对两个基于智能卡的口令认证协议的安全性分析

身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷。分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境。     

增强的基于智能卡的远程用户认证协议

基于智能卡的远程用户认证协议比基于口令的安全协议能提供更好的安全性。2011年Chen等提出一种对Hsiang-Shih方案改进的基于智能卡的远程认证协议,并称解决了相关方案中存在的各种攻击问题。指出Chen等方案仍然存在着内部攻击、丢失智能卡攻击、重放攻击和身份冒充攻击,并针对基于口令和智能卡的远程认证协议类存在的离线口令猜测攻击提出一种基于智能卡和椭圆曲线离散对数问题的认证协议。该协议能抵抗提到的所有攻击,在登陆和认证阶段只需要一个点乘运算。     

基于生物特征的匿名远程用户认证方案

分析基于生物特征与二次剩余的远程用户认证方案,指出其存在不能抵抗冒充用户攻击、假冒服务器攻击、会话密钥泄露攻击和拒绝服务攻击等安全缺陷,基于此提出一个基于生物特征、口令与智能卡的匿名远程用户认证方案,主要包含注册、登录、认证和口令更新4个阶段。分析结果表明,该方案不仅克服了远程用户认证方案的安全缺陷,而且还可以抵抗智能卡丢失攻击、重放攻击,并实现了用户匿名性。     

Ku-Chien远程身份认证方案的安全性分析

Ku－Chien远程身份认证方案是一种使用智能卡、低开销、实用的口令认证方案。本文分析了Ku－Chien方案的安全性，指出了Ku－Chien方案的安全缺陷：不能抵御并行会话攻击和伪造主机攻击。分析了产生安全缺陷的原因：登陆阶段用户计算出的秘密信息和认证阶段远程主机计算出的秘密信息具有类似的结构。最后，利用口令更改计数器，给出了一种改进的口令认证方案。该方案允许用户自主选择并更改口令，实现了双向认证；能够抵御重放攻击、内部攻击，具备强安全修复性；能够抵御并行会话攻击和伪造远程主机攻击。     

一个基于智能卡的动态认证方案

讨论了2006年袁丁等人设计的简单高效的口令识别方案（SEPA）,指出该方案无法抵御字典攻击、中间人攻击和服务器拒绝服务攻击。提出了一个基于智能卡的动态认证方案,并对其进行了分析,结果表明新方案提供双向认证,安全性高,运算量低,具有安全、友好、方便的口令更新方式,并且服务器不需维护用于认证的验证表。     

基于双线性对的智能卡口令认证改进方案

通过对一种使用双线性对构造的智能卡口令认证方案的分析,发现该方案不能抵抗冒充攻击和服务器伪装攻击。针对该问题,提出一种改进的基于双线性对的智能卡口令认证方案,即利用服务器公钥进行加解密操作,通过引入序列号使用户与系统间进行了双向认证,不仅保持了原有方案的安全性,而且能有效地抵御冒充攻击和服务器伪装攻击,安全性更高。     

一种基于智能卡口令认证方案的研究

基于口令的认证方案广泛应用于远程控制系统中,智能卡与静态口令结合使用的认证方式是目前应用最广泛的口令认证机制。提出一种基于智能卡的口令认证方案。通过对其安全性进行分析,发现此方案能够抵抗住离线字典攻击、假冒攻击、重放攻击和修改攻击等攻击。     

一种基于智能卡的安全认证模型

智能卡技术是近年来兴起的一种新的安全技术,在身份认证中得到了越来越广泛的应用。本文提出了一种对Lin-Shen-Hwang方案改进的智能卡远程认证方案。该方案把关于密钥的信息全存放在智能卡中,是一种基于ID的远程双向身份认证方案。它可以避免Lin-Shen-Hwang方案可能遭受的拒绝服务攻击和重放攻击,而且只在客户端就能自由更改密码,增加了用户使用的便利性,并且该方案能够抵抗一些常见的攻击,安全地进行用户身份认证。     

对一个口令认证协议的可攻击性分析及改进

Rhee H S等人(Computer Standards &; Interfaces, 2009, No.1)提出的协议使用移动设备代替智能卡记忆数据降低风险和成本,但该协议仍存在一些不足。针对该问题,基于Chan-Cheng攻击案例,指出该协议难以抵抗假冒攻击和离线口令猜测攻击,为克服这些缺陷,给出一种改进方案,通过实验证明了该方案可以有效抵抗上述2种攻击,并能保证其口令的秘密性及身份认证的安全性。     

格上基于智能卡的安全口令认证方案

基于智能卡的认证方案是一种高效且常用的认证机制,但安全性基于数论难题构建的相关认证方案存在不能抵抗量子攻击、恶意读卡器攻击等问题.提出一种新的格上基于智能卡的口令认证方案,该方案利用格密码中近似平滑投射哈希函数和可拆分公钥密码体制,通过用户口令和智能卡完成与服务器的身份认证和会话密钥协商.该方案在随机预言模型下满足理论可证明安全,在抵抗量子攻击、恶意读卡器攻击和其他类型攻击方面有较高的可靠度.仿真实验表明,所提方案执行效率高,满足实际应用需求.     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Remote user authentication is a method, in which remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves anonymity of user, has the features of strong password chosen by the server, and protected from several attacks. However, in this paper, we point out that Wang et al.’s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme: does not provide anonymity of a user during authentication, user has no choice in choosing his password, vulnerable to insider attack, no provision for revocation of lost or stolen smart card, and does provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.’s scheme and is more secure and efficient for practical application environment.     

Cryptanalysis and improvement of a robust smart card secured authentication scheme on SIP using elliptic curve cryptography

The session initiation protocol (SIP) has been receiving a lot of attention to provide security in the Voice over IP (VoIP) in Internet and mobility management. Recently, Yeh et al. proposed a smart card-based authentication scheme for SIP using elliptic curve cryptography (ECC). They claimed that their scheme is secure against known security attacks. However, in this paper, we indicate that Yeh et al.’s scheme is vulnerable to off-line password guessing attack, user impersonation attack and server impersonation attack, in the case that the smart card is stolen and the information stored in the smart card is disclosed. As a remedy, we also propose an improved smart card-based authentication scheme which not only conquers the security weaknesses of the related schemes but also provides a reduction in computational cost. The proposed scheme also provides the user anonymity and untraceability, and allows a user to change his/her password without informing the remote server. To show the security of our protocol, we prove its security the random oracle model.     

基于口令的远程身份认证及密钥协商协议

基于口令的身份认证协议是研究的热点。分析了一个低开销的基于随机数的远程身份认证协议的安全性,指出了该协议的安全缺陷。构造了一个基于随机数和Hash函数、使用智能卡的远程身份认证和密钥协商协议：PUAKP协议。该协议使用随机数,避免了使用时戳带来的重放攻击的潜在风险。该协议允许用户自主选择和更改口令,实现了双向认证,有较小的计算开销;能够抵御中间人攻击;具有口令错误敏感性、口令的主机非透明性和强安全修复性;生成的会话密钥具有新鲜性、机密性、已知密钥安全性和前向安全性。     

Efficient and secure two-factor dynamic ID-based password authentication scheme with provable security

Password-based remote user authentication schemes using smart cards are designed to ensure that only a user who possesses both the smart card and the corresponding password can gain access to the remote servers. Despite many research efforts, it remains a challenging task to design a secure password-based authentication scheme with user anonymity. The author uses Kumari et al.’s scheme as the case study. Their scheme uses non-public key primitives. The author first presents the cryptanalysis of Kumari et al.’s scheme in which he shows that their scheme is vulnerable to user impersonation attack, and does not provide forward secrecy and user anonymity. Using the case study, he has identified that public-key techniques are indispensable to construct a two-factor authentication scheme with security attributes, such as user anonymity, unlinkability and forward secrecy under the nontamper resistance assumption of the smart card. The author proposes a password-based authentication scheme using elliptic curve cryptography. Through the informal and formal security analysis, he shows that proposed scheme is secure against various known attacks, including the attacks found in Kumari’s scheme. Furthermore, he verifies the correctness of mutual authentication using the BAN logic.     

对两个基于智能卡的多服务器身份认证方案的密码学分析与改进

身份认证是用户访问网络资源时的一个重要安全问题。近来,Xu等(XU C, JIA Z, WEN F, et al. Cryptanalysis and improvement of a dynamic ID based remote user authentication scheme using smart cards [J]. Journal of Computational Information Systems, 2013, 9(14): 5513-5520)提出了一个基于智能卡的动态身份用户认证方案。分析指出其方案不能抵抗中间人攻击和会话密钥泄露攻击,且无法实现会话密钥前向安全性。此外,指出Choi等(CHOI Y, NAM J, LEE D, et al. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics [J]. The Scientific World Journal, 2014, 2014: 281305)提出的基于智能卡和生物特征的匿名多服务器身份认证方案(简称CNL方案)易遭受智能卡丢失攻击、服务器模仿攻击,且不能提保护用户的匿名性。最后,基于生物特征和扩展混沌映射,提出了一个安全的多服务器认证方案,安全分析结果表明,新方案消除了Xu方案和CNL方案的安全漏洞。     

基于D-H密钥交换协议的用户认证方案

分析指出Liaw等人的远程用户认证方案(Mathematical and Computer Modelling,2006,No.1/2)容易受到重放攻击和中间人攻击,并且密码修改阶段和注册阶段存在安全漏洞,在此基础上提出一个基于D-H密钥交换协议的远程用户认证方案.理论分析结果表明,该方案可以抵抗假冒攻击、重放攻击、中间人攻击,安全地实现相互认证及会话密钥生成.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards

ABSTRACT

In 2004, Das et al. proposed a dynamic identity-based remote user authentication scheme using smart cards. This scheme allows users to choose and change their passwords freely, and the server does not maintain any verification table. Das et al. claimed that their scheme is secure against stolen verifier attack, replay attack, forgery attack, dictionary attack, insider attack and identity theft. However, many researchers have demonstrated that Das et al.'s scheme is susceptible to various attacks. Furthermore, this scheme does not achieve mutual authentication and thus cannot resist malicious server attack. In 2009, Wang et al. argued that Das et al.'s scheme is susceptible to stolen smart card attack. If an attacker obtains the smart card of the user and chooses any random password, the attacker gets through the authentication process to get access of the remote server. Therefore, Wang et al. suggested an improved scheme to preclude the weaknesses of Das et al.'s scheme. However, we found that Wang et al.'s scheme is susceptible to impersonation attack, stolen smart card attack, offline password guessing attack, denial of service attack and fails to preserve the user anonymity. This paper improves Wang et al.'s scheme to resolve the aforementioned problems, while keeping the merits of different dynamic identity based smart card authentication schemes.