增强的基于智能卡的远程用户认证协议

基于智能卡的远程用户认证协议比基于口令的安全协议能提供更好的安全性。2011年Chen等提出一种对Hsiang-Shih方案改进的基于智能卡的远程认证协议,并称解决了相关方案中存在的各种攻击问题。指出Chen等方案仍然存在着内部攻击、丢失智能卡攻击、重放攻击和身份冒充攻击,并针对基于口令和智能卡的远程认证协议类存在的离线口令猜测攻击提出一种基于智能卡和椭圆曲线离散对数问题的认证协议。该协议能抵抗提到的所有攻击,在登陆和认证阶段只需要一个点乘运算。     

基于生物特征的匿名远程用户认证方案

分析基于生物特征与二次剩余的远程用户认证方案,指出其存在不能抵抗冒充用户攻击、假冒服务器攻击、会话密钥泄露攻击和拒绝服务攻击等安全缺陷,基于此提出一个基于生物特征、口令与智能卡的匿名远程用户认证方案,主要包含注册、登录、认证和口令更新4个阶段。分析结果表明,该方案不仅克服了远程用户认证方案的安全缺陷,而且还可以抵抗智能卡丢失攻击、重放攻击,并实现了用户匿名性。     

一种基于智能卡的安全认证模型

智能卡技术是近年来兴起的一种新的安全技术,在身份认证中得到了越来越广泛的应用。本文提出了一种对Lin-Shen-Hwang方案改进的智能卡远程认证方案。该方案把关于密钥的信息全存放在智能卡中,是一种基于ID的远程双向身份认证方案。它可以避免Lin-Shen-Hwang方案可能遭受的拒绝服务攻击和重放攻击,而且只在客户端就能自由更改密码,增加了用户使用的便利性,并且该方案能够抵抗一些常见的攻击,安全地进行用户身份认证。     

多服务器环境下的身份认证方案

基于智能卡的多服务器远程认证方案,存在不能抵抗伪造攻击、重放攻击和中间人攻击等问题。针对上述安全性缺陷,提出一种改进的身份鉴别方案。该方案利用自验证的时间戳技术,解决基于时间戳技术的认证方案中存在的时钟同步问题,同时将时间戳作为随机数,有效地避免遭受重放攻击。安全性分析结果表明,与基于智能卡的多服务器远程认证方案相比,该方案继承了其轻量级认证的特征,计算量低,存储量小,实现了服务器对用户的可追踪性,满足实际网络的复杂性要求。     

基于双线性对和Nonce的智能卡远程用户认证方案*

远程用户认证方案是远程服务器通过不安全的网络认证远程用户身份的一种机制。根据椭圆曲线上的双线性对的优良性质,2006年,Das等人提出了基于双线性对的远程用户认证方案。2009年, Goriparthi等人指出该方案易遭受伪造攻击和重放攻击并给出了一个改进方案。然而发现Goriparthi等人的改进方案易遭受内部人员攻击、拒绝服务攻击和服务器哄骗攻击以及存在时钟同步问题。为了克服这些缺点,提出了基于双线性对和Nonce的智能卡远程用户认证方案。安全分析表明,该方案不但增强了认证系统的安全性,而且可安全地完     

增强型相互认证密钥协商方案

传统用于保护用户密钥隐私的相互认证方案不能有效抵抗重放攻击与DOS攻击。为此,将安全单向哈希函数和椭圆曲线上的离散对数难问题相结合,提出一种基于智能卡的相互认证方案。该方案通过引入时间戳及时延限制,能有效抵抗重放攻击,并减轻DOS攻击。相比于其他同类方案,该方案的移动用户端减少2次点的加法运算,提高用户端的计算效率。分析结果表明,该方案是安全有效的。     

一种新的基于动态口令的远程双向认证

针对基于口令的远程用户鉴别方案在时间戳和用户ID以及挑战/应答机制中的单相认证的上存在的脆弱性,采用指纹和智能卡双重认证技术,提出了挑战/应答机制的改进方案,该方案能进行双向认证,可抵抗重放攻击和假冒攻击,且由示证和认证双方共同生成随机因子,也体现了认证的公平性,认证过程不需要传递用户指纹信息,保护了用户的隐私,比较发现该方案是一种更安全、实用、简单、便捷的基于动态口令的远程双向认证方案。     

一种基于智能卡口令认证方案的研究

基于口令的认证方案广泛应用于远程控制系统中,智能卡与静态口令结合使用的认证方式是目前应用最广泛的口令认证机制。提出一种基于智能卡的口令认证方案。通过对其安全性进行分析,发现此方案能够抵抗住离线字典攻击、假冒攻击、重放攻击和修改攻击等攻击。     

一种改进的智能卡远程身份认证方案

分析了现有认证方案中存在的因智能卡内部信息泄露导致的安全问题,提出了一种改进的智能卡远程身份认证方案。该方案增强了智能卡中验证信息的秘密性,并使用双向认证和随机数,提高了交互信息的可靠性和随机性,使认证系统能够抵御伪装攻击和重放攻击,提高了应用系统的安全性。     

基于智能卡和指纹的动态口令鉴别方案

针对Lin和Lai提出的基于口令的远程用户鉴别方案在时间戳和用户ID上存在的脆弱性,提出基于挑战 应答机制的改进方案。该方案采用指纹和智能卡双重认证技术,能进行双向认证,可抵抗重放攻击和假冒攻击,且由示证和认证双方共同生成随机因子,也体现了认证的公平性,认证过程不需要传递用户指纹信息,保护了用户的隐私。     

Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards

ABSTRACT

In 2004, Das et al. proposed a dynamic identity-based remote user authentication scheme using smart cards. This scheme allows users to choose and change their passwords freely, and the server does not maintain any verification table. Das et al. claimed that their scheme is secure against stolen verifier attack, replay attack, forgery attack, dictionary attack, insider attack and identity theft. However, many researchers have demonstrated that Das et al.'s scheme is susceptible to various attacks. Furthermore, this scheme does not achieve mutual authentication and thus cannot resist malicious server attack. In 2009, Wang et al. argued that Das et al.'s scheme is susceptible to stolen smart card attack. If an attacker obtains the smart card of the user and chooses any random password, the attacker gets through the authentication process to get access of the remote server. Therefore, Wang et al. suggested an improved scheme to preclude the weaknesses of Das et al.'s scheme. However, we found that Wang et al.'s scheme is susceptible to impersonation attack, stolen smart card attack, offline password guessing attack, denial of service attack and fails to preserve the user anonymity. This paper improves Wang et al.'s scheme to resolve the aforementioned problems, while keeping the merits of different dynamic identity based smart card authentication schemes.     

一种增强的智能卡口令认证方案

Hwang等人提出了基于ElGamal算法的智能卡口令认证方案,其安全性依赖于计算有限域上离散对数的难度。Chan等人分析了该方案的安全缺陷,并进行了改进。最近,Awasthi等人指出了改进方案中的安全缺陷,并提出了一种新方案,但新方案仍然存在缺陷。针对新方案的缺陷,基于“一次一密”和“动态口令”,提出了一种增强的智能卡口令认证方案。该方案允许用户自由选择口令,能够抵御重放攻击、内部攻击,能双向认证,具备强安全修复性。     

基于D-H密钥交换协议的用户认证方案

分析指出Liaw等人的远程用户认证方案(Mathematical and Computer Modelling,2006,No.1/2)容易受到重放攻击和中间人攻击,并且密码修改阶段和注册阶段存在安全漏洞,在此基础上提出一个基于D-H密钥交换协议的远程用户认证方案.理论分析结果表明,该方案可以抵抗假冒攻击、重放攻击、中间人攻击,安全地实现相互认证及会话密钥生成.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

对两个基于智能卡的多服务器身份认证方案的密码学分析与改进

身份认证是用户访问网络资源时的一个重要安全问题。近来,Xu等(XU C, JIA Z, WEN F, et al. Cryptanalysis and improvement of a dynamic ID based remote user authentication scheme using smart cards [J]. Journal of Computational Information Systems, 2013, 9(14): 5513-5520)提出了一个基于智能卡的动态身份用户认证方案。分析指出其方案不能抵抗中间人攻击和会话密钥泄露攻击,且无法实现会话密钥前向安全性。此外,指出Choi等(CHOI Y, NAM J, LEE D, et al. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics [J]. The Scientific World Journal, 2014, 2014: 281305)提出的基于智能卡和生物特征的匿名多服务器身份认证方案(简称CNL方案)易遭受智能卡丢失攻击、服务器模仿攻击,且不能提保护用户的匿名性。最后,基于生物特征和扩展混沌映射,提出了一个安全的多服务器认证方案,安全分析结果表明,新方案消除了Xu方案和CNL方案的安全漏洞。     

对两个基于智能卡的口令认证协议的安全性分析

身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷。分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境。     

Efficient and secure two-factor dynamic ID-based password authentication scheme with provable security

Password-based remote user authentication schemes using smart cards are designed to ensure that only a user who possesses both the smart card and the corresponding password can gain access to the remote servers. Despite many research efforts, it remains a challenging task to design a secure password-based authentication scheme with user anonymity. The author uses Kumari et al.’s scheme as the case study. Their scheme uses non-public key primitives. The author first presents the cryptanalysis of Kumari et al.’s scheme in which he shows that their scheme is vulnerable to user impersonation attack, and does not provide forward secrecy and user anonymity. Using the case study, he has identified that public-key techniques are indispensable to construct a two-factor authentication scheme with security attributes, such as user anonymity, unlinkability and forward secrecy under the nontamper resistance assumption of the smart card. The author proposes a password-based authentication scheme using elliptic curve cryptography. Through the informal and formal security analysis, he shows that proposed scheme is secure against various known attacks, including the attacks found in Kumari’s scheme. Furthermore, he verifies the correctness of mutual authentication using the BAN logic.     

基于动态ID的远程用户身份认证方案

用户身份认证作为网络安全和信息安全的第一道屏障,有着非常重要的作用.口令与智能卡相结合的认证方式可以克服传统口令认证方式的诸多弊端,能够提高网络和信息系统整体的安全性.对基于动态ID的远程用户身份认证方案进行了分析,指出了该方案在入侵者持有用户智能卡的情况下,即使不知道用户口令也能够伪装成合法用户通过远程系统的身份验证,获取系统的网络资源.提出了一种改进方案,能有效抵御重放攻击、伪造攻击、口令猜测攻击、内部攻击和伪装攻击.