ECG-Cryptography and Authentication in Body Area Networks
Common networking acronyms, A to Z
A

3GPP: The 3rd Generation Partnership Project
AAL layer: ATM Adaptation Layer
ABM: Asynchronous Balanced Mode
ABR: Available Bit Rate (service)
AC: Access Control
ACK: Acknowledgment
ACL: Access Control List
ACL link: Asynchronous Connection-Less link
ACSE: Association Control Service Element
Active Directory
ADCCP: Advanced Data Communication Control Procedure
address overloading
ADS: Active Directory Service
ADSL: Asymmetric Digital Subscriber Line
AES: Advanced Encryption Standard
AH: Authentication Header
AM: Amplitude Modulation
AMI: Alternate Mark Inversion
AMPS: Advanced Mobile Phone System
AP: Access Point (wireless)
ARM: Asynchronous Response Mode
ARP: Address Resolution Protocol
ARPA: Advanced Research Projects Agency
ARQ: Automatic Repeat Request
AS: Autonomous System
ASIC: Application Specific Integrated Circuit
ASK: Amplitude Shift Keying
ASP: Active Server Pages
ATM: Asynchronous Transfer Mode
ATM switching: Asynchronous Transfer Mode switching
ATU-C: ADSL Termination Unit, Central (office end)
ATU-R: ADSL Termination Unit, Remote (subscriber end)

B

B/S: Browser/Server model
B/W/D: Browser/Web Server/Database Server model
Bc: Committed Burst
BCA: Brand Certificate Authority
BDR: Backup Designated Router
Be: Excess Burst
BECN: Backward Explicit Congestion Notification
BGMP: Border Gateway Multicast Protocol
BGP: Border Gateway Protocol
B-ICI: B-ISDN Inter-Carrier Interface
BIS: Boundary Intermediate System
B-ISDN: Broadband Integrated Services Digital Network
BITS: Bump-In-The-Stack
BITW: Bump-In-The-Wire
BOOTP: Bootstrap Protocol
BPDU: Bridge Protocol Data Unit
BRI: Basic Rate Interface
BS: Base Station
BSI: British Standards Institution
BSS: Basic Service Set
BUS: Broadcast/Unknown Server

C

C/S: Client/Server model
CA: Certificate Authority
CAC: Call Admission Control
CAP: Carrierless Amplitude and Phase modulation
CATV: Community Antenna Television (cable TV)
CBR: Constant Bit Rate (service)
CC: Common Criteria
CCK: Complementary Code Keying
CCU: Communication Control Unit
CDDI: Copper Distributed Data Interface
CDK: Combined Double Key
CDMA: Code Division Multiple Access
CDV: Cell Delay Variation
CDVT: Cell Delay Variation Tolerance
CER: Cell Error Ratio
CERN: Conseil Européen pour la Recherche Nucléaire (European Organization for Nuclear Research)
CGI: Common Gateway Interface
CHAP: Challenge Handshake Authentication Protocol
CIDR: Classless Inter-Domain Routing
CIR: Committed Information Rate
CL: Circuit Layer
CLNP: Connectionless Network Protocol (provides the connectionless data service of the OSI network layer)
CLNS: Connectionless Network Service
CLP: Cell Loss Priority
CLR: Cell Loss Ratio
CMIP: Common Management Information Protocol
CMIS: Common Management Information Service
CMOT: Common Management over TCP/IP
CMR: Cell Misinsertion Ratio
CMTS: Cable Modem Termination System
COM: Component Object Model
CORBA: Common Object Request Broker Architecture
CPE: Customer Premises Equipment
CPK: Combined Public Key
CPN: Customer Premises Network
CPS: Common Part Sublayer (of the MAC sublayer)
CRC: Cyclic Redundancy Code
CRL: Certificate Revocation List
CR-LDP: Constraint-based Label Distribution Protocol
CS: Circuit Switched domain
CS (CS sublayer): Convergence Sublayer
CSCW: Computer Supported Cooperative Work
CSLIP: Compressed SLIP
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance
CSMA/CD: Carrier Sense Multiple Access with Collision Detection
CSNP: Complete Sequence Number PDU
CSU: Channel Service Unit
CTD: Cell Transfer Delay

D

DA: Destination Address
DACS: Digital Access and Cross-connect System
DAMPS: Digital Advanced Mobile Phone System
DARPA: Defense Advanced Research Projects Agency
DAS: Direct Attached Storage
DAS: Dual Attachment Station
DBD: Database Description packet
DCAP: Data Link Switching Client Access Protocol
DCE: Data Circuit-terminating Equipment
DCE: Data Communication Equipment
DCF: Distributed Coordination Function
DCOM: Distributed Component Object Model
DDN: Digital Data Network
DDoS: Distributed Denial of Service
DDR: Dial on Demand Routing
DE: Discard Eligibility
DES: Data Encryption Standard
DFS: Distributed File System
DHCP: Dynamic Host Configuration Protocol
DIFS: DCF Interframe Space
DIS: Designated Intermediate System
DLCI: Data-Link Connection Identifier
DLE: Data Link Escape
DM: Delta Modulation
DMT: Discrete Multi-Tone modulation
DMZ: Demilitarized Zone
DNS: Domain Name System
DOI: Domain of Interpretation
DoS: Denial of Service
DPA: Demand Priority Access
DQDB: Distributed Queue Dual Bus
DR: Designated Router
DRMASS: Digital Radio Multiple Access Subscriber System
DS: Differentiated Services
DS: Distribution System
DSA: Digital Signature Algorithm
DSAP: Destination Service Access Point
DSLAM: Digital Subscriber Line Access Multiplexer
DSP: Digital Signal Processor
DSS: Digital Signature Standard
DSS: Distribution System Service
DSSS: Direct Sequence Spread Spectrum
DSU: Data Service Unit
DTD: Document Type Definition
DTE: Data Terminal Equipment
DUAL: Diffusing Update Algorithm
DVMRP: Distance Vector Multicast Routing Protocol
D-V algorithm: Distance Vector routing algorithm

E

EAI: Enterprise Application Integration
EAP: Extensible Authentication Protocol
eBGP: external BGP
EC: Echo Cancellation
EC: Electronic Commerce
ECA: End-user CA
ECC: Elliptic Curve Cryptography
ECN: Explicit Congestion Notification
ED: End Delimiter
EDI: Electronic Data Interchange
EDIFACT: EDI for Administration, Commerce and Transport
EGA: Electronic Government Affairs
EGP: Exterior Gateway Protocol
EGPs: Exterior Gateway Protocols
EIFS: Extended Interframe Space
EIGRP: Enhanced Interior Gateway Routing Protocol
EJB: Enterprise JavaBeans
ELAN: Emulated LAN
Email: Electronic Mail
ERP: Enterprise Resource Planning
ES: End System
ES-IS: End System to Intermediate System routing exchange protocol
ESP: Encapsulating Security Payload
ESS: Extended Service Set
ETSI: European Telecommunications Standards Institute
ETX: End of Text

F

FC: Frame Control
FCS: Frame Check Sequence
FDD: Frequency Division Duplexing
FDDI: Fiber Distributed Data Interface
FDM: Frequency Division Multiplexing
FDMA: Frequency Division Multiple Access
FEC: Forward Error Correction
FEC: Forwarding Equivalence Class
FECN: Forward Explicit Congestion Notification
FHSS: Frequency Hopping Spread Spectrum
FIFO: First In First Out
Finger: User Information Protocol
FL: Forward Link
FM: Frequency Modulation
FPS: Fast Packet Switching
FR: Frame Relay
FS: Frame Status
FSK: Frequency Shift Keying
FT1: Fractional T1
FTAM: File Transfer, Access and Management
FTP: File Transfer Protocol
FTTB: Fiber To The Building
FTTH: Fiber To The Home
FWA: Fixed Wireless Access

G

GEO: Geostationary Earth Orbit
GFC: Generic Flow Control
GGP: Gateway-to-Gateway Protocol
GPS: Global Positioning System
GRE: Generic Routing Encapsulation
GSM: Global System for Mobile Communications

H

HDLC: High-Level Data Link Control
HDSL: High data rate Digital Subscriber Line
HEC: Header Error Control
HEC: Hybrid Error Correction
HFC: Hybrid Fiber-Coax
HMAC: Hash-based Message Authentication Code
HMAC-MD5: HMAC with Message Digest 5
HMAC-SHA-1: HMAC with Secure Hash Algorithm 1
HPR: High Priority Request
HR-DSSS: High-Rate Direct Sequence Spread Spectrum
HSDPA: High Speed Downlink Packet Access
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol

I

IANA: Internet Assigned Numbers Authority
IAP: Internet Access Provider
iBGP: internal BGP
IBSS: Integrated Business Support System
ICI: Interface Control Information
ICMP: Internet Control Message Protocol
ICP: Internet Content Provider
ICV: Integrity Check Value
IDC: Internet Data Center
IDEA: International Data Encryption Algorithm
IDRP: Inter-Domain Routing Protocol
IDS: Intrusion Detection System
IDSL: ISDN Digital Subscriber Line
IDU: Interface Data Unit
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IGAP: IGMP for user Authentication Protocol
IGMP: Internet Group Management Protocol
IGPs: Interior Gateway Protocols
IGRP: Interior Gateway Routing Protocol
IKE: Internet Key Exchange
ILD: Injection Laser Diode
IMAP: Internet Message Access Protocol
IMS: IP Multimedia Subsystem
InARP: Inverse Address Resolution Protocol (address resolution in Frame Relay networks)
INFO: Information
InterNIC: Internet Network Information Center
IOS: Internetwork Operating System
IP: Internet Protocol
IPCP: IP Control Protocol
IPDC: IP Device Control
IPSec: IP Security
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
IPv6CP: IPv6 Control Protocol
IPXCP: IPX Control Protocol (for PPP)
IR: Infrared
IRC/IRCP: Internet Relay Chat Protocol
IRDP: ICMP Router Discovery Protocol
IS: Intermediate System
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
IS-IS: Intermediate System to Intermediate System
ISM band: Industrial, Scientific and Medical band
ISO: International Organization for Standardization
ISP: Internet Service Provider
ITOT: ISO Transport service On top of TCP
ITU: International Telecommunication Union

J

JSP: Java Server Pages

K

KDC: Key Distribution Center
KMI: Key Management Infrastructure

L

L2F: Layer 2 Forwarding protocol
L2TP: Layer 2 Tunneling Protocol
L3S: Layer 3 Switching
LAC: L2TP Access Concentrator
LAN: Local Area Network
LANE: LAN Emulation over ATM
LAP: Link Access Procedure
LAPB: Link Access Procedure, Balanced
LAPD: Link Access Procedure on the D channel
LAPF: Link Access Procedure for Frame-mode bearer services
LAPM: Link Access Procedure for Modems
LAPS: Link Access Procedure, SDH
LATA: Local Access and Transport Area
LCP: Link Control Protocol
LDAP: Lightweight Directory Access Protocol
LDK: Lapped Double Key
LDP: Label Distribution Protocol
LE: Local Exchange
LEC: LAN Emulation Client
LEC: Local Exchange Carrier
LECS: LAN Emulation Configuration Server
LED: Light Emitting Diode
LEO: Low Earth Orbit
LER: Label Edge Router
LES: LAN Emulation Server
LF: Low Frequency
LIS: Logical IP Subnet
LLC: Logical Link Control
LMDS: Local Multipoint Distribution System
LMI: Local Management Interface
LNP: Local Number Portability
LNS: L2TP Network Server
LOH: Line Overhead
LPK: Lapped Public Key
LSA: Link State Advertisement
LSACK: Link State Acknowledgement
LSP: Link State Packet
LSR: Label Switching Router
LSR: Link State Request
LSU: Link State Update
L-S algorithm: Link State routing algorithm

M

MAC: Medium Access Control
MAC: Message Authentication Code
MAN: Metropolitan Area Network
MARS: Multicast Address Resolution Server
MBGP: Multicast Border Gateway Protocol
MBONE: Internet Multicast Backbone
MC: Multiple Carrier
MCR: Minimum Cell Rate
MD: Message Digest (standard for)
MDF: Main Distribution Frame
MEO: Medium Earth Orbit
MF: Medium Frequency
MH: Modified Huffman coding
MIB: Management Information Base
MIC: Message Integrity Code
MIME: Multipurpose Internet Mail Extensions
M-JPEG: Motion JPEG (Joint Photographic Experts Group)
MMDS: Microwave Multipoint Distribution System
MMR: Modified Modified READ (two-dimensional compression coding)
Mobile IP: IP Mobility Support for IPv4 and IPv6
MODEM: Modulator/Demodulator
MOSPF: Multicast extensions to OSPF
MOTIS: Message Oriented Text Interchange System
MPC: Multi-Protocol Client
MPDU: MAC Protocol Data Unit
MPEG: Moving Pictures Experts Group
MPLS: Multi-Protocol Label Switching
MPOA: Multi-Protocol over ATM
MPS: Multi-Protocol Server
MR: Modified READ (relative element address designate coding)
MRP: Material Requirements Planning
MS: Mobile Station
MSAP: MAC Service Access Point
MSDP: Multicast Source Discovery Protocol
MTU: Maximum Transmission Unit
MZAP: Multicast-scope Zone Announcement Protocol

N

NARP: NBMA Address Resolution Protocol
NAS: Network Attached Storage
NAT: Network Address Translation
NAV: Network Allocation Vector
NBMA: Non-Broadcast Multi-Access
NCP: Network Control Protocol
NCU: Network Control Unit
NDIS: Network Driver Interface Specification
NDS: Novell Directory Services
NetBEUI: NetBIOS Extended User Interface
NetBIOS: Network Basic Input/Output System
NFS: Network File System
NHRP: Next Hop Resolution Protocol
NIC: Network Interface Card
NID: Network Interface Device
N-ISDN: Narrowband Integrated Services Digital Network
NISI: National Information Security Infrastructure
NLRI: Network Layer Reachability Information
NMS: Network Management Station
NMT: Nordic Mobile Telephone
NNI: Network-to-Network Interface
NNTP: Network News Transfer Protocol
NOS: Network Operating System
NPAT: Network Port Address Translation
NPR: Normal Priority Request
NRM: Normal Response Mode
NRT-VBR: Non-Real-Time Variable Bit Rate (service)
NRZ: Non-Return-to-Zero coding
NRZ-I: Non-Return-to-Zero Inverted
NRZ-L: Non-Return-to-Zero Level
NSAP: Network Service Access Point
NSF: National Science Foundation
NSP: Network Service Provider
NT1: Network Termination type 1
NT1+: Network Termination type 1 Plus
NT2: Network Termination type 2
NTP: Network Time Protocol
NTRU: Number Theory Research Unit
NVT: Network Virtual Terminal

O

OC: Optical Carrier
ODI: Open Data-Link Interface
OFDM: Orthogonal Frequency Division Multiplexing
OGSA: Open Grid Services Architecture
OMG: Object Management Group
OSF: Open Software Foundation
OSI: Open Systems Interconnection
OSI RM: Open Systems Interconnection Reference Model
OSPF: Open Shortest Path First

P

PA: Preamble
PAD: Packet Assembler/Disassembler
PAM: Pulse Amplitude Modulation
PAN: Personal Area Network
PAP: Password Authentication Protocol
PAT: Port Address Translation
PBX: Private Branch Exchange
PBXs: Private Branch Exchanges
PC: Pervasive Computing
PCF: Point Coordination Function
PCI: Protocol Control Information
PCM: Pulse Code Modulation
PCR: Peak Cell Rate
PDC: Personal Digital Cellular
PDN: Public Data Network
PDU: Protocol Data Unit
PDUs: Protocol Data Units
PEM: Privacy Enhanced Mail
PES: Proposed Encryption Standard
PGM: Pragmatic General Multicast protocol
PGP: Pretty Good Privacy
PHP: PHP: Hypertext Preprocessor (originally Personal Home Page)
PHY: Physical Layer protocol
PIFS: PCF Interframe Space
PIM-DM: Protocol Independent Multicast, Dense Mode
PIM-SM: Protocol Independent Multicast, Sparse Mode
PKI: Public Key Infrastructure
PLP: Packet Level Protocol
PM: Phase Modulation
PMD: Physical Medium Dependent
PMI: Privilege Management Infrastructure
POH: Path Overhead
POP: Point of Presence
POP: Post Office Protocol
POSIX: Portable Operating System Interface
POTS: Plain Old Telephone Service
PPP: Point-to-Point Protocol
PPPoA: PPP over ATM AAL5
PPPoE: PPP over Ethernet
PPTP: Point-to-Point Tunneling Protocol
PRI: Primary Rate Interface
PS: Packet Switched domain
PSE: Packet Switching Equipment
PSK: Phase Shift Keying
PSN: Packet Switched Network
PSNP: Partial Sequence Number PDU
PSTN: Public Switched Telephone Network
PT: Payload Type
PTE: Path Terminating Element
PVC: Permanent Virtual Circuit

Q

QAM: Quadrature Amplitude Modulation
QAM-16: 16-point quadrature amplitude modulation
QAM-64: 64-point quadrature amplitude modulation
QoS: Quality of Service
QPSK: Quadrature Phase Shift Keying

R

RA: Registration Authority
RADIUS: Remote Authentication Dial-In User Service
RADSL: Rate-Adaptive Digital Subscriber Line
RARP: Reverse Address Resolution Protocol
RCA: Root Certificate Authority
RDC: Routing Domain Confederation
RDP: Reliable Data Protocol
RGMP: Router-port Group Management Protocol
RI: Routing Information
RIB: Routing Information Base
RIP: Routing Information Protocol
RIPng: RIP Next Generation (for IPv6)
RL: Reverse Link
RLC: Run Length Coding
RLOGIN: Remote Login (Unix)
RMON: Remote Monitoring
RMON: Remote Monitoring MIBs in SNMP
ROSE: Remote Operations Service Element
RPC: Remote Procedure Call
RSVP: Resource Reservation Protocol
RSVP-TE: RSVP Traffic Engineering extensions
RT-VBR: Real-Time Variable Bit Rate (service)
RUDP: Reliable UDP
RWhois: RWhois Protocol / Remote Directory Access Protocol
RZ: Return-to-Zero coding

S

S/MIME: Secure/Multipurpose Internet Mail Extensions
SA: Security Association
SA: Source Address
SAD: Security Association Database
SAN: Storage Area Network
SAP: Service Access Point
SAR sublayer: Segmentation And Reassembly sublayer
SAS: Single Attachment Station
SC: Single Carrier
S-C: Splitter, Central office side
SCO link: Synchronous Connection-Oriented link
SCR: Sustained Cell Rate
SD: Start Delimiter
SDH: Synchronous Digital Hierarchy
SDK: Seeded Double Key
SDLC: Synchronous Data Link Control
SDSL: Symmetric (or Single-line) Digital Subscriber Line
SDU: Service Data Unit
SEAL: Simple Efficient Adaptation Layer
SECBR: Severely Errored Cell Block Ratio
SET: Secure Electronic Transaction
SFD: Start-of-Frame Delimiter
SG: Security Gateway
SGML: Standard Generalized Markup Language
SGMP: Simple Gateway Management Protocol
SHA: Secure Hash Algorithm
S-HTTP: Secure HTTP
SIFS: Short Interframe Space
SIP: SMDS Interface Protocol
SIPP: Simple Internet Protocol Plus
SKEME: Secure Key Exchange Mechanism
SKIP: Simple Key-management for Internet Protocols
SLIP: Serial Line IP
SLP: Service Location Protocol
SMDS: Switched Multimegabit Data Service
SMI: Structure of Management Information
SMT: Station Management
SMTP: Simple Mail Transfer Protocol
SN: Service Node
SNA: Systems Network Architecture
SNI: Service Node Interface
SNMP: Simple Network Management Protocol
SNP: Sequence Number PDU
SNTP: Simple Network Time Protocol
SOA: Service-Oriented Architecture
SOAP: Simple Object Access Protocol
SOCKS: protocol for secure session traversal across firewalls
SOH: Section Overhead
SOH: Start of Header
SONET: Synchronous Optical Network
SPD: Security Policy Database
SPE: Synchronous Payload Envelope
SPF algorithm: Shortest Path First algorithm
SPK: Seeded Public Key
S-R: Splitter, Remote side
SS: Security Sublayer
SS: Spread Spectrum
SS7: Signaling System No. 7
SSAP: Source Service Access Point
SSCS: Service Specific Convergence Sublayer
SSH: Secure Shell protocol
SSL: Secure Sockets Layer
STEP: Standard for the Exchange of Product model data
STM: Synchronous Transfer Mode
STP: Shielded Twisted Pair
STP: Spanning Tree Protocol
STS: Synchronous Transport Signal
SVC: Switched Virtual Circuit
SYN: synchronous character

T

TA: Terminal Adapter
TACS: Total Access Communication System
TALI: Transport Adapter Layer Interface
TCP: Transmission Control Protocol
TCU: Trunk Coupling Unit
TC sublayer: Transmission Convergence sublayer
TDD: Time Division Duplexing
TDM: Time Division Multiplexing
TDMA: Time Division Multiple Access
TE: Terminal Equipment
TE1: Terminal Equipment type 1
TE2: Terminal Equipment type 2
Telnet: TCP/IP Terminal Emulation Protocol
TFTP: Trivial File Transfer Protocol
TGS: Ticket Granting Server
TIB: Tag Information Base
TKIP: Temporal Key Integrity Protocol
TLS: Transport Layer Security
TM: Transmission Media layer
TMN: Telecommunications Management Network
TOH: Transport Overhead
TP: Transmission Path layer
TP-DDI: Twisted-Pair Distributed Data Interface
TP-PMD: Twisted-Pair Physical Medium Dependent
TSAP: Transport Service Access Point
TTL: Time To Live

U

UAWG: Universal ADSL Working Group
UBR: Unspecified Bit Rate (service)
UDDI: Universal Description, Discovery and Integration
UDP: User Datagram Protocol
UNI: User-Network Interface
URL: Uniform Resource Locator
UTP: Unshielded Twisted Pair
UTRA: Universal Terrestrial Radio Access
UWB: Ultra Wide Band

V

VACM: View-based Access Control Model
VCI: Virtual Channel Identifier
VDSL: Very high data rate Digital Subscriber Line
VLAN: Virtual Local Area Network
VLF: Very Low Frequency
VLSM: Variable Length Subnet Mask
VMPS: VLAN Membership Policy Server
VOD: Video On Demand
VoIP: Voice over IP
VPDN: Virtual Private Dial Network
VPI: Virtual Path Identifier
VPN: Virtual Private Network
VRRP: Virtual Router Redundancy Protocol
VSAT: Very Small Aperture Terminal
VTP: VLAN Trunk Protocol

W

WAN: Wide Area Network
WDM: Wavelength Division Multiplexing
Web Service
WEP: Wired Equivalent Privacy
WMAN: Wireless Metropolitan Area Network
Workflow
WPA: Wi-Fi Protected Access
WPAN: Wireless Personal Area Network
WSDL: Web Services Description Language

X

X.400: Message Handling System protocol
xDSL: Digital Subscriber Line technologies
XLink: XML Linking Language
XML: eXtensible Markup Language
XQuery: XML Query Language
XSL: eXtensible Stylesheet Language
X Window / X protocol: X Window System Protocol
Cryptography and Network Security (Fifth Edition): Solutions
Chapter 1: Introduction (5)Chapter 2: Classical Encryption Techniques (7)Chapter 3: Block Ciphers and the Date Encryption Standard (13)Chapter 4: Finite Fields (21)Chapter 5: Advanced Encryption Standard (28)Chapter 6: More on Symmetric Ciphers (33)Chapter 7: Confidentiality Using Symmetric Encryption (38)Chapter 8: Introduction to Number Theory (42)Chapter 9: Public-Key Cryptography and RSA (46)Chapter 10: Key Management; Other Public-Key Cryptosystems (55)Chapter 11: Message Authentication and Hash Functions (59)Chapter 12: Hash and MAC Algorithms (62)Chapter 13: Digital Signatures and Authentication Protocols (66)Chapter 14: Authentication Applications (71)Chapter 15: Electronic Mail Security (73)Chapter 16: IP Security (76)Chapter 17: Web Security (80)Chapter 18: Intruders (83)Chapter 19: Malicious Software (87)Chapter 20: Firewalls (89)A NSWERS TO Q UESTIONS1.1The OSI Security Architecture is a framework that provides a systematic way of definingthe requirements for security and characterizing the approaches to satisfying thoserequirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.1.2 Passive attacks have to do with eavesdropping on, or monitoring, transmissions.Electronic mail, file transfers, and client/server exchanges are examples oftransmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.1.3 Passive attacks: release of message contents and traffic analysis. 
Active attacks:masquerade, replay, modification of messages, and denial of service.1.4 Authentication: The assurance that the communicating entity is the one that it claims to be.Access control: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).Data confidentiality: The protection of data from unauthorized disclosure.Data integrity: The assurance that data received are exactly as sent by an authorized entity(i.e., contain no modification, insertion, deletion, or replay).Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.Availability service: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performancespecifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them).1.5 See Table 1.3.C HAPTER 2C LASSICAL E NCRYPTION T ECHNIQUESR2.1 Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.2.2 Permutation and substitution.2.3 One key for symmetric ciphers, two keys for asymmetric ciphers.2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at atime. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.2.5 Cryptanalysis and brute force.2.6 Ciphertext only. One possible attack under these circumstances is the brute-forceapproach of trying all possible keys. If the key space is very large, this becomesimpractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it. Known plaintext. 
The analyst may be able to capture one or more plaintext messages as well as their encryptions.With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed. Chosen plaintext. If the analyst is able to choose the messages to encrypt, the analyst may deliberately pickpatterns that can be expected to reveal the structure of the key.2.7 An encryption scheme is unconditionally secure if the ciphertext generated by thescheme does not contain enough information to determine uniquely thecorresponding plaintext, no matter how much ciphertext is available. Anencryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the timerequired to break the cipher exceeds the useful lifetime of the information.2.8 The Caesar cipher involves replacing each letter of the alphabet with the letterstanding k places further down the alphabet, for k in the range 1 through 25.2.9 A monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertextalphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet.2.10 The Playfair algorithm is based on the use of a 5 5 matrix of letters constructedusing a keyword. Plaintext is encrypted two letters at a time using this matrix.2.11 A polyalphabetic substitution cipher uses a separate monoalphabetic substitutioncipher for each successive letter of plaintext, depending on a key.2.12 1. There is the practical problem of making large quantities of random keys. Anyheavily used system might require millions of random characters on a regularbasis. Supplying truly random characters in this volume is a significant task.2. Even more daunting is the problem of key distribution and protection. 
For everymessage to be sent, a key of equal length is needed by both sender and receiver.Thus, a mammoth key distribution problem exists.2.13 A transposition cipher involves a permutation of the plaintext letters.2.14 Steganography involves concealing the existence of a message.2.1 a. No. A change in the value of b shifts the relationship between plaintext lettersand ciphertext letters to the left or right uniformly, so that if the mapping isone-to-one it remains one-to-one.b. 2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, 24. Any value of a larger than 25 isequivalent to a mod 26.c. The values of a and 26 must have no common positive integer factor other than1. This is equivalent to saying that a and 26 are relatively prime, or that thegreatest common divisor of a and 26 is 1. To see this, first note that E(a, p) = E(a,q) (0 ≤ p≤ q < 26) if and only if a(p–q) is divisible by 26. 1. Suppose that a and26 are relatively prime. Then, a(p–q) is not divisible by 26, because there is noway to reduce the fraction a/26 and (p–q) is less than 26. 2. Suppose that a and26 have a common factor k > 1. Then E(a, p) = E(a, q), if q = p + m/k≠ p.2.2 There are 12 allowable values of a (1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25). There are 26allowable values of b, from 0 through 25). Thus the total number of distinct affine Caesar ciphers is 12 26 = 312.2.3 Assume that the most frequent plaintext letter is e and the second most frequentletter is t. Note that the numerical values are e = 4; B = 1; t = 19; U = 20. Then we have the following equations:1 = (4a + b) mod 2620 = (19a + b) mod 26Thus, 19 = 15a mod 26. By trial and error, we solve: a = 3.Then 1 = (12 + b) mod 26. By observation, b = 15.2.4 A good glass in the Bishop's hostel in the Devil's seat—twenty-one degrees andthirteen minutes—northeast and by north—main branch seventh limb east side—shoot from the left eye of the death's head— a bee line from the tree through the shot fifty feet out. 
(from The Gold Bug, by Edgar Allan Poe)2.5 a.The first letter t corresponds to A, the second letter h corresponds to B, e is C, sis D, and so on. Second and subsequent occurrences of a letter in the keysentence are ignored. The resultciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILAplaintext: basilisk to leviathan blake is contactb.It is a monalphabetic cipher and so easily breakable.c.The last sentence may not contain all the letters of the alphabet. If the firstsentence is used, the second and subsequent sentences may also be used untilall 26 letters are encountered.2.6The cipher refers to the words in the page of a book. The first entry, 534, refers topage 534. The second entry, C2, refers to column two. The remaining numbers are words in that column. The names DOUGLAS and BIRLSTONE are simply words that do not appear on that page. Elementary! (from The Valley of Fear, by Sir Arthur Conan Doyle)2.7 a.2 8 10 7 9 63 14 54 2 8 1056 37 1 9ISRNG BUTLF RRAFR LIDLP FTIYO NVSEE TBEHI HTETAEYHAT TUCME HRGTA IOENT TUSRU IEADR FOETO LHMETNTEDS IFWRO HUTEL EITDSb.The two matrices are used in reverse order. First, the ciphertext is laid out incolumns in the second matrix, taking into account the order dictated by thesecond memory word. Then, the contents of the second matrix are read left toright, top to bottom and laid out in columns in the first matrix, taking intoaccount the order dictated by the first memory word. The plaintext is then read left to right, top to bottom.c.Although this is a weak method, it may have use with time-sensitiveinformation and an adversary without immediate access to good cryptanalysis(e.g., tactical use). Plus it doesn't require anything more than paper and pencil,and can be easily remembered.2.8 SPUTNIK2.9 PT BOAT ONE OWE NINE LOST IN ACTION IN BLACKETT STRAIT TWOMILES SW MERESU COVE X CREW OF TWELVE X REQUEST ANYINFORMATION2.10 a.b.2.11 a. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZb.UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZc. 
A cyclic rotation of rows and/or columns leads to equivalent substitutions. In this case, the matrix for part a of this problem is obtained from the matrix of Problem 2.10a, by rotating the columns by one step and the rows by three steps.

2.12 a. 25! ≈ 2^84
b. Given any 5×5 configuration, any of the four row rotations is equivalent, for a total of five equivalent configurations. For each of these five configurations, any of the four column rotations is equivalent. So each configuration in fact represents 25 equivalent configurations. Thus, the total number of unique keys is 25!/25 = 24!

2.13 A mixed Caesar cipher. The amount of shift is determined by the keyword, which determines the placement of letters in the matrix.

2.14 a. Difficulties are things that show what men are.
b. Irrationally held truths may be more harmful than reasoned errors.

2.15 a. We need an even number of letters, so append a "q" to the end of the message. Then convert the letters into the corresponding alphabetic positions:
The calculations proceed two letters at a time. The first pair:
The first two ciphertext characters are alphabetic positions 7 and 22, which correspond to GV. The complete ciphertext:
GVUIGVKODZYPUHEKJHUZWFZFWSJSDZMUDZMYCJQMFWWUQRKR
b. We first perform a matrix inversion. Note that the determinant of the encryption matrix is (9 × 7) – (4 × 5) = 43. Using the matrix inversion formula from the book:
Here we used the fact that (43)^–1 = 23 in Z26. Once the inverse matrix has been determined, decryption can proceed. Source: [LEWA00].

2.16 Consider the matrix K with elements k_ij to consist of the set of column vectors K_j, where:
and
The ciphertext of the following chosen plaintext n-grams reveals the columns of K:
(B, A, A, …, A, A) ↔ K_1
(A, B, A, …, A, A) ↔ K_2
:
(A, A, A, …, A, B) ↔ K_n

2.17 a. 7 × 13^4
b. 7 × 13^4
c. 13^4
d. 10 × 13^4
e. 24 × 13^2
f. 24 × (13^2 – 1) × 13
g.
37648
h. 23530
i. 157248

2.18 key: legleglegle
plaintext: explanation
ciphertext: PBVWETLXOZR

2.19 a.
b.

2.20 your package ready Friday 21st room three Please destroy this immediately.

2.21 a. Lay the message out in a matrix 8 letters across. Each integer in the key tells you which letter to choose in the corresponding row. Result:
He sitteth between the cherubims. The isles may be glad thereof. As the rivers in the south.
b. Quite secure. In each row there is one of eight possibilities. So if the ciphertext is 8n letters in length, then the number of possible plaintexts is 8^n.
c. Not very secure. Lord Peter figured it out. (from The Nine Tailors)

3.1 Most symmetric block encryption algorithms in current use are based on the Feistel block cipher structure. Therefore, a study of the Feistel structure reveals the principles behind these more recent ciphers.

3.2 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

3.3 If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. For small n, such systems are vulnerable to a statistical analysis of the plaintext. For a large block size, the size of the key, which is on the order of n × 2^n, makes the system impractical.

3.4 In a product cipher, two or more basic ciphers are performed in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.

3.5 In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits, which is equivalent to saying that each ciphertext digit is affected by many plaintext digits.
Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key. This is achieved by the use of a complex substitution algorithm.

3.6
Block size: Larger block sizes mean greater security (all other things being equal) but reduced encryption/decryption speed.
Key size: Larger key size means greater security but may decrease encryption/decryption speed.
Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security.
Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
Round function: Again, greater complexity generally means greater resistance to cryptanalysis.
Fast software encryption/decryption: In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes a concern.
Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze.
That is, if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.

3.7 The S-box is a substitution function that introduces nonlinearity and adds to the complexity of the transformation.

3.8 The avalanche effect is a property of any encryption algorithm such that a small change in either the plaintext or the key produces a significant change in the ciphertext.

3.9 Differential cryptanalysis is a technique in which chosen plaintexts with particular XOR difference patterns are encrypted. The difference patterns of the resulting ciphertext provide information that can be used to determine the encryption key. Linear cryptanalysis is based on finding linear approximations to describe the transformations performed in a block cipher.

3.1 a. For an n-bit block size there are 2^n possible different plaintext blocks and 2^n possible different ciphertext blocks. For both the plaintext and ciphertext, if we treat the block as an unsigned integer, the values are in the range 0 through 2^n – 1. For a mapping to be reversible, each plaintext block must map into a unique ciphertext block. Thus, to enumerate all possible reversible mappings, the block with value 0 can map into any one of 2^n possible ciphertext blocks. For any given mapping of the block with value 0, the block with value 1 can map into any one of 2^n – 1 possible ciphertext blocks, and so on. Thus, the total number of reversible mappings is (2^n)!.
b. In theory, the key length could be log2((2^n)!) bits. For example, assign each mapping a number, from 1 through (2^n)!, and maintain a table that shows the mapping for each such number. Then, the key would only require log2((2^n)!) bits, but we would also require this huge table. A more straightforward way to define the key is to have the key consist of the ciphertext value for each plaintext block, listed in sequence for plaintext blocks 0 through 2^n – 1.
This is what is suggested by Table 3.1. In this case the key size is n × 2^n and the huge table is not required.

3.2 Because of the key schedule, the round functions used in rounds 9 through 16 are mirror images of the round functions used in rounds 1 through 8. From this fact we see that encryption and decryption are identical. We are given a ciphertext c. Let m' = c. Ask the encryption oracle to encrypt m'. The ciphertext returned by the oracle will be the decryption of c.

3.3 a. We need only determine the probability that for the remaining N – t plaintexts P_i, we have E[K, P_i] ≠ E[K', P_i]. But E[K, P_i] = E[K', P_i] for all the remaining P_i with probability 1 – 1/(N – t)!.
b. Without loss of generality we may assume that E[K, P_i] = P_i since E_K(•) is taken over all permutations. It then follows that we seek the probability that a permutation on N – t objects has exactly t' fixed points, which would be the additional t' points of agreement between E(K, •) and E(K', •). But a permutation on N – t objects with t' fixed points is equal to the number of ways t' out of N – t objects can be fixed, while the remaining N – t – t' are not fixed. Then using Problem 3.4 we have that
Pr(t' additional fixed points) = × Pr(no fixed points in N – t – t' objects) =
We see that this reduces to the solution to part (a) when t' = N – t.

3.4 Let be the set of permutations on [0, 1, . . ., 2^n – 1], which is referred to as the symmetric group on 2^n objects, and let N = 2^n. For 0 ≤ i ≤ N, let A_i be all mappings for which π(i) = i. It follows that |A_i| = (N – 1)! and = (N – k)!. The inclusion-exclusion principle states that
Pr(no fixed points in π) = = = 1 – 1 + 1/2! – 1/3! + . . .
+ (–1)^N × 1/N! = e^–1 +
Then since e^–1 ≈ 0.368, we find that for even small values of N, approximately 37% of permutations contain no fixed points.

3.5

3.6 Main key K = 111…111 (56 bits)
Round keys K1 = K2 = … = K16 = 1111..111 (48 bits)
Ciphertext C = 1111…111 (64 bits)
Input to the first round of decryption = LD0 RD0 = RE16 LE16 = IP(C) = 1111...111 (64 bits)
LD0 = RD0 = 1111...111 (32 bits)
Output of the first round of decryption = LD1 RD1
LD1 = RD0 = 1111…111 (32 bits)
Thus, the bits no. 1 and 16 of the output are equal to '1'.
RD1 = LD0 ⊕ F(RD0, K16)
We are looking for bits no. 1 and 16 of RD1 (33 and 48 of the entire output). Based on the analysis of the permutation P, bit 1 of F(RD0, K16) comes from the fourth output of the S-box S4, and bit 16 of F(RD0, K16) comes from the second output of the S-box S3. These bits are XOR-ed with 1's from the corresponding positions of LD0.
Inside of the function F,
E(RD0) ⊕ K16 = 0000…000 (48 bits),
and thus inputs to all eight S-boxes are equal to "000000".
Output from the S-box S4 = "0111", and thus the fourth output is equal to '1'.
Output from the S-box S3 = "1010", and thus the second output is equal to '0'.
From here, after the XOR, the bit no. 33 of the first round output is equal to '0', and the bit no. 48 is equal to '1'.

3.7 In the solution given below the following general properties of the XOR function are used:
A ⊕ 1 = A'
(A ⊕ B)' = A' ⊕ B = A ⊕ B'
A' ⊕ B' = A ⊕ B
where A' = the bitwise complement of A.
a.
F(R_n, K_n+1) = 1
We have
L_n+1 = R_n; R_n+1 = L_n ⊕ F(R_n, K_n+1) = L_n ⊕ 1 = L_n'
Thus
L_n+2 = R_n+1 = L_n'; R_n+2 = L_n+1 = R_n'
i.e., after each two rounds we obtain the bit complement of the original input, and every four rounds we obtain back the original input:
L_n+4 = L_n+2' = L_n; R_n+4 = R_n+2' = R_n
Therefore,
L16 = L0; R16 = R0
An input to the inverse initial permutation is R16 L16.
Therefore, the transformation computed by the modified DES can be represented as follows:
C = IP^–1(SWAP(IP(M))), where SWAP is a permutation exchanging the position of the two halves of the input: SWAP(A, B) = (B, A).
This function is linear (and thus also affine). Actually, this is a permutation, the product of three permutations IP, SWAP, and IP^–1. This permutation is however different from the identity permutation.
b. F(R_n, K_n+1) = R_n'
We have
L_n+1 = R_n; R_n+1 = L_n ⊕ F(R_n, K_n+1) = L_n ⊕ R_n'
L_n+2 = R_n+1 = L_n ⊕ R_n'
R_n+2 = L_n+1 ⊕ F(R_n+1, K_n+2) = R_n ⊕ (L_n ⊕ R_n')' = R_n ⊕ L_n ⊕ R_n'' = L_n
L_n+3 = R_n+2 = L_n
R_n+3 = L_n+2 ⊕ F(R_n+2, K_n+3) = (L_n ⊕ R_n') ⊕ L_n' = R_n' ⊕ 1 = R_n
i.e., after each three rounds we come back to the original input.
L15 = L0; R15 = R0
and
L16 = R0 (1)
R16 = L0 ⊕ R0' (2)
An input to the inverse initial permutation is R16 L16.
A function described by (1) and (2) is affine, as bitwise complement is affine, and the other transformations are linear.
The transformation computed by the modified DES can be represented as follows:
C = IP^–1(FUN2(IP(M))), where FUN2(A, B) = (A ⊕ B', B).
This function is affine as a product of three affine functions.
In all cases decryption looks exactly the same as encryption.

3.8 a. First, pass the 64-bit input through PC-1 (Table 3.4a) to produce a 56-bit result. Then perform a left circular shift separately on the two 28-bit halves. Finally, pass the 56-bit result through PC-2 (Table 3.4b) to produce the 48-bit K1:
in binary notation: 0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101
in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5
b.
L0, R0 are derived by passing the 64-bit plaintext through IP (Table 3.2a):
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
c. The E table (Table 3.2c) expands R0 to 48 bits:
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
d. A = 011100 010001 011100 110010 111000 010101 110011 110000
e. S-box lookups (column bits in parentheses):
S1: (1110) = (14) → 0 (base 10) = 0000 (base 2)
S2: (1000) = (8) → 12 (base 10) = 1100 (base 2)
S3: (1110) = (14) → 2 (base 10) = 0010 (base 2)
S4: (1001) = (9) → 1 (base 10) = 0001 (base 2)
S5: (1100) = (12) → 6 (base 10) = 0110 (base 2)
S6: (1010) = (10) → 13 (base 10) = 1101 (base 2)
S7: (1001) = (9) → 5 (base 10) = 0101 (base 2)
S8: (1000) = (8) → 0 (base 10) = 0000 (base 2)
f. B = 0000 1100 0010 0001 0110 1101 0101 0000
g. Using Table 3.2d, P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h. R1 = 0101 1110 0001 1100 1110 1100 0110 0011
i. L1 = R0. The ciphertext is the concatenation of L1 and R1. Source: [MEYE82]

3.9 The reasoning for the Feistel cipher, as shown in Figure 3.6, applies in the case of DES. We only have to show the effect of the IP and IP^–1 functions. For encryption, the input to the final IP^–1 is RE16 || LE16. The output of that stage is the ciphertext. On decryption, the first step is to take the ciphertext and pass it through IP. Because IP is the inverse of IP^–1, the result of this operation is just RE16 || LE16, which is equivalent to LD0 || RD0. Then, we follow the same reasoning as with the Feistel cipher to reach a point where LE0 = RD16 and RE0 = LD16. Decryption is completed by passing LD0 || RD0 through IP^–1.
Again, because IP is the inverse of IP^–1, passing the plaintext through IP as the first step of encryption yields LD0 || RD0, thus showing that decryption is the inverse of encryption.

3.10 a. Let us work this from the inside out.
T16(L15 || R15) = L16 || R16
T17(L16 || R16) = R16 || L16
IP[IP^–1(R16 || L16)] = R16 || L16
TD1(R16 || L16) = R15 || L15
b. T16(L15 || R15) = L16 || R16
IP[IP^–1(L16 || R16)] = L16 || R16
TD1(L16 || R16) = R16 || L16 ⊕ f(R16, K16) ≠ L15 || R15

3.11 PC-1 is essentially the same as IP with every eighth bit eliminated. This would enable a similar type of implementation. Beyond that, there does not appear to be any particular cryptographic significance.

3.13 a. The equality in the hint can be shown by listing all 1-bit possibilities:
We also need the equality A ⊕ B = A' ⊕ B', which is easily seen to be true. Now, consider the two XOR operations in Figure 3.8. If the plaintext and key for an encryption are complemented, then the inputs to the first XOR are also complemented. The output, then, is the same as for the uncomplemented inputs. Further down, we see that only one of the two inputs to the second XOR is complemented; therefore, the output is the complement of the output that would be generated by uncomplemented inputs.
b. In a chosen plaintext attack, if for chosen plaintext X, the analyst can obtain Y1 = E[K, X] and Y2 = E[K, X'], then an exhaustive key search requires only 2^55 rather than 2^56 encryptions. To see this, note that (Y2)' = E[K', X]. Now, pick a test value of the key T and perform E[T, X]. If the result is Y1, then we know that T is the correct key. If the result is (Y2)', then we know that T' is the correct key. If neither result appears, then we have eliminated two possible keys with one encryption.

3.14 The result can be demonstrated by tracing through the way in which the bits are used.
An easy, but not necessary, way to see this is to number the 64 bits of the key as follows (read each vertical column of 2 digits as a number):
2113355-1025554-0214434-1123334-0012343-2021453-0202435-0110454-
1031975-1176107-2423401-7632789-7452553-0858846-6836043-9495226-
The first bit of the key is identified as 21, the second as 10, the third as 13, and so on. The eight bits that are not used in the calculation are unnumbered. The numbers 01 through 28 and 30 through 57 are used. The reason for this assignment is to clarify the way in which the subkeys are chosen. With this assignment, the subkey for the first iteration contains 48 bits, 01 through 24 and 30 through 53, in their natural numerical order. It is easy at this point to see that the first 24 bits of each subkey will always be from the bits designated 01 through 28, and the second 24 bits of each subkey will always be from the bits designated 30 through 57.

3.15 For 1 ≤ i ≤ 128, take c_i ∈ {0, 1}^128 to be the string containing a 1 in position i and zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m_1, m_2, . . . , m_128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the c_i's which we can XOR together to obtain c. Let I(c) ⊆ {1, 2, . . . , 128} denote this subset. Observe
Thus, we obtain the plaintext of c by computing . Let 0 be the all-zero string. Note that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕ 0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c ∈ {0, 1}^128.

3.16 a. This adds nothing to the security of the algorithm. There is a one-to-one reversible relationship between the 10-bit key and the output of the P10 function. If we consider the output of the P10 function as a new key, then there are still 2^10 different unique keys.
b.
By the same reasoning as (a), this adds nothing to the security of the algorithm.

3.17 s = wxyz + wxy + wyz + wy + wz + yz + w + x + z
t = wxz + wyz + wz + xz + yz + w + y

3.18 OK

4.1 A group is a set of elements that is closed under a binary operation and that is associative and that includes an identity element and an inverse element.

4.2 A ring is a set of elements that is closed under two binary operations, addition and multiplication, with the following: the addition operation is a group that is commutative; the multiplication operation is associative and is distributive over the addition operation.

Chapter 4 Finite Fields
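A worked implementation of the affine Caesar cipher from Problems 2.1 to 2.3 (an added example, not part of the solutions manual): it lists the multipliers a for which the mapping stops being one-to-one, counts the 312 keys, and recovers (a, b) from the two frequency-analysis equations of Problem 2.3 by trying each valid a.

```python
"""Affine Caesar cipher E(a, b; p) = (a*p + b) mod 26 (Problems 2.1 to 2.3).
Added example; not part of the solutions manual."""
from math import gcd
from typing import Dict, List, Optional, Tuple

M = 26  # size of the alphabet


def allowed_multipliers() -> List[int]:
    """Problem 2.2: the values of a that keep the mapping one-to-one, i.e. gcd(a, 26) = 1."""
    return [a for a in range(1, M) if gcd(a, M) == 1]


def non_injective_multipliers() -> List[int]:
    """Problem 2.1b: values of a below 26 for which two plaintext letters collide."""
    return [a for a in range(2, M) if gcd(a, M) != 1]


def key_space_size() -> int:
    """Problem 2.2: 12 usable values of a times 26 values of b."""
    return len(allowed_multipliers()) * M


def find_collision(a: int, b: int = 0) -> Optional[Tuple[str, str]]:
    """Problem 2.1c: return two distinct plaintext letters that encrypt to the same
    ciphertext letter, or None when gcd(a, 26) = 1 and no such pair exists."""
    seen: Dict[int, int] = {}
    for p in range(M):
        c = (a * p + b) % M
        if c in seen:
            return chr(seen[c] + 65), chr(p + 65)
        seen[c] = p
    return None


def affine_encrypt(text: str, a: int, b: int) -> str:
    """Encrypt letters (case-insensitive); other characters pass through unchanged."""
    if gcd(a, M) != 1:
        raise ValueError(f"a = {a} is not relatively prime to {M}: cipher is not invertible")
    out = []
    for ch in text.upper():
        out.append(chr((a * (ord(ch) - 65) + b) % M + 65) if "A" <= ch <= "Z" else ch)
    return "".join(out)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """Invert the cipher: p = a^-1 (c - b) mod 26; a^-1 exists iff gcd(a, 26) = 1."""
    a_inv = pow(a, -1, M)
    out = []
    for ch in text.upper():
        out.append(chr((a_inv * (ord(ch) - 65 - b)) % M + 65) if "A" <= ch <= "Z" else ch)
    return "".join(out)


def solve_key(p1: int, c1: int, p2: int, c2: int) -> Optional[Tuple[int, int]]:
    """Problem 2.3: given two (plaintext, ciphertext) letter positions, solve
    c1 = (a*p1 + b) mod 26 and c2 = (a*p2 + b) mod 26 by trying every valid a
    (the 'trial and error' step of the printed solution)."""
    for a in allowed_multipliers():
        b = (c1 - a * p1) % M
        if (a * p2 + b) % M == c2:
            return a, b
    return None  # the two pairs are inconsistent with any affine key


if __name__ == "__main__":
    # e -> B and t -> U, the assumption made in Problem 2.3
    print(solve_key(4, 1, 19, 20))      # (3, 15)
    print(find_collision(2))            # ('A', 'N'): a = 2 is not one-to-one
    print(affine_encrypt("basilisk", 3, 15))
```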
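Problem 3.7 traced in code (an added example, not from the solutions manual): a 16-round Feistel network with the two key-independent round functions from parts (a) and (b), IP and IP^–1 left out because they only permute bits. It checks the 4-round and 3-round periods derived above, the SWAP and FUN2 forms of the overall map, and that the map is affine. The 32-bit half width, the sampling-based affinity check and the sample inputs are assumptions.

```python
"""Problem 3.7: DES with a key-independent round function. Added example."""
import random
from typing import Callable, Tuple

HALF = 32                      # half-block width in bits (assumed, as in DES)
MASK = (1 << HALF) - 1
Block = Tuple[int, int]        # (L, R) halves
RoundFn = Callable[[int], int]


def feistel_rounds(block: Block, f: RoundFn, rounds: int) -> Block:
    """Apply `rounds` Feistel rounds: L_{n+1} = R_n, R_{n+1} = L_n xor F(R_n).
    Subkeys are omitted because the round functions below ignore them."""
    l, r = block
    for _ in range(rounds):
        l, r = r, l ^ f(r)
    return l, r


def f_all_ones(_r: int) -> int:
    """Part (a): F(R_n, K_{n+1}) = 1...1 regardless of input."""
    return MASK


def f_complement(r: int) -> int:
    """Part (b): F(R_n, K_{n+1}) = R_n' (bitwise complement)."""
    return (~r) & MASK


def cycle_length(f: RoundFn, block: Block, limit: int = 16) -> int:
    """Smallest k >= 1 such that k rounds return `block` to itself (0 if none <= limit)."""
    cur = block
    for k in range(1, limit + 1):
        cur = feistel_rounds(cur, f, 1)
        if cur == block:
            return k
    return 0


def modified_des_core(block: Block, f: RoundFn) -> Block:
    """16 rounds followed by the final swap, i.e. the input R16 || L16 to IP^-1."""
    l16, r16 = feistel_rounds(block, f, 16)
    return r16, l16


def fun2(block: Block) -> Block:
    """FUN2(A, B) = (A xor B', B), the closed form derived for part (b)."""
    a, b = block
    return a ^ ((~b) & MASK), b


def is_affine_on_samples(g: Callable[[Block], Block], seed: int = 1, trials: int = 200) -> bool:
    """An affine map over GF(2) satisfies g(x ^ y ^ z) == g(x) ^ g(y) ^ g(z) for all x, y, z.
    This checks the identity on pseudo-random triples; a single failure proves non-affinity."""
    rng = random.Random(seed)

    def rnd() -> Block:
        return rng.getrandbits(HALF), rng.getrandbits(HALF)

    def xor3(p: Block, q: Block, s: Block) -> Block:
        return p[0] ^ q[0] ^ s[0], p[1] ^ q[1] ^ s[1]

    for _ in range(trials):
        x, y, z = rnd(), rnd(), rnd()
        if g(xor3(x, y, z)) != xor3(g(x), g(y), g(z)):
            return False
    return True


if __name__ == "__main__":
    sample: Block = (0x0123ABCD, 0xF00DBEEF)   # constructed input halves
    print("period with F = 1:", cycle_length(f_all_ones, sample))     # 4
    print("period with F = R':", cycle_length(f_complement, sample))  # 3
    print("part (a) output == SWAP:", modified_des_core(sample, f_all_ones) == (sample[1], sample[0]))
    print("part (b) output == FUN2:", modified_des_core(sample, f_complement) == fun2(sample))
```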
Sample English essay on cryptography
Cryptography is the art of writing or solving codes, a practice as old as human communication itself. It plays a vital role in securing our digital world, ensuring privacy and integrity in the information we exchange.

From ancient ciphers like the Caesar cipher to modern encryption algorithms, the evolution of cryptography has been driven by the need for secure communication. Today, it safeguards our online transactions, protects sensitive data, and enables secure communication channels.

The science of cryptography is grounded in mathematics, particularly in number theory and algebra. It requires a deep understanding of complex algorithms and protocols to create systems that are both secure and efficient.

One of the most well-known encryption methods is the RSA algorithm, which relies on the difficulty of factoring large numbers. It's widely used in securing internet communications, such as when you visit a website with an HTTPS connection.

However, cryptography is not just about creating unbreakable codes; it's also about ensuring that the right people have access to the information. This is where the concept of digital signatures and public key infrastructure comes into play, allowing for both authentication and non-repudiation.

As we move towards a more interconnected world, the importance of cryptography continues to grow. It's not just about protecting our secrets; it's about building trust in our digital interactions.

In the face of ever-evolving cyber threats, the field of cryptography is constantly adapting. Researchers and cryptographers are always on the lookout for new methods to enhance security, ensuring that our digital world remains safe and secure.

The future of cryptography is promising, with advancements in quantum computing presenting both challenges and opportunities. As we develop new encryption methods to withstand these emerging technologies, the art of cryptography will continue to be a cornerstone of our digital security.
cryptography
Cryptography: An Introduction to Secure Communication

Introduction
In today's digital age, the security of sensitive information has become a major concern for individuals, organizations, and governments alike. The practice of cryptography plays a crucial role in safeguarding this information from unauthorized access, manipulation, and theft. In this document, we will explore the fundamentals of cryptography, its history, different types of cryptographic algorithms, and its applications in various fields.

1. History of Cryptography
Cryptography can be traced back to ancient times when it was used to send secret messages during wars and conflicts. The early methods of cryptography involved simple substitution ciphers, where each letter in a message was replaced by another letter following a fixed pattern. Over the years, cryptography evolved, and more complex algorithms were developed to ensure stronger security.

2. Symmetric Cryptography
Symmetric cryptography, also known as secret-key cryptography, is a fundamental technique in which the same key is used for both encryption and decryption of messages. The sender and receiver share this secret key, which should be kept confidential to ensure secure communication. The Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are examples of symmetric cryptographic algorithms widely used today.

3. Asymmetric Cryptography
Asymmetric cryptography, also known as public-key cryptography, uses two keys - a private key and a public key. The private key is kept secret by the owner, while the public key is shared with others. Messages encrypted with the public key can only be decrypted using the corresponding private key, providing a higher level of security. The most popular algorithm used in asymmetric cryptography is the Rivest-Shamir-Adleman (RSA) algorithm.

4. Hash Functions
Hash functions are an essential component of cryptography.
They are algorithms that convert data of any size into a fixed-size hash value. A hash function always produces the same hash value for the same input data and is designed to be computationally irreversible, ensuring that it is nearly impossible to obtain the original data from the hash value. Hash functions are extensively used in data integrity checks and digital signatures.

5. Cryptographic Applications
Cryptography finds applications in various fields, ensuring the security of sensitive information and enabling secure communication. Some of the common applications include:
a. Internet Security: Cryptography is used in Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols to secure data transmitted over the internet, thereby protecting online transactions and sensitive information.
b. Digital Signatures: Cryptography enables the creation of digital signatures, which provide authentication, integrity, and non-repudiation to electronic documents and messages.
c. Password Protection: Cryptographic techniques are used in password hashing algorithms to protect user passwords. This ensures that even if the stored passwords are compromised, they cannot be easily deciphered.
d. Virtual Private Networks (VPNs): Cryptography plays a critical role in securing VPNs, providing a secure tunnel for remote users to access corporate networks over the internet.
e. Blockchain Technology: Cryptography forms the backbone of blockchain technology, securing transactions and ensuring the immutability of data stored in a decentralized network.

6. Challenges and Future Trends
While cryptography has significantly advanced over the years, it still faces challenges and opportunities for growth. With the rise of quantum computing and the potential threat it poses to traditional encryption algorithms, researchers are exploring post-quantum cryptography techniques.
Additionally, advancements in homomorphic encryption and secure multi-party computation hold the potential for secure computation on encrypted data without revealing the underlying information.

Conclusion
Cryptography is a fundamental tool in securing communication and protecting sensitive information in today's digital world. With its rich history and continuous advancements, cryptography continues to play a vital role in ensuring privacy, integrity, and authenticity. Understanding the different types of cryptographic algorithms and their applications will empower individuals and organizations to make informed decisions when it comes to secure communication.
Several common ECG data formats and a comparison
The SCP, DICOM, HL7aECG and GDF formats and their comparison. This document first gives the concrete data structure of the four ECG signal formats SCP, DICOM, HL7aECG and GDF, and then analyzes the characteristics and range of application of each.
1. SCP-ECG format. This is a standard format designed specifically for ECG data. It holds the ECG waveform data, patient information, ECG acquisition information, and measurement and diagnostic information.
The SCP-ECG format consists of two parts: the Title (2 bytes for the CRC checksum and 4 bytes for the size of the ECG record) and Sections 0 through 11.
Of these, the Title, Section 0 and Section 1 are mandatory; the remaining parts are optional.
The detailed data structure is as follows:
Table 1. Structure of SCP-ECG records.
Mandatory   2 bytes      checksum: CRC-CCITT over the entire record (excluding this word)
Mandatory   4 bytes      (unsigned) size of the entire ECG record (in bytes)
Mandatory   Section 0    pointers to data areas in the record
Mandatory   Section 1    header information: patient data / ECG acquisition data
Optional    Section 2    Huffman tables used in encoding of ECG data (if used)
Optional    Section 3    ECG lead definition
Optional    Section 4    QRS locations (if reference beats are encoded)
Optional    Section 5    encoded reference beat data if reference beats are stored
Optional    Section 6    "residual signal" after reference beat subtraction if reference beats are stored, otherwise encoded rhythm data
Optional    Section 7    global measurements
Optional    Section 8    textual diagnosis from the "interpretive" device
Optional    Section 9    manufacturer-specific diagnostic and over-reading data from the "interpretive" device
Optional    Section 10   lead measurement results
Optional    Section 11   universal statement codes resulting from the interpretation
Drawbacks: (1) It supports only resting ECG; it does not support signal-averaged ECG (late potentials), ambulatory ECG (Holter) or exercise ECG. (2) It supports only RS-232 serial transmission, and its binary storage is not convenient for information exchange over a network. (3) The complex compression algorithm it uses is hard to implement and test, and the format cannot support other workflows such as order scheduling.
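As an added example (not from the document above, which describes the format only at the level of Table 1), here is a Python validator for the mandatory SCP-ECG title: it checks the size field and recomputes the CRC over the record excluding the checksum word, so truncation, padding and bit-flips are all caught before any section is parsed. The CRC parameters (CRC-16/CCITT, polynomial 0x1021, initial value 0xFFFF, no final XOR), the little-endian byte order and the sample body are assumptions.

```python
"""Validate the 6-byte SCP-ECG title (checksum + record size). Added example;
CRC parameters and byte order are assumptions, not taken from the document."""
import struct
from typing import Optional, Tuple

# Constructed stand-in for "Section 0 onward"; real records carry section data here.
SAMPLE_BODY = b"\x00" * 16 + b"constructed-section-data"


def crc_ccitt(data: bytes, init: int = 0xFFFF, poly: int = 0x1021) -> int:
    """Bitwise CRC-16 with the CCITT polynomial x^16 + x^12 + x^5 + 1,
    MSB first, no bit reflection, no final XOR (the CRC-16/CCITT-FALSE variant)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_record(body: bytes) -> bytes:
    """Prefix `body` with the title: CRC over everything after the CRC word,
    then the size of the entire record in bytes (little-endian assumed)."""
    size = 2 + 4 + len(body)
    payload = struct.pack("<I", size) + body
    return struct.pack("<H", crc_ccitt(payload)) + payload


def parse_title(record: bytes) -> Tuple[Optional[str], Optional[Tuple[int, int]]]:
    """Return (error, (crc, size)). `error` is None when the title is consistent
    with the bytes actually received; the size check runs first so that a
    truncated or padded record is reported as such rather than as a CRC failure."""
    if len(record) < 6:
        return "record shorter than the 6-byte title", None
    crc, size = struct.unpack("<HI", record[:6])
    if size != len(record):
        return f"size field {size} does not match actual length {len(record)}", (crc, size)
    if crc_ccitt(record[2:]) != crc:
        return "checksum mismatch: record corrupted or tampered", (crc, size)
    return None, (crc, size)


if __name__ == "__main__":
    rec = build_record(SAMPLE_BODY)
    print(parse_title(rec))                   # (None, (crc, 46))
    print(parse_title(rec[:-1]))              # size mismatch
    flipped = rec[:10] + bytes([rec[10] ^ 0x01]) + rec[11:]
    print(parse_title(flipped))               # checksum mismatch
```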
A new technique using ECG editing to correct banding artifacts in ECG-gated dual-source MDCT angiography
Translated by Wang Dan; reviewed by Zhang Shizheng
国际医学放射学杂志 (International Journal of Medical Radiology), 2009 Jan
Original article published in Eur Radiol, 2008, 18(11)

Abstract: The purpose of this study was to evaluate the ability of dual-source CT (DSCT) to depict coronary artery anomalies. Early detection and assessment of coronary artery anomalies is important because they may be accompanied by myocardial ischemia and may cause sudden death. Among 230 patients who underwent contrast-enhanced DSCT, coronary artery anomalies were detected in 16 [12 male; mean age garbled in the source], an incidence of 7%, comprising 6 different types of anomaly (3 coronary artery fistulas, 4 circumflex artery anomalies, 4 right coronary artery anomalies, 3 left coronary artery anomalies, 1 absent left main coronary artery, 1
conventional coronary angiography (CAG) was performed at the same time. The results were reviewed retrospectively by one experienced interventional cardiologist. The diagnosis was accurate in 50% of patients. In all patients, DSCT obtained adequate image quality and accurately displayed the anatomical variants. DSCT can therefore serve as a diagnostic tool that accurately shows the origin, course and morphology of coronary artery anomalies.
Keywords: dual-source CT; coronary artery anomaly; coronary CT angiography; cardi
Authenticated Routing
Authenticated Routing for Ad Hoc Networks
Kimaya Sanzgiri, Daniel LaFlamme, Bridget Dahill, Brian Neil Levine, Member, IEEE, Clay Shields, Member, IEEE, and Elizabeth M. Belding-Royer, Member, IEEE

Abstract—Initial work in ad hoc routing has considered only the problem of providing efficient mechanisms for finding paths in very dynamic networks, without considering security. Because of this, there are a number of attacks that can be used to manipulate the routing in an ad hoc network. In this paper, we describe these threats, specifically showing their effects on ad hoc on-demand distance vector and dynamic source routing. Our protocol, named authenticated routing for ad hoc networks (ARAN), uses public-key cryptographic mechanisms to defeat all identified attacks. We detail how ARAN can secure routing in environments where nodes are authorized to participate but untrusted to cooperate, as well as environments where participants do not need to be authorized to participate. Through both simulation and experimentation with our publicly available implementation, we characterize and evaluate ARAN and show that it is able to effectively and efficiently discover secure routes within an ad hoc network.

Index Terms—Ad hoc networks, secure routing.

I. INTRODUCTION

SECURING protocols for mobile ad hoc networks presents unique challenges due to characteristics such as lack of predeployed infrastructure, centralized policy and control. In this paper, we make a number of contributions to the design of secure ad hoc routing protocols.1 First, we describe exploits that are possible against ad hoc routing protocols. We show specifically that two protocols that are under consideration by the Internet Engineering Task Force (IETF) for standardization, ad hoc on-demand distance vector (AODV) [2] and dynamic source routing (DSR) [3], although efficient in terms of network performance, are replete with security flaws. Second, we define and distinguish the heterogeneous environments that make use of ad hoc routing and differ
in their assumed predeployment and security requirements. This approach is important because satisfying a tighter set of security requirements than an application requires is unwarranted and wasteful of resources.

Manuscript received October 17, 2003; revised October 15, 2004. This work was supported in part by the National Science Foundation under Award ANI-522564, Award ANI-0335302, and Award EIA-0080199, in part by an Air Force Office of Scientific Research (AFOSR) Multidisciplinary University Research Initiative (MURI) Grant, and in part by the U.S. Department of Justice, Office of Justice Programs under Grant 2000-DT-CX-K001. Contents are solely the responsibility of the authors and do not necessarily represent the official views of the Department of Justice (DoJ) or National Science Foundation (NSF).
K. Sanzgiri and E. M. Belding-Royer are with the Department of Computer Science, University of California, Santa Barbara, CA 93106 USA (e-mail: kimaya@).
D. LaFlamme, B. Dahill, and B. N. Levine are with the Department of Computer Science, University of Massachusetts, Amherst, MA 01060 USA.
C. Shields is with the Department of Computer Science, Georgetown University, Washington, DC 20057 USA.
Digital Object Identifier 10.1109/JSAC.2004.842547
1 This paper represents many refinements and extensions to our original work from IEEE ICNP 2002 [1].

Third, we propose a secure routing protocol, authenticated routing for ad hoc networks (ARAN), that detects and protects against malicious actions by third parties and peers. ARAN introduces authentication, message integrity, and nonrepudiation to routing in an ad hoc environment as a part of a minimal security policy. We detail how ARAN can be used in two environments: where mobile users are federated and can be precertified (e.g., on a campus) though remain untrusted; and where they are unknown to each other and cannot be precertified (e.g., a "rooftop" access point). To our knowledge, ARAN is the first proposal for securing ad hoc routing for rooftop networks.
We analyze the security of ARAN and evaluate its network performance through measurement of both our publicly available implementation and extensive simulations. We find that although there is a greater performance cost to ARAN as compared to DSR or AODV, the increase in cost is minimal and outweighed by the increased security.

This paper is organized as follows. Section II presents an overview of recent work on ad hoc network security. Section III describes the security exploits possible in ad hoc routing protocols. Three ad hoc environments and the security requirements of any ad hoc network are defined in Section IV. Section V presents our secure ad hoc routing protocol, ARAN. A security analysis of ARAN is provided in Section VI, while Section VII evaluates ARAN through implementation and simulations. Finally, Section VIII offers concluding remarks.

II. BACKGROUND

Several proposed ad hoc routing protocols, for example [2]–[6], have security vulnerabilities and exposures that easily allow for routing attacks. While these vulnerabilities are common to many protocols, in this paper, we focus on two protocols that are under consideration by the IETF for standardization: AODV [2] and DSR [3].

The fundamental differences between ad hoc networks and standard Internet protocol (IP) networks necessitate the development of new security services. This point has been recognized, and several researchers have examined security problems in ad hoc networks. Numerous solutions have been proposed for providing a secure and reliable certification authority in ad hoc networks [7]–[10]. Another problem that has received attention is that of stimulating cooperation among nodes in an ad hoc network and addressing malicious packet dropping [11]–[16].
Strategies used include detecting and punishing noncooperating nodes, rewarding nodes for forwarding packets, concealing the true destination of packets from intermediate nodes, and using redundant data transmissions over multiple paths.

0733-8716/$20.00 © 2005 IEEE

The issue of secure routing in particular has received significant attention. Hu et al. have proposed ARIADNE [17], a secure version of DSR. ARIADNE can use predeployed pairwise symmetric keys or predeployed asymmetric cryptography for authentication. The former is more efficient, but requires shared secrets between communicating nodes, which may not always be feasible to establish. A third option for ARIADNE is the TESLA authentication scheme, which is also based on asymmetric encryption, thus requiring a certification authority or predeployed keys. TESLA requires that packets are delayed by the longest round-trip time (RTT) in the network before they are sent (thus route creation incurs this delay in both request and response phases). Chu et al. developed a secure proactive routing protocol based on DSDV [6] called SEAD [18], which is also based on public-key signed hash chains.

SAODV [19], an early attempt to secure the AODV routing protocol, has numerous security vulnerabilities. For instance, it allows a malicious intermediate node to spoof its identity, illegally modify the hop count on route request messages, and fabricate route error messages.

The use of security parameters, such as the trust level of a node in a hierarchical organization, as a routing metric is proposed in [20]. To secure the scheme, the authors suggest that all nodes at the same level of trust should share a common secret. This is not very practical, and has many key-management issues. In an alternative scheme, Papadimitratos et al. [21] propose the secure routing protocol (SRP); however, this is vulnerable to attacks such as fabricated route error messages. Routing security in sens networks has been analyzed in [22]. The wormhole attack against secure ad hoc routing protocols is studied and a solution is presented in [23], though implementing the solution requires specialized hardware to achieve a high degree of clock synchronization. Awerbuch et al. design a flooding-free reactive routing protocol based on Swarm Intelligence and the distributed reinforcement learning paradigm [24], which is secure against a dynamic Byzantine adversarial model. Finally, intrusion detection techniques for ad hoc networks have been studied [25], [26].

Our work differs from other work in that we do not assume any hardware modifications or synchronized clocks, and only minimal advance keying from a trusted authority. We also account for the costs of distributing cryptographic material instead of assuming it is predeployed.

In comparison against related work (e.g., [17], [27]), ARAN has higher computational costs at each node, which has implications for power costs and latency. However, the dominant energy cost of wireless networking on handheld devices is the idle system with an idle radio [28]; the costs of ARAN’s cryptography represent a small price in comparison. ARAN’s computational delays are comparable to the mandatory authentication delays required by TESLA [27], a hash-chain-based approach to security. TESLA mandates delays equal to twice the diameter RTT of the network in addition to processing delays, even if the path is between direct neighbors.

TABLE I: Vulnerabilities of AODV, DSR, and ARAN (table body not reproduced)

III. EXPLOITS AGAINST EXISTING PROTOCOLS

Several popular ad hoc routing protocols allow for many different types of attacks. In this section, we classify and briefly describe modification, impersonation, and fabrication exploits against ad hoc routing protocols. Detailed descriptions of the attacks can be found in our previous work [1]. In addition, several attacks are possible in the forwarding operation. Data packets can be dropped, replayed, or redirected. In Section V, we propose a protocol that is not exploitable in these ways. Our focus is on vulnerabilities and exposures
that result from the specification of the ad hoc routing protocol, and not from problems with IEEE 802.11. Additionally, denial-of-service attacks based on noncooperation and packet dropping, or resource depletion by aggressive route request flooding, are possible in all ad hoc routing protocols. We do not deal with the issue of ensuring protocol compliance, and look only at security problems arising from manipulation of the network routing. The attacks presented below are described in terms of the AODV and DSR protocols, which we use as representatives of ad hoc on-demand protocols. Table I provides a summary of each protocol’s vulnerability to the following exploits.

A. Attacks Using Modification

Malicious nodes can cause redirection of network traffic and DoS attacks by altering control message fields or by forwarding routing messages with falsified values. Below, we briefly describe several modification attacks against AODV and DSR.

1) Redirection by Modified Route Sequence Numbers: Protocols such as AODV and DSDV assign monotonically increasing sequence numbers to routes toward specific destinations. A route with a higher sequence number is preferred over one with a lower sequence number. Thus, in AODV, any node may divert traffic through itself by advertising a route to a node with a destination sequence number greater than the authentic value.

2) Redirection With Modified Hop Counts: In AODV, a redirection attack is possible by modification of the hop count field in route discovery messages. When routing decisions cannot be made by other metrics, AODV uses the hop count field to determine a shortest path. Malicious nodes can increase the chances they are included on a newly created route by resetting the hop count field of the route request (RREQ) to zero. Similarly, by setting the hop count field of the RREQ to infinity, created routes will tend to not include the malicious node. Such an attack is most threatening when combined with spoofing, described in Section III-B.

3) Denial-of-Service With Modified Source Routes: DSR utilizes source routes, thereby explicitly stating routes in data packets. These routes lack any integrity checks and a simple denial-of-service attack can be launched in DSR by altering the source routes in packet headers, such that the packet can no longer be delivered to the destination.

4) Tunneling: Ad hoc networks have an implicit assumption that any node can be located adjacent to any other node. A tunneling attack is where two or more nodes collaborate to encapsulate and exchange messages along existing data paths. Such collaborating nodes can pretend to be neighbors, and falsely represent the length of available paths by preventing honest intermediate nodes from correctly incrementing the path length metric. It is also possible that instead of tunneling through existing multihop routes, the malicious nodes can use a long-range directional wireless link or a wired link between them. Such a link gives the attackers an unfair advantage toward occurring on the shortest delay route between a source and destination. This has been referred to as the wormhole attack in recent literature [17], [23]. However, if the malicious nodes truly lie on the shortest delay path, it could be argued that the selection of this path is not a subversion of the routing protocol. A mechanism for defending against wormhole attacks is presented in [23].

B. Attacks Using Impersonation

Spoofing occurs when a node misrepresents its identity in the network, such as by altering its medium access control (MAC) or IP address in outgoing packets, and is readily combined with other attacks, such as those based on modification. The advantage of spoofing is that the attack cannot be traced back to the malicious node.

C. Attacks Using Fabrication

Fabrication attacks involve the generation of false routing messages. Such attacks can be difficult to verify as invalid constructs, especially in the case of fabricated error messages that claim a neighbor cannot be contacted.

1) Falsifying Route
Errors in AODV and DSR: In AODV and DSR, if the destination node or an intermediate node along an active path moves, the node upstream of the link break broadcasts a route error message to all active upstream neighbors. This message causes the corresponding route to be invalidated in all upstream nodes. A denial-of-service attack can be launched by continually sending route error messages indicating a broken link on the route, thereby preventing the source from communicating with the destination.

2) Route Cache Poisoning in DSR: In DSR, a node overhearing any packet may add the routing information contained in that packet’s header to its own route cache, even if that node is not on the path from source to destination. An attacker could easily exploit this method of learning routes and poison route caches by transmitting packets containing invalid routes in their headers.

IV. SECURITY REQUIREMENTS OF AD HOC NETWORKS

Applications for ad hoc networks include military operations, emergency rescue missions, and simple provisioning of wireless network access, such as at a conference or in a classroom. In this section, we classify ad hoc networks into three distinct environments that differ in security needs and assumed predeployment. These classes are defined because it is difficult to construct a single secure ad hoc routing protocol to suit the needs of many heterogeneous wireless applications. The lower security requirements of some environments do not justify use of costly protocols that satisfy stricter security policies. The environments defined in this section enable us to clearly state where we expect to apply our secure protocol.

A good secure routing algorithm prevents each of the exploits presented in Section III; it must ensure that no node can prevent successful route discovery and maintenance between any other nodes other than by nonparticipation.

We define a set of three discrete ad hoc wireless environments: open, managed-open and managed-hostile. These differ not only in the level of security needed, but also in that some have opportunity for exchange of security parameters before the nodes are deployed. In sum, all secure ad hoc routing protocols must satisfy the following requirements to ensure that path discovery from source to destination functions correctly in the presence of malicious adversaries.

1) Route signaling cannot be spoofed.
2) Fabricated routing messages cannot be injected into the network.
3) Routing messages cannot be altered in transit, except according to the normal functionality of the routing protocol.
4) Routing loops cannot be formed through malicious action.
5) Routes cannot be redirected from the shortest path by malicious action.

These requirements help define an open environment along with the following distinction: all nodes can be considered authorized. This scenario might exist, for example, for a user walking through an urban environment or driving on a highway.
Managed-open environments are accordingly distinguished by an additional requirement.

6) Unauthorized nodes must be excluded from route computation and discovery.

This requirement does not preclude the fact that authenticated peers may act maliciously as well. Additionally, we assume that the managed-open environment has the opportunity for predeployment or exchange of public keys, session keys, or certificates. We expect mobile nodes in this environment reside within some common context or geographic proximity. Such an ad hoc network might be formed by peers at a conference, or students on a campus.

We define a managed-hostile environment to have the requirements listed above, as well as the following.

7) The network topology must neither be exposed to adversaries nor to authorized nodes by the routing messages.

A managed-hostile environment is formed, for example, by military nodes in a battle environment, or perhaps by emergency response crews in a disaster area. In such an environment, nodes are deployed by a common source. Consequently, there may be opportunity for predeployed exchange of security parameters. The distinguishing security threat of the managed-hostile environment is that every node is vulnerable to physical capture and take-over of equipment, where hostile entities can then pose as friendly entities at a compromised node. Therefore, exposure of node location from the routing protocol messages is not desirable, else adversaries may gain an opportunity to annihilate users.

In Section V, we present the ARAN protocol, which meets the needs of the managed-open and open environments. It does not provide a solution to the managed-hostile environment because it exposes the routing topology.

V. AUTHENTICATED ROUTING FOR AD HOC NETWORKS (ARAN)

In this section, we detail the operation of ARAN. ARAN uses cryptographic certificates to prevent most of the attacks presented in Section III and detect erratic behavior. ARAN consists of a preliminary certification process followed by a route instantiation process that guarantees end-to-end authentication. The protocol is simple compared to most nonsecured ad hoc routing protocols, and does not include routing optimizations present in the latter. It should be noted that these optimizations are the chief cause of most exploits listed in Section III.

Route discovery in ARAN is accomplished by a broadcast route discovery message from a source node that is replied to by the destination node. The routing messages are authenticated end-to-end and only authorized nodes participate at each hop between source and destination.

A. Certification of Authorized Nodes

ARAN uses cryptographic certificates to bring authentication, message integrity and nonrepudiation to the route discovery process. ARAN, therefore, requires the use of a trusted certificate server, whose public key is known to all valid nodes (or multiple servers may be used [10]). Nodes use these certificates to authenticate themselves to other nodes during the exchange of routing messages. The use of public keys and certificates is common in many secure ad hoc routing protocols, but most assume the existence of such information without any explicit description of how it is transmitted. While ARAN may appear more expensive, it is in part because we account for the distribution of the cryptographic keying material.

In managed-open environments, keys are a priori generated and exchanged through an existing, perhaps out-of-band, relationship between the certificate server and each node. Before entering the ad hoc network, each node must request a certificate from the server. Each node receives exactly one certificate after securely authenticating its identity to the server. Details of how certificates are revoked are explained in Section V-G. Section V-H describes the certification process for open environments. A node receives a certificate from the server as follows:

(1)

TABLE II: Table of Variables and Notation (table body not reproduced)

The certificate contains the IP address of the node, the public key of the node, a timestamp of when the certificate was
created, and a time at which the certificate expires. Table II summarizes our notation. These variables are concatenated and signed by the certificate server. All nodes must maintain fresh certificates with the trusted server.

B. Authenticated Route Discovery

The goal of end-to-end authentication is for the source to verify that the intended destination was reached. The source trusts the destination to select the return path. The source node begins route instantiation to the destination by broadcasting to its neighbors a route discovery packet (RDP):

(2)

The RDP includes a packet type identifier (“RDP”), the IP address of the destination, the source’s certificate, and a nonce, all signed with the source’s private key. Note that the RDP is only signed by the source and not encrypted, so the contents can be viewed publicly. The purpose of the nonce is to uniquely identify an RDP coming from a source. Each time the source performs route discovery, it monotonically increases the nonce. The nonce is 5 bytes in size, and is thus large enough that it will not need to be recycled within the lifetime of the network.2 Note that a hop count is not included with the message.

When a node receives an RDP message, it sets up a reverse path back to the source by recording the neighbor from which it received the RDP. This is in anticipation of eventually receiving a reply message that it will need to forward back to the source. The receiving node uses the source’s public key, which it extracts from the source’s certificate, to validate the signature and verify that the source’s certificate has not expired. The receiving node also checks the (source, nonce) tuple to verify that it has not already processed this RDP; nodes do not forward messages with already-seen tuples. The receiving node signs the contents of the message, appends its own certificate, and forward broadcasts the message to each of its neighbors. The signature prevents spoofing attacks that may alter the route or form loops.

2 If a source sends a new RDP every millisecond, with a 5 byte nonce, it would take more than 34 years for the value to wrap around.

Let a neighbor of the source be one that has received the RDP broadcast, which it subsequently rebroadcasts:

(3)

Upon receiving the RDP, that neighbor’s own neighbor validates the signatures for both the RDP initiator and the neighbor it received the RDP from, using the certificates in the RDP. It then removes the first neighbor’s certificate and signature, records the first neighbor as its predecessor, signs the contents of the message originally broadcast by the source and appends its own certificate. It then rebroadcasts the RDP:

(4)

Each intermediate node along the path repeats the same steps as this second neighbor.

C. Authenticated Route Setup

Eventually, the message is received by the destination, who replies to the first RDP that it receives for a source and a given nonce. This RDP need not have traveled along the path with the least number of hops; the least-hop path may have a higher delay, either legitimately or maliciously manifested. In this case, however, a noncongested, nonleast-hop path is likely to be preferred to a congested least-hop path because of the reduction in delay. Because RDPs do not contain a hop count or specific recorded source route, and because messages are signed at each hop, malicious nodes have no opportunity to redirect traffic with the exploits we described in Section III.

After receiving the RDP, the destination unicasts a reply (REP) packet back along the reverse path to the source. Let the first node that receives the REP sent by the destination be the destination’s predecessor on the reverse path:

(5)

The REP includes a packet type identifier (“REP”), the IP address of the source, the certificate belonging to the destination and the nonce sent by the source. Nodes that receive the REP forward the packet back to the predecessor from which they received the original RDP. Each node along the reverse path back to the source signs the REP and appends its own certificate before forwarding the REP to the next hop. Let that node’s next hop to the source be the following node:

(6)

This next node validates the previous node’s signature on the received message, removes the signature and certificate, then signs the contents of the message and appends its own certificate before unicasting the REP to its own next hop toward the source:

(7)

Each node checks the
nonce and signature of the previous hop as the REP is returned to the source. This avoids attacks where malicious nodes instantiate routes by impersonation and replay of the destination’s message. When the source receives the REP, it verifies the destination’s signature and the nonce returned by the destination.

D. Route Maintenance

ARAN is an on-demand protocol. When no traffic has occurred on an existing route for that route’s lifetime, the route is simply deactivated in the route table. Data received on an inactive route causes nodes to generate an error (ERR) message. Nodes also use ERR messages to report links in active routes that are broken due to node movement. All ERR messages must be signed. For a route between a source and a destination, a node generates the ERR message for its neighbor as follows:

(8)

This message is forwarded along the path toward the source without modification. A nonce ensures that the ERR message is fresh.

It is extremely difficult to detect when ERR messages are fabricated for links that are truly active and not broken. However, the signature on the message prevents impersonation and enables nonrepudiation. A node that transmits a large number of ERR messages, whether the ERR messages are valid or fabricated, should be avoided.

E. Responses to Erratic Behavior

Erratic behavior can come from a malicious node, but it can also come from a friendly node that is malfunctioning. ARAN’s response does not differentiate between the two and regards all erratic behavior as the same. Erratic behavior includes the use of invalid certificates, improperly signed messages, and misuse of route error messages. ARAN’s response to erratic behavior is a local decision and the details are left to implementors. We discuss how susceptible ARAN is to this behavior in the next section.

F. Potential Optimizations

Although we have specified the use of public certificates here, it is clear that intermediary nodes (the intermediate nodes in our examples) can easily agree upon and exchange session keys using the certificates that authenticate their participation in route creation. Two nodes can easily share a symmetric key generated with their own private key and the public key of the other. A session key can last the duration of their juxtaposition and can be a symmetric key, to reduce processing costs; equivalently, juxtaposed peers can create low-cost hash chains between themselves for authentication of future messages. Using these optimizations would decrease computational overhead and power consumption. However, even if these optimizations are used, we require that sources and destinations must include full public-key signatures for end-to-end route discovery and setup messages.

G. Key Revocation

In some environments with strict security criteria, the required certificate revocation mechanism must be very reliable and expensive. Due to the desired low overhead in wireless networks and the lower standards of security sought in the managed-open and open environments, a best-effort immediate revocation service can be provided that is backed up by the use of limited-time certificates.
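The certification, route discovery and route setup of Sections V-A to V-C, as an added Go example; it is not code from the paper or from the authors' ARAN implementation. It assumes Ed25519 for every signature, JSON encoding where the paper concatenates fields, a certificate lifetime of 3600 time units, and a constructed four-node chain with the addresses 10.0.0.1 to 10.0.0.4; the names Cert, Server, Node, Msg, Example and the rest are this example's own. Each hop performs the checks the text describes (server signature and expiry on every certificate, the originator's signature, the previous hop's signature, the already-seen (source, nonce) tuple), records its reverse-path predecessor, and the source checks the nonce on the REP. The example also shows that an RDP whose destination field is altered in flight is dropped by the next hop because the source's signature no longer verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Cert is what the certificate server T issues (eq. (1) in prose): IP, public key, creation and
// expiry times, signed by T. JSON stands in for the paper's concatenation (an assumption here).
type Cert struct{ IP string; PubKey ed25519.PublicKey; Created, Expires int64; Sig []byte }
func enc(v ...interface{}) []byte { b, _ := json.Marshal(v); return b }
func (c Cert) body() []byte        { return enc(c.IP, []byte(c.PubKey), c.Created, c.Expires) }

// Server is the trusted certificate server T; every valid node knows its public key.
// Valid checks T's signature over the certificate and that it has not expired.
type Server struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewServer() *Server { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &Server{pub, priv} }
func (s *Server) Issue(ip string, pub ed25519.PublicKey, now, ttl int64) Cert {
	c := Cert{IP: ip, PubKey: pub, Created: now, Expires: now + ttl}
	c.Sig = ed25519.Sign(s.priv, c.body())
	return c
}
func (s *Server) Valid(c Cert, now int64) bool { return now < c.Expires && ed25519.Verify(s.pub, c.body(), c.Sig) }

// Msg is an RDP or REP. The originator signs Type, Dest, OriginCert and Nonce (eqs. (2), (5));
// each forwarding hop signs that block plus OriginSig and appends its own cert (eqs. (3)-(7)).
type Msg struct {
	Type, Dest string; OriginCert Cert; Nonce uint64; OriginSig []byte; HopCert *Cert; HopSig []byte
}
func (m Msg) originBody() []byte { return enc(m.Type, m.Dest, m.OriginCert, m.Nonce) }
func (m Msg) hopBody() []byte    { return append(m.originBody(), m.OriginSig...) }
type key struct{ src string; nonce uint64 }

// Node state: already-seen (source, nonce) tuples, the reverse-path predecessor per RDP,
// the destination each pending nonce was issued for, and the next hop learned per destination.
type Node struct {
	IP string; priv ed25519.PrivateKey; Cert Cert; srv *Server; Nbrs []*Node; nonce uint64
	pending map[uint64]string; seen map[key]bool; pred map[key]*Node; Routes map[string]*Node
}
func NewNode(ip string, srv *Server, now int64) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Node{IP: ip, priv: priv, Cert: srv.Issue(ip, pub, now, 3600), srv: srv, pending: map[uint64]string{},
		seen: map[key]bool{}, pred: map[key]*Node{}, Routes: map[string]*Node{}}
}

// originSign signs as originator (source of an RDP, destination of a REP); hopSign replaces the
// previous hop's certificate and signature with this node's; verify checks both layers plus expiry.
func (n *Node) originSign(m Msg) Msg { m.OriginSig = ed25519.Sign(n.priv, m.originBody()); return m }
func (n *Node) hopSign(m Msg) Msg    { c := n.Cert; m.HopCert, m.HopSig = &c, ed25519.Sign(n.priv, m.hopBody()); return m }
func (n *Node) verify(m Msg, now int64) bool {
	return n.srv.Valid(m.OriginCert, now) && ed25519.Verify(m.OriginCert.PubKey, m.originBody(), m.OriginSig) &&
		(m.HopCert == nil || n.srv.Valid(*m.HopCert, now) && ed25519.Verify(m.HopCert.PubKey, m.hopBody(), m.HopSig))
}

// Discover broadcasts a signed RDP carrying a monotonically increasing nonce and no hop count.
func (n *Node) Discover(dest string, now int64) {
	n.nonce++
	n.pending[n.nonce] = dest
	m := n.originSign(Msg{Type: "RDP", Dest: dest, OriginCert: n.Cert, Nonce: n.nonce})
	for _, nb := range n.Nbrs { nb.RecvRDP(m, n, now) }
}

// RecvRDP drops invalid or already-seen RDPs, records the reverse path, then either answers
// with a REP (destination) or re-signs and rebroadcasts to every neighbour but the sender.
func (n *Node) RecvRDP(m Msg, from *Node, now int64) bool {
	k := key{m.OriginCert.IP, m.Nonce}
	if m.Type != "RDP" || !n.verify(m, now) || n.seen[k] { return false }
	n.seen[k], n.pred[k] = true, from
	if n.IP == m.Dest {
		return from.RecvREP(n.originSign(Msg{Type: "REP", Dest: m.OriginCert.IP, OriginCert: n.Cert, Nonce: m.Nonce}), n, now)
	}
	for _, nb := range n.Nbrs { if nb != from { nb.RecvRDP(n.hopSign(m), n, now) } }
	return true
}

// RecvREP validates the destination's and previous hop's signatures and unicasts the REP to the
// recorded predecessor; the source additionally checks the nonce against the RDP it sent.
func (n *Node) RecvREP(m Msg, from *Node, now int64) bool {
	if m.Type != "REP" || !n.verify(m, now) { return false }
	if n.IP == m.Dest && n.pending[m.Nonce] != m.OriginCert.IP { return false }
	n.Routes[m.OriginCert.IP] = from
	if n.IP == m.Dest { return true }
	prev, ok := n.pred[key{m.Dest, m.Nonce}]
	return ok && prev.RecvREP(n.hopSign(m), n, now)
}

// Example runs discovery over the constructed chain 10.0.0.1 - .2 - .3 - .4 and returns the path
// the source learns plus whether an RDP whose destination was rewritten in flight is accepted.
func Example() ([]string, bool) {
	const now = 1_000_000
	srv := NewServer()
	a, b, c, d := NewNode("10.0.0.1", srv, now), NewNode("10.0.0.2", srv, now), NewNode("10.0.0.3", srv, now), NewNode("10.0.0.4", srv, now)
	a.Nbrs, b.Nbrs, c.Nbrs, d.Nbrs = []*Node{b}, []*Node{a, c}, []*Node{b, d}, []*Node{c}
	a.Discover(d.IP, now)
	var path []string
	for cur := a; cur != nil && len(path) < 8; cur = cur.Routes[d.IP] { path = append(path, cur.IP) }
	m := a.originSign(Msg{Type: "RDP", Dest: d.IP, OriginCert: a.Cert, Nonce: 99})
	m.Dest = b.IP // .2 alters the destination before forwarding; .3 must reject .1's broken signature
	return path, c.RecvRDP(b.hopSign(m), b, now)
}

func main() { fmt.Println(Example()) }
```

The simulation is depth-first, so on the chain there is exactly one candidate path; with redundant links the seen map would make whichever copy of the RDP arrived first the one that gets answered, which is the first-RDP rule of Section V-C. A REP whose nonce does not match a pending discovery, or whose origin certificate does not belong to the destination that was asked for, is dropped at the source, and every hop drops a message whose certificate the server did not sign or which has expired.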
LIFEPAK 20/20e ECG monitor, defibrillator and synchronized cardioversion operating guide

12. Prepares for additional countershocks if needed by repeating steps #6–12.
13. Presses CODE SUMMARY for documentation.
3. Prepares patient:
• Bares patient’s chest.
• Prepares electrode sites with brisk dry rub.
• Describes additional preparation needed for patient with excessive hair, oily or damp skin.
4. Applies ECG electrodes:
• Confirms package is sealed and use-by date has not passed.
• Attaches an electrode to each lead wire.
• Inspects electrode gel for moisture content.
• Identifies appropriate electrode sites for 3-wire cable in upper right, upper left, lower left torso areas; or 5-wire cable in upper right and left, lower right and left torso, and (c) in V4 location or as directed by local protocol.
• Applies electrode flat to skin, smoothing tape outwardly and avoiding pressing on center of electrode.
• Secures cable clasp to patient’s clothing (optional).
Provably Secure Heterogeneous Aggregate Signcryption Scheme from Traditional Public-Key Cryptography to Certificateless Public-Key Cryptography

Authors: 张玉磊; 王欢; 马彦丽; 刘文静; 王彩芬
Journal: Journal of Electronics & Information Technology (电子与信息学报)
Year (volume), issue: 2018 (040) 005

Abstract: Heterogeneous signcryption can be used to guarantee the confidentiality and the unforgeability in the different cryptographies. By analyzing some existing heterogeneous signcryption schemes, it is found that they only deal with a single message and can not achieve batch verification. Aggregation signcryption can not only take n distinct signcryption on n messages signed by n distinct users, but also provide a batch verification and reduce the cost of verification. In this paper, a Traditional Public Key Infrastructure (TPKI)-CertificateLess Public Key Cryptography (CLPKC) heterogeneous aggregation signcryption scheme is proposed, which can ensure the confidentiality and authentication between the TPKI and CLPKC. The scheme does not require bilinear pairings when it is aggregated. It is proved that the scheme has indistinguishability against adaptive chosen ciphertext attack and existential unforgeability against adaptive chosen messages attack under gap bilinear Diffie-Hellman and computational Diffie-Hellman problem and Discrete logarithm.

Chinese abstract (translated): Heterogeneous signcryption guarantees the confidentiality and unforgeability of data exchanged between heterogeneous cryptosystems. Analysis of existing heterogeneous signcryption schemes shows that they only handle a single message and cannot achieve batch verification. Aggregate signcryption can deliver to the receiver, at once, the signcryption ciphertexts produced by different users on multiple messages, and can provide batch verification, reducing the verification cost. This paper proposes a traditional public-key cryptography to certificateless public-key cryptography heterogeneous aggregate signcryption scheme. The scheme not only guarantees the confidentiality and authentication of communication between the traditional public-key cryptography (TPKI) and certificateless public-key cryptography (CLPKC) systems, but also needs no bilinear pairing during aggregate verification. In the random oracle model, based on the gap bilinear Diffie-Hellman problem, the computational Diffie-Hellman problem and the discrete logarithm problem, the scheme is proved to satisfy indistinguishability under adaptive chosen-ciphertext attack and unforgeability under adaptive chosen-message attack.

Pages: 8 (P1079-1086)
Affiliations: College of Computer Science and Engineering, Northwest Normal University, Lanzhou 730070 (all five authors)
Language: Chinese
CLC number: TP309

Related literature:
1. A provably secure heterogeneous aggregate signcryption scheme [J], 牛淑芬; 牛灵; 王彩芬; 杜小妮
2. A provably secure compact certificateless aggregate signcryption scheme [J], 张玉磊; 王欢; 李臣意; 张永洁; 王彩芬
3. Notes on the provable security of public-key cryptographic schemes [J], 任艳丽; 谷大武
4. Partial blind signcryption scheme in the heterogeneous environment from certificateless public-key cryptography to traditional public key infrastructure [J], 王彩芬; 许钦百; 刘超; 成玉丹; 赵冰
5. A provably secure privacy-preserving multi-receiver heterogeneous aggregate signcryption scheme [J], 刘祥震; 张玉磊; 郎晓丽; 骆广萍; 王彩芬
Universally Composable Symbolic Analysis of Group Key Exchange Protocol (English)

Paper Collection

Universally Composable Symbolic Analysis of Group Key Exchange Protocol
Zhang Zijian, Zhu Liehuang, Liao Lejian
School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, P.R. China

Abstract: Canetti and Herzog have already proposed universally composable symbolic analysis (UCSA) to analyze mutual authentication and key exchange protocols. However, they do not analyze group key exchange protocols. Therefore, this paper explores an approach to analyze group key exchange protocols which realizes automation and guarantees the soundness of cryptography. Considering that there exist many kinds of group key exchange protocols and that the number of participants of each protocol is arbitrary, this paper takes the case of the Burmester-Desmedt (BD) protocol with three participants against a passive adversary (3-BD-Passive). In a nutshell, our work lays the root for analyzing group key exchange protocols automatically without sacrificing soundness of cryptography.

Key words: universally composable symbolic analysis; universally composable; mapping algorithm; Burmester-Desmedt protocol; group key exchange protocol

I. INTRODUCTION

Many studies have been carried out to analyze the security properties of group key exchange protocols [1-2]. But most of them are based on provable security in the computational model, which could guarantee the soundness of cryptography but not realize automation. On the contrary, the others are based on the Dolev-Yao model, which realizes automation easily but cannot guarantee the soundness of cryptography. Abadi and Rogaway [3] have bridged the gap between the symbolic model and the computational model on some distribution ensembles. Their work is theoretically significant, because they show the possibility to analyze cryptographic protocols automatically in the symbolic model besides guaranteeing the soundness of cryptography. After that, combining the universally composable (UC) model [4] and the symbolic model, Canetti and Herzog [5] have proposed universally composable symbolic analysis (UCSA) to analyze mutual authentication and key exchange protocols automatically based on [3]. Essentially, they have proved that security properties of a complex protocol can be satisfied in the UC model, if it can be decomposed into some simple single-session protocols which satisfy the security properties respectively in the symbolic model. In other words, according to [5], when analyzing a complex

lemma 1 and lemma 2, the conclusion of theorem 2 is obvious.

VI. CONCLUSIONS

In this paper, we explored an approach by which we can analyze group key exchange protocols automatically and guarantee the soundness of cryptography. In addition, a secure BD protocol with three participants against an active adversary can be constructed from 3-BD-Passive by the compiler of [1]. Furthermore, a secure BD protocol with three participants can be constructed to resist insider attack by the compiler of [2]. In a nutshell, our work lays the root for analyzing group key exchange protocols with an arbitrary number of participants automatically without sacrificing soundness of cryptography.

Acknowledgements
This paper is supported by National Natural Science Foundation of China No. 61003262, National Natural Science Foundation of China No. 60873237, and Doctoral Fund of Ministry of Education of China No. 20070007071.

References
[1] KATZ J, YUNG M. Scalable Protocols for Authenticated Group Key Exchange [J]. Journal of Cryptology, 2007, 20(1): 85–113.
[2] KATZ J, SHIN J S. Modeling Insider Attacks on Group Key Exchange Protocols [C] // Proceedings of the 12th ACM Conference on Computer and Communications Security. New York: ACM Press, 2005: 180–189.
[3] ABADI M, ROGAWAY P. Reconciling Two Views of Cryptography (the Computational Soundness of Formal Encryption) [J]. Journal of Cryptology, 2002, 15(2): 103–127.
[4] CANETTI R. Universally Composable Security: A New Paradigm for Cryptographic Protocols [C] // Proceedings of the 42nd Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 2001: 136–145.
[5] CANETTI R. Universally Composable Symbolic Security Analysis [J]. Journal of Cryptology, 2010, 23(1): 1–65.
[6] BLANCHET B. Automatic Verification of Correspondences for Security Protocols [J]. Journal of Computer Security, 2009, 17(4): 363–434.
[7] BURMESTER M, DESMEDT Y. A Secure and Efficient Conference Key Distribution System [C] // Advances in Cryptology - Eurocrypt, LNCS 950, Berlin: Springer-Verlag, 1994: 275–286.
[8] BURMESTER M, DESMEDT Y. Efficient and Secure Conference Key Distribution [C] // Proceedings of Security Protocols, LNCS 1189, Berlin: Springer-Verlag, 1996: 119–130.
[9] BURMESTER M, DESMEDT Y. A Secure and Scalable Group Key Exchange System [J]. Information Processing Letters, 2005, 94(3): 137–143.

Biographies
Zhang Zijian is currently a Ph.D. student at the School of Computer Science and Technology, Beijing Institute of Technology. His research interests include security protocol analysis, provable security, and group key exchange protocols. E-mail: zhangzijian@
Zhu Liehuang is currently an associate professor at the School of Computer Science and Technology, Beijing Institute of Technology. He is an expert in network security. His research interests include security protocol analysis and design, group key exchange protocols, wireless sensor networks and cloud computing. E-mail: liehuangz@
Liao Lejian is currently a professor at the School of Computer Science and Technology, Beijing Institute of Technology. He is an expert in the semantic web. His research interests include security protocol analysis and design, web services, the semantic web, model checking and logic. E-mail: liaolj@
Intelligent access protocol for power monitoring networks combined with the ECC algorithm

Vol. 46 No. 1, January 2024, Journal of Shenyang University of Technology
Received: 2021-12-17
Funding: Guangdong Province Science and Technology R&D Basic Research Project (JCYJ20190305125219789).
Author: CAO Xiaoming (b. 1987), male, from Zhanjiang, Guangdong; senior engineer, master's degree; mainly engaged in research on power monitoring and automated operation and maintenance.

Electrical Engineering  DOI: 10.7688/j.issn.1000-1646.2024.01.11

Intelligent access protocol for power monitoring networks combined with the ECC algorithm
CAO Xiaoming, ZHANG Huabing, YE Sisi, SHI Hongyu, WEI Lihao
(Operation and Maintenance Service Division, Digital Power Grid Research Institute Co., Ltd. of China Southern Power Grid, Guangzhou 510062, Guangdong)

Abstract: To further reduce the risk of attacks on power monitoring networks, an intelligent access protocol with high security performance is proposed based on the ECC public-key encryption algorithm.
By studying the basic architecture and security system of power monitoring networks, the various attack methods faced by power monitoring terminals are summarized.
On this basis, the intelligent access protocol for power monitoring networks is thoroughly improved using the ECC public-key encryption algorithm, which in turn optimizes several parameters of the protocol, such as encryption time, decryption time and security strength.
Simulation results show that, compared with the RSA-based protocol, the ECC-based intelligent access protocol has higher security strength.
Key words: power information network; transmission line; real-time monitoring; secure access; elliptic curve algorithm; identity authentication; security protocol; ECC public-key algorithm
CLC number: TM73; TN918  Document code: A  Article ID: 1000-1646(2024)01-0060-06

Security access protocol of power monitoring network based on ECC algorithm
CAO Xiaoming, ZHANG Huabing, YE Sisi, SHI Hongyu, WEI Lihao
(Operation and Maintenance Service Division, Digital Power Grid Research Institute Co., Ltd. of China Southern Power Grid, Guangzhou 510062, Guangdong, China)
Abstract: In order to further reduce the risk of attack on power monitoring network, a secure access protocol based on ECC public key encryption algorithm with high security performance was proposed. By studying the basic architecture and security system of power monitoring network, a variety of attack methods faced by power monitoring terminals were summarized. On this basis, the security access protocol suitable for power monitoring network was deeply improved by using ECC public key encryption algorithm, and then many parameters such as encryption time, decryption time and security strength were optimized. The simulation results show that the secure access protocol based on ECC algorithm has higher security strength in comparison with the classical RSA protocol.
Keywords: power information network; transmission line; real time monitoring; secure access; elliptic curve algorithm; authentication; security agreement; ECC public key algorithm

With the rapid development of the social economy, smart grids based on sensing, measurement, control, communication and other technologies have gradually been widely promoted and popularized.
Feasibility of simulated electrocardiogram-gated technology applied in cardiac CT scanning in children under 3 years old
ZHU Chen, XUN Chong, GUO Bin, YANG Ming, LI Shu* (Department of Radiology, the Affiliated Children's Hospital of Nanjing Medical University, Nanjing 210008, China)

[Abstract] Objective: To investigate the feasibility of simulated electrocardiogram (ECG)-gated technology applied in cardiac CT scanning in children under 3 years old. Methods: A total of 100 children under 3 years old with congenital cardiac diseases who received cardiac CT examinations (50 underwent real ECG gating [real ECG group] and 50 underwent simulated ECG gating [simulated ECG group]) were retrospectively analyzed. The subjective scores of imaging quality, including anatomical structure display score, beam-hardening artifact score and overall image quality score, were evaluated and compared between groups. Results: The imaging quality of both groups met the requirements of clinical diagnosis. The anatomical structure display score was 2 (2, 3), the beam-hardening artifact score was 3 (2, 3) and the overall image quality score was 4 (3, 5) in the real ECG group, while those of the simulated ECG group were 2 (2, 2), 2 (2, 3) and 4 (4, 5), respectively. No significant difference in the above scores was found between groups (Z=0.259, 1.424, 0.373; P=0.796, 0.154, 0.709). Conclusion: Simulated ECG-gated technology could be used in cardiac CT of children under 3 years old.
[Keywords] child; heart; tomography, X-ray computed; image quality; electrocardiogram-gated technology
DOI: 10.13929/j.issn.1672-8475.2023.11.012
Modern Cryptography, Chinese-English translation (partial)
Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Table of Contents

Front matter: Copyright; Hewlett-Packard® Professional Books; A Short Description of the Book; Preface; Scope; Acknowledgements; List of Figures; List of Algorithms, Protocols and Attacks

Part I: Introduction
Chapter 1. Beginning with a Simple Communication Game: 1.1 A Communication Game; 1.2 Criteria for Desirable Cryptographic Systems and Protocols; 1.3 Chapter Summary; Exercises
Chapter 2. Wrestling Between Safeguard and Attack: 2.1 Introduction; 2.2 Encryption; 2.3 Vulnerable Environment (the Dolev-Yao Threat Model); 2.4 Authentication Servers; 2.5 Security Properties for Authenticated Key Establishment; 2.6 Protocols for Authenticated Key Establishment Using Encryption; 2.7 Chapter Summary; Exercises

Part II: Mathematical Foundations: Standard Notation
Chapter 3. Probability and Information Theory: 3.1 Introduction; 3.2 Basic Concept of Probability; 3.3 Properties; 3.4 Basic Calculation; 3.5 Random Variables and their Probability Distributions; 3.6 Birthday Paradox; 3.7 Information Theory; 3.8 Redundancy in Natural Languages; 3.9 Chapter Summary; Exercises
Chapter 4. Computational Complexity: 4.1 Introduction; 4.2 Turing Machines; 4.3 Deterministic Polynomial Time; 4.4 Probabilistic Polynomial Time; 4.5 Non-deterministic Polynomial Time; 4.6 Non-Polynomial Bounds; 4.7 Polynomial-time Indistinguishability; 4.8 Theory of Computational Complexity and Modern Cryptography; 4.9 Chapter Summary; Exercises
Chapter 5. Algebraic Foundations: 5.1 Introduction; 5.2 Groups; 5.3 Rings and Fields; 5.4 The Structure of Finite Fields; 5.5 Group Constructed Using Points on an Elliptic Curve; 5.6 Chapter Summary; Exercises
Chapter 6. Number Theory: 6.1 Introduction; 6.2 Congruences and Residue Classes; 6.3 Euler's Phi Function; 6.4 The Theorems of Fermat, Euler and Lagrange; 6.5 Quadratic Residues; 6.6 Square Roots Modulo Integer; 6.7 Blum Integers; 6.8 Chapter Summary; Exercises

Part III: Basic Cryptographic Techniques
Chapter 7. Encryption — Symmetric Techniques: 7.1 Introduction; 7.2 Definition; 7.3 Substitution Ciphers; 7.4 Transposition Ciphers; 7.5 Classical Ciphers: Usefulness and Security; 7.6 The Data Encryption Standard (DES); 7.7 The Advanced Encryption Standard (AES); 7.8 Confidentiality Modes of Operation; 7.9 Key Channel Establishment for Symmetric Cryptosystems; 7.10 Chapter Summary; Exercises
Chapter 8. Encryption — Asymmetric Techniques: 8.1 Introduction; 8.2 Insecurity of "Textbook Encryption Algorithms"; 8.3 The Diffie-Hellman Key Exchange Protocol; 8.4 The Diffie-Hellman Problem and the Discrete Logarithm Problem; 8.5 The RSA Cryptosystem (Textbook Version); 8.6 Cryptanalysis Against Public-key Cryptosystems; 8.7 The RSA Problem; 8.8 The Integer Factorization Problem; 8.9 Insecurity of the Textbook RSA Encryption; 8.10 The Rabin Cryptosystem (Textbook Version); 8.11 Insecurity of the Textbook Rabin Encryption; 8.12 The ElGamal Cryptosystem (Textbook Version); 8.13 Insecurity of the Textbook ElGamal Encryption; 8.14 Need for Stronger Security Notions for Public-key Cryptosystems; 8.15 Combination of Asymmetric and Symmetric Cryptography; 8.16 Key Channel Establishment for Public-key Cryptosystems; 8.17 Chapter Summary; Exercises
Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions: 9.1 Introduction; 9.2 The RSA Bit; 9.3 The Rabin Bit; 9.4 The ElGamal Bit; 9.5 The Discrete Logarithm Bit; 9.6 Chapter Summary; Exercises
Chapter 10. Data Integrity Techniques: 10.1 Introduction; 10.2 Definition; 10.3 Symmetric Techniques; 10.4 Asymmetric Techniques I: Digital Signatures; 10.5 Asymmetric Techniques II: Data Integrity Without Source Identification; 10.6 Chapter Summary; Exercises

Part IV: Authentication
Chapter 11. Authentication Protocols — Principles: 11.1 Introduction; 11.2 Authentication and Refined Notions; 11.3 Convention; 11.4 Basic Authentication Techniques; 11.5 Password-based Authentication; 11.6 Authenticated Key Exchange Based on Asymmetric Cryptography; 11.7 Typical Attacks on Authentication Protocols; 11.8 A Brief Literature Note; 11.9 Chapter Summary; Exercises
Chapter 12. Authentication Protocols — The Real World: 12.1 Introduction; 12.2 Authentication Protocols for Internet Security; 12.3 The Secure Shell (SSH) Remote Login Protocol; 12.4 The Kerberos Protocol and its Realization in Windows 2000; 12.5 SSL and TLS; 12.6 Chapter Summary; Exercises
Chapter 13. Authentication Framework for Public-Key Cryptography: 13.1 Introduction; 13.2 Directory-Based Authentication Framework; 13.3 Non-Directory Based Public-key Authentication Framework; 13.4 Chapter Summary; Exercises

Part V: Formal Approaches to Security Establishment
Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems: 14.1 Introduction; 14.2 A Formal Treatment for Security; 14.3 Semantic Security — the Debut of Provable Security; 14.4 Inadequacy of Semantic Security; 14.5 Beyond Semantic Security; 14.6 Chapter Summary; Exercises
Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems: 15.1 Introduction; 15.2 The Optimal Asymmetric Encryption Padding; 15.3 The Cramer-Shoup Public-key Cryptosystem; 15.4 An Overview of Provably Secure Hybrid Cryptosystems; 15.5 Literature Notes on Practical and Provably Secure Public-key Cryptosystems; 15.6 Chapter Summary; 15.7 Exercises
Chapter 16. Strong and Provable Security for Digital Signatures: 16.1 Introduction; 16.2 Strong Security Notion for Digital Signatures; 16.3 Strong and Provable Security for ElGamal-family Signatures; 16.4 Fit-for-application Ways for Signing in RSA and Rabin; 16.5 Signcryption; 16.6 Chapter Summary; 16.7 Exercises
Chapter 17. Formal Methods for Authentication Protocols Analysis: 17.1 Introduction; 17.2 Toward Formal Specification of Authentication Protocols; 17.3 A Computational View of Correct Protocols — the Bellare-Rogaway Model; 17.4 A Symbolic Manipulation View of Correct Protocols; 17.5 Formal Analysis Techniques: State System Exploration; 17.6 Reconciling Two Views of Formal Techniques for Security; 17.7 Chapter Summary; Exercises

Part VI: Cryptographic Protocols
Chapter 18. Zero-Knowledge Protocols: 18.1 Introduction; 18.2 Basic Definitions; 18.3 Zero-knowledge Properties; 18.4 Proof or Argument?; 18.5 Protocols with Two-sided-error; 18.6 Round Efficiency; 18.7 Non-interactive Zero-knowledge; 18.8 Chapter Summary; Exercises
Chapter 19. Returning to "Coin Flipping Over Telephone": 19.1 Blum's "Coin-Flipping-By-Telephone" Protocol; 19.2 Security Analysis; 19.3 Efficiency; 19.4 Chapter Summary
Chapter 20. Afterremark
Bibliography

Copyright

Library of Congress Cataloging-in-Publication Data: A CIP catalog record for this book can be obtained from the Library of Congress.
Editorial/production supervision: Mary Sudul
Cover design director: Jerry Votta
Cover design: Talar Boorujy
Manufacturing manager: Maura Zaldivar
Acquisitions editor: Jill Harry
Marketing manager: Dan DePasquale
Publisher, Hewlett-Packard Books: Walter Bruce

A Short Description of the Book

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely.
It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

Preface

Our society has entered an era where commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over open computer and communications networks such as the Internet, in particular, via World Wide Web-based tools. Doing things online has a great advantage of an always-on availability to people in any corner of the world. Here are a few examples of things that have been, can or will be done online:

Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micropayment (e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts, time-stamping, notarization, voting, advertising, licensing, ticket booking, interactive games, digital libraries, digital rights management, pirate tracing, …

And more can be imagined.

Fascinating commerce activities, transactions and services like these are only possible if communications over open networks can be conducted in a secure manner. An effective solution to securing communications over open networks is to apply cryptography. Encryption, digital signatures, password-based user authentication, are some of the most basic cryptographic techniques for securing communications. However, as we shall witness many times in this book, there are surprising subtleties and serious security consequences in the applications of even the most basic cryptographic techniques. Moreover, for many "fancier" applications, such as many listed in the preceding paragraph, the basic cryptographic techniques are no longer adequate. With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services[a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols.
These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.

[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (with probability 0.7), which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reports that the cost to financial institutions (in the USA) due to electronic identity theft was US $1.4 billion in 2002, and forecasts it to grow at a compound annual growth rate of 29%.

In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionals unmatched by an evident shortage of them. As a result, many engineers, who are oriented to application problems and may have little proper training in cryptography and information security, have become "roll-up-sleeves" designers and developers for information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.

The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applying cryptographic algorithms and schemes in the ways they are usually introduced in many cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearance of textbook crypto in serious applications with a "non-negligible probability" has caused the author to realize that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.

Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:

Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.
Reveal the general insecurity of textbook crypto by demonstrating a large number of attacks on, and summarizing typical attacking techniques for, such systems.
Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.
Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.
Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.

Scope

Modern cryptography is a vast area of study as a result of fast advances made in the past thirty years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes and protocols with their strong security properties evidently established.

The book is organized into the following six parts:

Part I This part contains two chapters (1—2) and serves as an elementary-level introduction for the book and the areas of cryptography and information security.
Chapter 1 begins with a demonstration of the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (the first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere.

As an elementary-level introduction, this part is intended for newcomers to the areas.

Part II This part contains four chapters (3—6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations.

This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.

Part III This part contains four chapters (7—10) introducing the most basic cryptographic algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world in which data are random. Finally, Chapter 10 covers data integrity techniques.

Since the schemes and techniques introduced here are the most basic ones, many of them are in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated with warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and their strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the general insecurity of textbook crypto.

Part IV This part contains three chapters (11—13) introducing an important notion in applied cryptography and information security: authentication. These chapters provide a wide coverage of the topic. Chapter 11 includes technical background, principles, a series of basic protocols and standards, common attacking tricks and prevention measures. Chapter 12 is a case study for four well-known authentication protocol systems for real world applications. Chapter 13 introduces techniques which are particularly suitable for open systems which cover up-to-date and novel techniques.

Practitioners, such as information security systems administration staff in an enterprise and software/hardware developers whose products have security consequences, may find this part helpful.

Part V This part contains four chapters (14—17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions.
The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.

Part VI This is the final part of the book. It contains two technical chapters (18—19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.

Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtleties. In addition, a description of a fit-for-application scheme or protocol must also end at an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasonings, deductions and transformations in order to manifest attacks and fixes.

While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be mastered via light reading, this book, nonetheless, is not one for in-depth research topics which will only be of interest to specialist cryptographers. The things reported and explained in it are well-known and quite elementary to cryptographers. The author believes that they can also be comprehended by non-specialists if the introduction to the subject is provided with plenty of explanations and examples and is supported by self-contained mathematical background and reference material.

The book is aimed at the following readers.

Students who have completed, or are near to completion of, first degree courses in computer, information science or applied mathematics, and plan to pursue a career in information security. For them, this book may serve as an advanced course in applied cryptography.

Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbook crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols and so they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.

Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by
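The preface's example of textbook crypto, direct encryption of a short password under plain RSA, can be made concrete. The following is an added example, not code from the book: it generates a toy RSA key, encrypts a four-digit PIN "textbook style", and shows that an attacker holding only the public key recovers the PIN by trial encryption, because textbook RSA is deterministic and the message space is tiny. The hardened variant prefixes a random nonce so the same attack fails; that pad is a stand-in written for this demo to show why randomization matters, not OAEP, and is not a secure padding in its own right. The 512-bit modulus, the PIN value and the nonce width are assumptions chosen to keep the demo fast.

```python
# Added example, not code from the book: the preface's "direct encryption of a password
# under textbook RSA" and the attack it invites. Key size is kept small (512-bit modulus)
# only so the demo runs in about a second; the attack works identically at any key size.
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Returns ((n, e), (n, d)). Toy key size; real deployments use at least 2048-bit n."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def textbook_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def textbook_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def int_of(password):
    return int.from_bytes(password.encode(), "big")


def dictionary_attack(pub, ciphertext, candidates):
    """Attacker model: knows the public key, sees c = m^e mod n, can enumerate m.
    Textbook RSA is deterministic, so trial-encrypting each guess and comparing to c
    recovers m; no private key is needed."""
    for guess in candidates:
        if textbook_encrypt(pub, int_of(guess)) == ciphertext:
            return guess
    return None


PAD_BITS = 64   # demo assumption: the secret fits in 64 bits (a short PIN or password)


def randomized_encrypt(pub, m):
    """Stand-in for proper randomized padding: a fresh 128-bit nonce is prefixed so two
    encryptions of the same m differ. This is NOT OAEP and is not a secure padding;
    it only shows why randomization defeats trial encryption."""
    n, e = pub
    assert m < (1 << PAD_BITS)
    padded = (int.from_bytes(secrets.token_bytes(16), "big") << PAD_BITS) | m
    assert padded < n
    return pow(padded, e, n)


def randomized_decrypt(priv, c):
    return textbook_decrypt(priv, c) & ((1 << PAD_BITS) - 1)


def four_digit_pins():
    return (f"{i:04d}" for i in range(10000))


def demo_textbook_is_broken(pin="4931"):
    """True when the attacker recovers the PIN from the textbook ciphertext."""
    pub, _ = rsa_keygen()
    return dictionary_attack(pub, textbook_encrypt(pub, int_of(pin)), four_digit_pins()) == pin


def demo_randomized_resists(pin="4931"):
    """True when the same attack fails against the randomized ciphertext."""
    pub, _ = rsa_keygen()
    return dictionary_attack(pub, randomized_encrypt(pub, int_of(pin)), four_digit_pins()) is None


if __name__ == "__main__":
    print("textbook RSA leaks the PIN:", demo_textbook_is_broken())
    print("randomized encryption resists:", demo_randomized_resists())
```

The point the preface makes is visible in `dictionary_attack`: it never touches the private key. Any deterministic public-key encryption of a low-entropy value (PIN, password, short identifier) is searchable this way, which is why fit-for-application schemes such as RSA-OAEP (Chapter 15 in the table of contents above) randomize every encryption.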
Reading and Translating Scientific and Technical English Literature, Unit 1, Text B
As the Internet and other forms of electronic communication become more prevalent, electronic security is also becoming increasingly important. Cryptography is used to protect e-mail messages, credit card information, and corporate data.
The public key can be certified using an electronic certificate issued and signed by a certification authority.
private key
It is the key for use with asymmetric encryption that is accessible to the key holder only. Asymmetric encryption uses different keys for encryption and decryption. Each participant is assigned a pair of keys, consisting of an encryption key and a corresponding decryption key.
Information Security Technology: Health Data Security Guide (English)

In the digital age, the healthcare industry has undergone a significant transformation, with the widespread adoption of electronic health records (EHRs) and the increasing reliance on technology to manage and store sensitive patient data. As a result, the importance of information security in the healthcare sector has become paramount. Ensuring the confidentiality, integrity, and availability of health data is not only a legal requirement but also a moral obligation to protect the well-being and privacy of patients.

The field of information security encompasses a wide range of techniques and technologies designed to safeguard digital information from unauthorized access, modification, or destruction. In the context of healthcare, these security measures are crucial in maintaining the trust of patients and ensuring the seamless delivery of medical services.

One of the primary concerns in healthcare data security is the protection of personal health information (PHI). PHI includes a wide range of sensitive data, such as medical histories, diagnoses, treatment plans, and financial information. This data is highly valuable and must be secured to prevent unauthorized access, which could lead to identity theft, financial fraud, or even the exploitation of vulnerable individuals.

To address this challenge, healthcare organizations must implement robust security measures that align with industry standards and regulations. These measures include the use of encryption technologies, access controls, and comprehensive data backup and recovery plans. Additionally, regular security assessments and employee training programs are essential to identify and mitigate potential vulnerabilities.

Encryption is a fundamental aspect of healthcare data security. By converting plaintext data into an unreadable format, encryption ensures that even if unauthorized individuals gain access to the data, they will be unable to make sense of it. Healthcare organizations should employ standard, well-reviewed algorithms: a symmetric cipher such as AES (Advanced Encryption Standard) for the data itself, at rest and in transit, with public-key algorithms such as RSA (Rivest-Shamir-Adleman) or elliptic-curve schemes used to establish or wrap the symmetric keys rather than to encrypt bulk records.

Access controls are another crucial component of healthcare data security. Healthcare organizations must implement robust identity and access management (IAM) systems to ensure that only authorized personnel can access and interact with sensitive data. This includes the use of multi-factor authentication, role-based access controls, and regular review of user permissions.

In addition to technical security measures, healthcare organizations must also focus on the human element of information security. Employees play a crucial role in maintaining the security of health data, and it is essential to provide comprehensive training programs that educate staff on best practices for data handling, incident response, and the importance of adhering to security protocols.

Another significant aspect of healthcare data security is the implementation of comprehensive data backup and recovery plans. In the event of a data breach, natural disaster, or system failure, healthcare organizations must be able to quickly restore their data and resume operations. This requires the implementation of robust backup and disaster recovery strategies, including the use of offsite storage, redundant systems, and regular testing of recovery procedures.

Regulatory compliance is also a critical consideration in healthcare data security. Healthcare organizations must adhere to various regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States or the General Data Protection Regulation (GDPR) in the European Union. These regulations establish strict requirements for the protection of patient data and impose significant penalties for non-compliance.

To ensure compliance and maintain the trust of patients, healthcare organizations must continuously monitor their security posture, conduct regular risk assessments, and implement appropriate security controls. This may involve the engagement of specialized security professionals, the adoption of advanced security technologies, and the implementation of comprehensive incident response and breach notification procedures.

In the ever-evolving landscape of healthcare technology, the importance of information security cannot be overstated. By implementing robust security measures, healthcare organizations can protect sensitive patient data, maintain compliance with regulatory requirements, and ensure the continued delivery of high-quality medical services. As the healthcare industry continues to embrace digital transformation, the need for a comprehensive and proactive approach to data security will only become more critical.
Cryptographic Key Management: A Beginner's Guide (manual)
Cryptographic Key Management: A Beginner's Guide

Overview

Cryptography is almost as old as human civilization, dating back to the ancient Egyptians. It was used to pass coded messages containing vital information between a commander and their forces. Julius Caesar developed a famous cryptographic system to communicate with his senior officers: each letter of the message was shifted three places to the right to produce what is called the ciphertext.

Breaking a Caesar cipher can be achieved in two ways, frequency analysis or brute force. Frequency analysis uses the fact that certain letters occur more often than others to guess the plaintext. Brute force requires only 26 candidate shifts to be tried (one for each letter of the English alphabet), which quickly reveals the plaintext.

It was the 16th-century French diplomat Blaise de Vigenère who introduced the idea of cryptographic keys (the cipher that bears his name was in fact first described by the Italian Giovan Battista Bellaso). With the development of keys, you no longer had to worry about the secrecy of the encryption method or algorithm, only about the secrecy of the key. Users could generate a ciphertext using a look-up table of rotated alphabets, indexed by the key letter and the plaintext letter. One weakness of this scheme is that the key is repeated until it matches the length of the plaintext, which makes the cipher susceptible to several code-breaking methods.

It wasn't until the 20th century that cryptography came into widespread use. Notable developments of the 20th century were the Enigma machine, the US Data Encryption Standard (DES), the invention of asymmetric encryption and the Advanced Encryption Standard (AES) competition. The 21st century promises even greater change with the advent and growth of quantum computing.

Everyone has heard about famous cybercrimes such as Stuxnet, the cyber attacks on Estonia, the Mt. Gox hack and the PlayStation Network hack, to name but a few. The internet is home to a multitude of ransomware, malware and other viruses that attack businesses, governments and families. But hackers are only part of the equation when it comes to cybersecurity. There is an unseen layer of validation that underpins all cybersecurity: cryptographic keys and encryption.

Encryption and the keys involved in the encryption process are, for most of us, an invisible part of everyday modern life. However, how these keys are managed and controlled is vitally important, with extremely serious repercussions should keys fall into the wrong hands. That is precisely why keys must be protected from generation to retirement, both by following industry best practices and by employing Hardware Security Modules (HSMs).

Encryption and authentication are everywhere in modern life: bank cards and payment systems, the internet, mobile phones, even cars. Virtually anything you do has some form of encryption or authentication behind it. And what does encryption need? It needs data to encrypt, an algorithm to perform the encryption and, perhaps most importantly, the key or key material. It doesn't matter how strong your encryption algorithm is: if a third party gains access to the key, they can rapidly decrypt your data. That key could be giving access to your bank account, securing all your business's trade secrets, or protecting international defense or financial systems.

Now let's look at two scenarios to put encryption and key management in context.

Losing Data Versus Losing an Encryption Key

As we've seen, encryption keys are like the keys to door locks. So, can you pick the lock?

In Scenario One, you lose encrypted data. If the data has been encrypted with a well-implemented, strong algorithm such as AES-256, decrypting it without the key should be an enormous amount of work.
Brute forcing AES-256 on the fastest supercomputer in the world at the time of writing, IBM's Summit at Oak Ridge National Laboratory, which delivers a peak of 200 petaFLOPS, would take on the order of 10 million trillion trillion trillion trillion years. That is a whole lot of computing power and a very long time. If you lose encrypted data, the chances are it will remain safe and secure, provided the key was not lost with it.

In Scenario Two, you lose an encryption key. There are really only two possible outcomes:

1. The key is lost and never discovered by anyone, and the data remains encrypted and secure, whether for good or bad (if there is no backup of the key, the data is effectively gone too).
2. The key is lost and found by a third party, who uses it to decrypt all of the encrypted data at a rate constrained only by the speed of the decryption implementation.

Rigorous key management is vital to ensuring that Scenario Two remains a "what if" for your organization.

The Keys That Make the Digital World Go Round

"Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system." (Bruce Schneier)

A Primer on Key Management Operations

Key management is the set of operations needed to ensure a key is created, stored, used, rotated and revoked securely. The key management lifecycle has eight operations:

1. Generation
2. Distribution
3. Use
4. Storage
5. Rotation
6. Revocation
7. Backup/Recovery
8. Auditing

Key generation is the first critical step in the key management chain. There are a myriad of ways to perform this operation, but the desired outcome is the same: quickly generating a sequence of N bits with maximal entropy. In broad terms these methods fall into two groups, true random number generators (TRNGs) and deterministic random bit generators seeded from them; here we are concerned only with TRNGs. TRNGs are usually based on a naturally occurring source of noise, such as the thermal noise in a resistor or diode.

Now that a key has been generated, it is imperative that it be stored and distributed as its value dictates.
There are various ways of keeping keys secure, involving layers of physical security and/or encryption of the keys themselves, with procedures in place to ensure they remain secret and retain their integrity.

At the simplest level, keys may be protected by a user's password on a mobile phone. At the other extreme they may be stored in a highly specialised device known as a Hardware Security Module (HSM) that is air-gapped and can only be accessed when a certain number of users and their access-control cards are present. There are many intermediate options, such as Trusted Execution Environments (TEEs), Trusted Platform Modules (TPMs) and cloud HSMs. The strength of protection required depends on the value of the data protected by the keys and, in some industries, on regulatory and compliance legislation.

The next step of the key lifecycle is ensuring the safe distribution of keys. Some keys are distributed unencrypted under armed guard, but the vast majority are distributed in encrypted form and decrypted at the point of use. Asymmetric-key or public-key infrastructure (PKI) distribution methods using X.509 certificates dominate and form the basis of most everyday communications, such as TLS on the internet.

After distribution and receipt of the key, it can be used for cryptographic operations by an authorised user, with safeguards in place to ensure the key is not misused, copied and so on. However, using a key securely has its own challenges. The encryption algorithm must be implemented correctly, in such a way that it does not leak plaintext or key material into the encrypted data path. The implementation must also take side-channel attacks into account: cache attacks, timing attacks, power-monitoring attacks and electromagnetic attacks.
It is a modern-day arms race between adversaries devising new and novel attack vectors and researchers continually working to mitigate these threats.

Industry standards such as FIPS 140-2 and FIPS 140-3 define an industry-wide range of protection measures for cryptographic modules, including how they store and handle keys. These standards define four levels of protection:

• Level 1, the lowest, requires approved algorithms, but they can be executed on a general-purpose computer running an unevaluated operating system.
• Level 2 builds on Level 1, adding requirements for physical tamper evidence and role-based authentication, and placing some requirements on the operating system.
• Level 3 adds requirements for physical tamper resistance and identity-based authentication, and for physical or logical separation of the interfaces through which critical security parameters enter and leave the module.
• Level 4 is the highest level and requires enhanced physical security to prevent and detect tampering, and protection against environmental attacks such as out-of-range voltage or temperature.

Once a key's cryptoperiod, the time period for which the key may be used, has passed, the key must be rotated: the current key is retired and replaced with a new key. For data at rest, this means decrypting the data with the existing key and re-encrypting it with the new one. (Systems that use envelope encryption, where each object is encrypted under its own data key and the data keys are wrapped under a master key, avoid touching the bulk data on rotation: only the wrapped data keys are re-wrapped under the new master key.) The main benefits of key rotation are:

• it limits the amount of information protected by any one key that is available for cryptanalysis;
• it limits the exposure if a specific key is compromised;
• it avoids certain known, and protects against future unknown, algorithmic weaknesses that may be key-dependent or that ultimately reduce key lifespan.
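The rotation step described above, as an added example that is not part of the guide: an envelope-encryption layout in Python where data is encrypted under a per-object data-encryption key (DEK) and the DEK is wrapped under a key-encryption key (KEK) held by a key manager, so rotating the KEK re-wraps a few bytes per object instead of re-encrypting all data at rest. The `KeyManager`, `EncryptedObject` and the sample record are constructed for this example, and the AEAD is a standard-library stand-in (HMAC-SHA256 in counter mode with encrypt-then-MAC) chosen so the block runs without third-party packages; a real deployment would use AES-256-GCM from a vetted library or an HSM.

```python
"""Key rotation with envelope encryption (added example, not from the guide)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a PRF-based keystream of `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in AEAD (illustration only): returns nonce || ciphertext || tag.
    `aad` is authenticated but not encrypted."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Raises ValueError on a wrong key, tampered data or mismatched aad."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class EncryptedObject:
    """What is stored at rest: the data plus the metadata needed to recover it."""
    kek_version: int     # which KEK the DEK is wrapped under
    wrapped_dek: bytes   # DEK encrypted under that KEK
    ciphertext: bytes    # data encrypted under the DEK


class KeyManager:
    """Holds KEK versions; in practice this is the HSM / KMS boundary."""

    def __init__(self):
        self.keks = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate_kek(self) -> int:
        """Generate a new KEK and make it current; old versions stay until re-wrapping is done."""
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire_kek(self, version: int) -> None:
        """Destroy an old KEK once no object is wrapped under it."""
        del self.keks[version]

    def wrap(self, dek: bytes):
        v = self.current
        # The KEK version is bound into the wrapping as associated data.
        return v, aead_encrypt(self.keks[v], dek, aad=b"kek-v%d" % v)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return aead_decrypt(self.keks[version], wrapped, aad=b"kek-v%d" % version)


def encrypt_object(km: KeyManager, data: bytes) -> EncryptedObject:
    dek = secrets.token_bytes(32)  # fresh DEK per object
    v, wrapped = km.wrap(dek)
    return EncryptedObject(v, wrapped, aead_encrypt(dek, data))


def decrypt_object(km: KeyManager, obj: EncryptedObject) -> bytes:
    dek = km.unwrap(obj.kek_version, obj.wrapped_dek)
    return aead_decrypt(dek, obj.ciphertext)


def rewrap_object(km: KeyManager, obj: EncryptedObject) -> EncryptedObject:
    """The rotation step: re-wrap the DEK under the current KEK; the data is untouched."""
    dek = km.unwrap(obj.kek_version, obj.wrapped_dek)
    v, wrapped = km.wrap(dek)
    return EncryptedObject(v, wrapped, obj.ciphertext)


def rotation_demo() -> dict:
    """Run one rotation over a constructed sample record and report what changed."""
    km = KeyManager()
    record = b"patient 4711: blood type O-"  # constructed sample data
    obj = encrypt_object(km, record)
    km.rotate_kek()
    rewrapped = rewrap_object(km, obj)
    km.retire_kek(1)  # old KEK destroyed once nothing is wrapped under it
    try:
        decrypt_object(km, obj)  # the stale copy still references KEK v1
        old_wrapping_usable = True
    except KeyError:
        old_wrapping_usable = False
    return {
        "data_untouched": rewrapped.ciphertext == obj.ciphertext,
        "wrapped_dek_changed": rewrapped.wrapped_dek != obj.wrapped_dek,
        "kek_version": rewrapped.kek_version,
        "plaintext": decrypt_object(km, rewrapped),
        "old_wrapping_usable": old_wrapping_usable,
    }
```

Two design points carry over to real systems: the KEK version travels with the object as metadata (the guide's point that metadata must be backed up alongside keys applies to exactly this field), and the old KEK is retired only after every object has been re-wrapped, which is what makes rotation safe to run incrementally rather than as a single synchronized cut-over.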
While retiring and refreshing keys seems an obvious measure, key rotation introduces a few challenges:

• For data at rest, decrypting and re-encrypting any significant volume of data takes considerable time, during which that data may be unavailable.
• All instances of the current key have to be updated securely with the new key.
• Key rotation for all systems and users must be synchronized.

Key rotation is not the only way of dealing with a compromised key; revocation and destruction are the other options. Revoking a key means it can no longer be used to encrypt or decrypt data, even if its cryptoperiod has not expired. Destroying a key, whether because of compromise or because it is no longer used, deletes the key permanently from all systems. This makes it impossible to recreate the key, unless a backup copy exists.

Key backup and recovery come next. Like any important data, keys should be backed up against loss or corruption; keys are often needed for continued operations and cannot easily be replaced. Backing up key material on independent, secure storage media provides the option of key recovery if required. However, a backup is a duplicate of the key, created under strictly controlled policies and conditions, and it must be protected by the same or stronger mechanisms as the original key material. It may not be just the key that must be backed up: associated metadata (for example the key identifier, algorithm, cryptoperiod and permitted uses) must be safely duplicated as well.

In the event a key must be recovered, the first thing to determine is why. If recovery is required because a key is corrupted, the source of the corruption should be determined to ensure it was not a side effect of the key being compromised.
Similarly, if key recovery is required because a key has been lost, the whereabouts of the key, and whether it has been compromised, must be analyzed to ensure that recovery does not lead to further data exposure.

The sequence of key management operations performed on key material by a key management system should be periodically audited to ensure that key management policies and guidelines have been adhered to. Each stage of the key lifecycle must be checked for compliance in physical, logical and personnel terms. The key management system should provide a dedicated user type that can only perform these audits and cannot perform any other key management task. The logs generated by the system and reviewed by this user must have built-in mechanisms, such as cryptographic chaining or signing of entries, so that their integrity and authenticity can be verified.

As part of the audit, the key management system should be checked for any visible signs of tamper or intrusion, and the system's audit logs should be checked for any recorded tamper events.
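The audit requirements above, as an added example that is not part of the guide: a tamper-evident audit log in Python in which every entry carries an HMAC over its own fields and the previous entry's tag, plus a verifier that replays the log key by key to confirm that the recorded operations follow the lifecycle (generate before use, nothing after destroy) and that the audit-only role never touched a key. The role table, the lifecycle state machine and the sample events are assumed for this example; the log key is taken to live somewhere the log writers cannot read, as an HSM or a separate signing service would provide.

```python
"""Tamper-evident key-management audit log with policy replay (added example)."""
import hashlib
import hmac
import json

# Assumed policy: operations each role may perform.  The auditor may read the
# log but may not perform any key management task.
ROLE_PERMISSIONS = {
    "key-admin": {"generate", "rotate", "revoke", "destroy", "backup"},
    "app": {"use"},
    "auditor": set(),
}
# Assumed lifecycle: (current state, operation) -> next state for a key id.
NEXT_STATE = {
    ("none", "generate"): "active",
    ("active", "use"): "active",
    ("active", "backup"): "active",
    ("active", "rotate"): "active",
    ("active", "revoke"): "revoked",
    ("active", "destroy"): "destroyed",
    ("revoked", "destroy"): "destroyed",
}


def _tag(log_key: bytes, prev_tag: str, fields: dict) -> str:
    """HMAC over the previous tag and a canonical encoding of this entry's fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(log_key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_entry(log: list, log_key: bytes, seq: int, actor: str, role: str,
                 op: str, key_id: str) -> dict:
    """Append a chained entry.  Without log_key an entry cannot be re-tagged,
    so editing one breaks its tag; deleting or reordering breaks the chain at
    the next entry and leaves a gap in the sequence numbers."""
    prev = log[-1]["tag"] if log else "genesis"
    fields = {"seq": seq, "actor": actor, "role": role, "op": op, "key_id": key_id}
    entry = dict(fields, tag=_tag(log_key, prev, fields))
    log.append(entry)
    return entry


def verify_log(log: list, log_key: bytes) -> list:
    """Return a list of findings; an empty list means intact and policy-compliant."""
    findings = []
    prev = "genesis"
    states = {}  # key_id -> lifecycle state, rebuilt key by key from the log
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(entry["tag"], _tag(log_key, prev, fields)):
            findings.append(f"entry {i}: chain broken (entry modified or a gap before it)")
        prev = entry["tag"]
        if entry["seq"] != i:
            findings.append(f"entry {i}: sequence number {entry['seq']} (entry removed or reordered)")
        if entry["op"] not in ROLE_PERMISSIONS.get(entry["role"], set()):
            findings.append(f"entry {i}: {entry['actor']} ({entry['role']}) not permitted to {entry['op']}")
        state = states.get(entry["key_id"], "none")
        nxt = NEXT_STATE.get((state, entry["op"]))
        if nxt is None:
            findings.append(f"entry {i}: '{entry['op']}' on {entry['key_id']} while {state}")
        else:
            states[entry["key_id"]] = nxt
    return findings


def build_sample_log(log_key: bytes) -> list:
    """Constructed sample: a clean lifecycle for key k1 followed by two violations."""
    events = [
        ("alice", "key-admin", "generate", "k1"),
        ("alice", "key-admin", "backup", "k1"),
        ("svc-db", "app", "use", "k1"),
        ("alice", "key-admin", "revoke", "k1"),
        ("svc-db", "app", "use", "k1"),       # use after revocation
        ("carol", "auditor", "destroy", "k1"),  # auditor performing a key operation
    ]
    log = []
    for seq, (actor, role, op, key_id) in enumerate(events):
        append_entry(log, log_key, seq, actor, role, op, key_id)
    return log
```

Run `verify_log(build_sample_log(k), k)` and the two policy violations are reported while the chain itself verifies; change any field of a stored entry, or delete one, and the chain or sequence check reports it. The per-key state replay is the automated form of the "key-by-key" review the guide asks for.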
The audit logs should also be reviewed to ensure that the expected operations were performed on the individual keys managed by the system, on a key-by-key basis, and to verify which user performed those operations.

Audit and compliance regulations vary from industry to industry, but two of the most commonly encountered authorities are the National Institute of Standards and Technology (NIST) and the Payment Card Industry Security Standards Council (PCI SSC).

The Fundamental Best Practices of Key Management

Remember that the aim of key management is to prevent data compromise and meet compliance regulations, so the first step is to develop a key management plan that sets out what regulatory compliance is required and how best practices are going to be applied. Standards created by NIST, and regulations and standards such as PCI DSS, FIPS and HIPAA, expect users to follow certain best practices to maintain the security of the cryptographic keys used to protect sensitive data. We now look at some of these best practices.

Key generation: Key generation is extremely important, and closely linked to it is the rule never to hard-code key values anywhere. Hard-coding a key into source code of any kind, open source or not, instantly compromises the key: anyone with access to that code now has the key material, and a key committed to a repository remains in its history even after the line is removed. Recently, in the UK, an IT professional was threatened with legal action after flagging an exposed GitHub repository containing credentials and insecure code.

Least privilege: The principle of least privilege is that users should have access only to the keys, and to the subset of key management operations, that are absolutely necessary for their work. By strictly limiting who can access what and do what, you reduce the risk of both intentional and unintentional data breaches and make it easier to identify the source of any breach that does occur.
Hardware Security Modules: HSMs are physical devices that store cryptographic keys and perform key management and cryptographic operations, such as encryption, decryption, digital signing and authentication, in a trusted environment. They come in a variety of security levels, with the highest levels providing significant physical protection and responding to attempted intrusion by securely erasing any stored key material.

Create and enforce policies: Creating and enforcing security policies relating to encryption keys is another way to ensure the safety and compliance of a key management system. Security policies specify the processes that must be followed, which should be designed to leave an audit trail of who has performed what operations on which keys.

Separation of duties: Separation of duties within key management is closely related to the principle of least privilege and to policies. By creating distinct duties or user types that can only perform certain operations, an additional layer of security is applied: multiple users would need to collude for key material to be stolen or manipulated inappropriately and for the audit trail to be erased.

Key splitting: One final practice that strengthens any key management system is splitting keys, or the keys that grant access, into multiple shares. No one person then possesses, or can use, the entire key, and a quorum of people, though not necessarily all of them, must come together to reconstitute or use the key.

HSMs - Smart Key Management

Hardware Security Modules, or HSMs, are dedicated physical devices designed to store cryptographic keys and perform key management and cryptographic operations, such as encryption, decryption, digital signing and authentication, in a trusted environment. They come in a variety of security levels, often validated by third parties against FIPS 140, Common Criteria or PCI requirements, with the highest levels providing significant physical protection and responding to attempted intrusion by securely erasing any stored key material.

An HSM can be considered a trust anchor, and trust anchors protect the services we use every day: the internet, TLS, DNS, banking, mobile devices, code signing, smart meters, IoT devices, bank and credit cards, mobile payments, document management systems and so on.

Because of the value and sensitivity of the key material they hold, HSMs generally have a range of security features to enforce least privilege, separation of duties and key splitting, with physical protection measures providing tamper evidence, tamper resistance or tamper response. They are also typically certified to internationally recognised standards such as Common Criteria or FIPS 140 to provide an independent assessment and assurance of the security measures in place.

The Ultra KeyperPLUS HSM has previously been evaluated to FIPS 140-2 Level 4 and is currently undergoing re-evaluation following an algorithm and hardware refresh. As the only standalone Level 4 HSM on the market, KeyperPLUS was designed to limit all potential points of access with a tamper-resistant design, ensuring that only those with the intended permission may access the sensitive data it protects. Through rigorous management of any avenues of physical or digital infiltration, KeyperPLUS delivers a solution that meets the most stringent security standards. Based on this core technology, Ultra has built a product range for the PKI, VPN and internet security markets.

The KeyperPLUS HSM is ideally suited to businesses and organizations deploying a cryptographic system where the protection of cryptographic keys is a priority, for example those requiring certificate signing, code or document signing, or bulk generation or encryption of keys or data.

Protecting Keys in Transit

Even today, in many instances, humans have to deliver new key material, often to inhospitable or dangerous places. Ultra's solutions allow key material to be moved electronically, reducing costs, the chance of costly errors, security breaches and more. They avoid duplication and ensure all key material movements are tracked and audited.

The Remote Cryptographic Management System (RCMS) provides monitoring, control and key delivery to dispersed stations over TCP/IP networks, greatly enhancing access to remote locations, lowering travel requirements and improving visibility of system operations. Using a net-centric approach to secure remote cryptographic system management, RCMS includes a software controller that provides key management capability and allows the operator to remotely load keys to MIDS terminals over a secure Ethernet LAN connection.

Cryptographic keys underpin our digital reality, and as more and more of our lives move online, the imperative to protect these keys is paramount.
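The key-splitting best practice above, and the "certain number of users and their access-control cards" quorum described for HSM access earlier in the guide, rest on threshold secret sharing. As an added example that is not part of the guide, here is Shamir's (k, n) scheme in Python: the key is the constant term of a random polynomial of degree k-1 over a prime field, each custodian receives one point on the polynomial, any k points reconstruct the key by Lagrange interpolation, and k-1 points are consistent with every possible key. The field prime 2^256 - 189 and the 32-byte sample key are choices made for this example.

```python
"""Key splitting with Shamir's (k, n) threshold scheme (added example, not from the guide)."""
import secrets

# 2^256 - 189 is the largest prime below 2^256; any prime larger than the
# secret works.  Chosen here so 32-byte keys fit in one field element.
P = 2**256 - 189


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x^i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n shares (x, y); any k of them reconstruct `secret` (at most 32 bytes)."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # coeffs[0] is the secret; the other k-1 coefficients are uniformly random,
    # which is what makes any k-1 shares carry no information about the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0 over the given shares (must be k distinct ones)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(length, "big")


def demo():
    """3-of-5 split of a constructed 32-byte key; returns the recovered keys."""
    key = bytes(range(32))  # constructed sample key material
    shares = split_secret(key, k=3, n=5)
    quorum = [shares[4], shares[0], shares[2]]       # any three custodians
    too_few = shares[:2]                             # below the threshold
    return recover_secret(quorum, 32) == key, recover_secret(too_few, 32) == key
```

Shares should be issued to custodians over independent channels and never stored together; reconstruction, where it happens at all, belongs inside the HSM, which is why production HSMs present the operator with a card quorum rather than ever exporting the assembled key.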
Analysis of ECG-Based Biometric Identification Technology

Journal of Henan Science and Technology, Issue 22 of 2021 (No. 756 overall), August 2021

Analysis of ECG-Based Biometric Identification Technology
CHEN Chen (Patent Examination Cooperation (Tianjin) Center of the Patent Office, CNIPA, Tianjin 300300)

Abstract: Biometric identification technology based on the electrocardiogram (ECG) is a kind of living identity recognition with high anti-counterfeiting properties. ECG identification technology can be divided into two categories: one is based on non-reference (non-fiducial) points, in which the amount of waveform analysis information and storage is large; the other is based on feature (fiducial) point extraction, whose recognition rate and system stability mainly depend on the positioning accuracy of each reference point, and that positioning accuracy is affected by many factors such as individual differences and noise generated in the process of ECG acquisition. At the same time, which feature points should be selected as the key points for identity recognition, and how to select more effective training and learning algorithms and classification algorithms, are also key research fields of ECG identity recognition in the future.

Keywords: biometrics; identification; electrocardiogram signal
CLC number: TN911.7; Document code: A; Article ID: 1003-5168(2021)22-0013-03

At present, a biometric trait usable for identity recognition generally satisfies four conditions simultaneously [1].
Cryptography and Encryption
Cryptography and Encryption

KOSTAS ZOTOS, ANDREAS LITKE
Dept. of Applied Informatics, University of Macedonia
54006 Thessaloniki, GREECE
{zotos, litke}@uom.gr

Abstract. In cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. This is usually done for secrecy, and typically for confidential communications. Encryption can also be used for authentication, digital signatures, digital cash, etc. In this paper we examine and analyse these topics in detail.

Key words: cryptography; ciphers; encryption

1. Introduction

The fundamental objective of cryptography is to enable two people, usually referred to as Alice and Bob, to communicate over an insecure channel in such a way that an opponent, Oscar, cannot understand what is being said. This channel could be a telephone line or a computer network, for example. The information that Alice wants to send to Bob, which we call "plaintext", can be English text, numerical data, or anything at all; its structure is completely arbitrary. Alice encrypts the plaintext using a predetermined key and sends the resulting ciphertext over the channel. Oscar, upon seeing the ciphertext by eavesdropping on the channel, cannot determine what the plaintext was; but Bob, who knows the decryption key, can decrypt the ciphertext and reconstruct the plaintext.

2. Ciphers

A cipher is an algorithm for performing encryption (and the reverse, decryption): a series of well-defined steps that can be followed as a procedure. An alternative term is encipherment. The original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext contains all the information of the plaintext, but not in a format readable by a human or computer without the proper mechanism to decrypt it; it should resemble random gibberish to those not intended to read it.

Ciphers are usually parameterised by a piece of auxiliary information, called a key.
The encrypting procedure varies depending on the key, which changes the detailed operation of the algorithm. Without the key, the cipher cannot be used to encrypt or, more importantly, to decrypt [3].

In non-technical usage, a "cipher" is the same thing as a "(secret) code"; in technical discussions, however, they are distinguished: codes work at the level of meaning, converting words or phrases into something else, while ciphers work at a lower level, that of individual letters or small groups of letters or, in modern ciphers, individual bits.

Historically, cryptography was split into a dichotomy of codes and ciphers, and coding had its own terminology analogous to that for ciphers: "encoding, code text, decoding" and so on. However, codes have a variety of drawbacks, including susceptibility to cryptanalysis and the difficulty of managing a cumbersome codebook. Because of this, codes have fallen into disuse in modern cryptography, and ciphers are the dominant paradigm.

3. Types of cipher

There are a variety of different types of encryption. Algorithms used earlier in the history of cryptography are substantially different from modern methods, and modern ciphers can be classified according to how they operate and whether they use one or two keys.

Encryption methods can be divided into symmetric-key and asymmetric-key algorithms. A symmetric-key algorithm uses the same cryptographic key to encrypt and decrypt the message; strictly, it is sufficient that the decryption key be easy to compute from the encryption key and vice versa. An asymmetric-key algorithm uses a pair of different, though related, cryptographic keys to encrypt and decrypt.
The two keys are related mathematically: a message encrypted using one key can be decrypted by the same algorithm only with the other key of the pair. In public-key cryptography (e.g., RSA), there are two separate keys: a public key is published and enables any sender to perform encryption, while a private key is kept secret by the receiver and enables him to perform decryption. The common asymmetric algorithms in use today rest on one of two hard problems: integer factorisation (RSA) or the discrete logarithm (Diffie-Hellman key agreement, ElGamal and elliptic-curve schemes).

Symmetric-key ciphers can be distinguished into two types, depending on whether they work on blocks of symbols, usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers).

4. A postal analogy

An analogy that can be used to understand the advantages of an asymmetric system is to imagine two people, Alice and Bob, sending a secret message through the public mail. In this example, Alice has the secret message and wants to send it to Bob, after which Bob sends a secret reply.

With a symmetric-key system, Alice first puts the secret message in a box, and then locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.

In an asymmetric-key system, Bob and Alice have separate padlocks. Firstly, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her. The critical advantage of an asymmetric-key system is that Bob and Alice never need to send a copy of their keys to each other.
This substantially reduces the chance that a third party (in the example, perhaps a corrupt postal worker) will copy a key while it is in transit, which would allow that third party to read all future messages sent between Alice and Bob. In addition, if Bob were careless and allowed someone else to copy his key, Alice's messages to Bob would be compromised, but Alice's messages to other people would remain secret, since those people provide different padlocks for Alice to use.

Fortunately cryptography is not concerned with actual padlocks, but with encryption algorithms, which aren't vulnerable to hacksaws, bolt cutters or liquid nitrogen attacks [4].

Not all asymmetric-key algorithms operate in precisely this fashion. The most common have the property that Alice and Bob each own two keys, neither of which is (so far as is known) deducible from the other. This is known as public-key cryptography, since one key of the pair can be published without affecting message security. In the analogy above, Bob might publish instructions on how to make a lock ("public key"), but the lock is such that it is impossible (so far as is known) to deduce from these instructions how to make a key that will open that lock ("private key"). Those wishing to send messages to Bob use the public key to encrypt the message; Bob uses his private key to decrypt it.

Of course, there is the possibility that someone could "pick" Bob's or Alice's lock. Unlike the one-time pad or its equivalents, there is no currently known asymmetric-key algorithm that has been proven secure against mathematical attack. That is, it is not known to be impossible that some relation between the keys in a key pair, or a weakness in an algorithm's operation, might be found that would allow decryption without either key, or using only the encryption key. The security of asymmetric-key algorithms is based on estimates of how difficult the underlying mathematical problem is to solve.
Such estimates have changed both with the decreasing cost of computing power and with new mathematical discoveries. Weaknesses have been found in promising asymmetric-key algorithms in the past. The Merkle-Hellman "knapsack" algorithm was found to be insecure when an unsuspected attack came to light. More recently, attacks based on careful measurement of the exact time known hardware takes to perform its cryptographic operations (timing attacks) have been used to simplify the search for likely decryption keys. Thus, use of asymmetric-key algorithms does not ensure security; discovering and protecting against new and unexpected attacks is an area of active research [8].

Another potential weakness in the use of asymmetric keys is the "man in the middle" attack, whereby the communication of public keys is intercepted by a third party and modified to substitute the third party's own public keys. To avoid suspicion the encrypted response must also be intercepted, decrypted and re-encrypted under the correct public key in every instance, which makes the attack harder to sustain; in practice it is prevented by authenticating public keys, for example with certificates signed by a trusted authority, rather than by relying on that difficulty.

The first known asymmetric-key algorithm was invented by Clifford Cocks of GCHQ in the UK. It was not made public at the time, and the scheme was reinvented by Rivest, Shamir and Adleman at MIT in 1977, hence the name RSA. RSA relies for its security on the difficulty of factoring very large integers; a breakthrough in that field would cause considerable problems for RSA's security. At the time of writing, RSA was considered vulnerable to an attack by factoring the modulus part of the public key, even when keys are properly chosen, for keys shorter than perhaps 700 bits; most authorities suggested that 1024-bit keys would be secure for some time, barring a fundamental breakthrough in factoring practice, while others favoured even longer keys. (Since then a 768-bit RSA modulus has been factored publicly and 1024-bit keys have been deprecated; 2048 bits is now the usual minimum.)

At least two other asymmetric algorithms were invented after the GCHQ work but before the RSA publication.
These were the Ralph Merkle puzzle cryptographic system and the Diffie-Hellman system. Well after RSA's publication, Taher Elgamal invented the Elgamal discrete-log cryptosystem, which relies on the difficulty of inverting logarithms in a finite field. It is used in the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), which provide secure communications on the Internet. A relatively new addition to the class of asymmetric key algorithms is elliptic curve cryptography (ECC), an approach to public-key cryptography based on the mathematics of elliptic curves. Proponents claim that ECC can be faster and use smaller keys than older methods such as RSA while providing an equivalent level of security. While it is more complex computationally, many believe it to represent a more difficult mathematical problem than either the factorisation or discrete logarithm problems [5].

5. RSA algorithm

RSA is an asymmetric algorithm and plays a key role in public key cryptography. It is widely used in electronic commerce protocols. The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman, who were all at MIT at the time; the letters RSA are the initials of their surnames. Clifford Cocks, a British mathematician working for GCHQ, described an equivalent system in an internal document in 1973. His discovery, however, was not revealed until 1997 due to its top-secret classification [2]. The security of the RSA system relies on the difficulty of factoring very large numbers; were such factorization quick, cryptanalysis of RSA messages would be quick as well. New fast algorithms in this field could render the RSA algorithm insecure. A working quantum computer implementing Shor's algorithm (a quantum algorithm, named after Peter Shor, which factors a number N in O((log N)^3) time and O(log N) space; many public key cryptosystems, such as RSA, will become obsolete if it is ever implemented on a practical quantum computer) could render RSA insecure through fast factorization. However, this is generally considered not a problem in the short term. At the moment, just as for all ciphers, inadequately long RSA keys are vulnerable to a brute force search. The likely effect of an improvement in factoring technique will be to increase the size of adequately long RSA keys. As of 2004, there is no known method of attack which is feasible against the basic algorithm, and sufficiently long RSA keys make brute force attacks infeasible, that is, effectively impossible [7]. (In cryptography, the key size, or key length, is a measure of the number of possible keys which can be used in a cipher; because modern cryptography uses binary keys, the length is usually specified in bits.) The algorithm was patented by MIT in 1983.

Suppose a user Alice wishes to allow Bob to send her a private message over an insecure transmission medium. She takes the following steps to generate a public key and a private key:

1. Choose two large prime numbers p ≠ q randomly and independently of each other. (In mathematics, a prime number, or prime for short, is a natural number whose only distinct positive divisors are 1 and itself; otherwise it is called a composite number. Hence a prime number has exactly two divisors. The number 1 is neither prime nor composite.) Compute N = p q.
2. Choose an integer 1 < e < N which is coprime to (p-1)(q-1).
3. Compute d such that d e ≡ 1 (mod (p-1)(q-1)).

(Steps 2 and 3 can be performed with the extended Euclidean algorithm; see modular arithmetic.)
(Step 3, rewritten, can also be solved by finding an integer x for which d = (x(p-1)(q-1) + 1)/e is an integer, then using the value of d (mod (p-1)(q-1)).)

N and e are the public key, and N and d are the private key. Note that only d is secret, as N is known to the public. Alice transmits the public key to Bob, and keeps the private key secret. p and q are also very sensitive since they are the factors of N and allow computation of d given e. They are sometimes securely deleted, and sometimes kept secret along with d in order to speed up decryption and signing using the Chinese Remainder Theorem [6].

6. Conclusions

Cryptography is an interdisciplinary subject, drawing from several fields. Before the time of computers, it was closely related to linguistics. Nowadays the emphasis has shifted, and cryptography makes extensive use of technical areas of mathematics, especially those areas collectively known as discrete mathematics. This includes topics from number theory, information theory, computational complexity, statistics and combinatorics. The security of all practical encryption schemes remains unproven, both for symmetric and asymmetric schemes. For symmetric ciphers, confidence gained in an algorithm is usually anecdotal, e.g. no successful attack has been reported on an algorithm for several years despite intensive analysis. Such a cipher might also have provable security against a limited class of attacks. For asymmetric schemes, it is common to rely on the difficulty of the associated mathematical problem, but this, too, is not provably secure. Surprisingly, only one cipher has been proven secure: the one-time pad.
However, it requires keys (at least) as long as the plaintext, so it was almost always too cumbersome to use.

References
[1] D. Stinson. Cryptography: Theory and Practice. CRC Press, 1995.
[2] W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal on Computing, 17 (1988), 194-209.
[3] H. Beker and F. Piper. Cipher Systems: The Protection of Communications. John Wiley and Sons, 1982.
[4] G. Brassard. Modern Cryptology: A Tutorial. Lecture Notes in Computer Science, vol. 325, Springer-Verlag, 1988.
[5] F. Chabaud. On the security of some cryptosystems based on error-correcting codes. Lecture Notes in Computer Science, to appear. (Advances in Cryptology - EUROCRYPT '94.)
[6] D. Coppersmith (Ed.). Advances in Cryptology - CRYPTO '95 Proceedings. Lecture Notes in Computer Science, vol. 963, Springer-Verlag, 1995.
[7] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22 (1976), 644-654.
[8] N. Koblitz. A Course in Number Theory and Cryptography (Second Edition). Springer-Verlag, 1994.
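The key-generation steps 1–3 of Section 5 above, as an added Python example that is not part of the original text: d is computed both by the extended Euclidean algorithm and by the "(x(p-1)(q-1) + 1)/e" search the text mentions, and the two are checked to agree. The primes p = 61, q = 53 and e = 17 are constructed toy values, far too small for real use.

```python
from math import gcd


def extended_gcd(a, b):
    """Return (g, u, v) with g = gcd(a, b) and a*u + b*v == g."""
    if b == 0:
        return a, 1, 0
    g, u, v = extended_gcd(b, a % b)
    return g, v, u - (a // b) * v


def mod_inverse(e, m):
    """Step 3: d with d*e == 1 (mod m), via the extended Euclidean algorithm."""
    g, u, _ = extended_gcd(e, m)
    if g != 1:
        raise ValueError("e is not coprime to (p-1)(q-1)")
    return u % m


def d_by_search(e, m):
    """Step 3 rewritten: the x in [0, e) that makes (x*m + 1)/e an integer.

    Such an x exists and is unique modulo e whenever gcd(e, m) == 1, so e
    iterations are enough (toy sizes only; real keys use mod_inverse)."""
    for x in range(e):
        if (x * m + 1) % e == 0:
            return ((x * m + 1) // e) % m
    raise ValueError("no solution; e is not coprime to (p-1)(q-1)")


def rsa_keygen(p, q, e):
    """Steps 1-3: returns ((N, e), (N, d)) for distinct primes p, q and a valid e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                      # step 1: N = p q
    m = (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, m) != 1:   # step 2: 1 < e < N, coprime to (p-1)(q-1)
        raise ValueError("e must satisfy 1 < e < N and be coprime to (p-1)(q-1)")
    d = mod_inverse(e, m)          # step 3
    assert d == d_by_search(e, m)  # both step-3 methods give the same d
    return (n, e), (n, d)


def rsa_encrypt(public_key, message):
    n, e = public_key
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext):
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)          # constructed toy primes
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(private, c))
```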
Research on Privacy-Preserving ECG-Based Identification Technology
Guan Shaopeng; Ge Xin; Zhang Yuan; Zhong Sheng
Journal: 《信息网络安全》 (Netinfo Security)
Year (volume), issue: 2016(0)8
Abstract: ECG data are physiological characteristics closely related to an individual, which gives them an unparalleled advantage for authentication. However, ECG data reflect the health situation of an individual and belong to important personal privacy. This paper proposes a privacy-preserving ECG-based identification technology. Firstly, a certain mechanism is adopted to protect the ECG data in the data training phase and the data matching phase, and then identification experiments on the protected ECG data are conducted with the Euclidean distance algorithm and the cross-correlation algorithm. The results show that the ECG data in the MIT-BIH Normal Sinus Rhythm Database are 100% identified by both the Euclidean distance algorithm and the cross-correlation algorithm, and the ECG data in the MIT-BIH Arrhythmia Database are 96.77% identified by both the Euclidean distance algorithm and the cross-correlation algorithm.
Pages: 5 (pp. 1-5)
Authors: Guan Shaopeng; Ge Xin; Zhang Yuan; Zhong Sheng
Affiliations: Department of Computer Science, Nanjing University, Nanjing, Jiangsu 210023 (all four authors)
Language: Chinese
CLC classification: TP309
Related literature:
1. An ECG-based identification method [J], Shi Li; Guo Bao; Li Zhongjian; Zhao Yun
2. Exploration of ECG-based identification for preventing acute myocardial infarction insurance fraud [J], Li Li; Li Fangbin
3. Application of a BP neural network optimized by a genetic algorithm to ECG-based identification [J], Shi Li; Zhu Minjie
4. Identification and replication: privacy protection in applications of intelligent biometric technology [J], Gu Liping
5. Intelligent biometric technology: from identification to body control, a citizen privacy protection perspective [J], Gu Liping
ECG-Cryptography and Authentication in Body Area Networks
Zhaoyang Zhang, Honggang Wang, Athanasios V. Vasilakos, and Hua Fang

Abstract—Wireless body area networks (BANs) have drawn much attention from the research community and industry in recent years. Multimedia healthcare services provided by BANs can be available to anyone, anywhere, and anytime seamlessly. A critical issue in BANs is how to preserve the integrity and privacy of a person's medical data over wireless environments in a resource-efficient manner. This paper presents a novel key agreement scheme that allows neighboring nodes in BANs to share a common key generated by electrocardiogram (ECG) signals. The improved Juels Sudan (IJS) algorithm is proposed to set up the key agreement for the message authentication. The proposed ECG-IJS key agreement can secure data communications over BANs in a plug-n-play manner without any key distribution overheads. Both simulation and experimental results are presented, which demonstrate that the proposed ECG-IJS scheme can achieve better security performance in terms of several performance metrics such as false acceptance rate (FAR) and false rejection rate (FRR) than other existing approaches. In addition, the power consumption analysis also shows that the proposed ECG-IJS scheme can achieve energy efficiency for BANs.

Index Terms—Electrocardiogram (ECG), energy consumption, fuzzy vault, monic polynomial, wireless body area networks (BANs).

I. INTRODUCTION

Wireless body area networks (BANs) can be deployed on a person's body for pervasive and real-time healthcare monitoring in the form of multimedia such as text, audio, image, and video. The nonintrusive and ambulatory health monitoring of patients' vital signs over BANs provides an economical solution to the current healthcare system, in which the healthcare information can be distributed to users anytime through handheld devices and the internet. A BAN consists of a set of mobile and small-size intercommunicating sensors, which are either wearable or
can be implanted into the human body for monitoring vital signs (e.g., heart rate, brain activity, blood pressure, and oxygen saturation) and/or environmental parameters (e.g., location, temperature, humidity, and light) and movements. However, there are several research challenges before BANs can be widely deployed. First, the sensors have limited resources in terms of energy, bandwidth, memory, and computational capability, so a lightweight communication solution should be pursued in BANs. Second, since the performance of BANs is closely related to people's health, it is important to have safe sensor networks in which the requirements of medical data privacy, confidentiality, authentication, and integrity are satisfied. The lack of security in the operation and communication of resource-constrained medical sensor nodes in BANs has been an obstacle to moving the technology forward.

Manuscript received January 30, 2011; revised April 9, 2012; accepted June 18, 2012. Date of publication June 26, 2012; date of current version November 16, 2012. Z. Zhang and H. Wang are with the Department of Electrical and Computer Engineering, University of Massachusetts, Dartmouth, MA 02747-2300 USA (e-mail: zzhang1@; hwang1@). A. V. Vasilakos is with the Department of Computer and Telecommunications Engineering, University of Western Macedonia, Kozani 50100, Greece (e-mail: vasilako@ath.forthnet.gr). H. Fang is with the Department of Quantitative Health Science, University of Massachusetts Medical School, Worcester, MA 01655 USA (e-mail: Hua.Fang@). Color versions of one or more of the figures in this paper are available online at . Digital Object Identifier 10.1109/TITB.2012.2206115

A. Cryptography and Authentication for Secure Multimedia Healthcare Services

Cryptography and authentication methods are utilized in BANs to offer secure multimedia healthcare services via wireless communications. In BANs, sensors usually rely on cryptographic keys to secure multimedia data communications. Numerous key management and distribution schemes have been
developed to offer security in general wireless sensor networks. However, they cannot be directly applied to BANs due to the scale of biomedical sensors, and designing an efficient key management and agreement scheme in BANs is still challenging. Key distribution methods such as probabilistic key distribution [1], SPINS [2], LEAP [3], and asymmetric cryptosystems [4] have been developed to distribute security keys in BANs. But these methods are not easily implemented in body sensors due to limited sensor resources, or they require predeployment of secret keys that are hard to replace and are vulnerable to offline cracking. In addition, the overheads of key management and distribution in these methods are huge when a large number of sensor nodes are deployed [5], [6].

In this paper, we present a new key agreement scheme called ECG-improved Juels Sudan (IJS), which utilizes a physiological signal, the ECG signal, for generating cryptographic keys. Using the ECG-IJS scheme, secure intersensor communication can be implemented in a "plug and play" manner, which means that no previous key distribution is needed. The secret keys used in the communication are generated from the ECG signals, which meets the requirements of long, random, time-variant keys proposed in [7]. The proposed key is generated from a universally measurable physiological stimulus (ECG) that is unique and distinctive for each person. Additionally, the ECG-IJS scheme only needs a short time period to generate keys, with low computational requirements. The ECG-IJS scheme can also achieve better performance in terms of false acceptance rate (FAR) and false reject ratio (FRR) than the existing research work in [8]. In addition, it is an energy-efficient scheme because it does not require the chaff points (communication overheads) used in [8]. A power consumption analysis is given to demonstrate the energy efficiency of the proposed ECG-IJS scheme.

Fig. 1. Body sensor networks.

B. Major Contributions

We
summarize our major contributions in this paper. First, we introduce a new biometric-based approach to authenticate messages in a lightweight manner in BANs, which is a practical solution and can be simply implemented in resource-constrained biomedical sensors; second, a novel key-agreement scheme is developed to allow communication parties to share the same key without much overhead; finally, a framework for the security and energy efficiency analysis of BANs is given to evaluate the efficiency of the proposed approach. Our research opens a new vista for securing medical data transmission over BANs.

II. RELATED WORKS

A typical topology of BANs shown in Fig. 1 includes multiple types of medical sensors that can be wirelessly connected to other medical sensors or to the control nodes (e.g., smartphones), which could interface with other types of networks such as WiMAX or WiFi to further deliver the collected medical information to the information center. Much effort has been devoted to developing secure communication schemes between the internet and control nodes. Thus, our studies focus on securing intersensor communication over the body area instead. A comprehensive survey on wireless body area networks is given in [9].

Fig. 2. Processes of PSKA using fuzzy vault.

Besides the traditional key distribution schemes, there are several ongoing research works that implement key distribution using biometric features. The research in [7] and [10]–[12] utilizes physiological signals for securing intersensor communication over BANs. The authors in [10] and [11] proposed the use of the frequency coefficients of the ECG or photoplethysmogram (PPG) signals to generate cryptographic keys. In [7] and [12], the interpulse interval derived from ECG/PPG signals is proposed to generate cryptographic keys. The fuzzy vault method proposed by Juels and Sudan in [13] has been used in message authentication with biometric information as shown in [14]–[16]. In [8], the authors first
proposed to use the fuzzy vault method, called physiological-signal-based key agreement (PSKA), to secure intersensor communications. Then, some modified fuzzy vault schemes [17], [18] were proposed to use ECG signals to improve security performance. The authors in [19] give an improved Juels and Sudan scheme, which has been shown to perform well in fingerprint-based key generation [20]. The PSKA scheme proposed in [8] uses the fuzzy vault to lock a randomly generated key in the vault at the sender, and unlocks the vault to regenerate the key with the similar features available at the receiver. However, the security of the vault depends on its size, so extra chaff points are needed to ensure the security of the vault, which brings extra communication overheads. The authors of [21] suggest the use of ECG signals as a biometric feature to authenticate users and messages. The approach requires the creation of an ECG template and then comparing the current ECG signals with this template to verify the identity. However, it is not efficient for achieving good security performance due to the use of a static template. In our proposed ECG-IJS, we extract time-variant features from the ECG signals and use them as keys to encrypt/authenticate messages.

III. SYSTEM MODELS

A. Fuzzy Vault Scheme

A fuzzy vault scheme was proposed by Juels and Sudan [13]. The fuzzy vault scheme is designed to lock (hide) a secret S in a construct called a vault using a set of values A. The procedure to construct a vault is as follows: 1) generate a v-th-order polynomial p over the variable x that encodes the secret S; 2) compute the value of the polynomial at different values of x from set A and create a set R = {a_i, p(a_i)}; and 3) add a randomly generated set of points C = {c_i, c_j}, called chaff, to R.
Once the vault has been constructed, only a set of values B similar to set A can unlock the vault and discover the secret S. The unlock procedure is the inverse process: 1) find points (x_i, y_i) from R according to the elements in B; 2) reconstruct the v-th-order polynomial from the points acquired above; 3) decode the coefficients of the polynomial using a Reed–Solomon decoder. If the final decoding operation is successful, then the output secret k' should be equal to k if the set B is close to the original set A. Otherwise, the reconstruction of the secret key fails. The PSKA method [8] uses the fuzzy vault in BANs as a key agreement protocol. The key agreement process of PSKA using the fuzzy vault scheme is shown in Fig. 2, which contains both the vault construction and reconstruction processes.

B. Improved Fuzzy Vault Scheme

Based on Juels and Sudan's work, Y. Dodis et al. proposed an improved fuzzy vault algorithm called IJS [19]. In the IJS algorithm, the sender constructs a unique monic polynomial using the feature set F as the roots and sends part of the coefficients to the receiver. Without knowing most of the roots, it is impossible for the receiver to reconstruct the monic polynomial to discover K. When the receiver receives the coefficients sent by the sender, it can reconstruct the polynomial with the feature set F' it has. The receiver can successfully reconstruct the monic polynomial only when F and F' share most of their elements. Compared with the original fuzzy vault algorithm, the IJS algorithm does not use chaff points to hide the secret (key). Thus, the communication overhead between the sender and the receiver is significantly reduced. We briefly introduce the process of the IJS algorithm that can tolerate a set difference of t features in the following.

1) Let f(x) be the unique monic polynomial of degree s such that f(x) = 0 for all x ∈ w.
2) Output the t coefficients of f(x) from degree s−1 down to s−t, i.e., if w = {x_1, ..., x_s}, then output

$$\sum_{i} x_i,\quad \sum_{i \neq j} x_i x_j,\quad \ldots,\quad \sum_{S \subseteq [s],\ |S| = t}\ \prod_{i \in S} x_i. \qquad (1)$$

Here, the t coefficients are sent to the
receiver without encryption. Eavesdroppers may get these coefficients, but it is impossible for them to recover w. Once the receiver gets the t coefficients from the sender, it can reconstruct the monic polynomial f(x) with its own set w', which should share at least s−t common elements with w. The process of recovering w using the received t coefficients and w' is as follows, where w' = {a_1, a_2, ..., a_s}.

1) Create a new polynomial f_h using the coefficient 1 and the received t coefficients. Then, f_h shares the top t+1 coefficients with f, which is described as

$$f_h(x) \stackrel{\text{def}}{=} x^s + \sum_{i=s-t}^{s-1} a_i x^i.$$

2) Evaluate f_h on all points u_i ∈ w' to obtain s pairs (u_i, v_i), in which v_i = f_h(u_i).
3) Use [s, s−t, t+1] Reed–Solomon decoding [22] to search for a polynomial f_l of degree s−t−1 such that f_l(u_i) = v_i for at least s − t/2 of the u_i values.
4) If the search completes successfully, then output the list of zeros (roots) of the polynomial f_h − f_l. Otherwise, output "fail."

Fig. 3. Process of ECG-IJS algorithm.

The algorithm can tolerate t difference errors, dis(w, w') ≤ t, which is required by our designed scheme due to the dynamic nature of ECG features. Let f(x) be $f(x) = \prod_{w_i \in w} (x - w_i)$. The polynomial f(x) is monic with leading term x^s. We can divide the remaining coefficients into two groups: the high coefficients, denoted a_{s−t}, ..., a_{s−1}, and the low coefficients, denoted b_0, ..., b_{s−t−1}:

$$f(x) = \underbrace{x^s + \sum_{i=s-t}^{s-1} a_i x^i}_{f_h(x)} + \underbrace{\sum_{i=0}^{s-t-1} b_i x^i}_{q(x)}. \qquad (2)$$

f(x) can be written as f_h(x) + q(x), where q(x) has degree s−t−1. The recovery algorithm will have the coefficients of f_h as the input. For any point x in w, 0 = f(x) = f_h(x) + q(x) is satisfied. Thus, f_h(x) and −q(x) agree at all points in w. Since set w' intersects w in at least s − t/2 points, the polynomial −q(x) satisfies the conditions. In addition, the polynomial is unique, since no two distinct polynomials of degree s−t−1 can have the correct b_i on more than s − t/2 of the a_i. Thus, the recovered polynomial f_l(x) should
be −q(x). Then, f_h(x) − f_l(x) = f(x) is satisfied.

Consider the following example that illustrates the process of IJS. Suppose s = 5 and t = 2, and let the sender and the receiver have the sets w = {1, 2, 3, 4, 5} and w' = {1, 3, 5, 7, 9}, respectively. The elements in w and w' could be in any order. Then, the sender generates the monic polynomial $f(x) = \prod (x - w_i) = x^5 - 15x^4 + 85x^3 - 225x^2 + 274x - 120$, and sends the two coefficients {−15, 85} to the receiver. After receiving these coefficients, the receiver constructs the polynomial $f_h(x) = x^5 - 15x^4 + 85x^3$, and then evaluates all the elements u_i ∈ w' by v_i = f_h(u_i) to form the set of pairs {(1, 71), (3, 1323), (5, 4375), (7, 9947), (9, 22599)}. Reed–Solomon decoding is used to search for a polynomial f_l of degree 2 such that v_i = f_l(u_i) for at least 4 of the u_i values. After the search, the receiver gets $f_l(x) = 225x^2 - 274x + 120$. Thus, the receiver reconstructs f(x) = f_h(x) − f_l(x), and then it can recover w by solving for the roots of the monic polynomial f(x).

Compared with the original fuzzy vault scheme, the IJS algorithm does not use chaff points to secure the information. Thus, it reduces the transmission overheads, saves transmission energy and prolongs the lifetime of the battery. Most nodes in BANs are battery powered, so the availability and reliability of the network increase if less energy is consumed. In this paper, a scheme called ECG-IJS key agreement, which uses the ECG signals and the IJS scheme, is proposed to implement the key agreement protocol in BANs.

C. Proposed ECG-IJS Scheme

Based on the IJS algorithm described earlier, we propose an ECG-IJS key agreement to secure data communication in BANs. In particular, our approach focuses on the intercommunication and authentication between the sensor nodes in BANs. The proposed ECG-IJS scheme is shown in Fig. 3. In the scheme, we assume that both the sender and the receiver have the capability to sample the ECG signals from the human body. Thus, the same feature extraction
algorithm can be utilized to generate features from the collected ECG signals. The processes of extracting features from the ECG signals are shown in Section IV. The features F and F' are used as keys to encrypt and decrypt the message to achieve secure communication in BANs. The process of the ECG-IJS scheme is described as follows.

Fig. 4. ECG-IJS authentication scheme.

ECG-IJS key hiding:
1) extract the feature F from the ECG signal and form the secret K;
2) use the ECG feature F as the roots to build a unique ECG monic polynomial of degree s;
3) calculate the coefficients of the ECG monic polynomial and then output the ECG vault coefficients from degree s−1 to s−t.

t denotes the number of coefficients. The number t is transmitted without encryption to the receiver, together with the subset of coefficients. t affects the performance of the proposed ECG-IJS scheme as shown in Figs. 8 and 9. In addition, the value of t could be predefined/predeployed in the sensor nodes within the same body area network according to the authentication performance requirements (i.e., FAR or FRR). When the receiver receives the subset of the monic polynomial coefficients, it can reconstruct the ECG monic polynomial based on the ECG signal it samples from the same human body as the sender.

ECG-IJS key recovering:
1) extract the feature F' from the ECG signal;
2) construct a new ECG feature polynomial p_high of degree s using the coefficients it receives;
3) evaluate the above polynomial on all points in F' to get a set of pairs;
4) use Reed–Solomon decoding to search for a polynomial of degree s−t−1 that meets most of the pairs;
5) reconstruct the ECG vault secret K from the search results and the coefficients received from the sender.

D. System Design

A typical proposed design for the message authentication is described in Fig. 4. The example application shown in the figure uses BANs for diabetes monitoring, in which the glucose sensors deployed or implanted in the skin continuously monitor and wirelessly
transmit the blood glucose levels to the microchip-based control devices for an accurate, timely, and efficient insulin release. In such a system, the integrity and confidentiality of sensitive medical data among sensor nodes must be protected against modification or other malicious attacks, because malicious or fraudulent actions (e.g., alteration of drug dosages or treatment procedures) can be extremely hazardous [23]. Other similar attacks include the deliberate alteration of health data leading to wrong diagnosis and treatment, and the falsification of alarms or the suppression of real alarms in an emergency.

Because of the limited resources of body sensors in terms of power, computation capability, and transmission capability, an energy-efficient solution is required to secure the data transmission. In the proposed ECG-IJS scheme, at the sender, features F are extracted from the ECG signals to form a secret k, which is used to encrypt the glucose data or a general message, and then the sender sends the encrypted message, the IJS coefficients and the hash-based message authentication code (MAC) to the receiver. After the receiver gets the packet, it can recover the secret k using the ECG signal measured at the receiver's site and then decrypt the encrypted message using the key k. When the message is received at the receiver, the MAC is recalculated from it using the same algorithm. The result is compared with the received MAC to complete the authentication process.

A monic polynomial of degree s is generated at the sender based on the ECG features. Then, t coefficients are sent to the receiver with a hash value. After receiving the t coefficients, the receiver begins to recover the other s−t coefficients based on the t received coefficients and the ECG feature the receiver measures. If the ECG features at the receiver are similar to the ones at the sender, the receiver will be able to recover the other s−t coefficients of the monic polynomial. If the recalculated hash value matches the received
hash value, then the receiver has successfully recovered the s−t coefficients and the authentication process is completed. In the proposed ECG-IJS scheme, we assume that both the sender and the receiver have the capability of sampling the ECG signals from the human body. This assumption could be realized by attaching an ECG sensor to a body sensor node such as a glucose sensor. However, the ECG measurements on different areas of the body could still be different. We use the fast Fourier transform (FFT) peak index as a feature to characterize and tolerate the differences on the same body, while the features are significantly different on different bodies. The whole process is described as follows.

Step 1 (Key Hiding): The sender measures the ECG signals and glucose data, and the glucose data will be sent to the receiver. The receiver has statistically similar ECG signals when the two sensors measure the ECG from the same body. Both the sender and the receiver use the same feature extraction algorithm to generate a feature set, called the IJS coefficients. The feature extraction algorithm is presented in detail in Section IV. Once the features are generated, the sender uses them as a key to encrypt the glucose data, and then sends the following packet to the receiver: {ID_s, ID_r, E, S, N1, MAC(k, S|M|N1|ID_s)}, where ID_s and ID_r are the IDs of the sender and receiver, respectively. M is the original message. E is the encrypted message.
N1 is a nonce used for the signature. S is the subset of t monic polynomial coefficients. MAC is a message authentication code using a hash function (e.g., SHA-1 or SHA-2), and k is generated from the ECG features at the receiver site.

Step 2 (Key Recovering): After receiving the packet from the sender, the receiver uses the features extracted from its ECG and the received data set S to recover the secret k by the proposed ECG-IJS algorithm. The secret k is further used to decrypt the encrypted message E to obtain the original glucose data M.

Step 3 (Authentication): The receiver uses the same authentication algorithm as the sender to recalculate the MAC. If the MAC value calculated by the receiver is equal to the MAC value received from the sender, the authentication succeeds. Otherwise, the authentication fails and the received packet will be discarded.

Step 4 (Acknowledgement): If the authentication process succeeds, the receiver sends an acknowledgement back to the sender in the format {ID_r, ID_s, N1, MAC(k, N1|ID_s|ID_r)}, where N1 is a nonce and the other symbols have the same meanings as described earlier.

IV. EXPERIMENTAL RESULTS

In this section, we validate the proposed ECG-IJS scheme. The validation begins with the feature extraction from the ECG signals, followed by the FAR and FRR analysis. After that, the security analysis of the proposed ECG-IJS scheme is discussed.

A. Feature Extraction

When two sensors in a BAN want to communicate securely with each other using ECG signals measured separately from the same body, the ECG features first need to be extracted from the sampled ECG signals. In our proposed scheme, we perform a frequency-domain analysis of the ECG signals to generate the features. This is because the frequency components of physiological signals, at any given time, have statistically similar values as long as they are measured on the same body. A time-domain analysis shows that the values of the ECG signals measured at different parts of the body (from different leads) have a similar trend but
diverse values.In this validation process of the pro-posed ECG-IJS scheme,the ECG signals are downloaded fromMIT-BIH Arrhythmia database[24].The MIT-BIH Arrhythmia Database contains48half-hour excerpts of two-channel ambu-latory ECG recordings.The recordings were digitized at360 samples per second per channel with11-bit resolution over a 10-mV range[25].The Feature extraction process is shown as follows.1)Get the ECG data for afixed time duration of4s.Thereason for choosing a4s duration is that we want it to include at least one heart beat.2)Resample the ECG data at120Hz.3)Conduct512points FFT of the ECG data;extract thefirst256coefficients because the coefficients are symmetric.4)Detect the local peaks on the extracted FFT coefficients;each of the peak location index is used as a feature.The ECG signals measured on the different areas of the body have statistically similar values within a time period.There are two reasons for selecting the FFT peak location index as a fea-ture.First,the feature changes dynamically but can easily be de-tected with low computational complexity.Second,the body’s physiological behaviors will be characterized by the peak loca-tion index features in the Fourier transform domain.Therefore,TABLE IFAR AND FRR P ERFORMANCEFig.5.FAR versus FRR.the peak location index is a good candidate that can be used to differentiate measurements(collected by a sensor)of one patient from those of different patients.The feature provides an efficient representation of ECG signals for the data authentication and secret key agreement.However,our proposed authentication framework does not limit to using the peak location index.Po-tential features such as the P-R interval could also be applied as long as they can meet the required authentication performance (i.e.,FAR and FRR).B.Performance AnalysisIn our experiment,we consider securing the communication between any two nodes within the same WBAN.We assume that the sensor nodes have the capability of measuring 
the ECG signals with an attached ECG sensor. In addition, we set the path loss exponent to 3 and 7 for the line-of-sight (LOS) channel and the non-LOS (NLOS) channel, respectively, the same as in [26].

In this part, FAR and FRR are used to evaluate the performance of the proposed ECG-IJS scheme. The half total error rate (HTER), computed as HTER = (FAR + FRR)/2, is also obtained. The ECG data of ten persons were randomly selected from the MIT-BIH Arrhythmia Database [24]. The FAR, FRR, and HTER performance evaluated on these ten persons' ECG data versus the difference tolerance t (with polynomial degree s = 8) is shown in Table I. The FAR versus the FRR is given in Fig. 5. As shown in Fig. 5, the FAR decreases as the FRR increases. From Table I, it is observed that when the difference tolerance t increases, the FAR also increases. This is because, if the system can tolerate more differing features between the sender and the receiver, the probability of matching two feature sets that do not belong to the same person increases, and thus the FAR increases.
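The feature extraction steps 1)-4) of Section IV-A, and the feature-overlap on which the FAR/FRR trend above rests, as an added example that is not the paper's own code: a pure-Python 4 s window, decimation from 360 Hz to 120 Hz (plain decimation without an anti-alias filter is an assumption of this example), 512-point FFT, and local-peak indices as the feature set, run on constructed harmonic signals rather than MIT-BIH recordings. The IJS vault itself is not implemented; the example only counts the shared features that Step 2 recovery depends on.

```python
import cmath
import math

FS_RAW = 360   # MIT-BIH sampling rate (Hz), as stated in the paper
FS = 120       # resampled rate used by the scheme (Hz)
WINDOW_S = 4   # seconds of ECG per feature set
NFFT = 512     # FFT length; only the first NFFT // 2 bins are kept

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out

def extract_features(ecg_360hz):
    """Steps 1-4 of Section IV-A: 4 s window, resample to 120 Hz (plain
    decimation here, an assumption of this example), 512-point FFT, keep the
    first 256 bins, return the indices of local spectral peaks."""
    decimated = ecg_360hz[::FS_RAW // FS][:WINDOW_S * FS]        # 480 samples
    spectrum = fft(decimated + [0.0] * (NFFT - len(decimated)))  # zero-pad
    power = [z.real * z.real + z.imag * z.imag for z in spectrum[:NFFT // 2]]
    return [i for i in range(1, len(power) - 1)
            if power[i] > power[i - 1] and power[i] > power[i + 1]]

def common_features(f1, f2):
    """Peak indices shared by two feature sets (what Step 2 recovery needs)."""
    return len(set(f1) & set(f2))

def synthetic_ecg(bin_index, harmonics, scale=1.0):
    """Constructed test signal (not real ECG): harmonics of one heart-rate
    fundamental at FFT bin `bin_index`; `scale` mimics a second lead."""
    f0 = bin_index * FS / NFFT
    return [scale * sum(a * math.cos(2 * math.pi * (h + 1) * f0 * i / FS_RAW)
                        for h, a in enumerate(harmonics))
            for i in range(WINDOW_S * FS_RAW)]

if __name__ == "__main__":
    lead_a = synthetic_ecg(5, (1.0, 0.6, 0.3))             # one body, lead 1
    lead_b = synthetic_ecg(5, (1.0, 0.6, 0.3), scale=0.5)  # same body, lead 2
    other = synthetic_ecg(8, (1.0, 0.4, 0.2))              # a different body
    fa, fb, fo = (extract_features(s) for s in (lead_a, lead_b, other))
    print("shared features, same body :", common_features(fa, fb), "of", len(fa))
    print("shared features, other body:", common_features(fa, fo), "of", len(fa))
```

The same-body leads share every peak index because amplitude scaling does not move spectral peaks, which is the "similar trend but diverse values" property Section IV-A relies on; the other body shares only incidental ones.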
In contrast to the FAR, the FRR decreases when t increases. This is because, when t increases, two feature sets coming from the same person are more likely to be matched. Thus, the probability of recovering one set using the other set also increases.

Fig. 6. FAR comparison.
Fig. 7. FRR comparison.

Figs. 6 and 7 show the FAR and FRR performance when the degree of the monic polynomial s changes (the difference tolerance t is set to 2). The degree of the polynomial s should satisfy s >= 4 in order not to compromise the security [17]. It is shown in Fig. 6 that the FAR decreases when s increases. When t is fixed, a bigger s means that more shared features in the feature set are needed to successfully recover the secret k. Thus, the probability of mismatching the feature sets decreases. In Fig. 7, the FRR increases when s increases. This is because, if more common elements of the feature sets are needed, the system is more likely to reject two feature sets that come from the same person. The comparison between PSKA [8] and the proposed ECG-IJS scheme in terms of FAR and FRR performance is also shown in Figs. 6 and 7. Though the FAR performance of the proposed ECG-IJS scheme is slightly worse than that of PSKA, the FRR performance of the proposed ECG-IJS scheme is much better than that of PSKA. Also, as shown in Table II, the HTER performance of ECG-IJS is better than that of PSKA for all polynomial degrees s. We will also further demonstrate the energy saving advantages of the proposed approach in Section V.

Figs. 8 and 9 show the FAR performance and the FRR performance, respectively, for different polynomial degrees s and different tolerances t. They demonstrate that choosing certain degrees and tolerance levels can achieve the required security performance. However, the computational complexity increases when a higher s is chosen.

TABLE II: COMPARISON OF HTER
Fig. 8. FAR versus polynomial degrees.
Fig. 9. FRR versus polynomial degree s.

C. Energy Efficiency Analysis

The wireless channel condition in BANs is different from that of free space [27]. In this section, we first describe the wireless channels over the human body in BANs. Second, we introduce an energy consumption model which is used to evaluate the energy efficiency of the proposed ECG-IJS scheme. At last, the energy efficiency of the ECG-IJS scheme is compared with that of PSKA.

1) Path Loss Near Human Body: The path loss models for BANs using either narrowband radio signals or ultra wideband (UWB) are investigated in [28] and [29]. It is reported that the radio signals experience great losses and that the value of the path loss exponent α varies greatly in BANs. The path loss exponent for propagation in free space is equal to 2. But the path loss