图形密码方案可用性及安全性分析

当前图形密码还没有广泛地应用于实际,图形密码身份验证方案大多处于实验室阶段.依据图形密码的评价指标,针对图形密码身份验证方案最重要的两个指标可用性和安全性对当前出现的有代表性的图形密码方案进行对比分析.最后将图形密码的安全性与文本密码进行比较,分析了图形密码的密钥空间和抵抗常见口令攻击的能力.经分析多数图形密码在易记忆性和安全性方面优于传统密码.     

一种高效安全的动态口令认证方案

动态口令身份认证技术相对于传统的静态口令身份认证技术有更高的安全性.基于ElGamal公钥密码体制和挑战-应答机制,提出了一种新型的结合智能卡和指纹特征的动态口令身份认证方案,实现了服务器和用户之间的双向认证,该方案能够有效地防止重放攻击,并且可以抵御假冒服务器攻击.     

基于MAC地址的软件动态口令实现方案

随着网络技术的发展,传统的静态密码身份认证方案已不能给电子商务活动提供足够的保护。描述了动态口令技术的原理,分析了硬件和软件实现动态口令的利弊,设计了一种基于客户端MAC地址的动态口令认证协议,并在此基础上论述了系统方案的实施流程、总体设计和认证过程。最后进行了安全性分析并提出了相应的提高安全性的措施。分析表明,该方案具有适用面广、安全性高、使用方便和系统成本低的特点。     

基于手机令牌的动态口令身份认证系统的实现

随着网络技术的普及,传统的静态密码方案已不能满足电子商务中的身份认证的要求。描述了动态口令技术的基本原理,分析了其软件和硬件实现的利弊,设计了一种基于挑战/应答模式的动态口令认证协议,并在此协议基础上设计实现了基于手机令牌的动态口令身份认证系统,论述了系统的总体设计、认证过程、安全性措施和具体的实施步骤,最后进行了系统的安全性分析。分析表明,该系统具有安全性高、适用面广,使用方便,系统成本低的特点。     

基于椭圆曲线密码体制的OTP身份认证方案

文章阐述了椭圆曲线密码体制的基本原理及其优点,介绍了OTP认证技术的原理,分析了S/Key一次性口令系统的局限性.利用椭圆曲线密码体制对现有的OTP系统进行改进,提出了一种基于ECC的双向认证的动态口令认证方案,该方案在安全性、运算速度和存储空间方面相对其它身份认证方案具有更高的优势.     

基于OTP的WiFi身份认证模型的设计及分析

身份认证问题成为制约无线网络发展的瓶颈.一次性口令(OTP)技术和椭圆曲线密码体制由于自身优点,比较适合无线环境中的身份认证.利用椭圆曲线密码体制(ECC)实现数字签名,基于一次性口令技术提出了一种安全的双向身份认证模型.最后,通过安全性分析和SVO逻辑方法证明了该模型的安全性.     

B2C支付系统下网页版动态口令卡的探究与实现

现有的在线交易身份认证采用电子口令卡或动态密码与手机绑定等方式,存在一定风险及使用上的不便,同时在使用虚拟货币的网络游戏等领域,每一次交易仅采用静态密码进行身份认证,账号安全性难以保障。在基于挑战-应答异步认证机制的动态口令技术基础上,以采用SSH架构的网上商城为例,设计了一种适用于B2C的支付系统,并对虚拟货币支付方式提供良好兼容性与实用性的网页版口令卡身份认证方案。该方案较之传统的身份认证方式风险小并且使用便捷。     

面向移动平台的新型身份认证方案设计

各种类型的移动平台如智能手机、平板电脑、嵌入式系统快速普及,并渗透到生活和工作的方方面面,但是移动平台在带给大家丰富多彩的应用和方便快捷的生活的同时,也带来了许多新的安全问题。身份认证和接入认证是保护移动平台的第一道屏障。结合多点触控技术、重力感应技术和图形密码,设计、开发了适用于移动平台的几种身份认证方案,包括绘制曲线认证方案、图像选择认证方案、多点指划认证方案和重力感应认证方案。所设计的方案较之单纯的口令式密码,设置口令和验证口令直观方便,通过简单的操作即可产生较大的密钥空间。经分析,所提方案操作方便,安全性较高。     

无双线性对的动态口令认证与密钥协商方案

提出了一种椭圆曲线密码体制下基于身份的双向认证方案,用于解决基于移动终端的动态口令机制身份认证方案在双向认证和会话密钥方面的不足。该方案使用移动端令牌生成动态口令,采用三次握手原理实现身份认证,支持安全会话密钥协商、一次性口令、双向认证和轻量级服务器存储。分析表明,该方案可以抵抗针对移动终端口令认证方案的常见攻击,安全有效,满足安全设计目标。     

基于动态口令身份认证系统的设计与实现

身份认证是网络安全技术的一个重要组成部分,而动态口令认证系统可以有效地避免因用户密码被盗而带来的巨大损失.文章在基于挑战/应答认证机制的基础上提出了基于动态口令的认证机制,并介绍了静态口令与动态口令的区别,论述了用动态口令设计身份认证的原理,提出了动态口令身份认证系统的实现方法.     

On designing usable and secure recognition-based graphical authentication mechanisms

In this article we present the development of a new, web-based, graphical authentication mechanism called ImagePass. The authentication mechanism introduces a novel feature based on one-time passwords that increases the security of the system without compromising its usability. Regarding usability, we explore the users’ perception of recognition-based, graphical authentication mechanisms in a web environment. Specifically, we investigate whether the memorability of recognition-based authentication keys is influenced by image content. We also examine how the frequency of use affects the usability of the system and whether user training via mnemonic instructions improves the graphical password recognition rate. The design and development process of the proposed system began with a study that assessed how the users remember abstract, face or single-object images, and showed that single-object images have a higher memorability rate. We then proceeded with the design and development of a recognition-based graphical authentication mechanism, ImagePass, which uses single-objects as the image content and follows usable security guidelines. To conclude the research, in a follow-up study we evaluated the performance of 151 participants under different conditions. We discovered that the frequency of use had a great impact on users’ performance, while the users’ gender had a limited task-specific effect. In contrast, user training through mnemonic instructions showed no differences in the users’ authentication metrics. However, a post-study, focus-group analysis revealed that these instructions greatly influenced the users’ perception for memorability and the usability of the graphical authentication. In general, the results of these studies suggest that single-object graphical authentication can be a complementary replacement for traditional passwords, especially in ubiquitous environments and mobile devices.     

An Enhanced Drawing Reproduction Graphical Password Strategy

Passwords are used in the vast majority of computer and communication systems for authentication. The greater security and memorability of graphical passwords make them a possible alternative to traditional textual passwords. In this paper we propose a new graphical password scheme called YAGP, which is an extension of the Draw-A-Secret (DAS) scheme. The main difference between YAGP and DAS is soft matching. The concepts of the stroke-box, image-box, trend quadrant, and similarity are used to describe the images characteristics for soft matching. The reduction in strict user input rules in soft matching improves the usability and therefore creates a great advantage. The denser grid granularity enables users to design a longer password, enlarging the practical password space and enhancing security. Meanwhile, YAGP adopts a triple-register process to create multi-templates, increasing the accuracy and memorability of characteristics extraction. Experiments illustrate the effectiveness of YAGP.     

An Enhanced Graphical Authentication Scheme Using Multiple-Image Steganography

Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and do not be controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.     

一种基于智能卡口令认证方案的研究

基于口令的认证方案广泛应用于远程控制系统中,智能卡与静态口令结合使用的认证方式是目前应用最广泛的口令认证机制。提出一种基于智能卡的口令认证方案。通过对其安全性进行分析,发现此方案能够抵抗住离线字典攻击、假冒攻击、重放攻击和修改攻击等攻击。     

A Human-Cognitive Perspective of Users’ Password Choices in Recognition-Based Graphical Authentication

ABSTRACT

Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of users’ cognitive styles toward the strength of the created passwords and shed light into whether and how the visual strategy of the users during graphical password composition is associated with the passwords’ strength. For doing so, we adopted Witkin’s Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition which affected the strength of the created passwords. The findings underpin the need of considering human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics.     

Two-factor mutual authentication based on smart cards and passwords

One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-factor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.     

An enhanced smart card based remote user password authentication scheme

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.     

基于SM9算法的移动互联网身份认证方案研究

移动互联网单服务器环境下传统身份认证方案存在用户需要针对不同的服务器记忆相应的不同口令,以及传统认证方式中的口令泄漏等安全问题.为解决以上问题,文章提出一种移动互联网单服务器环境下基于SM9算法的身份认证方案.用户针对不同的应用系统,仅需记忆统一的标识和口令,即可在不同的应用系统中通过身份认证,从而获得应用服务和访问资...     

Dynamic ID-based remote user password authentication schemes using smart cards: A review

Remote user authentication is a mechanism, in which the remote server verifies the legitimacy of a user over an insecure communication channel. Until now, there have been ample of remote user authentication schemes published in the literature and each published scheme has its own merits and demerits. A common feature among most of the published schemes is that the user's identity (ID) is static in all the transaction sessions, which may leak some information about that user and can create risk of identity theft during the message transmission. To overcome this risk, many researchers have proposed dynamic ID based remote user authentication schemes. In this paper, we have defined all the security requirements and all the goals an ideal password authentication scheme should satisfy and achieve. We have presented the results of our survey through six of the currently available dynamic ID based remote user authentication schemes. All the schemes are vulnerable to guessing attack except Khan et al.'s scheme, and do not meet the goals such as session key agreement, secret key forward secrecy. In the future, we hope an ideal dynamic ID based password authentication scheme, which meets all the security requirements and achieves all the goals can be developed.