对一种远程用户口令认证方案的改进

胡荣磊; 刘建伟; 张其善

对一种远程用户口令认证方案的改进

北京航空航天大学电子信息工程学院, 北京 100191

基金项目: 国家自然科学基金资助项目(60672102)

详细信息

作者简介:
胡荣磊(1977-),男,河北衡水人,博士生,huronglei@sohu.com.

中图分类号: TN 915.08
计量
- 文章访问数: 3141
- HTML全文浏览量: 162
- PDF下载量: 980
- 被引次数: 0
出版历程
- 收稿日期: 2007-08-27
- 网络出版日期: 2008-09-30

Improvement of remote user authentication schemes using passwords

School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100191, China

摘要

摘要: 口令认证是远程身份认证中重要的方法.分析了一种基于hash函数强图形口令远程认证方案,指出该方案不能抵抗校验值丢失攻击:攻击者利用口令校验值可以假冒服务器,欺骗合法用户发送认证信息,生成登录信息假冒用户登录,并通过认证获得授权,而不用知道用户口令.引入了智能卡的应用,提出一种改进方案.智能卡用来存储服务器认证信息,实现了用户和服务器的双向认证,攻击者不能冒充服务器和用户的任何一方,并且攻击者从截获的信息中不能获得有用的用户认证信息.改进方案保留了原方案抵抗重放、拒绝服务、口令猜测、伪造、口令文件丢失以及内部攻击的特点,并能够抵抗校验值丢失和智能卡丢失攻击,具有更好的安全性.
- 口令 /
- 认证 /
- 校验值丢失攻击 /
- 智能卡
Abstract: Password authentication scheme is a promising and practical solution to remote user authentication. The security of an authentication scheme using strong graphical passwords basing on hash function was analyzed. The scheme can not resist to stolen-verifier attack. The adversary can pretend to be a server to cheat a legal user to send him authentication message, and then it masquerades as a legal user by creating a valid login message, passes the authentication phase and gains the authority of a legitimate user without knowing user password. An enhanced scheme was proposed in which smart card is used for storing server authentication message. The server and user can authenticate each other. The adversary can personate neither server nor user and can not get useful login message from eavesdropped communication. The enhanced scheme can withstand replay attack, denial-of-service attack, password-guessing attack, forgery attack, password-file compromise attack and inside attack as the former scheme. It can also withstand stolen-verifier attack and smart card loss attack.
- password /
- authentication /
- stolen-verifier attack /
- smart cards

HTML全文

参考文献(1)

[1] Lamport L. Password authentication with insecure communication[J]. Communication of ACM, 1981, 24:770-772 [2] Tsai Chwei-Shyong,Lee Cheng-Chi, Hwang Min-Shiang.Password authentication schemes-current status and key issues[J].International Journal of Network Security,2006,3(2):101-115 [3] Ku Wei-Chi, Tsaur Maw-Jinn. A remote user authentication scheme using strong graphical passwords 30th Annual IEEE Conference on Local Computer Networks (LCN 2005). Sydney, Australia: IEEE Computer Society, 2005:351-357 [4] Ku W C. A hash-based strong-password authentication scheme without using smart cards[J]. ACM Operating System Review, 2004, 38(1): 29-34 [5] Kim Minho. Cryptanalysis and enhancement of authentication protocols . Corvallis: Philosophy in Electrical and Computer Engineering of Oregon State University, 2006 [6] Chen T H, Lee W B, Horng G. Secure SAS-like password authentication schemes[J]. Computer Standards & Interfaces, 2004, 27: 25-31

施引文献

资源附件(0)

访问统计