| 对三个多服务器环境下匿名认证协议的分析 |
| |
| 引用本文: | 汪定,李文婷,王平.对三个多服务器环境下匿名认证协议的分析[J].软件学报,2018,29(7):1937-1952. |
| |
| 作者姓名: | 汪定 李文婷 王平 |
| |
| 作者单位: | 北京大学信息科学技术学院, 北京 100871;软件工程国家工程研究中心, 北京 100871,北京大学软件与微电子学院, 北京 100260;软件工程国家工程研究中心, 北京 100871,北京大学软件与微电子学院, 北京 100260;软件工程国家工程研究中心, 北京 100871 |
| |
| 基金项目: | 国家自然科学基金(61472016);国家重点研发计划(2016YFB0800603) |
| |
| 摘 要: | 设计安全高效的多服务器环境下匿名身份认证协议是当前安全协议领域的研究热点。基于广泛接受的攻击者模型,对多服务器环境下的三个代表性匿名认证协议进行了安全性分析.指出Wan等协议无法实现所声称的离线口令猜测攻击,且未实现用户匿名性和前向安全性;指出Amin等协议同样不能抵抗离线口令猜测攻击,且不能提供匿名性,对两种破坏前向安全性的攻击是脆弱的;指出Reedy等协议不能抵抗所声称的用户仿冒攻击和离线口令猜测攻击,且无法实现用户不可追踪性.突出强调这些协议失败的根本原因在于,违反协议设计的三个基本原则:公钥原则、用户匿名性原则和前向安全性原则.明确协议的具体失误之处,并提出相应修正方法.
|
| 关 键 词: | 多服务器环境 认证协议 匿名性 离线口令猜测攻击 前向安全性 |
| 收稿时间: | 2017/5/30 0:00:00 |
| 修稿时间: | 2017/7/13 0:00:00 |
Crytanalysis of Three Anonymous Authentication Schemes for Multi-Server Environment |
| |
| WANG Ding,LI Wen-Ting and WANG Ping.Crytanalysis of Three Anonymous Authentication Schemes for Multi-Server Environment[J].Journal of Software,2018,29(7):1937-1952. |
| |
| Authors: | WANG Ding LI Wen-Ting and WANG Ping |
| |
| Affiliation: | School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;National Engineering Research Center for Software Engineering, Beijing, China,School of Software and Microelectronics, Peking University, Beijing 100871, China;National Engineering Research Center for Software Engineering, Beijing, China and School of Software and Microelectronics, Peking University, Beijing 100871, China;National Engineering Research Center for Software Engineering, Beijing, China |
| |
| Abstract: | The design of secure and efficient user authentication protocols for multi-serverenvironment is increasingly becoming a hot research topic in the cryptographic protocol community. Based on the widely acceptedadversarymodel, this paperanalyzes threerepresentative, recently proposed user authentication schemes for multi-server environment. We point out that:1) Wan et al.''s scheme is subject to offline password guessing attack as opposed to the authors'' claim and it also cannot provide user anonymity and forward secrecy. 2) Amin et al.''s scheme cannot withstand offline password guessing attack, cannot preserve user anonymity and is vulnerable to two kinds of forward secrecy issues. 3) Reedy et al.''s scheme cannot resist againstuser impersonation attack and offline password guessing attack as well as falling short of user un-traceability. We highlight three principles for designing more robust anonymous multi-factor authentication schemes:public key principle, user anonymity principle and forward secrecy principle, explaining the essential reasons for the security flaws of the above protocols. We further propose someadmendments for the identified security flaws. |
| |
| Keywords: | Multi-server environment Authentication protocol User anonymity Offline password guessing attack Forward secrecy |
|
| 点击此处可从《软件学报》浏览原始摘要信息 |
|
点击此处可从《软件学报》下载全文 |
|
