Search Results (50)

Search Parameters:
Keywords = public keys infrastructure (PKI)

25 pages, 1083 KiB  
Article
STALE: A Scalable and Secure Trans-Border Authentication Scheme Leveraging Email and ECDH Key Exchange
by Jiexin Zheng, Mudi Xu, Jianqing Li, Benfeng Chen, Zhizhong Tan, Anyu Wang, Shuo Zhang, Yan Liu, Kevin Qi Zhang, Lirong Zheng and Wenyong Wang
Electronics 2025, 14(12), 2399; https://doi.org/10.3390/electronics14122399 - 12 Jun 2025
Viewed by 421
Abstract
In trans-border data (data transferred or accessed across national jurisdictions) exchange scenarios, identity authentication mechanisms serve as critical components for ensuring data security and privacy protection, with their effectiveness directly impacting the compliance and reliability of transnational operations. However, existing identity authentication systems face multiple challenges in trans-border contexts. Firstly, the transnational transfer of identity data struggles to meet the varying data-compliance requirements across different jurisdictions. Secondly, centralized authentication architectures exhibit vulnerabilities in trust chains, where single points of failure may lead to systemic risks. Thirdly, the inefficiency of certificate verification in traditional Public Key Infrastructure (PKI) systems fails to meet the real-time response demands of globalized business operations. These limitations severely constrain real-time identity verification in international business scenarios. To address these issues, this study proposes a trans-border distributed certificate-free identity authentication framework (STALE). The methodology adopts three key innovations. Firstly, it utilizes email addresses as unique user identifiers combined with a Certificateless Public Key Cryptography (CL-PKC) system for key distribution, eliminating both single-point dependency on traditional Certificate Authorities (CAs) and the key escrow issues inherent in Identity-Based Cryptography (IBC). Secondly, an enhanced Elliptic Curve Diffie–Hellman (ECDH) key-exchange protocol is introduced, employing forward-secure session key negotiation to significantly improve communication security in trans-border network environments. Finally, a distributed identity ledger is implemented, using the FISCO BCOS blockchain, enabling decentralized storage and verification of identity information while ensuring data immutability, full traceability, and General Data Protection Regulation (GDPR) compliance. Our experimental results demonstrate that the proposed method exhibits significant advantages in authentication efficiency, communication overhead, and computational cost compared to existing solutions.

21 pages, 953 KiB  
Article
Security and Performance Analyses of Post-Quantum Digital Signature Algorithms and Their TLS and PKI Integrations
by Manohar Raavi, Qaiser Khan, Simeon Wuthier, Pranav Chandramouli, Yaroslav Balytskyi and Sang-Yoon Chang
Cryptography 2025, 9(2), 38; https://doi.org/10.3390/cryptography9020038 - 4 Jun 2025
Viewed by 1861
Abstract
Quantum computing challenges the mathematical problems anchoring the security of the classical public key algorithms. For quantum-resistant public key algorithms, the National Institute of Standards and Technology (NIST) has undergone a multi-year standardization process and selected the post-quantum cryptography (PQC) public key digital signatures of Dilithium, Falcon, and SPHINCS+. Finding common ground to compare these algorithms can be difficult because of their design differences, including the fundamental math problems (lattice-based vs. hash-based). We use a visualization model to show the key/signature size vs. security trade-offs for all PQC algorithms. Our performance analyses compare the algorithms’ computational loads in the execution time. Building on the individual algorithms’ analyses, we analyze the communication costs and implementation overheads when integrated with Public Key Infrastructure (PKI) and with Transport Layer Security (TLS) and Transmission Control Protocol (TCP)/Internet Protocol (IP). Our results show that the lattice-based algorithms of Dilithium and Falcon induce lower computational overheads than the hash-based algorithms of SPHINCS+. In addition, the lattice-based PQC can outperform the classical algorithm with comparable security strength; for example, Dilithium 2 and Falcon 512 outperform RSA 4096 in the TLS handshake time duration.

25 pages, 2501 KiB  
Article
ECAE: An Efficient Certificateless Aggregate Signature Scheme Based on Elliptic Curves for NDN-IoT Environments
by Cong Wang, Haoyu Wu, Yulong Gan, Rui Zhang and Maode Ma
Entropy 2025, 27(5), 471; https://doi.org/10.3390/e27050471 - 26 Apr 2025
Viewed by 519
Abstract
As a data-centric next-generation network architecture, Named Data Networking (NDN) exhibits inherent compatibility with the distributed nature of the Internet of Things (IoT) through its name-based routing mechanism. However, existing signature schemes for NDN-IoT face dual challenges: resource-constrained IoT terminals struggle with certificate management and computationally intensive bilinear pairings under traditional Public Key Infrastructure (PKI), while NDN routers require low-latency batch verification for high-speed data forwarding. To address these issues, this study proposes ECAE, an efficient certificateless aggregate signature scheme based on elliptic curve cryptography (ECC). ECAE introduces a partial private key distribution mechanism in key generation, enabling the authentication of identity by a Key Generation Center (KGC) for terminal devices. It leverages ECC and universal hash functions to construct an aggregate verification model that eliminates bilinear pairing operations and reduces communication overhead. Security analysis formally proves that ECAE resists forgery, replay, and man-in-the-middle attacks under the random oracle model. Experimental results demonstrate substantial efficiency gains: total computation overhead is reduced by up to 46.18%, and communication overhead is reduced by 55.56% compared to state-of-the-art schemes. This lightweight yet robust framework offers a trusted and scalable verification solution for NDN-IoT environments.
(This article belongs to the Section Information Theory, Probability and Statistics)

17 pages, 892 KiB  
Article
A Blockchain-Based Cross-Domain Authentication Scheme for Unmanned Aerial Vehicle-Assisted Vehicular Networks
by Wenming Wang, Shumin Zhang, Guijiang Liu and Yue Zhao
World Electr. Veh. J. 2025, 16(4), 199; https://doi.org/10.3390/wevj16040199 - 1 Apr 2025
Viewed by 868
Abstract
With the rapid increase in the number of vehicles and the growing demand for low-latency and reliable communication, traditional vehicular network architectures face numerous challenges. Unmanned Aerial Vehicle (UAV)-assisted vehicular networks provide an innovative solution for real-time data transmission and efficient cross-domain communication, significantly enhancing resource allocation efficiency and traffic safety. However, these networks also raise privacy and security concerns. Traditional symmetric key and Public Key Infrastructure (PKI)-based authentication schemes suffer from issues such as key management, certificate verification, and data leakage risks. While blockchain technology has been explored to address these problems, it still suffers from inefficiencies and high computational overhead. This paper proposes a UAV-assisted vehicular network architecture that leverages UAVs as trusted intermediaries for cross-domain authentication, effectively reducing authentication delays and improving scalability. Through ProVerif security proofs and detailed theoretical analysis, the proposed scheme is demonstrated to meet the security requirements of vehicular networks and withstand a broader range of attacks. Performance evaluation results show that the proposed scheme achieves at least a 20% reduction in computational and communication overhead compared to existing schemes, highlighting its significant advantages. Additionally, the average consensus time for the proposed scheme is at least 40% lower than existing schemes. The novelty of the proposed scheme lies in the integration of UAVs as trusted intermediaries with blockchain technology, addressing key management and privacy issues, and providing an efficient and secure solution for high-density vehicular networks.

26 pages, 1108 KiB  
Article
PK-Judge: Enhancing IP Protection of Neural Network Models Using an Asymmetric Approach
by Wafaa Kanakri and Brian King
Big Data Cogn. Comput. 2025, 9(3), 66; https://doi.org/10.3390/bdcc9030066 - 11 Mar 2025
Viewed by 1076
Abstract
This paper introduces PK-Judge, a novel neural network watermarking framework designed to enhance the intellectual property (IP) protection by incorporating an asymmetric cryptographic approach in the verification process. Inspired by the paradigm shift from HTTP to HTTPS in enhancing web security, this work integrates public key infrastructure (PKI) principles to establish a secure and verifiable watermarking system. Unlike symmetric approaches, PK-Judge employs a public key infrastructure (PKI) to decouple ownership validation from the extraction process, significantly increasing its resilience against adversarial attacks. Additionally, it incorporates a robust challenge-response mechanism to mitigate replay attacks and leverages error correction codes (ECC) to achieve an Effective Bit Error Rate (EBER) of zero, ensuring watermark integrity even under conditions such as fine-tuning, pruning, and overwriting. Furthermore, PK-Judge introduces a new requirement based on the principle of separation of privilege, setting a foundation for secure and scalable watermarking mechanisms in machine learning. By addressing these critical challenges, PK-Judge advances the state-of-the-art in neural network IP protection and integrity, paving the way for trust-based AI technologies that prioritize security and verifiability.
(This article belongs to the Special Issue Security, Privacy, and Trust in Artificial Intelligence Applications)

17 pages, 1873 KiB  
Article
A Blockchain Address Generation Method Based on the Improved SM9 Algorithm
by Ruimin Wang, Haolong Fan and Kezhen Liu
Electronics 2025, 14(3), 585; https://doi.org/10.3390/electronics14030585 - 1 Feb 2025
Cited by 1 | Viewed by 957
Abstract
In recent years, governments have regarded blockchain technology as a key breakthrough in independent innovation of core technologies and have attached great importance to its development. In current blockchain solutions, the elliptic curve digital signature algorithm (ECDSA) is usually combined with the Keccak Hash Algorithm 256-bit Variant (keccak256) to generate blockchain addresses. Although the ECDSA algorithm is based on the Public Key Infrastructure (PKI) system, which has prominent issues such as complex deployment processes, high operation and maintenance costs, low efficiency, and difficulties in adapting to a large number of users, it still holds an important position and has a broad application foundation in the field of cryptography. This paper aims to circumvent the existing flaws of the PKI system rather than discarding the strong and well-proven PKI system. Instead, it endeavors to explore the application of the Identity-Based Cryptography (IBC) system in blockchain and reduce dependence on foreign cryptographic algorithms. This study adopts the SM9 algorithm based on the IBC and combines it with the SM3 algorithm to generate blockchain addresses. Considering users’ use, this paper improves the original SM9 algorithm based on the original SM9 algorithm, enabling users to perform functions such as signing and encryption with just a single pair of public and private keys. Experimental results indicate that the time consumed by this proposed scheme in blockchain address generation is 1.29 times that of the existing schemes, and the length of the blockchain addresses generated is the same as that of the existing ones.

23 pages, 1580 KiB  
Review
Exploring Post-Quantum Cryptography: Review and Directions for the Transition Process
by Kanza Cherkaoui Dekkaki, Igor Tasic and Maria-Dolores Cano
Technologies 2024, 12(12), 241; https://doi.org/10.3390/technologies12120241 - 23 Nov 2024
Cited by 8 | Viewed by 12453
Abstract
As quantum computing advances, current cryptographic protocols are increasingly vulnerable to quantum attacks, particularly those based on Public Key Infrastructure (PKI) like RSA or Elliptic Curve Cryptography (ECC). This paper presents a comprehensive review of Post-Quantum Cryptography (PQC) as a solution to protect digital systems in the quantum era. We provide an in-depth analysis of various quantum-resistant cryptographic algorithms, including lattice-based, code-based, hash-based, isogeny-based, and multivariate approaches. The review highlights the National Institute of Standards and Technology (NIST) PQC standardization process, highlighting key algorithms, such as CRYSTALS–Kyber, CRYSTALS–Dilithium, Falcon, and SPHINCS+, and discusses the strengths, vulnerabilities, and implementation challenges of the leading algorithms. In addition, we explore transition strategies for organizations, emphasizing hybrid cryptography to ensure backward compatibility during migration. This study offers key insights into the future of cryptographic standards and the critical steps necessary to prepare for the transition from classical to quantum-resistant systems.
(This article belongs to the Section Information and Communication Technologies)

19 pages, 5469 KiB  
Article
Privately Generated Key Pairs for Post Quantum Cryptography in a Distributed Network
by Mahafujul Alam, Jeffrey Hoffstein and Bertrand Cambou
Appl. Sci. 2024, 14(19), 8863; https://doi.org/10.3390/app14198863 - 2 Oct 2024
Cited by 4 | Viewed by 1599
Abstract
In the proposed protocol, a trusted entity interacts with the terminal device of each user to verify the legitimacy of the public keys without having access to the private keys that are generated and kept totally secret by the user. The protocol introduces challenge–response–pair mechanisms enabling the generation, distribution, and verification of cryptographic public–private key pairs in a distributed network with multi-factor authentication, tokens, and template-less biometry. While protocols using generic digital signature algorithms are proposed, the focus of the experimental work was to implement a solution based on Crystals-Dilithium, a post-quantum cryptographic algorithm under standardization. Crystals-Dilithium generates public keys consisting of two interrelated parts, a matrix generating seed, and a vector computed from the matrix and two randomly picked vectors forming the secret key. We show how such a split of the public keys lends itself to a two-way authentication of both the trusted entity and the users.
(This article belongs to the Special Issue Recent Progress of Information Security and Cryptography)

28 pages, 12031 KiB  
Article
Key Synchronization Method Based on Negative Databases and Physical Channel State Characteristics of Wireless Sensor Network
by Haoyang Pu, Wen Chen, Hongchao Wang and Shenghong Bao
Sensors 2024, 24(19), 6217; https://doi.org/10.3390/s24196217 - 25 Sep 2024
Viewed by 930
Abstract
Due to their inherent openness, wireless sensor networks (WSNs) are vulnerable to eavesdropping attacks. Addressing the issue of secure Internet Key Exchange (IKE) in the absence of reliable third parties like CA/PKI (Certificate Authority/Public Key Infrastructure) in WSNs, a novel key synchronization method named NDPCS-KS is proposed in the paper. Firstly, through an initial negotiation process, both ends of the main channels generate the same initial key seeds using the Channel State Information (CSI). Subsequently, negotiation keys and a negative database (NDB) are synchronously generated at the two ends based on the initial key seeds. Then, in a second-negotiation process, the NDB is employed to filter the negotiation keys to obtain the keys for encryption. NDPCS-KS reduced the risk of information leakage, since the keys are not directly transmitted over the network, and the eavesdroppers cannot acquire the initial key seeds because of the physical isolation of their eavesdropping channels and the main channels. Furthermore, due to the NP-hard problem of reversing the NDB, even if an attacker obtains the NDB, deducing the initial key seeds is computationally infeasible. Therefore, it becomes exceedingly difficult for attackers to generate legitimate encryption keys without the NDB or initial key seeds. Moreover, a lightweight anti-replay and identity verification mechanism is designed to deal with replay attacks or forgery attacks. Experimental results show that NDPCS-KS has less time overhead and stronger randomness in key generation compared with other methods, and it can effectively counter replay, forgery, and tampering attacks.
(This article belongs to the Section Sensor Networks)

52 pages, 2867 KiB  
Article
A Blockchain and PKI-Based Secure Vehicle-to-Vehicle Energy-Trading Protocol
by Md Sahabul Hossain, Craig Rodine and Eirini Eleni Tsiropoulou
Energies 2024, 17(17), 4245; https://doi.org/10.3390/en17174245 - 25 Aug 2024
Viewed by 1581
Abstract
With the increasing awareness for sustainable future and green energy, the demand for electric vehicles (EVs) is growing rapidly, thus placing immense pressure on the energy grid. To alleviate this, local trading between EVs should be encouraged. In this paper, we propose a blockchain and public key infrastructure (PKI)-based secure vehicle-to-vehicle (V2V) energy-trading protocol. A permissioned blockchain utilizing the proof of authority (PoA) consensus and smart contracts is used to securely store data. Encrypted communication is ensured through transport layer security (TLS), with PKI managing the necessary digital certificates and keys. A multi-leader, multi-follower Stackelberg game-based trade algorithm is formulated to determine the optimal energy demands, supplies, and prices. Finally, we propose a detailed communication protocol that ties all the components together, enabling smooth interaction between them. Key findings, such as system behavior and performance, scalability of the trade algorithm and the blockchain, smart contract execution costs, etc., are presented through numerical results by implementing and simulating the protocol in various scenarios. This work not only enhances local energy trading among EVs, encouraging efficient energy usage and reducing burden on the power grid, but also paves a way for future research in sustainable energy management.
(This article belongs to the Section K: State-of-the-Art Energy Related Technologies)

35 pages, 1616 KiB  
Article
Decentralized Zone-Based PKI: A Lightweight Security Framework for IoT Ecosystems
by Mohammed El-Hajj and Pim Beune
Information 2024, 15(6), 304; https://doi.org/10.3390/info15060304 - 24 May 2024
Cited by 5 | Viewed by 2225
Abstract
The advent of Internet of Things (IoT) devices has revolutionized our daily routines, fostering interconnectedness and convenience. However, this interconnected network also presents significant security challenges concerning authentication and data integrity. Traditional security measures, such as Public Key Infrastructure (PKI), encounter limitations when applied to resource-constrained IoT devices. This paper proposes a novel decentralized PKI system tailored specifically for IoT environments to address these challenges. Our approach introduces a unique “zone” architecture overseen by zone masters, facilitating efficient certificate management within IoT clusters while reducing the risk of single points of failure. Furthermore, we prioritize the use of lightweight cryptographic techniques, including Elliptic Curve Cryptography (ECC), to optimize performance without compromising security. Through comprehensive evaluation and benchmarking, we demonstrate the effectiveness of our proposed solution in bolstering the security and efficiency of IoT ecosystems. This contribution underlines the critical need for innovative security solutions in IoT deployments and presents a scalable framework to meet the evolving demands of IoT environments.
(This article belongs to the Special Issue Hardware Security and Trust)

29 pages, 3268 KiB  
Article
A Certificateless Verifiable Bilinear Pair-Free Conjunctive Keyword Search Encryption Scheme for IoMT
by Weifeng Long, Jiwen Zeng, Yaying Wu, Yan Gao and Hui Zhang
Electronics 2024, 13(8), 1449; https://doi.org/10.3390/electronics13081449 - 11 Apr 2024
Cited by 4 | Viewed by 1269
Abstract
With superior computing power and efficient data collection capability, Internet of Medical Things (IoMT) significantly improves the accuracy and convenience of medical work. As most communications are over open networks, it is critical to encrypt data to ensure confidentiality before uploading them to cloud storage servers (CSSs). Public key encryption with keyword search (PEKS) allows users to search for specific keywords in ciphertext and plays an essential role in IoMT. However, PEKS still has the following problems: 1. As a semi-trusted third party, the CSSs may provide wrong search results to save computing and bandwidth resources. 2. Single-keyword searches often produce many irrelevant results, which is undoubtedly a waste of computing and bandwidth resources. 3. Most PEKS schemes rely on bilinear pairings, resulting in computational inefficiencies. 4. Public key infrastructure (PKI)-based or identity-based PEKS schemes face the problem of certificate management or key escrow. 5. Most PEKS schemes are vulnerable to offline keyword guessing attacks, online keyword guessing attacks, and insider keyword guessing attacks. We present a certificateless verifiable and pairing-free conjunctive public keyword searchable encryption (CLVPFC-PEKS) scheme. An efficiency analysis shows that the performance advantage of the new scheme is far superior to that of the existing scheme. More importantly, we provide proof of security under the standard model (SM) to ensure the reliability of the scheme in practical applications.
(This article belongs to the Special Issue Data Privacy in IoT Networks)

32 pages, 684 KiB  
Review
A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments
by Julian Göppert, Andreas Walz and Axel Sikora
J. Sens. Actuator Netw. 2024, 13(2), 26; https://doi.org/10.3390/jsan13020026 - 10 Apr 2024
Cited by 3 | Viewed by 2677
Abstract
Driven by the Industry 4.0 paradigm and the resulting demand for connectivity in industrial networking, there is a convergence of formerly isolated operational technology and information technology networks. This convergence leads to attack surfaces on industrial networks. Therefore, a holistic approach of countermeasures is needed to protect against cyber attacks. One element of these countermeasures is the use of certificate-based authentication for industrial components communicating on the field level. This in turn requires the management of certificates, private keys, and trust anchors in the communication endpoints. The work at hand surveys the topic of certificate management in industrial networking environments throughout their life cycle, from manufacturing until their disposal. To the best of the authors’ knowledge, there is no work yet that surveys the topic of certificate management in industrial networking environments. The work at hand considers contributions from research papers, industrial communication standards, and contributions that originate from the IT domain. In total, 2042 results from IEEE Xplore, Science Direct, Scopus, and Springer Link were taken into account. After applying inclusion and exclusion criteria and title, abstract, and full-text analysis, 20 contributions from research papers were selected. In addition to the presentation of their key contributions, the work at hand provides a synopsis that compares the overarching aspects. This comprises different proposed entity architectures, certificate management functions, involvement of different stakeholders, and consideration of life cycle stages. Finally, research gaps that are to be filled by further work are identified. While the topic of certificate management has already been addressed by the IT domain, its incorporation into industrial communication standards began significantly later and is still the subject of research work.
(This article belongs to the Section Network Security and Privacy)

27 pages, 1633 KiB  
Article
A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of Trust
by Ratna Halder, Dipanjan Das Roy and Dongwan Shin
J. Cybersecur. Priv. 2024, 4(2), 196-222; https://doi.org/10.3390/jcp4020010 - 31 Mar 2024
Cited by 2 | Viewed by 3691
Abstract
Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs.
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)

24 pages, 1720 KiB  
Article
Toward Sensor Measurement Reliability in Blockchains
by Ernesto Gómez-Marín, Luis Parrilla, Jose L. Tejero López, Diego P. Morales and Encarnación Castillo
Sensors 2023, 23(24), 9659; https://doi.org/10.3390/s23249659 - 6 Dec 2023
Cited by 2 | Viewed by 1554
Abstract
In this work, a secure architecture to send data from an Internet of Things (IoT) device to a blockchain-based supply chain is presented. As is well known, blockchains can process critical information with high security, but the authenticity and accuracy of the stored and processed information depend primarily on the reliability of the information sources. When this information requires acquisition from uncontrolled environments, as is the normal situation in the real world, it may be, intentionally or unintentionally, erroneous. The entities that provide this external information, called Oracles, are critical to guarantee the quality and veracity of the information generated by them, thus affecting the subsequent blockchain-based applications. In the case of IoT devices, there are no effective single solutions in the literature for achieving a secure implementation of an Oracle that is capable of sending data generated by a sensor to a blockchain. In order to fill this gap, in this paper, we present a holistic solution that enables blockchains to verify a set of security requirements in order to accept information from an IoT Oracle. The proposed solution uses Hardware Security Modules (HSMs) to address the security requirements of integrity and device trustworthiness, as well as a novel Public Key Infrastructure (PKI) based on a blockchain for authenticity, traceability, and data freshness. The solution is then implemented on Ethereum and evaluated regarding the fulfillment of the security requirements and time response. The final design has some flexibility limitations that will be approached in future work.