Improvement of remote user authentication schemes using passwords
Abstract (translated from the Chinese): Password authentication is an important method of remote identity authentication. A hash-function-based remote authentication scheme using strong graphical passwords is analyzed, and it is shown that the scheme cannot resist the stolen-verifier attack: using the password verifier, an attacker can impersonate the server, trick a legitimate user into sending authentication information, construct login information to impersonate that user, and pass authentication and obtain authorization without knowing the user's password. Smart cards are introduced and an improved scheme is proposed. The smart card stores the server's authentication information, which achieves mutual authentication between user and server: the attacker can impersonate neither the server nor the user, and cannot obtain useful user authentication information from intercepted messages. The improved scheme retains the original scheme's resistance to replay, denial-of-service, password-guessing, forgery, password-file compromise and insider attacks, and additionally resists the stolen-verifier and smart-card-loss attacks, giving better security.

Abstract: Password authentication is a promising and practical solution to remote user authentication. The security of an authentication scheme using strong graphical passwords based on a hash function was analyzed. The scheme cannot resist the stolen-verifier attack: the adversary can pretend to be the server to trick a legal user into sending it the authentication message, and then masquerade as the legal user by creating a valid login message, pass the authentication phase, and gain the authority of a legitimate user without knowing the user's password. An enhanced scheme was proposed in which a smart card is used to store the server authentication message. The server and user can authenticate each other; the adversary can impersonate neither server nor user and cannot get a useful login message from eavesdropped communication. The enhanced scheme withstands replay attack, denial-of-service attack, password-guessing attack, forgery attack, password-file compromise attack and inside attack, as the former scheme does. It also withstands the stolen-verifier attack and the smart card loss attack.
Key words:
- password
- authentication
- stolen-verifier attack
- smart cards