This paper shows several security weaknesses of a Multi-Factor Authenticated Key Exchange (MK-AKE) protocol, proposed by Pointcheval and Zimmer at ACNS'08. The Pointcheval-Zimmer scheme was designed to combine three authentication factors in one system, including a password, a secure token (that stores a private key) and biometrics. In a formal model, Pointcheval and Zimmer formally proved that an attacker had to break all three factors to win. However, the formal model only considers the threat that an attacker may impersonate the client; it however does not discuss what will happen if the attacker impersonates the server. We fill the gap by analyzing the case of the server impersonation, which is a realistic threat in practice. We assume that an attacker has already compromised the password, and we then present two further attacks: in the first attack, an attacker is able to steal a fresh biometric sample from the victim without being noticed; in the second attack, he can discover the victim's private key based on the Chinese Remainder theorem. Both attacks have been experimentally verified. In summary, an attacker actually only needs to compromise a single password factor in order to break the entire system. We also discuss the deficiencies in the Pointcheval-Zimmer formal model and countermeasures to our attacks.

关键词：电子信息；信息安全；网络安全；密钥交换协议；身份验证

查看摘要 索取原文[15页]

So far, we have introduced protections of communication systems placed at the upper layers of networked communication systems. Those mechanisms utilize modern cryptographic methods, together with network administration policies. The important characteristics of modern cryptographic algorithms and protocols are that they are independent of physical-layer transmission technologies and assume that the physical-layer transmission has already been established and is error free.

关键词：电子信息；信息安全；物理层；通信系统

查看摘要 索取原文[36页]

Cybercrime is costly both for businesses and consumers. Criminals can have different purposes, such as financial winnings, defacement and disruption, which not only cause financial loss but also damage organization's reputation and image. To prevent a number of cybercrimes and simple mistakes, such as not insuring that all traffic into and out of a network pass through firewall, security of e-commerce systems should be considered from the very beginning, i.e. early stage of the e-commerce software development. This is due to software vulnerabilities are a huge security problem. Therefore, to enhance security of e-commerce software, we propose the use of multi-agent system. The research in this paper is focused mainly on the design of agents that provide support to engineers during development process. Moreover, the multi-agent system, presented in this research, supports implementation of patterns and extraction of security information, and provides traceability of security requirements in the engineering process.

关键词：电子信息；信息安全；网络安全；电子商务；软件系统

查看摘要 索取原文[9页]

Service providers rely on industrial control systems (ICS) to manage the flow of water at dams, open breakers on power grids, control ventilation and cooling in nuclear power plants, and more. In today's interconnected environment, this can present a serious cyber security challenge. To combat this growing challenge, government, private industry, and academia are working together to reduce cyber risks. The Idaho National Laboratory (INL) is a key contributor to the Department of Energy National SCADA Test Bed (NSTB) and the Department of Homeland Security (DHS) Control Systems Security Program (CSSP), both of which focus on improving the overall security posture of ICS in the national critical infrastructure. In support of the NSTB, INL hosts a dedicated SCADA testing facility which consists of multiple control systems supplied by leading national and international manufacturers. Within the test bed, INL researchers systematically examine control system components and work to identify vulnerabilities. In support of the CSSP, INL develops and conducts training courses which are designed to increase awareness and defensive capabilities for IT/Control System professionals. These trainings vary from web-based cyber security trainings for control systems engineers to more advanced hands-on training that culminates with a Red Team/ Blue Team exercise that is conducted within an actual control systems environment. INL also provides staffing and operational support to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Security Operations Center which responds to and analyzes control systems cyber incidents across the 18 US critical infrastructure sectors.

关键词：电子信息；信息安全；网络安全；网络工业控制系统；测试

查看摘要 索取原文[9页]

In the wake of the attack of 9/11, the United States government recognized that the manner in which threats and information were conveyed was extremely inefficient, and in many cases completely nonfunctional due to disparate data failing to become accurately coalesced. This is especially true within the area of intermodal cargo shipping. Our research explores and seeks to inform the development of requirements for an information sharing system amongst harbor cargo operators engaged in intermodal shipping. Through interviews conducted of the Naval Postgraduate School's Multimodal Information Sharing Team's (MIST's) federal and local partners, careful examination of existing MIST findings, and research into best practices in information system design, we seek to provide an analysis of current needs and recommendations for improvements to communications about threats to intermodal shipping. Our qualitative findings, found through interviewing communication systems operators and users, indicate that the generalized lack of trust has created limits to communication that have manifested themselves in different electronic solutions that appear to have been developed without direct input from operators. We also find that there exist overland enterprises (e.g., trucking industry) that lack the motivation to provide funding for improved communications infrastructure. Future research efforts may include further identification of communication barriers (e.g., costs) to improve shared communications systems.

关键词：电子信息；信息安全；网络安全；港务；信息共享

查看摘要 索取原文[105页]

Secure mobile ad hoc network (MANET) routing protocols are not tested thoroughly against their security properties. Previous research focuses on verifying secure, reactive, accumulation-based routing protocols. An improved methodology and framework for secure MANET routing protocol verification is proposed which includes table-based and proactive protocols. The model checker, SPIN, is selected as the core of the secure MANET verification framework. Security is defined by both accuracy and availability: a protocol forms accurate routes and these routes are always accurate. The framework enables exhaustive verification of protocols and results in a counter-example if the protocol is deemed insecure.The framework is applied to models of the Optimized Link-State Routing (OLSR) and Secure OLSR protocol against five attack vectors. These vectors are based on known attacks against each protocol. Vulnerabilities consistent with published findings are automatically revealed. No unknown attacks were found; however, future attack vectors may lead to new attacks.
The new framework for verifying secure MANET protocols extends verification capabilities to table-based and proactive protocols. More work is needed to create attack vectors that reveal unknown attacks against secure protocols, but the framework makes construction of such vectors easy.

关键词：电子信息；信息安全；网络安全；路由协议；验证

查看摘要 索取原文[108页]

A Transportation Research Board (TRB) conference on U.S. and international approaches to performance measurement for transportation systems was conducted May 18 through 20, 2011, at the Arnold and Mabel Beckman Center of the National Academies in Irvine, California. The theme for the fourth in a series of international conferences, driving change and being driven by change, captured the changing environment in which transportation services are delivered as well as the role of performance measurement in delivering these services.

关键词：电子信息；系统；交通；测量

查看摘要 索取原文[118页]

Wireless Reconfigurable Networks (WRN) adapt rapidly and flexibly to network variations, providing advantages to establish efficient communication for emergency operations, disaster relief efforts, and military networks. Security is a necessity where data integrity and confidentiality are exposed to attacks. Security schemes are based on cryptography, providing an expensive and partial defense, since high processing needs are inconvenient for WRN. Hence, the design of a distributed, low cost detection and defense mechanism is important. In this chapter, we present the fundamentals of network coding in WRN, its advantages and how particular problems in wireless networks limit those. We provide an algebraic representation of a distributed, low cost Detection and Defense Mechanism (DDM) that responds to the WRN demands. We evaluate quality of routes involved in the security mechanism, as well as make a selection of the best route for the DDM. The DDM uses network coding to distribute information, and to detect and defend from sink holes and selective forwarding attacks. For performance, we include the number of successful packets, overhead and accuracy in terms of detected attacks and false detections.

关键词：电子信息；信息安全；网络安全；编码

查看摘要 索取原文[34页]

Effective and sufficient support for the transportation of oversized and overweight (OS-OW) loads on the nation's transportation system is important to a vibrant economy. The availability of advanced tools and technologies based on geographic information systems (GIS) has increased considerably the ability of transportation policy makers to analyze vehicle routing data better. The Texas Department of Transportation recently initiated a research effort to analyze the routes of historically permitted OS-OW loads. The primary objectives of this research included the development of criteria for assigning current and projected OS-OW groups to an improved road network, the identification of strategic infrastructure improvements to accommodate such loads, and the development of optimal and alternative routes for priority load groups between the most common origins and destinations. As part of the project, the research team developed a highly efficient GIS-mapping approach and converted a massive data set of OS-OW permit routes into a GIS format. The mapping approach enabled batch processing and directly queried, retrieved, and stored data from and to an Oracle database. This paper presents part of the findings of this research, with a focus on the GIS mapping process of the historical OS-OW permit routes. The GIS approach will be particularly valuable for those states that are, or will be, automating their process for OS-OW permitting through GIS-based tools. In addition, the research provides valuable lessons for other states that are looking for a workable solution to analyze effectively mass historical OS-OW routing data.

关键词：电子信息；系统；地理信息系统；路线映射

查看摘要 索取原文[9页]

The intent of this chapter is to introduce side channel attacks as a significant threat for wireless sensor networks, since in such systems the individual sensor node can be accessed physically and analysed afterwards. Even though such attacks are known for some years, they have never been specifically considered before in the area of WSNs (Wireless Sensor Networks).

关键词：电子信息；信息安全；网络安全；无线传感器；信道攻击

查看摘要 索取原文[26页]