Journal of Beijing University of Aeronautics and Astronautics, 2008, Vol. 34, Issue (09): 1037-1040.

• Paper •

Improvement of a remote user password authentication scheme

Hu Ronglei, Liu Jianwei, Zhang Qishan

  1. School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100191, China
  • Received: 2007-08-27 Online: 2008-09-30 Published: 2010-09-17
  • Author biography: Hu Ronglei (born 1977), male, from Hengshui, Hebei, Ph.D. candidate, huronglei@sohu.com.
  • Funding:

    National Natural Science Foundation of China project (60672102)

Improvement of remote user authentication schemes using passwords

Hu Ronglei, Liu Jianwei, Zhang Qishan

  1. School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100191, China
  • Received: 2007-08-27 Online: 2008-09-30 Published: 2010-09-17

Abstract (translated from the Chinese): Password authentication is an important method of remote identity authentication. A remote authentication scheme using strong graphical passwords based on a hash function is analyzed, and it is shown that the scheme cannot resist the stolen-verifier attack: using the password verifier, an attacker can impersonate the server, trick a legitimate user into sending authentication information, generate a login message to impersonate that user, and pass authentication and obtain authorization without knowing the user's password. An improved scheme is proposed that introduces a smart card. The smart card stores the server authentication information, which achieves mutual authentication between user and server; an attacker can impersonate neither the server nor the user, and cannot obtain useful user authentication information from intercepted messages. The improved scheme retains the original scheme's resistance to replay, denial-of-service, password-guessing, forgery, password-file compromise and insider attacks, and additionally resists stolen-verifier and smart-card-loss attacks, so it has better security.

Abstract: Password authentication is a promising and practical solution to remote user authentication. The security of an authentication scheme using strong graphical passwords based on a hash function was analyzed. The scheme cannot resist the stolen-verifier attack: the adversary can pretend to be the server to trick a legal user into sending it an authentication message, then masquerade as that user by creating a valid login message, pass the authentication phase and gain the authority of a legitimate user without knowing the user's password. An enhanced scheme was proposed in which a smart card is used to store the server authentication message, so that the server and user can authenticate each other. The adversary can impersonate neither the server nor the user and cannot obtain a useful login message from eavesdropped communication. The enhanced scheme withstands replay attacks, denial-of-service attacks, password-guessing attacks, forgery attacks, password-file compromise attacks and inside attacks, as the former scheme does. It also withstands the stolen-verifier attack and the smart card loss attack.

Copyright © Editorial Office of the Journal of Beijing University of Aeronautics and Astronautics