Showing papers by "Xiaodong Lin published in 2007"

GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications

Abstract: In this paper, we first identify some unique design requirements in the aspects of security and privacy preservation for communications between different communication devices in vehicular ad hoc networks. We then propose a secure and privacy-preserving protocol based on group signature and identity (ID)-based signature techniques. We demonstrate that the proposed protocol cannot only guarantee the requirements of security and privacy but can also provide the desired traceability of each vehicle in the case where the ID of the message sender has to be revealed by the authority for any dispute event. Extensive simulation is conducted to verify the efficiency, effectiveness, and applicability of the proposed protocol in various application scenarios under different road systems.

Secure Vehicular Communications Based on Group Signature and ID-Based Signature Scheme

Abstract: Vehicular communication networking is a promising approach of facilitating road safety, traffic management, and infotainment dissemination for drivers and passengers. However, it is subject to various malicious abuses and security attacks which hinder it from practical implementation. In this paper, we propose a novel security protocol based on group signature and identity-based signature scheme to meet the unique requirements of vehicular communication networks. The proposed protocol not only guarantees security and anonymity, but also provides easy traceability property when the identity of the sender of a message has to be revealed by the authority. To further enable Internet access, the network architecture incorporating with the proposed security protocol is introduced. Simulation is conducted to analyze the system performance which proves the feasibility of the proposed scheme.

ASRPAKE: An Anonymous Secure Routing Protocol with Authenticated Key Exchange for Wireless Ad Hoc Networks

Abstract: In this paper, we present a novel anonymous secure routing protocol for mobile ad hoc networks (MANETs). The proposed protocol not only provides anonymity from all the intermediate nodes, but also integrates the authenticated key exchange mechanisms into the routing algorithm design. Furthermore, a new attack on anonymous services, called snare attack, is introduced, where a compromised node lures a very important node (VIN) into communicating with him and traces back to the VIN by following the route path. An adversary can then snare the VIN and launch decapitation strike on the VIN. Finally, we present a novel DECOY mechanism as a countermeasure to enhance anonymity of VINs and defeat snare attack.

TTP Based Privacy Preserving Inter-WISP Roaming Architecture for Wireless Metropolitan Area Networks

Abstract: We propose a novel inter-WISP roaming architecture based on trusted third party (TTP) and partially blind signature technique in wireless metropolitan area networks (WMAN). The proposed architecture aims to not only greatly improve user privacy and identity anonymity even in the presence of cooperation between the wireless Internet service provider (WISPs) and the TTP, but also dramatically reduce the required size of central database devised to minimize any possible service abuse. In addition, an efficient billing scheme among mobile users (MUs), WISPs and TTP, is introduced to address billing issues associated with roaming. Moreover, a localized inter-WISP authentication scheme is also proposed to support seamless handoff. Detailed analysis on a number of important performance metrics, such as computation time, handoff latency and power consumption, is conducted to verify the performance of the proposed schemes.

Measuring Intrusion Impacts for Rational Response: A State-based Approach

Abstract: Although intrusion detection systems (IDSs) are playing significant roles in defending information systems against attacks, they can only partially reflect the true system states due to false alarms, low detection rate, inaccurate reports, and inappropriate responses. Automated response component built upon such systems therefore must consider the imperfect picture inferred from them and take actions accordingly. This paper presents a stat- based approach to measuring intrusion impacts on the basis of IDS reports, and analyzing costs and benefits of response polices supposed to be taken. Specifically, assuming the system evolves as a Markov process conditioned upon the current system state, imperfect observation and action, a partially observable Markov decision process to model the efficacy of IDSs (as well as alert correlation technology) as providing a probabilistic assessment of the state of system assets, and to maximize rewards (cost and benefit) by taking appropriate actions in response to the estimated states. The objective is to move the system towards more secure states with respect to particular security metrics. We use a real trace benchmark data to evaluate our approach, and demonstrate its promising performance.

Performance Enhancement for Secure Vehicular Communications

Abstract: In this paper, we propose a new TESLA (timed efficient stream loss-tolerant authentication) based secure vehicular communication (TSVC) protocol with privacy preserving, aiming to achieve less communication overhead without compromising the security and privacy requirements. With TSVC, the communication overhead can be significantly reduced due to the message authentication code (MAC) tag attached in each packet and only a fast hash operation is required to verify each packet. Simulation results show that TSVC maintains acceptable message latency with much smaller packet size while significantly reducing the message loss ratio compared with that by the existing PKI-based protocols especially when the traffic is denser.

Two-Factor Localized Authentication Scheme for WLAN Roaming

Abstract: In the paper, we propose an efficient two-factor localized authentication scheme suitable for WLAN roaming. The proposed authentication scheme can greatly improve the security compared with the previously reported counterparts, where two independent factors, such as "what you know" and "what you have", are utilized in the authentication process for a mobile user (MO). Some important issues specific to the wireless environment are considered in the design of the scheme, such as limited computation power, memory space, and battery capacity of mobile stations (MSs), and ping-pong movement problem when roaming across WLANs. The detailed implementation of the proposed scheme is presented, where some of the key performance measures and security are analyzed. Numerical results demonstrate that the proposed scheme can significantly outperform the legacy authentication schemes in terms of signaling overhead, power consumption, and authentication latency without losing the capability of preserving the system security.

A Novel Compromise-Resilient Authentication System for Wireless Mesh Networks

Abstract: User authentication is essential in service-oriented communication networks to identify and reject any unauthorized network access. The state-of-the-art practice in securing wireless networks is based on the technique of authentication, authorization and accounting (AAA) framework where an AAA server is adopted to authenticate mobile users (MUs), handle authorization requests, and collect accounting data. However, the traditional AAA framework is by way of a single authentication server, and cannot tolerate AAA server failure due to various malicious attacks such as denial-of-service (DoS) attack, or any other failure event such that the authentication server is compromised due to misuse, misconfiguration and malicious access, etc. Thus, a more resilient approach is to adopt multiple authentication servers, where any authentication request is handled by more than one authentication servers in order to resist any compromise event of an authentication server. To meet this design objective, we introduce a novel compromise-resilient authentication system based on (t, n) threshold signature technique. With the proposed system, only t or more out of n authentication servers can cooperatively allow a MU to have network access, and any t-1 or less cannot. Case study of reliability analysis is conducted to demonstrate the effectiveness of the system. The proposed authentication system is expected to particularly contribute to wireless mesh networking (WMN) in metropolitan areas where thousands of nodes may coexist and are managed under a single control plane such that duplicated AAA servers are necessary.

Secure Localized Authentication and Billing for Wireless Mesh Networks

Abstract: The future metropolitan-area wireless mesh networks (WMNs) are expected to have compromise-prone mesh access points (MAPs) with high frequency of inter-domain roaming/handoff events. To achieve security without losing efficiency, this paper introduces a novel secure localized authentication and billing (SLAB) scheme. Our scheme aims to address both security guarantee and performance in terms of system compromise resilience capability, inter-domain handoff authentication latency, and workload of the roaming broker (RB). We demonstrate that the proposed scheme can be a practical solution for achieving secure roaming and billing in metropolitan-area WMNs.

PPBR: Privacy-Aware Position-Based Routing in Mobile Ad Hoc Networks

Abstract: Position-based routing for Mobile Ad-Hoc Networks is a promising approach to reduce route overhead by using the location information of each node. However, in most of the previously reported position-based routing protocols, a node has to periodically broadcast its current position coordinates and identifiers to its one-hop neighbors. Such information could be easily eavesdropped on by an adversary if it is not protected, and consequently, location privacy would be violated. In this paper, we propose a novel privacy-aware position-based routing protocol (PPBR), in which a node takes dynamic pseudo identifiers instead of its real identity in advertising its position. Furthermore, PPBR provides end-to-end anonymity to any intermediate nodes along the route. The theoretical analysis shows that the probability of tracking a node under PPBR through traffic analysis would be very small. We compare the performance of PPBR with that by GPSR and AODV through extensive simulation, which demonstrates the effectiveness and efficiency of the proposed scheme. We also show that frequent update of the pseudo identifier of each node yields an insignificant impact on routing performance and overhead.

Towards compromise-resilient localized authentication architecture for wireless mesh networks

Abstract: In this paper, a novel compromise-resilient localized authentication scheme is proposed for metropolitan-area wireless mesh networks (WMNs), which aims to mitigate the impact caused by a compromise event on one or multiple mesh access points (MAPs) before they are identified and removed from the network. As a proactive mechanism based on a "best practice" strategy - Defence in Depth, the proposed scheme can protect critical WMN functionalities, such as user authentication and handoff support, even in presence of compromised MAPs.

A keyless facility access control system with wireless enabled personal devices

Abstract: Nowadays, wireless personal devices, such as cell phones and Personal Data Assistants (PDAs), have gradually taken an important part of our daily lives. With two-factor authentication, the wireless personal devices can be further promoted to more security demanding and mission-critical applications, such as e-commerce, home surveillance, and medical monitoring, etc. Facility access is one of applications that have demonstrated a tremendous market potential for replacing the conventional physical key approach. In this paper, we present a novel keyless facility access control system by using wireless personal devices, where the devices serve as a second authentication factor to assure security. The proposed system is not only cost-efficient, but also capable of mitigating security threats existing in the traditional key control system. Furthermore, the proposed authentication protocol is featured in two different authentication processes for the first time and subsequent accesses by using a one-time authentication mechanism based on one-way hash chain while considering the resource constraints of the wireless personal devices and E-lock. Finally, a role-based access control (RBAC) system is adopted to reduce the complexity of key maintenance.