Wenmin Li

Circuit Ciphertext-Policy Attribute-Based Hybrid Encryption with Verifiable Delegation in Cloud Computing

In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation, the cloud servers could tamper or replace the delegated ciphertext and respond a forged computing result with malicious intent. They may also cheat the eligible users by responding them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables to achieve the strongest form of access control, a construction for realizing circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and encrypt-then-mac mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution.

Secure Privacy-Preserving Biometric Authentication Scheme for Telecare Medicine Information Systems

Healthcare delivery services via telecare medicine information systems (TMIS) can help patients to obtain their desired telemedicine services conveniently. However, information security and privacy protection are important issues and crucial challenges in healthcare information systems, where only authorized patients and doctors can employ telecare medicine facilities and access electronic medical records. Therefore, a secure authentication scheme is urgently required to achieve the goals of entity authentication, data confidentiality and privacy protection. This paper investigates a new biometric authentication with key agreement scheme, which focuses on patient privacy and medical data confidentiality in TMIS. The new scheme employs hash function, fuzzy extractor, nonce and authenticated Diffie-Hellman key agreement as primitives. It provides patient privacy protection, e.g., hiding identity from being theft and tracked by unauthorized participant, and preserving password and biometric template from being compromised by trustless servers. Moreover, key agreement supports secure transmission by symmetric encryption to protect patient’s medical data from being leaked. Finally, the analysis shows that our proposal provides more security and privacy protection for TMIS.

An anonymous and efficient remote biometrics user authentication scheme in a multi server environment

As service demands rise and expand single-server user authentication has become unable to satisfy actual application demand. At the same time identity and password based authentication schemes are no longer adequate because of the insecurity of user identity and password. As a result biometric user authentication has emerged as a more reliable and attractive method. However, existing biometric authentication schemes are vulnerable to some common attacks and provide no security proof, some of these biometric schemes are also either inefficient or lack sufficient concern for privacy. In this paper, we propose an anonymous and efficient remote biometric user authentication scheme for a multi-server architecture with provable security. Through theoretical mathematic deduction, simulation implementation, and comparison with related work, we demonstrate that our approach can remove the aforementioned weaknesses and is well suited for a multi-server environment.

An Improved Biometrics-Based Authentication Scheme for Telecare Medical Information Systems

Telecare medical information system (TMIS) offers healthcare delivery services and patients can acquire their desired medical services conveniently through public networks. The protection of patients’ privacy and data confidentiality are significant. Very recently, Mishra et al. proposed a biometrics-based authentication scheme for telecare medical information system. Their scheme can protect user privacy and is believed to resist a range of network attacks. In this paper, we analyze Mishra et al.’s scheme and identify that their scheme is insecure to against known session key attack and impersonation attack. Thereby, we present a modified biometrics-based authentication scheme for TMIS to eliminate the aforementioned faults. Besides, we demonstrate the completeness of the proposed sche-me through BAN-logic. Compared to the related schemes, our protocol can provide stronger security and it is more practical.

Passive RFID-supported source location privacy preservation against global eavesdroppers in WSN

Source location privacy is one of the most challenging issues in WSN applications. Some of existing solutions defend the leakage of location information from a limited local adversary who can only observe network traffic in small region, while the global adversary can monitor the entire network traffic. Meanwhile, most of the previous works ignore the categories of RFID. In this paper, we propose a scheme named General Fake Source (GFS) against a global adversary. It supports the passive RFID, which has no battery, cannot send a signal actively. Through simulations, we show that GFS well unifies the behavior of real and fake data sources and provides trade-offs between privacy and energy consume for source location privacy in WSN.

Succinct multi-authority attribute-based access control for circuits with authenticated outsourcing

Multi-authority attribute-based access control (MABAC), which allows different independent authorities to distribute secret keys, could be adopted to control access and keep data confidential. To circumvent efficiency drawbacks during the decryption, the notion of MABAC with outsourcing is applied. However, untrusted cloud server may respond a forged transformation or deceive a permissioned user with a terminator altogether. In addressing the above issue, a construction of circuit MABAC with authenticated outsourcing is considered, which enjoys succinct ciphertext and realizes the most flexible form of expression up to now. In such a scheme, combined MABAC with two types of authenticated messages (a publicly verifiable message and a privately verifiable one), both the fine-grained data access and the authenticity of the outsourcing are well guaranteed. Furthermore, the security and authentication of the proposed scheme are intensively proved. For the sake of completeness, we then simulate the scheme and show that it is appropriate for cloud computing.

Secure multi-keyword ranked search over encrypted cloud data for multiple data owners

Abstract Secure multi-keyword ranked search over outsourced cloud data has become a hot research field. Most existing works follow the model of “Single Owner”, which just supports searching on the outsourced data belong to only one data owner. But the more realistic scenario is “Multiple Owners”, users could search on all datasets outsourced by different data owners. However, directly extending “Single Owner” schemes into “Multiple Owners” scenario still face the major two challenges: (1) the inconvenient key management and the resulting high communication cost; (2) due to the different authorities of owners, the qualities of documents are also different even if they are about the similar topic, but current rank functions in this area cannot rank documents based on their qualities. In this paper, we propose a secure multi-keyword ranked search scheme for multiple data owners. A trusted third party is imported to solve the problem of key management. We exploit the vector space model for generating index and query, and our new-designed KDO algorithm is utilized for providing keyword weight, so that the rank function not only considers about the relevance between query and document, but also takes into account the document quality. In order to protect privacy for both owners and users, the Asymmetric Scalar-product Preserving Encryption approach is utilized for encrypting weighted index and query. Besides, we construct the Grouped Balanced Binary tree index, which could further improve the search efficiency by Greedy Depth-first search algorithm. Extensive experiments demonstrate that our proposed scheme is secure, accurate and efficient.

A Three-Factor Based Remote User Authentication Scheme: Strengthening Systematic Security and Personal Privacy for Wireless Communications

Anonymous remote user authentication plays more and more important role in wireless personal communication networks to guarantee systematic security and personal privacy. However, as promising as it is, security and privacy issues have seriously challenged user experience and system performance in the authentication schemes for a long time. In this paper, we propose a remote user authentication scheme for wireless communication networks. Our proposal employs the personal workstation as a trusted proxy to preserve perfect user privacy, while maintaining system security. It not only provides mutual authentication with key agreement mechanism, but also keeps user’ privacy private in a reliable domain. In addition, the technologies of Bluetooth (or Wifi) improve user experience and improve user friendliness in three-factor based authentication schemes. Moreover, our scheme supports flexible user login and security level. Finally, the security proof and performance analysis show that our scheme is more efficient and practical.

Offline Password Guessing Attacks on Smart-Card-Based Remote User Authentication Schemes

Password as an easy-to-remember credential plays an important role in remote user authentication schemes, while drawing from a space so small that an adversary may exhaustively search all possible candidate passwords to guess the correct one. In order to enhance the security of the password authentication scheme, smart card is introduced as the second factor to construct two-factor authentication scheme. However, we find out that two latest smart-card-based password authentication schemes are vulnerable to offline password guessing attacks under the definition of secure two-factor authentication. Furthermore, in order to show the serious consequence of offline password guessing attacks, we illustrate that the password compromise impersonation attacks as further threats are effective to break down the authentication schemes. Finally, we conclude the reasons why these weaknesses exist and present our improved ideas to avoid these problems in the future.

Adaptively Secure Broadcast Encryption With Constant Ciphertexts

In this paper, we present a new public key broadcast encryption (BE) for achieving adaptive security against arbitrary number of colluders. Specifically, our scheme is built from composite order multilinear maps and enjoys ciphertext overhead of a constant number of group elements which are O (1) bits. Furthermore, the private key size and public key size are all poly-logarithmic in the total number of users. Herein, we generalize the methodology of Lewko and Waters for realizing dual system encryption to the composite order multilinear groups, and then prove the adaptive security of our scheme under static assumptions in the standard model. Compared with the state-of-the-art, our scheme achieves the adaptive security in simple and non-interactive falsifiable assumptions with the optimized parameter size for BE.