424results about How to "Prevent replay attacks" patented technology

Apparatus and methods perform transactions in a secure environment between an individual and another party, such as a merchant, in various embodiments. The individual possesses a mobile electronic device, such as a smartphone, that can encrypt data according to a public key infrastructure. The individual authenticates the individual's identity to the device, thereby unlocking credentials that may be used in a secure transaction. The individual causes the device to communicate the credentials, in a secure fashion, to an electronic system of a relying party, in order to obtain the relying party's authorization to enter the transaction. The relying party system determines whether to grant the authorization, and communicates the grant and the outcome of the transaction to the device using encryption according to the public key infrastructure.

A system and method to ensure that a remote computer making a VPN connection complies with network security policies. Server-driven security checks may be configured to verify compliance with each access level before access is granted at that level. The security checks may be selected based at least according to the information received from the remote computer. After the server determines that the remote computer complies with the security policy for the requested access level, the server may pass a token to the remote computer, or may grant VPN access to the remote computer. If the remote computer does not comply with the security policy associated with the requested access level but is in compliance with a security policy corresponding to a lower access level, the server may grant the remote computer access to the lower access level.

The method includes steps: communication opposite terminal (COT) sends the request end information received from the request end to the key management center (KMC); based on the request end information, KMC validates ID of the request end; after validating validity of the request end, KMC creates shared cipher key for COT and the request end based on the request end information, and self prearranged security information; KMC down sends the created shared cipher key as information of cipher key to COT; using the said shared cipher key, the request end and COT carry out security communication. The invention also discloses device for security communication between terminal devices. Guaranteeing security communication between terminal devices, the invention especially guarantees security communication between ME/UICC/PE and PE.

The present invention provides a bi-direction authentication method and system which belongs to the field of network communication. The present invention aims at solving the problems that certificate management in present private key authority technology is complex and the certificate management can not protect the identity of the users. The present invention provides a bi-direction authority method. The present invention includes the procedures of the system initialization and generating system parameters, an applicant initializing a dialogue request to establish connection with an authorization server, the applicant and the authorization server mutually check identity and generate a pair of main key which is used for the four-procedure-hand-shaking. The present invention also provides a bi-direction authorization system. The system includes a parameter initialization module, an establishing dialogue connecting module, a server identity verification module and an applicant identify verification. Applications of the technical proposal of the present invention can reduce the establishing and maintenance cost of the system, to enhance the running efficiency of the system, and to realize the target of protecting applicants.

A method and apparatus for performing SIM-based authentication and authorization in a WLAN Internet Service Provider (WISP) network supporting the universal access method (UAM) of authentication and authorization enabling roaming for customers of mobile service providers onto said networks. In addition, the invention provides a secure way of authenticating the customer's client device to the mobile service provider's network by employing temporary credentials for authentication that provide privacy of the user's identity and prevent replay attacks. Finally, if the WISP network supports the ‘pass-through’ facility, the authentication can be done more securely and quickly.

The invention relates to the field of commutation and discloses an authentication and key negotiation method, an authentication method, a system and a device, which leads a user card to be capable of resisting the playback attack during the process of an AKA under the situation of not supporting SQN storing. In the invention, when a network side receives the authentication request of a terminal, a random number, a first sequence number SQN1 and a first authentication code MAC are sent to the terminal according to the shared key, the random number and the first authentication code MAC generated by the first sequence number SQN1, the first authentication code MAC represents the current system time at the network side; if a second authentication code XMAC is the same as the first authentication code MAC, and the difference value of a second sequence number SQN2 representing the current system time at the terminal side and the first sequence number SQN1 meet a preset condition, the terminal determines the network side legal according to the key shared with the network side, the received random number and the first authentication code MAC generated by the first sequence number SQN1.

The invention discloses a method for safety communication of ECUs (Electronic Control Unit) in a CAN (controller area network) bus, which comprises the steps that: 1, a system model is established; 2, an GECU (Gateway Electronic Control Unit) loads a session key into a safety storage of the GECU; 3, the GECU carries out session key distribution on each ECU in the CAN bus; 4, a receiver ECUr carries out authentication on an encrypted data frame sent by a sender ECUs; 5, the GECU updates an encryption key and an authentication key which are used for communication, wherein update is mainly divided into two stages of in-vehicle ECU key update and key update when a connection of external equipment is released; and 6, when a vehicle is connected with the external equipment, designing an additional authentication and key distribution method so as to ensure legality of the accessed external equipment. According to the method disclosed by the invention, calculation cost can be obviously reduced, and a load of the CAN bus is reduced; and optimization is carried out for a key distribution protocol in the in-vehicle CAN bus, a key update problem generated when the external equipment is connected and released is considered, a counter is used for generating a random number to change a parameter for key generation, and a relay attack is effectively prevented.

The invention discloses a disordered transaction control method based on a block chain account model. The disordered transaction control method based on a block chain account model is characterized in that based on an account model, a user utilizes a unique ID (such as UUID) taken from an increment digital number as the unique identifier for transaction; a node determines whether the behavior of double expenditure exists by determining whether a new transaction ID exists in a historical transaction ID list of the user; an order dependence relationship does not exist between the transaction IDs; an accounting node can packing the transactions into blocks in any order; and the successive dependence relationship of the service layer between the transactions can be guaranteed when a client issues a transaction without influencing disordered packing of the accounting node. The disordered transaction control method based on a block chain account model utilizes the unique ID to prevent double expenditure and playback attack, enables the transaction to not depend on the fixed order, and can use a disordered mode to directly enters the chain, thus satisfying the scene requirement for single-account high concurrent transaction of the client, and avoiding the situation that other transactions are postponed after the transactions are lost in the past.

The application provides a network communication method, a system, a server and a terminal based on HTTP (Hypertext Transfer Protocol), aiming at resisting replay attack in HTTP network communication. The network communication method comprises the steps of sending a first time stamp to the terminal according to a terminal request; receiving network request information sent by the terminal, wherein the network request information includes the first time stamp and corresponding time stamp ciphertext, and the time stamp ciphertext is generated by encrypting algorithm factor containing the first time stamp according to a preset encryption algorithm at the terminal; and verifying whether the time stamp ciphertext is in effect or not according to the preset encryption algorithm, if no, judging the network request information is an invalid request. By verifying the validity and effectiveness of the time stamp ciphertext containing time stamp information, the possibility that the time stamp information in the network request is tampered can be further prevented, and occurrence of network replay attack can be avoided.

A block chain identity system comprises a client and a cloud, wherein the client consists of a radio frequency reading module, a computing platform, a touch screen module, a communication module and an intelligent identity card, the cloud consists of a block chain multi-node network which comprises a data block chain and a multi-node network, and the multi-node network takes charge of coordination with the client to complete an identity generation process and an identity authentication process. The authentication system uses an intelligent identity card to guarantee safety of a user identity, transmitted information is transmitted after being encrypted and cannot be leaked in the transmission process, the validity of two times of authentication is guaranteed, and unnecessary attacks in the authentication process are avoided.

The invention discloses a bidirectional identity authentication method for a wireless sensor network node. Double authentication parties in the identity authentication process need to generate the corresponding physical un-duplicated function (PUF) response according to the challenge provided by the opposite party, and the PUF can not be partitioned with a chip in the node and can not be duplicated, so the node can not be duplicated and attacked; a disposable random number is set in a packet sent by the node during applying for authentication every time, and a signature message is related with the random number, so replay attack of an attacker is avoided; and meanwhile, triple information related with the authentication in the node and the PUF are positioned in the same chip, so even if the attacker acquires the information, other nodes in the network can not be threatened because the PUF property is destroyed.

The application discloses a voice playback detection method and device. The method comprises the steps of establishing a user channel model according to the reserved training voice of a target user; calculating the trust degree score of the to-be-recognized voice on the user channel model; if the trust degree score is less than a set threshold value, determining that the to-be-recognized voice needs to play back, and the return authentication is unsuccessful; on the contrary, passing the playback detection, thereby solving the voice playback attack problem in a current voiceprint recognition technology.

The invention discloses an identity authentication server and an identity authentication token, wherein the identity authentication server comprises a standard FIDO server and a storage space for storing keys, namely, a database, which are connected with each other; the identity authentication token is based on physical unclonable and the FIDO U2F protocol and comprises a U2F module, and a PUF module,a TRNG module, a USB module and an interaction module, which are connected with the U2F module, and a touch module connected with the interaction module; and an identity token interacts with a client browser, and the client browser in turn interacts with an FIDO server in the authentication server. According to the identity authentication server disclosed by the invention, the physical unclonable function is combined with the FIDO, the uniqueness and non-replicability of the token are ensured by the physical unclonable function, and the accuracy of the user identity and the non-defective modification and non-repudiation of the operation are ensured by the FIDO.

The embodiment of the invention discloses a terminal authentication method and device based on single sign-on. The method comprises the following steps: a single sign-on server receives log-on evidence generated by a terminal to be authenticated carried in an authentication request of the terminal, wherein the log-on evidence at least comprises a serial number and verification information, the serial number is generated according to an initial random number distributed for the terminal by the single sign-on server and the cumulative number of terminal authentication, and the verification information is generated according to a shared key between the terminal and the single sign-on server; the single sign-on server judges that the terminal to be authenticated passes authentication if the serial number of the terminal to be authenticated is matched with the serial number of a terminal recorded by the single sign-on server; and otherwise, the authentication of the terminal to be authenticated fails. By adopting the method and the device, replay attack is prevented, and the singe log-on efficiency is increased.

The invention discloses a bidirectional identity authentication method based on dynamic password and biologic features under cloud environment, wherein a plurality of authentication methods and encryption technologies are comprehensively used, a one-time random key is obtained by receiving messages, the bidirectional authentication is realized, a user can login anywhere, finish registration process on net, and has no need to register information at designated location. According to the bidirectional identity authentication method based on dynamic password and biologic features under cloud environment, the one-time dynamic password is combined with the biological features, secret key is transmitted to GSM (Global System for Mobile Communication), and accordingly, security and reliability of authentication process are enhanced.

The invention provides an efficient anonymous identity authentication method in an Internet of Vehicles environment, and belongs to the technical field of Internet of Vehicles security. According to the technical scheme, the method comprises the following steps of vehicle offline registration, online registration and rapid identity authentication. The method has the beneficial effects that a temporary identity certificate Token mechanism is set, so that the authentication efficiency is improved while the vehicle anonymous two-way communication is realized; a block chain distributed account book mode is utilized, so that data traceability and tamper resistance are guaranteed, and the problems of relatively low identity authentication efficiency, easiness in attack and the like caused by traditional PKI authentication centralization of the Internet of Vehicles are solved; the combination of the blockchain PBFT consensus mechanism and the smart contract greatly reduces the authenticationtime delay of the traditional method.

Disclosed is a method of preventing a replay attack during a handoff in a communication system using a Mobile IPv6 protocol. A mobile node creates a CoA (Care of Address) by handoff and sends the CoA to a correspondent node, thereby creating a binding entry. Upon receipt of a binding update message including a HoA and a CoA from the mobile node or an attacker, the correspondent node searches a binding cache for a binding entry having the same HoA (Home Address) and CoA as included in the binding update message. If it is determined that the binding entry has the same respective HoA and CoA as contained in the binding update message, the correspondent node checks a Used field of the binding entry. If it is determined that the Used field of the binding entry is equal to a predetermined value, the correspondent node sends a reauthentication command message to the mobile node.

Secure site-to-site transactional communication between at least two network servers coupled to a data communication network, including secure registration by an authentication server associated with a multi-site user authentication system. A network server receives a request via a browser f of a client computer. In response, the network server initiates a transaction with the authentication server and defines a data structure, such as a query string, associated with the transaction. The network server also generates a digital signature of the data structure and then adds it to the data structure before directing the client computer from the network server to the authentication server with the data structure and the added digital signature. The network server also adds an index to the data structure. The index is associated with the transaction and unique, per transaction, to the network server initiating the transaction.

The invention provides a method for authenticating identification among peer-to-peer nodes in a P2P network. Each peer-to-peer node in the P2P network has a certificate which is acquired when a user node logs on the network through a certificate server, and the certificate comprises an encryption result of a private key of the certificate server to a public key of the user node. The method comprises the following steps: a first user node transmits an identification authentication message to a second user node in the network, wherein the identification authentication message comprises a certificate of the first user node and the public key of the first user node; a second user node authenticates identification of the first user node by the identification authentication message, after authentication succeeds, the identification authentication message is returned to the first user node, wherein the identification authentication message comprises a certificate of the second user node and the public key of the second user node; and the first user node authenticates the identification of the second user node by the identification authentication message returned by the second user node, and if the authentication succeeds, identification authentication between two user nodes succeeds.

Provided are a method and an attestation system for preventing an attestation replay attack. The method for preventing an attestation replay attack in an attestation system including an attestation target system and an attestation request system, the method including: measuring associated components when an event that affects the integrity of the attestation target system occurs; perceiving own identity information and verifying the perceived identity information; extending the measured component and the identity information into a register and logging the measured component and the identity information; generating an attestation response message including values of the log and the register when an attestation request message is received from the attestation request system; and transmitting the generated attestation response message to the attestation request system. Therefore, the method and an attestation system may be useful to provide an additional simple mathematical operation in verifying an attestation message by preventing an attestation replay attack, and thus to minimize performance degradation in the attestation system, compared to the conventional attestation processing mechanisms.

The method for realizing secure transmission of an Automatic Dependent Surveillance Broadcast Information includes: (1) a three-level vertical management system is constructed according to the Aviation Management & Controlling Center, the flight information region and the control area subordinated to the flight information center; the lowest level is ADS-B user belonging to each control area, and the ADS-B user communicates with the control area server that ADS-B user belongs to by means of independent mutual certification mode; (2) at the beginning stage of the planning air line safety period, the Aviation Management & Controlling Center allots a temporary identity for the ADS-B user, establishes a mapping relationship from the temporary identity to a true identity and send the mapping relationship to the administration of the flight information region which the ADS-B user planning air line passes through; before the ADS-B user takes off, the administration of the control area that the ADS-B user belongs to secretly provides the ADS-B user with the temporary user identity and double factor symmetric-key in the server, and public key information of the server identification and the server message authentication code of the ground server near the planning air line. The invention can effectively resist a plurality of active attacks, realize security certification and ensure the safety of ADS-B information transmission.

The invention relates to the technical field of communications, and discloses an information transmission method, a client, a server and a computer readable storage medium. The method comprises the following steps: receiving user information input by a user; sending first login request information to the server; receiving response information returned by the server, the response information carrying first encrypted information, and the first encrypted information being information acquired by encrypting a random number generated by the server by an encryption key; decrypting the first encrypted information through the encryption key to acquire the random number, the encryption key being acquired by the client and the server respectively from own local sides; encrypting the random number and a password to acquire second encrypted information; and sending second login request information to the server, the second login request information carrying a user name and the second encrypted information. Verification information for each login is different, so that a replay attack can be prevented; and furthermore, the encryption key is not required to be subjected to network switching between the client and the server, so that the security of the encryption key is guaranteed.