
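A Password-Hardened Encryption Scheme Resistant to Malicious Servers
Cite this article: ZHAO Yi, LIU Hang, LIANG Kaitai, MING Yang, ZHAO Xiang-Mo, YANG Bo. A Password-Hardened Encryption Scheme Resistant to Malicious Servers[J]. Journal of Software, 2023, 34(5): 2482-2493.
Authors: ZHAO Yi  LIU Hang  LIANG Kaitai  MING Yang  ZHAO Xiang-Mo  YANG Bo
Affiliations: School of Information Engineering, Chang'an University, Xi'an, Shaanxi 710064; Faculty of Electrical Engineering, Mathematics & Computer Science, Delft University of Technology, Delft, the Netherlands; School of Computer Science, Shaanxi Normal University, Xi'an, Shaanxi 710119
Funding: National Key Research and Development Program of China (2017YFB0802000); National Natural Science Foundation of China (62072054, U2001205, 61772326, 61802241, 61802242); Key Research and Development Program of Shaanxi Province (2021GY-047); Fundamental Research Funds for the Central Universities, Chang'an University (300102240102)
Abstract: Password-hardened encryption is a primitive that has emerged in recent years. By adding a third-party cryptographic service provider that assists in decryption, it resists the risk of malicious offline attacks that arises in existing designs, where a server can decrypt simply by guessing a low-entropy password; that is, it hardens password authentication and adds encryption functionality. In light of the recently emerging threat of algorithm substitution attacks, this paper gives an active attack by the server against the scheme in the work that proposed this primitive. The attack is undetectable and still allows the server to mount offline attacks, which proves that the original scheme does not have the resistance to malicious servers that it claims. The paper then discusses and summarizes the properties and construction features that a scheme able to resist algorithm substitution attacks by a malicious server should have. Next, it presents a scheme that genuinely resists algorithm substitution attacks by a malicious server, together with simulation results. Finally, it looks ahead to the systematic research needed on how algorithm substitution attacks affect the security of complex interactive protocols.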

Keywords: password-hardened encryption  algorithm substitution attack  undetectability  resistance to malicious servers
Received: 2021/4/15 0:00:00
Revised: 2021/6/1 0:00:00

Password Hardening Encryption Services Against Malicious Server
ZHAO Yi,LIU Hang,LIANG Kaitai,MING Yang,ZHAO Xiang-Mo,YANG Bo.Password Hardening Encryption Services Against Malicious Server[J].Journal of Software,2023,34(5):2482-2493.
Authors:ZHAO Yi  LIU Hang  LIANG Kaitai  MING Yang  ZHAO Xiang-Mo  YANG Bo
Affiliation: School of Information Engineering, Chang'an University, Xi'an 710064, China; Faculty of Electrical Engineering, Mathematics & Computer Science, Delft University of Technology, Delft, The Netherlands; School of Computer Science, Shaanxi Normal University, Xi'an 710119, China
Abstract: Password hardening encryption (PHE) is a primitive that has emerged in recent years. By adding a third party with crypto services that joins the decryption process, it can resist the offline attacks that result from keyword guessing attacks by the server. This primitive enhances the password authentication protocol and adds encryption functionality. This paper presents an active attack by the server against the first scheme that introduced this primitive. The attack draws on a cutting-edge threat called the algorithm substitution attack; it is undetectable and leaves the server capable of launching offline attacks. This result shows that the original PHE scheme cannot resist attacks from a malicious server. The study then summarizes the properties that a scheme resistant to algorithm substitution attacks should have. After that, the paper presents a PHE scheme that can resist this kind of attack from a malicious server, with simulation results. Finally, the study concludes with the results and gives some expectations for future systematic research on interactive protocols under algorithm substitution attack.
Keywords:password hardening encryption (PHE)  algorithm substitution attack  undetectable  malicious server