
Table of Contents

    10 April 2018, Volume 18 Issue 4

    Original Article
    Research on Secure Identity Authentication Based on Homomorphic Encryption and Biometric
    Lin YOU, Jiahao LIANG
    2018, 18 (4):  1-8.  doi: 10.3969/j.issn.1671-1122.2018.04.001

    The rapid development and wide application of big data technology have brought new security challenges to traditional identity authentication technologies. It is therefore of great practical significance to develop secure identity authentication technologies adapted to complex network environments. Building on traditional biometric-based authentication technologies, this paper presents an identity authentication scheme based on homomorphic encryption and biometrics. The scheme uses RLWE-based homomorphic encryption together with a message encoding technique to encrypt users' biometric information and outsource it for storage. The matching of the user's identity information is performed in the encrypted domain. Random numbers are used during data transmission to resist replay attacks. This paper uses a variety of typical attack methods in the big data environment to prove the security of the scheme. The results show that the scheme is well suited to complex network environments.

    Research on vTPCM Trust Management Technology for Cloud Computing Environment
    Jianbiao ZHANG, Shisong YANG, Shanshan TU, Xiao WANG
    2018, 18 (4):  9-14.  doi: 10.3969/j.issn.1671-1122.2018.04.002

    With the continuous expansion of cloud computing technology, its security issues have become a growing concern. Faced with the urgent need to solve cloud computing security issues, the Trusted Computing TPCM-based dual-system architecture provides a proactive immune trusted security mechanism for each virtual machine on the cloud computing platform, thus preventing security issues related to virtual machine technology in the cloud environment. This paper first puts forward an overall architecture for managing vTPCM instances, which aims at managing the lifecycle of vTPCM instances and virtual machines. Then, the paper analyzes the lifecycle of the vTPCM instance and the virtual machine, and proposes a Trusted Computing based management scheme to solve the problem of lifecycle synchronization during virtual machine migration and the mapping between virtual machine access to the vTPCM instance and physical machine access to the TPCM, so as to effectively strengthen the association between the vTPCM and the virtual machine.

    A Mimic-automaton-based Model for the MSISDN Virtualization and Its Method for Verifying the Security
    Weijun ZHU, Yongwen FAN, Shaohuan BAN
    2018, 18 (4):  15-22.  doi: 10.3969/j.issn.1671-1122.2018.04.003

    MSISDN (Mobile Station International ISDN) numbers are used as communication identifiers and are open to the public, which allows users' information to be stolen. MSISDN virtualization can protect user data by introducing the mimic defense mechanism. However, the security of this technique cannot be analyzed over the whole state space for lack of a suitable method. First, a finite state automaton is used to describe the state transitions of the MSISDN virtualization, a cellular automaton is employed to describe its dynamic structure, and a hierarchical automaton is employed to express its different granularities. Second, a mimic automaton is obtained by combining the various types of automata mentioned above in a certain logical relationship, and this mimic automaton can describe the behaviors of MSISDN virtualization. Third, a given formula in linear temporal logic (LTL) expresses the security property of MSISDN virtualization. Finally, the security problem of the MSISDN virtualization is reduced to the following LTL model checking problem: the MSISDN virtualization satisfies the security requirement if the model checking result shows that the mimic automaton satisfies the given LTL formula, and it does not satisfy the security requirement if the model checking result shows that the mimic automaton does not satisfy the given LTL formula. On this basis, the security property of the MSISDN virtualization can be verified automatically over the whole state space. Simulations demonstrate the efficiency of the new method.

    Research on SDN Terminal Access Control Based on OpenFlow
    Zhanzhen WEI, Shourong WANG, Zhaobin LI, Weilong LI
    2018, 18 (4):  23-31.  doi: 10.3969/j.issn.1671-1122.2018.04.004

    In order to solve the secure access problem of SDN terminals based on OpenFlow, an in-depth study of terminal secure access solutions in existing SDN networks is conducted, and this paper proposes a network terminal access control system for OpenFlow-based SDN. The system draws on traditional access control technology combined with the new OpenFlow-based SDN network. It mainly realizes user identity authentication, terminal security status evaluation, authorized services for the user and differentiated QoS control for authorized users in an SDN networked environment, and the security of the designed system is analyzed in detail. The network simulation is carried out in Mininet with an extended RYU controller, and experiments on access control function testing and communication delay performance are carried out. The results show that this mechanism offers a flexible network access control security policy that detects and resolves the security threats posed by unsafe terminal access in SDN; it not only realizes user identity authentication but also ensures the security of the access terminal and grants access authorization according to the terminal's security status. Moreover, the performance test results show that the OpenFlow-based SDN network terminal access control system can meet actual needs in terms of authentication delay, platform evaluation delay and communication delay.

    A Big Data Integrity Auditing Scheme Based on User Authorization in Cloud Storage
    Xiuqing LU, Hequn XIAN
    2018, 18 (4):  32-37.  doi: 10.3969/j.issn.1671-1122.2018.04.005

    As cloud storage has many advantages, such as large capacity, scalability and low cost, more and more users choose to store their big data on remote cloud storage servers. The availability, high reliability and data sharing services of cloud storage not only bring convenience to users but also lead to many security problems, among which data integrity has become a hot research topic in recent years. Recently, many auditing schemes have been proposed, but these schemes cannot efficiently realize fine-grained update operations. To solve this problem, this paper proposes a big data integrity auditing scheme supporting fine-grained update operations. Firstly, we design an authenticated data structure supporting fine-grained updating, called a dynamic index table. During data insertion and deletion, the elements in the dynamic index table do not need to be moved, so the efficiency of dynamic data updating is improved. Secondly, in order to prevent malicious parties from launching denial-of-service attacks against the cloud storage server, this paper proposes a big data integrity auditing scheme based on user authorization: only third-party verifiers authorized by users can initiate integrity verification challenges, which improves system security. Finally, simulation experiments show that this auditing scheme is highly efficient.

    Analyzer for Caché Database Communication Protocol
    Lin LI, Zhenhuan LI, Xiaolin CHANG, Zhen HAN
    2018, 18 (4):  38-46.  doi: 10.3969/j.issn.1671-1122.2018.04.006

    InterSystems Caché is an advanced commercial database management system with a proprietary license. It has been widely applied in industry, especially in healthcare environments. Its proprietary communication protocol makes it hard, if not impossible, to audit the messages between Caché remote clients and the Caché server. This paper develops an analyzer that can extract Caché database data from packets exchanged between Caché clients and the Caché server. The packets are obtained from network monitors. The details of the analyzer are given. We carry out extensive experiments to verify the correctness of the analyzer in auditing common Caché database operations. This analyzer enables the analysis of the behaviors of remote database clients and thus enables the management and auditing of the database operations of Caché clients.

    Research on Detection and Interception System for Unknown PHP Object Injection Exploit
    Zhenhang CHEN, Zhangyi WANG, Guojun PENG, Zhijian XIA
    2018, 18 (4):  47-55.  doi: 10.3969/j.issn.1671-1122.2018.04.007

    Most Web applications cannot defend against attacks on unknown PHP deserialization vulnerabilities. The common approach is to take emergency measures after the vulnerabilities have been disclosed. This article studies the PHP deserialization mechanism and takes the sensitive function call stack as the starting point of the research. Using the function call stack of the Web application during normal operation as the basis for judgment, this article implements a dynamic detection and interception system for unknown PHP deserialization vulnerabilities based on the sensitive function call stack. Experimental tests of 6 deserialization vulnerabilities in 4 PHP Web applications show that the system can successfully intercept all current PHP deserialization vulnerability attacks and can extract or trace the POP attack chains constructed by the attacks. The system achieves zero false positives with an average performance cost of 3.67%.

    Quantum-secret-sharing Scheme Based on Local Distinguishability of Orthogonal Six-qudit Entangled States
    Chengji LIU, Zhihui LI, Mengmeng SI, Chenming BAI
    2018, 18 (4):  56-64.  doi: 10.3969/j.issn.1671-1122.2018.04.008

    Quantum secret sharing can be divided into the secret sharing of quantum states and the secret sharing of classical information according to the form of the shared information. In a perfect (k,n) threshold quantum secret sharing scheme, fewer than k participants cannot get any information about the secret. There are two kinds of eavesdropping attacks on (k,n) threshold quantum secret sharing schemes: the unambiguous attack and the guessing attack. Wang et al. proposed the concept of judgment space and used it to study quantum entangled states that can resist the unambiguous attack based on local distinguishability. In this paper, we construct 11 kinds of six-qudit quantum entangled states in the sense of permutation, calculate their judgment spaces, and propose a distinguishability rule for judgment spaces. Based on this rule, we study the local distinguishability of the 11 kinds of six-qudit quantum entangled states, propose a (k,n) threshold quantum secret sharing scheme that can resist the unambiguous attack, and give a (5,6) threshold quantum secret sharing scheme as an illustration. Finally, we discuss the security of the scheme.

    DNS Health Assessment Based on Fuzzy Comprehensive Evaluation
    Yi ZHU, Xingshu CHEN, Jinghan CHEN, Guolin SHAO
    2018, 18 (4):  65-71.  doi: 10.3969/j.issn.1671-1122.2018.04.009

    DNS is a key node in almost all Internet applications and is considered the central nervous system of the Internet. However, because of weaknesses in its protocol design, the security of the DNS system faces severe challenges. Monitoring and evaluating DNS traffic can provide support and assurance for network security, yet current research on DNS security evaluation focuses mainly on active detection methods or on specific network attacks. These approaches are inadequate for problems that affect the DNS system as a whole or for other unanticipated problems. To address this, a novel DNS health evaluation model based on fuzzy comprehensive evaluation is proposed in this paper. On the basis of DNS traffic analysis, several evaluation indicators are proposed from three aspects: server working state, user usage state and unconventional use state. With this model, the activity of DNS can be described and analyzed, and the DNS service state can be evaluated without affecting the DNS working environment. This method has been applied to a campus DNS server, and the experimental results show that the model can effectively detect user misconfiguration, DDoS attacks, massive changes and other abnormal conditions.

    An Anonymous Identity-based Encryption Scheme in the Standard Model
    Yimin XIA, Chungen XU, Bennian DOU
    2018, 18 (4):  72-78.  doi: 10.3969/j.issn.1671-1122.2018.04.010

    Aiming at the problem that most current identity-based encryption schemes are not anonymous, we propose a new anonymous identity-based encryption (IBE) scheme. The new IBE scheme uses bilinear groups of composite order. Based on the DBDH (Decisional Bilinear Diffie-Hellman) assumption, it achieves ANON-IND-sID-CPA security in the standard model. Our IBE scheme is anonymous, which means the adversary cannot obtain any information about the plaintext or the receiver's identity from the ciphertext. In addition, this paper verifies the correctness of the scheme and proves its security. Compared with several existing IBE schemes, our new IBE scheme has certain advantages in anonymity and efficiency.

    Security System of the Information System in the Cloud
    Yan CHEN, Jianyong GE, Jing LAI, Zhen LU
    2018, 18 (4):  79-86.  doi: 10.3969/j.issn.1671-1122.2018.04.011

    As a new service model, cloud computing has received great attention in recent years, and more and more customers choose to migrate their information systems to the cloud. With the development of cloud computing technology, all kinds of cloud security products are constantly emerging, and cloud service providers offer more and more security services. At the same time, however, cloud service customers still face a lot of confusion when building information systems on the cloud. This paper focuses on guidelines for the security construction of information systems on the cloud. On the basis of the shared security responsibility model, a design method for the security system of an information system on the cloud and the key points in its construction are put forward. While ensuring the security of the information system on the cloud, this also promotes the security of the cloud computing platform and the healthy development of the cloud computing industry.
