Certificate Management Research Articles

A pairing-free certificateless searchable public key encryption scheme for IoMT

To ensure confidentiality, medical information is usually encrypted before it is sent to a third party for processing. Encryption technology can protect the privacy of data, but it limits the ability to search for data. The problem is usually solved by using public key encryption with keyword search (PEKS). Recently, some certificateless PEKS (CPEKS) schemes have been proposed. Not only do they allow users to search encrypted data, but they do not have the problems of certificate management and key escrow. However, they rely on the high-consumption bilinear pairing, and some of them are vulnerable to Inside Keyword Guessing Attacks (IKGA). To address these issues, we design a lightweight CPEKS scheme for the Medical Internet of Things (IoMT) that does not include bilinear pairing. In the random oracle model, our scheme is proved to be secure. The analysis results show that the proposed scheme has better overall performance than the existing schemes according to the security property, computation cost, and communication cost. Finally, an IoMT application scenario of our scheme is given.

Pembangunan Rumah Yang Dilakukan Masyarakat Di Bantaran Kali Anafre Kota Jayapura

The Purpose of writing this reasearch is to comprehensively describe the neglect of the construction of residential houses by the people on the banks of the Anafre river, Jayapura City. This type of research is using a qualitative method, using a social phenomenological paradigm, to data analysis using a flow model. The study's findings, the construction of dwellings on the Anafre River's banks is an endeavor by inhabitants to acquire a residential house. Many others have copied the government and private buildings that have enlivened the growth on the banks of the Anafre River. Residential house building is done permanently or semi-permanently depending on the demands of the occupants. Without licensing certificates, giving up customs and building permissions for buildings on the Anafre River's banks violates current legislation; these letters are proof of physical and legal facts. The convenience of the Jayapura City BPN in the form of a certificate management policy based on the submission of a recommendation letter from the Ministry of PUPR of Jayapura City, which is in violation of Government Regulation No. 38 of 2011 concerning the River. Many locals are unaware of the convenience of Jayapura City BPN housing on the banks of the Anafre River, which is placed behind the Paldam housing (army settlement), so that civilians building houses in the area feel safe from eviction.

Provably Secure Receiver-Unrestricted Group Key Management Scheme for Mobile Ad Hoc Networks.

Mobile ad hoc networks (MANETs) are self-configuring networks of wireless nodes, i.e., mobile devices. Since communications in MANETs occur via wireless channels, it is of significance to secure communications among wireless and mobile nodes. Group key management, as a widely used method for securing group communications, has potentially been used in MANETs for years. Most recently, a secure receiver-unrestricted group key management scheme for MANETs has been proposed, which is used to establish a secure channel among a group of wireless nodes without a trusted dealer, which has some advantages such as eliminating the certificate management problem and receiver restriction. However, a formal security analysis of this scheme is still lacking. Therefore, in this paper, we propose the complete security proof to demonstrate that the scheme satisfies the essential security properties including authentication, message confidentiality, known-key security and dynamic secrecy. We also give a brief discussion about the efficiency of the scheme.

A practical study of post-quantum enhanced identity-based encryption

One of the most expensive processes inside Public-Key Infrastructure (PKI) is certificate management. Identity-based Encryption (IBE) is seen as an alternative to alleviate the associated cost. This is especially relevant in many mission-critical applications characterized by resource-constrained endpoints. MIKEY-SAKKE is a protocol globally endorsed to secure mission-critical applications through the use of IBE. However, its security is threatened by the rapid development of quantum computers. Therefore, quantum-secure IBE should be deployed to meet the security and performance boundaries of the different applications. In order to develop quantum-secure IBE, traditional protocols can be enhanced by integrating Post-Quantum Cryptography (PQC) primitives, such as the finalists of the NIST PQC Round 3 standardization process, or by deploying fully dedicated post-quantum IBE constructions, such as the DLP-IBE scheme. To this end, this paper presents the following contributions. First, it evaluates the performance of MIKEY-SAKKE in constrained embedded devices. Second, it extracts the requirements that post-quantum cryptographic primitives should meet to allow a plug-and-play replacement of the traditional security primitives with quantum-secure primitives. Third, it benchmarks the different alternatives for deploying post-quantum IBE, which includes the NIST PQC Round 3 finalists for Key Encapsulation Mechanism (KEM) and digital signature, as well as the DLP-IBE scheme. Finally, it analyses the impact of the post-quantum primitives on quantum-secure MIKEY-SAKKE. The results show that none of the examined quantum-secure primitives meet all the specified requirements to achieve a post-quantum plug-and-play approach. Combining the different post-quantum KEM/IBE and signature schemes yields a range of trade-offs compared to the current MIKEY-SAKKE, either having slower computation or larger keys and ciphertexts/signatures or both.

CD-BCM:Cross-Domain Batch Certificates Management Based On Blockchain

AbstractWith the development of information networks, the entities from different network domains interact with each other more and more frequently. Therefore, identity management and authentication are essential in cross-domain setting. The traditional Public Key Infrastructure (PKI) architecture has some problems, including single point of failure, inefficient certificate revocation status management and also lack of privacy protection, which cannot meet the demand of cross-domain identity authentication. Blockchain is suitable for multi-participant collaboration in multi-trust domain scenarios. In this paper, a cross-domain certificate management scheme CD-BCM based on the consortium blockchain is proposed. For the issue of Certificate Authority’s single point of failure, we design a multi-signature algorithm. In addition, we propose a unified structure for batch certificates verification and conversion, which improve the efficiency of erroneous certificate identification. Finally, by comparing with current related schemes, our scheme achieves good functionality and scalability in the scenario of cross-domain certificate management.

Lightweight certificateless privacy-preserving integrity verification with conditional anonymity for cloud-assisted medical cyber–physical systems

Cloud-assisted medical cyber–physical systems (MCPSs) leverage the power of cloud computing for scalable storage and management of outsourced medical data. Based on the crucial outsourced medical data, guardians could know patient’s health condition timely, doctors can make accurate diagnoses of patients, and medical research centers could also conduct medical big data analysis. However, medical data is highly sensitive and demands strong protection. Meanwhile, the integrity of outsourced medical data is vulnerable to hardware failures, software bugs or human errors. To date, a large number of data privacy-preserving integrity auditing schemes have been presented, but most of them suffer from the burden of complex public key certificate management or the key escrow problem of identity-based cryptography. In this paper, we propose a lightweight certificateless privacy-preserving integrity verification scheme (LCPPIV) with conditional anonymity for cloud-assisted MCPSs by developing an elliptic-curve digital signature and a key exchange mechanism, which can achieve the functionalities of medical data privacy protection, integrity verification of outsourced medical data, conditional anonymity, batch auditing, and secure compensation mechanism, simultaneously. Theoretical security analysis demonstrates that our scheme is provably secure in the random oracle model, with resistance to the public key replacement attack, malicious-but-passive-KGC attack, and response auditing proofs forgery. The performance evaluations indicate that LCPPIV is much more practical for cloud-assisted MCPSs compared with state-of-art data auditing schemes.

Pairing-Free Certificateless Aggregate Signcryption Scheme for Vehicular Sensor Networks

Smart vehicle applications play an increasingly significant role in constructing intelligent transportation systems. Vehicles with sensors are able to form temporary vehicular sensor networks dynamically, in which a mass of data are collected, shared, and aggregated to the traffic administration for improving road safety and efficiency. In such networks, vehicles exchange urgent or sensitive information with others in open wireless channels. To ensure secure and privacy-preserving communications, we develop a new pairing-free certificateless aggregate signcryption scheme based on the elliptic curve cryptosystem. The certificateless setting prevents the proposed scheme from both certificate management and key escrow issues. Aggregate signcryption without pairings realizes the aggregation and simultaneous authentication of multisource data by efficient cryptographic computing. The proposed scheme is proved to achieve confidentiality and unforgeability with the random oracle model. The security analysis shows that the proposed scheme provides forward secrecy, immunity to various known attacks, and pseudonym-based conditional privacy for vehicles. The performance analysis demonstrates that it satisfies more security properties with higher computation efficiency and lower communication overhead than state-of-the-art schemes.

Privacy-preserving certificateless public auditing supporting different auditing frequencies

Public auditing enables a verifier, say a third party auditor (TPA), to verify whether the cloud correctly stores the user’s cloud data. To date, a lot of public auditing schemes have been proposed. However, none of them consider the problem of auditing frequency. In practice, to reduce the cost of auditing service and avoid waste of resources, the users prefer to frequently verify the integrity of high-value data and check the integrity of low-value data with low frequency. In this paper, we propose a privacy-preserving certificateless public auditing scheme supporting different auditing frequencies. In this scheme, a novel auditing strategy is provided, in which the TPA is allowed to complete auditing tasks on high-value and low-value files with different auditing frequencies. The user’s privacy can be achieved by utilizing permutation technology to confuse the real file index. Hence, the TPA cannot distinguish the files with high value. We also use the random masking technology to mask the auditing proof, which guarantees the privacy of user data. The proposed scheme avoids the complicated certificate management and key escrow since it is designed in the certificateless cryptography. We prove that the proposed scheme is secure. The experimental results are shown to validate the efficiency of the proposed scheme.

An efficient and provably secure certificateless protocol for the power internet of things

The Power Internet of Things (IoT) is a specific application of the IoT in the power grid. The threat existing in the Power IoT mainly comes from the terminal deployed in the open environment, which has the risk of being tampered with and impersonated. Thus, we design a certificateless anonymous key agreement protocol for the Power IoT to solve the problem of terminal access. The proposed protocol completes session key agreement in only one round exchange of key materials on the basis of certificatelessness, which saves the cost of certificate management. It also achieves anonymity by encrypting the authentication information to ensure the identity privacy of terminals. In addition, the protocol prevents malicious connections of internal systems by setting up software defined perimeter (SDP) controllers to complete pre-access authentication of terminals. Moreover, an improved eCK security model is designed and applied to demonstrate the proposed protocol. An experiment and analyses indicate that our scheme has advantages in terms of the communication and computation costs that are suitable for Power IoT.

PCAS: Cryptanalysis and improvement of pairing-free certificateless aggregate signature scheme with conditional privacy-preserving for VANETs

Certificateless aggregate signature (CLAS) is an effective approach for the multiple authentications in multi-users and multi-information environments like the vehicular ad hoc networks (VANETs), which can address the certificate management issue in the traditional public key cryptography (PKC) and solve the key escrow problem in identity-based cryptography (IBC). In recent years, a new CLAS mechanism (LICLAS) is presented for the authentication of sensors in healthcare wireless medical sensor networks (HWMSNs). In this paper, we make an analysis and prove that LICLAS is not able to against forgery attacks. Thus, we present an improved CLAS scheme (PCAS) for vehicle authentication in VANETs, which satisfies the privacy and security requirements. PCAS constructs the signature algorithm based on Elliptic Curve Cryptography (ECC) to avoid bilinear pairing and Map-to-Hash function operations. In order to further improve security and efficiency of PCAS, the vehicle key generation and signature algorithm is revised. The pseudonym mechanism is also adopted to achieve conditional privacy preservation. Besides, PCAS allows to execute a batch verification of messages, where RSUs may verify the aggregated signatures from vehicles to reduce time overhead. Under the assumption that the elliptic curve discrete logarithm problem (ECDLP) is hard, PCAS is proved to be existentially unforgeable against adaptive chosen message attacks in the random oracle model. Through the performance analysis, under the same time complexity, PCAS is shown to more effective. Compared with LICLAS, for a single message and 2000 messages, the transmission overhead of PCAS is reduced by 25% and 25% respectively, and the computation overhead is reduced by 16.56% and 25.34% respectively.

A Lattice-Based Certificateless Traceable Ring Signature Scheme

A ring signature (RS) scheme enables a group member to sign messages on behalf of its group without revealing the definite signer identify, but this also leads to the abuse of anonymity by malicious signers, which can be prevented by traceable ring signatures (TRS). Up until that point, traceable ring signatures have been secure based on the difficult problem of number-theoretic (discrete logarithms or RSA), but since the advent of quantum computers, traditional traceable ring signatures may no longer be secure. Thus Feng proposed a lattice based TRS, which are resistant to attacks by quantum computers. However, that works did not tackle the certificate management problem. To close this gap, a quantum-resistant certificateless TRS scheme was proposed in the study. To the best of our knowledge, this is the first lattice based certificateless TRS. In detail, a specific TRS scheme was combined with the lattice-based certificateless signature technology to solve the certificate management problem while avoid key escrow problem. Additionally, a better zero-knowledge protocol is used to improve the computational efficiency of the scheme, and by reducing the soundness error of the zero-knowledge protocol, the number of runs of the zero-knowledge protocol is reduced, so that the communication overhead of the scheme is reduced. Under random oracle model, the proposed scheme satisfies tag-linkability, anonymity, exculpability and is secure based on the SIS problem and the DLWE problem. In conclusion, the proposed scheme is more practical and promising in e-voting.

A Comprehensive Survey on Certificate-Less Authentication Schemes for Vehicular Ad hoc Networks in Intelligent Transportation Systems.

Data transmission in intelligent transportation systems is being challenged by a variety of factors, such as open wireless communication channels, that pose problems related to security, anonymity, and privacy. To achieve secure data transmission, several authentication schemes are proposed by various researchers. The most predominant schemes are based on identity-based and public-key cryptography techniques. Due to limitations such as key escrow in identity-based cryptography and certificate management in public-key cryptography, certificate-less authentication schemes arrived to counter these challenges. This paper presents a comprehensive survey on the classification of various types of certificate-less authentication schemes and their features. The schemes are classified based on their type of authentication, the techniques used, the attacks they address, and their security requirements. This survey highlights the performance comparison of various authentication schemes and presents the gaps in them, thereby providing insights for the realization of intelligent transportation systems.

Cross-domain identity authentication scheme based on blockchain and PKI system

In vehicular ad hoc networks (VANET), the cross-domain identity authentication of users is very important for the development of VANET due to the large cross-domain mobility of vehicle users. The Public Key Infrastructure (PKI) system is often used to solve the identity authentication and security trust problems faced by VANET. However, the PKI system has challenges such as too centralized Authority of Certification Authority (CA), frequent cross-domain access to certificate interactions and high authentication volume, leading to high certificate management costs, complex cross-domain authentication paths, easy privacy leakage, and overburdened networks. To address these problems, this paper proposes a lightweight blockchain-based PKI identity management and authentication architecture that uses smart contracts to reduce the heavy burden caused by CAs directly managing the life cycle of digital certificates. On this basis, a trust chain based on smart contracts is designed to replace the traditional CA trust chain to meet the general cross-domain requirements, to effectively avoid the communication pressure caused by a mass of certificate transmissions. For the cross-domain scenario with higher privacy and security requirements the identity attribute authentication service is provided directly while protecting privacy by using the Merkle tree to anchor identity attribute data on and off the blockchain chain. Finally, the proposed scheme was comprehensively analyzed in terms of cost, time consumption and security.

Improved Certificateless Aggregate Signature Scheme Against Collusion Attacks for VANETs

Vehicle ad-hoc networks (VANETs) can offer numerous benefits, but also face many privacy and security issues. There exist the certificate management burden and key escrow issue in traditional public key infrastructure (PKI)-based and identity (ID)-based privacy-preserving authentication schemes, respectively. In addition, the security of some existing cryptographic schemes depends on strong assumptions about the ideal tamper-proof devices. To address these issues, a certificateless aggregate signature (CLAS) scheme for VANETs has been proposed, which was claimed provably unforgeable. However, we found that this scheme cannot resist collusion attacks, which means the equivalent validity of the aggregate signature would be broken. Therefore, this article proposes an improved CLAS scheme against collusion attacks for VANETs (CA-CLAS). Security and performance analyses show that the proposed CA-CLAS scheme not only offers privacy and security guarantees for VANETs, but also improves efficiency compared to existing authentication schemes.

Analysis and Improvement of an Efficient Certificateless Aggregate Signature With Conditional Privacy Preservation in VANETs

Certificateless aggregate signature reduces the trust in key generation center and eases the inconvenience of certificate management at a low cost of communication and computation. Because of these merits, a lot of new certificateless aggregate signature schemes have been proposed to provide enough security and privacy in vehicular ad hoc networks (VANETs). However, many of these schemes are insecure against various attacks. In this article, we analyze the security of an efficient certificateless aggregate signature with conditional privacy preservation in Internet of vehicles. The results of the analysis show that it is insecure against forgery attack. In order to overcome the security vulnerability, we put forth an improved scheme. Then, the formal and informal security analysis of our improved scheme both are provided, which show that the improved scheme meets the expected security requirements and is secure against several known attacks in VANETs. Finally, performance evaluation shows that our improved scheme is feasible for the VANETs in terms of computation and communication overhead.

Efficient and Anonymous Cross-Domain Authentication for IIoT Based on Blockchain

The rapid development of the Industrial Internet of Things (IIoT) has realized the intelligence of industrial manufacturing and improved production efficiency. For improved collaboration, devices from different management domains (e.g., factories) connected through various communication technologies exchange information and share resources. However, they face security and privacy issues when cross-domain communication requires authentication. The limitations of existing schemes include the risk of a single point of failure in a trusted center, leakage of device privacy, high certificate management costs, and low authentication efficiency. Because blockchain with features such as decentralization and tamper-proof can effectively solve some of these problems, we design an efficient and anonymous cross-domain authentication scheme based on blockchain to achieve reliable communication between cross-domain IIoT devices. Specifically, our scheme improves authentication efficiency while enabling device anonymity to ensure that identities are not linkable, and combines blockchain and dynamic accumulator technology to achieve fast authentication. Security analysis demonstrates that our scheme can resist common attacks, and a performance evaluation proves its feasibility and efficiency.

PACM: Privacy-Preserving Authentication Scheme With on-Chain Certificate Management for VANETs

Privacy-preserving authentication is designed to protect vehicular ad-hoc networks (VANETs) from illegitimate users and fake messages while maintaining the privacy of legitimate users’ identities. However, existing authentication schemes have disadvantages such as non-transparent certificate issuance and revocation, high identity authentication and certificate revocation overhead. In this paper, we propose an efficient privacy-preserving authentication scheme with on-chain certificate management (PACM) in VANETs, where the service manager (SM) of each domain serves as a node of the blockchain to build a distributed system. Specifically, based on elliptic curve cryptography (ECC) and exclusive-OR operations, we achieve secure and lightweight mutual authentication between vehicles and roadside units (RSUs) by regularly updated pseudonyms. Then, we adopt the blockchain to record the issuance and revocation of all certificates, which makes SM’s activities transparent. Moreover, we introduce the counting garbled bloom filter (CGBF) to enable fast query and revocation of certificates. Besides, we design a non-forgeable and non-repudiable billing mechanism based on the hash chain technology. Security analysis and experimental results show that PACM achieves stronger security with less overhead.

THE INCLUSION OF RPA IN THE DIGITAL TRANSFORMATION

THE INCLUSION OF RPA IN THE DIGITAL TRANSFORMATION

Certificateless Public Key Authenticated Encryption with Keyword Search Achieving Stronger Security

Transforming data into ciphertexts and storing them in the cloud database is a secure way to simplify data management. Public key encryption with keyword search (PEKS) is an important cryptographic primitive as it provides the ability to search for the desired files among ciphertexts. As a variant of PEKS, certificateless public key authenticated encryption with keyword search (CLPAEKS) not only simplifies certificate management but also could resist keyword guessing attacks (KGA). In this paper, we analyze the security models of two recent CLPAEKS schemes and find that they ignore the threat that, upon capturing two trapdoors, the adversary could directly compare them and distinguish whether they are generated using the same keyword. To cope with this threat, we propose an improved security model and define the notion of strong trapdoor indistinguishability. We then propose a new CLPAEKS scheme and prove it to be secure under the improved security model based on the intractability of the DBDH problem and the DDH problem in the targeted bilinear group.

FS-IBEKS: Forward secure identity-based encryption with keyword search from lattice

Public Key Encryption with Keyword Search (PEKS) makes it possible for a cloud server (CS) to match a trapdoor and a ciphertext. However, with the upgrowth of quantum techniques, most of the existing PEKS schemes will be broken by quantum computers in the coming future. Moreover, they are also under the threat of potential key exposure. Lattice-based forward secure PEKS scheme (FS-PEKS) overcomes the two problems above by combining the techniques of forward security and lattice-based cryptography. However, FS-PEKS schemes work in public key infrastructure (PKI), which will incur complicated certificate management procedures. In this work, to overcome the key management issue but still guarantee security even when attackers corrupt the keys, we extend the FS-PEKS scheme into the identity-based framework and present a forward secure identity-based encryption with keyword search (FS-IBEKS) scheme from lattice. The proposed scheme is secured under the selective identity against chosen plaintext attack (IND-sID-CPA) in the random oracle model. To further improve the security, we present another FS-IBEKS scheme into the standard model and give concrete security proof under the adaptive identity against chosen plaintext attack (IND-ID-CPA). The comprehensive performance evaluation demonstrates that our FS-IBEKS schemes are feasible for cloud computing.