks. Their protocol based on bilinear pairing was proven the security under computational Diffie–Hellman assumption. It remedies the security weakness of Tseng’s nonauthenticated protocol that cannot ensure the validity of the transmitted messages. In this paper, the authors will show that Lee et al.’s authenticated protocol also is insecure. An adversary can impersonate any mobile users to cheat the powerful node. Furthermore, the authors propose an improvement of Lee et al.’s protocol and prove its security in the Manulis et al.’s model. The new protocol can provide mutual authentication and resist ephemeral key compromise attack via binding user’s static private key and ephemeral key.

Published

2010

34. A Secure User Authentication Scheme against Smart-Card Loss Attack for Wireless Sensor Networks Using Symmetric Key Techniques

Author

Chuangui Ma, Fushan Wei, and Lei Chen

Subjects

Password, Password policy, Article Subject, Computer Networks and Communications, business.industry, Computer science, General Engineering, Multi-factor authentication, Computer security, computer.software_genre, lcsh:QA75.5-76.95, Symmetric-key algorithm, Authentication protocol, Network Access Control, Session key, Smart card, lcsh:Electronic computers. Computer science, Challenge–response authentication, business, Wireless sensor network, computer, Data Authentication Algorithm, Computer network

Abstract

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. In order to protect the security of real-time data query from an external user, many two-factor (password and smart-card) user authentication schemes are proposed. However, most of them are insecure against various attacks. This paper summarizes attacks and security requirements for two-factor user authentication in WSNs. Based on security requirements, a user authentication and session key establishment scheme is also proposed, and this scheme can resist smart-card loss attack merely by using symmetric key techniques. Security and performance analysis demonstrate that, compared to the existing schemes, the proposed approach is more secure and highly efficient.

Published

2015

35. mOT+: An Efficient and Secure Identity-Based Diffie-Hellman Protocol over RSA Group

Author

Fushan Wei, Baoping Tian, and Chuangui Ma

Subjects

Diffie–Hellman key exchange, Public-key cryptography, Computer science, business.industry, Forward secrecy, Ephemeral key, Session key, Adversary, Diffie hellman protocol, business, Computer security, computer.software_genre, computer

Abstract

In 2010, Rosario Gennaro et al. revisited the old and elegant Okamoto-Tanaka scheme and presented a variant of it called mOT. However the compromise of ephemeral private key will lead to the leakage of the session key and the user's static private key. In this paper, we propose an improved version of mOTdenoted as mOT+. Moreover, based on RSA assumption and CDH assumption we provide a tight and intuitive security reduction in the id-eCK model. Without any extra computational cost, mOT+ achieves security in the id-eCK model, and furthermore it also meets full perfect forward secrecy against active adversary.

Published

2015

36. A Lightweight Anonymous Authentication Protocol Using k-Pseudonym Set in Wireless Networks

Author

Jianfeng Ma, Fushan Wei, Xinghua Li, Hai Liu, and Weidong Yang

Subjects

Challenge-Handshake Authentication Protocol, Authentication, business.industry, Computer science, Email authentication, Shared secret, Multi-factor authentication, Computer security, computer.software_genre, Authentication server, Chip Authentication Program, Public-key cryptography, Attack model, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, Challenge–response authentication, business, computer, Data Authentication Algorithm, Computer network

Abstract

In recent years, since people pay more and more attention to the protection of their privacy, anonymous authentication in wireless networks has become a hot topic. Currently, most anonymous authentication schemes are based on the asymmetric keys whose tedious computation leads to serious resource consumption, therefore, they are unsuitable for mobile devices with limited capacity. To solve this problem, by introducing the k-pseudonym set we propose an anonymous authentication protocol based on a shared secret key. In the authentication process, the user sends the k- pseudonym set which includes his real identity and other k-1 pseudonyms. After the authentication server traversals the shared keys with each of the users in the set and verifies the authentication information, it can determine the real user and complete the authentication. In this methodology, the construction of the pseudonym set is a key issue, and we give two attack models and respectively present the construction methods of the k-pseudonym set under those two models. Compared with the existing schemes, our scheme outperforms them in the security and practicality. Especially, user untractability can be realized. A testbed is set up and extensive experiments are conducted, and the results show the authentication latency of our scheme is short and it changes a little with the increase of k.

Published

2014

37. Gateway-Oriented Password-Authenticated Key Exchange Based on Chameleon Hash Function

Author

Fushan Wei, Chuangui Ma, and Fengxiu Gao

Subjects

Dictionary attack, Network security, Computer science, Hash function, Computer security, computer.software_genre, Authentication server, One-time password, S/KEY, Default gateway, Session key, Password, Authentication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Cryptographic protocol, Hash-based message authentication code, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, Hash chain, Challenge–response authentication, Semantic security, business, computer, Computer network

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. Besides the semantic security of the session key, the desirable security properties of a GPAKE protocol also include password protection with respect to malicious gateways and key privacy with respect to honest-but-curious authentication servers. Unfortunately, previous solutions are suspectable to undetectable on-line dictionary attacks by a malicious gateway. To overcome this shortcoming, we propose a GPAKE protocol based on chameleon hash function in this paper. By the merit of chameleon hash function, the authentication server can distinguish an honest authentication request by a client from an on-line impersonation attack by a malicious gateway. The proposed protocol is secure against undetectable on-line dictionary attacks. In addition, it is as efficient as previous solutions.

Published

2012

38. Gateway-Oriented Password-Authenticated Key Exchange Protocol with Stronger Security

Author

Chuangui Ma, Fushan Wei, and Zhenfeng Zhang

Subjects

Password, Authenticated Key Exchange, Authentication, Dictionary attack, Computer science, Default gateway, Session key, Computer security model, Computer security, computer.software_genre, Authentication server, computer

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. To date, most of the published GPAKE protocols have been subjected to undetectable on-line dictionary attacks. The security models for GPAKE are not strong enough to capture such attacks. In this paper, we define a new security model for GPAKE, which is stronger than previous models and captures desirable security requirement of GPAKE. We also propose an efficient GPAKE protocol and prove its security under the DDH assumption in our model. Our scheme assumes no preestablished secure channels between the gateways and the server unlike previous schemes, but just authenticated channels between them. Compared with related schemes, our protocol achieves both higher efficiency and stronger security.

Published

2011

39. Multi-Factor Authenticated Key Exchange Protocol in the Three-Party Setting

Author

Ying Liu, Fushan Wei, and Chuangui Ma

Subjects

Password, Authenticated Key Exchange, Protocol (science), Authentication, Biometrics, Computer science, Factor (programming language), Challenge–response authentication, Computer security, computer.software_genre, computer, computer.programming_language, Random oracle

Abstract

A great deal of authenticated key exchange (AKE) protocols have been proposed in recent years. Most of them were based on 1-factor authentication. In order to increase the security for AKE protocols, various authentication means can be used together. In fact, the existing multi-factor AKE protocols provide an authenticated key exchange only between a client and a server. This paper presents a new multifactor AKE protocol in the three-party settings (3MFAKE), in which the authentication means combine a password, a secure device, and biometric authentications. We also prove the security of the protocol in the random oracle model.

Published

2011

40. Formal Analysis and Improvement of Two-Factor Authenticated Key Exchange Protocol

Author

Fushan Wei, Ying Liu, and Chuangui Ma

Subjects

Password, Password policy, Encrypted key exchange, Zero-knowledge password proof, business.industry, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Authenticated Key Exchange, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, business, computer, Computer network

Abstract

Many two-factor authenticated key exchange protocols have been proposed, and the common ones are based on a secure device and a user's password. But most of them do not use the one-time password system. In one-time password systems, users have many passowrds and use each password only once. This paper presents a new two-factor authenticated key exchange protocol using one-time passwords and a secure device, which achieves mutual authentication, session key agreement, and resistance to phishing attacks. This paper also gives a formal proof for security of the protocol.

Published

2010

41. An Efficient Password Authenticated Key Exchange Protocol with Bilinear Parings

Author

Chuangui Ma, Fushan Wei, Shumin Chen, and Xiaofei Ding

Subjects

Password, Zero-knowledge password proof, Computer science, business.industry, Bilinear interpolation, Computer security, computer.software_genre, Password strength, Random oracle, Authenticated Key Exchange, Forward secrecy, business, Protocol (object-oriented programming), computer, Computer network

Abstract

In recent years, many password authenticated key exchange (PAKE) protocols have been proposed. However, many of them have been broken or have no security proof. In this paper, we propose an efficient password authenticated key exchange protocol using bilinear pairings. Compared with previous PAKE protocol using bilinear pairings, our protocol is quite efficient both in communication cost and computational cost. Moreover, this paper proves that the novel protocol is forward secrecy under the Bilinear Diffie-Hellman (BDH) assumption in the random oracle model.

Published

2009

42. Anonymous gateway-oriented password-based authenticated key exchange based on RSA

Author

Fushan Wei, Qingfeng Cheng, and Chuangui Ma

Subjects

Password, Dictionary attack, Computer science, Computer Networks and Communications, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Gateway (computer program), Computer security, computer.software_genre, Authentication server, Random oracle, Computer Science Applications, Authenticated Key Exchange, Default gateway, Signal Processing, Session key, computer, Key exchange, Anonymity

Abstract

A gateway-oriented password-based authenticated key exchange (GPAKE) is a three-party protocol, which allows a client and a gateway to establish a common session key with the help of an authentication server. To date, most of the published protocols for GPAKE have been based on Diffie-Hellman key exchange. In this article, we present the first GPAKE protocol based on RSA, then prove its security in the random oracle model under the RSA assumption. Furthermore, our protocol can resist both e-residue and undetectable on-line dictionary attacks. Finally, we investigate whether or not a GPAKE protocol can achieve both client anonymity and resistance against undetectable on-line dictionary attacks by a malicious gateway. We provide an affirmative answer by adding client anonymity with respect to the server. Preprint submitted to EURASIP JWCN October 16, 2011 to our basic protocol.