Loading...
Netinfo Security

Table of Content

    10 August 2020, Volume 20 Issue 8 Previous Issue    Next Issue
    For Selected: Toggle Thumbnails
    Key Management Scheme for IoT Based on Blockchain Technology
    SHI Runhua, SHI Ze
    2020, 20 (8):  1-8.  doi: 10.3969/j.issn.1671-1122.2020.08.001
    Abstract ( 862 )   HTML ( 31 )   PDF (8896KB) ( 201 )  

    A blockchain key distribution scheme for the Internet of things is proposed. First, the quantum random number generator is used to continuously generate random numbers, which are securely stored on the cloud storage. Second, the initiator selects a reasonable random number length according to the security requirements of different services and pays the corresponding bill to the proxy server. Third, the proxy server uploads purchasing records to the blockchain node for verifications and broadcast to the entire network. After the initiator’s gateway successfully queries the transaction records on the blockchain according to the transaction hash value, the interface devices of random numbers authenticate the identities of the gateways of the initiator and the sharer. Then, the random number stream is automatically stored in the smart card by smart contracts. Finally, the initiator and the sharer gain the corresponding smart card to get the shared key, respectively. The proposed scheme can effectively distribute the keys in IoTs so that it can realize secure communications between sensor devices in different subnets of IoTs.

    Figures and Tables | References | Related Articles | Metrics
    Multi-factor Authentication Protocol Based on Hardware Fingerprint and Biometrics
    ZHANG Xiao, LIU Jiqiang
    2020, 20 (8):  9-15.  doi: 10.3969/j.issn.1671-1122.2020.08.002
    Abstract ( 432 )   HTML ( 11 )   PDF (7486KB) ( 103 )  

    This paper proposes a multi-factor authentication protocol for short-range communication between smart devices. It can prevent the common attacks, such as smartphone lost attack, man-in-the-middle attack, replay attack, by combining the user’s account key as a knowledge factor, the smart device speaker hardware fingerprint as a ownership factor, and the user’s facial information as a biological information factor. This protocol proposes is suitable for no extra hardware short-range communication methods. This paper uses the high-security features of audio channel to continuously authentication while authentication side received data signals. Security analysis and experiments prove that the protocol has high application value in high security scenario, such as smart home, mobile payment, and contactless access control.

    Figures and Tables | References | Related Articles | Metrics
    Data Sharing Scheme Based on the Blockchain and the Proxy Re-encryption
    LI Li, ZENG Qingxian, WEN Yihong, WANG Shicheng
    2020, 20 (8):  16-24.  doi: 10.3969/j.issn.1671-1122.2020.08.003
    Abstract ( 867 )   HTML ( 37 )   PDF (11626KB) ( 443 )  

    Achieving secure data sharing in an untrusted environment is always a difficult problem. Traditional centralized solutions have problems that data is easily leaked, data is easily tampered, data destination is difficult to track, and supervision is difficult. Data sharing scheme based on public-key system has some problems such as high communication cost, high computation cost and poor practicability. To solve the above problems, this paper proposes a data sharing scheme based on blockchain. The scheme maintains a credible ledger through the blockchain to ensure the traceability of data and immutability of the access control authority. On this basis, a proxy re-encryption scheme based on Schnorr is constructed, which realizes the secure data sharing by a proxy re-encryption secret key. Compared with the traditional schemes, the proposed scheme has better security and traceability, and has been successfully applied in the medical data sharing project.

    Figures and Tables | References | Related Articles | Metrics
    Research on Reversible Data Hiding Technology in Homomorphic Encrypted Domain
    ZHANG Minqing, ZHOU Neng, LIU Mengmeng, KE Yan
    2020, 20 (8):  25-36.  doi: 10.3969/j.issn.1671-1122.2020.08.004
    Abstract ( 598 )   HTML ( 9 )   PDF (14707KB) ( 160 )  

    The reversible data hiding in homomorphic encrypted domain is the intersection of cryptography and information hiding technology. It also plays the dual role of content privacy protection and secret information transmission, which has good application prospects and practical value. Reversible data hiding in homomorphic encrypted domain has become an important research direction of reversible data hiding in encrypted domain. This article first introduced the background of the development in this field, pointed out and analyzed the current technical difficulties. Then, three types of algorithms based on vacating room before encryption, vacating room after encryption and vacating redundancy in encryption in the current reversible data hiding in homomorphic encrypted domain were studied. In order to improve the security and embedding capacity of the reversible data hiding algorithm in encrypted domain, a reversible data hiding algorithm in encrypted domain based on homomorphic addition of cryptographic technology was proposed. By applying the embedding technology in encrypted domain to more cryptographic algorithms, the application scope of the reversible data hiding technology in encrypted domain is improved. Finally, we summarize the main algorithm category and homomorphic encryption techniques utilized in this field and propose several hot directions for future research.

    Figures and Tables | References | Related Articles | Metrics
    A SDN Access Control Mechanism Based on Zero Trust
    WU Yunkun, JIANG Bo, PAN Ruixuan, LIU Yuling
    2020, 20 (8):  37-46.  doi: 10.3969/j.issn.1671-1122.2020.08.005
    Abstract ( 749 )   HTML ( 32 )   PDF (10634KB) ( 227 )  

    Software defined network (SDN) is a new network architecture which separates logic control and data forwarding. It can provide the Internet with smooth evolution ability to meet the current and future needs.SDN not only becomes a new development direction of future internet, but also gives a new way to solve the problem of network security. At present, SDN network lacks effective network dynamic access control mechanism. Therefore, this paper proposes a zero-trust based access control method for SDN network. Firstly, the security concept of "zero trust" is introduced to construct the network access control framework under SDN network. The proposed framework achieves the real-time monitoring and trust measurement of insider user behaviors. Moreover, it can adjust user resource access privilege according to the measurement results dynamically. Then, the set of user behavior trust metrics for SDN network is designed, and the behavior metrics supported by Openflow in SDN network are selected to make the index results easy to measure. The dynamic measurement mechanism of user trust based on behavior as well as the SDN network resource access control using flow table is proposed. From the viewpoint of "never trust and always verify", the behavior of users in the network is monitored periodically, and the trust value of users is measured according to their behavior data. When the user trust degree drops to an untrusted degree, the flow table is quickly issued to prevent the user from continuing to access the network. Finally, the effectiveness of the proposed model and method is verified by simulations. The experiments show that our method can achieve more fine-grained and dynamic access control.

    Figures and Tables | References | Related Articles | Metrics
    An Active Discovering and Secure Using Method of Hardware Cryptographic Resources Based on TrustZone
    YUAN Lu, HUANG Chenlin, LI Yun, CHENG Hua
    2020, 20 (8):  47-54.  doi: 10.3969/j.issn.1671-1122.2020.08.006
    Abstract ( 467 )   HTML ( 5 )   PDF (8958KB) ( 79 )  

    In order to solve the problems that various cryptographic equipment providers are independent, the workload of security maintenance is large and the development of security applications is inconvenient, the researchers set up a cryptographic service framework at the operating system level to unify all kinds of hardware and software cryptographic resources. However, on the one hand, existing cryptographic service frameworks do not have the ability to actively discover and apply the hardware cryptographic resources, and users still need to manually load the cryptographic device and mount the cryptographic resources into the cryptographic service framework before they can be invoked and used in the security applications. On the other hand, high level security hardware cryptographic devices may be unauthorized accessed and used. In order to solve the above problems, this paper proposes a method of active discovery and secure use of hardware cryptographic resources based on TrustZone, which extends the cryptographic service framework through the secure isolation computing environment provided by TrustZone, and makes the cryptographic service framework have the ability to actively detect and securely load the system hardware cryptographic resources through the interaction with the operating system kernel. The prototype system is implemented on FT-2000/4 processer platform. The test results show that the proposed method can successfully realize the active discovery and secure use of hardware cryptographic resources.

    Figures and Tables | References | Related Articles | Metrics
    Secure Virtual Machine Placement Method Based on Grouping in Cloud Environment
    CHEN Wanying, WANG Yunpeng, ZHAO Keyu, LIU Xiaojie
    2020, 20 (8):  55-61.  doi: 10.3969/j.issn.1671-1122.2020.08.007
    Abstract ( 481 )   HTML ( 11 )   PDF (8185KB) ( 98 )  

    In the cloud environment, virtual machines of different users are usually placed on the same physical machine, and this sharing of physical resources poses a serious threat to users' private data. Malicious users can improve the probability of co-existence with the target virtual machine by starting a large number of virtual machines or by taking advantage of the loopholes in the virtual machine placement strategy. In order to defend it actively, a placement method which considers the safety, energy consumption and load balance is proposed. First will be randomly assigned a virtual machine with the same probability, in order to prevent malicious users to obtain and make use of the virtual machine in place of some of the characteristics, in order to reduce the malicious user too much by starting the virtual machine to increase the probability of coexistence with the target virtual machine, the virtual machine when a user is assigned to the group number exceeds a certain value, will be assigned to the new group. Then, considering the situation of energy consumption and load balance, it is allocated to the appropriate physical host. The experimental results show that the probability of co-existence between virtual machines of different users is reduced and the security of virtual machine placement is guaranteed to a certain extent.

    Figures and Tables | References | Related Articles | Metrics
    Attribute-based Encryption Scheme without Key Escrow Supporting Attribute Revocation in Cloud Environment
    SONG Shuo, ZHANG Xinglan
    2020, 20 (8):  62-70.  doi: 10.3969/j.issn.1671-1122.2020.08.008
    Abstract ( 428 )   HTML ( 5 )   PDF (10741KB) ( 99 )  

    In order to solve the problem of key escrow and the efficiency of attribute revocation in ABE, this paper proposes an attribute-based encryption revocation scheme that supports decryption outsourcing and no key escrow. In the scheme, if a user’s attribute is revoked, the attribute authority first generates a sibling intractable function based on the latest attribute update key and broadcasts it to users who have not revoked the attribute. Then the users update their own private key by using the sibling intractable function. Finally, the attribute authority updates the ciphertext in the cloud server according to the attribute update key to realize the attribute revocation. In the process of attribute revocation, this scheme reduces the computation and communication of the attribute authority, and uses semi-honest cloud server to perform partial decryption to reduce the computation of the user, and introduces the central authority and the attribute authority to jointly generate the user’s private key to solve the key escrow problem. The security proof and performance analysis show that, the scheme is based on the assumption of q-Parallel BDHE to achieve the chosen plaintext security under the standard model, which has higher computational efficiency than similar schemes.

    Figures and Tables | References | Related Articles | Metrics
    Research on K-Nearest Neighbor High Speed Matching Algorithm in Network Intrusion Detection
    XU Guotian
    2020, 20 (8):  71-80.  doi: 10.3969/j.issn.1671-1122.2020.08.009
    Abstract ( 396 )   HTML ( 5 )   PDF (12290KB) ( 82 )  

    K-nearest neighbor matching algorithm is widely used in network intrusion detection. When the number of samples and feature dimensions increase significantly, the query efficiency of K-nearest neighbor matching algorithm based on Ball-tree structure decreases significantly and cannot meet the requirements of real-time detection. In order to solve this problem, this paper proposes a high-speed K-nearest neighbor matching algorithm based on "reduce tree". Firstly, the original sample set is effectively clipped to construct a minimum-scale "reduce tree" while ensuring that the "reduce tree" preserves the distribution morphology of the original sample set in multi-dimensional space to the greatest extent. Secondly, in K-nearest neighbor search, K_g(2≤K_g≤K ) initial nearest neighbor points are quickly located in the "reduce tree", and then K-nearest neighbor query is carried out on the search binary tree by using the spatial distance between the initial nearest neighbor points and the target point as the pruning radius. Compared with the original K-nearest neighbor matching algorithm, the initial nearest neighbor position of the improved algorithm is not fixed, but dynamically located around the target point, effectively shortening the pruning distance, more sample points are pruned and deleted in the query process, significantly reducing the calculation amount and improving the overall query efficiency. The experimental results show that the improved K-nearest neighbor high-speed matching algorithm maintains high query efficiency when processing high-dimensional and massive sample data, and the growth ratio of some sample sets reaches 93.81%.

    Figures and Tables | References | Related Articles | Metrics
    Research on Comprehensive Effectiveness Analysis of Network Security System Based on Information Metrics and Loss
    LAI Jiangliang, HOU Yifan, LU Xuming
    2020, 20 (8):  81-88.  doi: 10.3969/j.issn.1671-1122.2020.08.010
    Abstract ( 458 )   HTML ( 3 )   PDF (9026KB) ( 61 )  

    In the process of informationization, network security is more important and pivotal. In order to deal with the increasingly serious security risk, a large number of security systems are deployed in the network to protect the application system. How to evaluate the effect of security systems in actual environment has been a problem to be faced. The effectiveness analyses of security system provide necessary quantitative indicators for security scheme design and systems selection. However, the current analyses in a general sense just focus on the protection effect that ignores the security system’s negative effect on the protected system. This paper constructs a comprehensive effectiveness analysis method of security system based on information metrics and loss. The method considers the protection effect and negative effect and provides a new idea for the research on effectiveness analysis on security systems.

    Figures and Tables | References | Related Articles | Metrics
    PUF-based Anti-physical Cloning RFID Security Authentication Protocol
    WANG Li, LI Erxia, JI Yuchen, LI Xiaoyong
    2020, 20 (8):  89-97.  doi: 10.3969/j.issn.1671-1122.2020.08.011
    Abstract ( 589 )   HTML ( 8 )   PDF (9120KB) ( 96 )  

    Security authentication protocol is an important means to solve the forward channel security and identity identification problems of radio frequency identification (RFID) system. In view of the insecure problem of RFID system tags and reader channels and the vulnerability of tags to physical attacks, combining physical unclonable function (PUF) technology with traditional RFID security protocol, a PUF-based anti-physical cloning RFID protocol is proposed. The communication primitives are guaranteed by the two cryptographic primitives PUF and hash function, all communication of the protocol is encrypted to ensure the exclusiveness and security of the information, and the label information and the key information are updated after each round of authentication. The analysis results of protocol performance show that, the proposed protocol can prevent not only eavesdropping, tampering, replay attacks, but also physical attacks and tag clone attacks, thus improving the security of RFID system. At the same time, the proposed protocol does not take up too much resources and can be applied to low-cost resource-constrained RFID systems.

    Figures and Tables | References | Related Articles | Metrics