Analysis and improvements of a remote authentication scheme
Abstract (translated from the Chinese): Password authentication is a practical method for remote identity authentication. This paper analyses the security of a previously proposed password authentication scheme using smart cards and shows that it is insecure. It cannot resist a parallel session attack: an attacker can use intercepted information to construct a valid login message, impersonate a legitimate user, and pass authentication to obtain that user's authority without knowing the password. It cannot resist a timestamp-modification attack: an attacker can alter the timestamp of an intercepted message to impersonate a legitimate user logging in to the remote host, or to impersonate the remote host itself. An improved smart-card password authentication scheme is then given that introduces a login counter and uses a different key for each card. The improved scheme lets users choose and change their own passwords and provides mutual authentication; it resists replay attacks and insider attacks and has strong security reparability; and it resists parallel session and timestamp-modification attacks, giving better security.

Abstract: Password authentication is a promising and practical solution to remote user authentication. The security of a previously proposed password authentication scheme using smart cards is analysed, and the scheme is shown to have two weaknesses. It cannot resist a parallel session attack: an intruder who does not know the user's password can masquerade as a legitimate user by assembling a valid login message from eavesdropped communication, pass the authentication phase, and gain the authority of that user. It is also vulnerable to a changing-timestamps attack: by altering the timestamps of eavesdropped messages, an intruder can masquerade as a legitimate user or impersonate a valid authentication system. An enhanced password authentication scheme using smart cards is then proposed that strengthens security with a login counter and a different key for each card. The enhanced scheme has the following merits: users can freely choose and change their passwords; the two parties authenticate each other; it resists message replay and insider attacks; it has strong security reparability through extended identities and smart cards; and it withstands the parallel session and changing-timestamps attacks.
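The abstract names the two defenses of the improved scheme, a login counter and one key per card, without reproducing the protocol messages. The following is an added illustration, not the scheme from the paper or any of its references: a constructed verifier that checks only a MAC over a timestamp within a tolerance window is compared with one that also requires a strictly increasing per-user counter. The key material, the 60-second window, the user names and the message fields are all assumptions made for the example.

```python
"""Constructed comparison of a timestamp-windowed login check with a
login-counter check using one key per card. This is illustrative code,
not the scheme analysed in the paper, whose messages are not reproduced."""
import hashlib
import hmac

WINDOW = 60  # seconds of clock skew the timestamp verifier tolerates (assumption)


def tag(key: bytes, *fields) -> str:
    """HMAC-SHA256 over the login fields, standing in for the card's computation."""
    data = b"|".join(str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TimestampServer:
    """Accepts (uid, T, MAC) whenever T lies within WINDOW of the server clock.
    Nothing stops a captured message from being accepted a second time."""

    def __init__(self, keys: dict):
        self.keys = keys

    def login(self, uid: str, ts: int, mac: str, now: int) -> bool:
        key = self.keys.get(uid)
        if key is None or abs(now - ts) > WINDOW:
            return False
        return hmac.compare_digest(mac, tag(key, uid, ts))


class CounterServer:
    """Accepts (uid, n, MAC) only when n exceeds the last counter seen for uid
    and the MAC binds n, so a captured or counter-edited message is rejected."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last = {}

    def login(self, uid: str, ctr: int, mac: str) -> bool:
        key = self.keys.get(uid)
        if key is None or ctr <= self.last.get(uid, 0):
            return False
        if not hmac.compare_digest(mac, tag(key, uid, ctr)):
            return False
        self.last[uid] = ctr  # advance the counter only after a successful check
        return True


def demo() -> dict:
    # One independent key per card (constructed values).
    keys = {"alice": b"card-key-alice-0001", "bob": b"card-key-bob-0002"}
    out = {}

    ts_srv = TimestampServer(keys)
    captured = ("alice", 1000, tag(keys["alice"], "alice", 1000))
    out["ts_first"] = ts_srv.login(*captured, now=1000)   # genuine login
    out["ts_replay"] = ts_srv.login(*captured, now=1030)  # same bytes 30 s later: accepted
    out["ts_late"] = ts_srv.login(*captured, now=2000)    # only the window stops it

    ctr_srv = CounterServer(keys)
    captured = ("alice", 1, tag(keys["alice"], "alice", 1))
    out["ctr_first"] = ctr_srv.login(*captured)
    out["ctr_replay"] = ctr_srv.login(*captured)          # counter 1 is no longer fresh
    edited = ("alice", 2, captured[2])                    # bump the counter, keep the old MAC
    out["ctr_edited"] = ctr_srv.login(*edited)            # fresh counter but MAC mismatch
    out["ctr_next"] = ctr_srv.login("alice", 2, tag(keys["alice"], "alice", 2))

    # Per-card keys: material from Bob's card does not let him forge Alice's login.
    forged = ("alice", 3, tag(keys["bob"], "alice", 3))
    out["cross_card"] = ctr_srv.login(*forged)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:12} {accepted}")
```

The timestamp verifier has no memory, so any message it once accepted stays acceptable for the whole window; the counter verifier keeps one integer per user and turns the same capture into a rejection, while the MAC over the counter stops an attacker from simply incrementing it. Giving each card its own key confines a leaked or insider-held key to that one account.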
Key words:
- user authentication /
- password /
- cryptanalysis /
- smart cards