对两个基于智能卡的口令认证协议的安全性分析

身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷。分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境。     

一种增强的基于智能卡的远程身份鉴别方案

分析了Lee-Chiu等人基于智能卡的身份鉴别方案,指出了方案中存在的安全性问题,并提出了改进方案。与Lee-Chiu等人的方案相比,该方案不仅能够提供用户、服务器之间双向身份鉴别,而且能够抵抗重放攻击、猜测攻击和假冒攻击,增强了应用系统的安全性。     

一种基于智能卡的安全认证模型

智能卡技术是近年来兴起的一种新的安全技术,在身份认证中得到了越来越广泛的应用。本文提出了一种对Lin-Shen-Hwang方案改进的智能卡远程认证方案。该方案把关于密钥的信息全存放在智能卡中,是一种基于ID的远程双向身份认证方案。它可以避免Lin-Shen-Hwang方案可能遭受的拒绝服务攻击和重放攻击,而且只在客户端就能自由更改密码,增加了用户使用的便利性,并且该方案能够抵抗一些常见的攻击,安全地进行用户身份认证。     

多服务器环境下的身份认证方案

基于智能卡的多服务器远程认证方案,存在不能抵抗伪造攻击、重放攻击和中间人攻击等问题。针对上述安全性缺陷,提出一种改进的身份鉴别方案。该方案利用自验证的时间戳技术,解决基于时间戳技术的认证方案中存在的时钟同步问题,同时将时间戳作为随机数,有效地避免遭受重放攻击。安全性分析结果表明,与基于智能卡的多服务器远程认证方案相比,该方案继承了其轻量级认证的特征,计算量低,存储量小,实现了服务器对用户的可追踪性,满足实际网络的复杂性要求。     

增强的基于智能卡的远程用户认证协议

基于智能卡的远程用户认证协议比基于口令的安全协议能提供更好的安全性。2011年Chen等提出一种对Hsiang-Shih方案改进的基于智能卡的远程认证协议,并称解决了相关方案中存在的各种攻击问题。指出Chen等方案仍然存在着内部攻击、丢失智能卡攻击、重放攻击和身份冒充攻击,并针对基于口令和智能卡的远程认证协议类存在的离线口令猜测攻击提出一种基于智能卡和椭圆曲线离散对数问题的认证协议。该协议能抵抗提到的所有攻击,在登陆和认证阶段只需要一个点乘运算。     

基于智能卡芯片指纹的身份认证方案设计

身份认证在网络安全中有非常着重要的作用。最近,Das等人提出了一种基于智能卡和动态ID的身份认证方案。在分析其方案漏洞的基础上,引入芯片指纹和随机数,提出了一种改进方案,能有效地抵抗伪装攻击、芯片复制攻击、拒绝服务攻击、重传攻击、口令猜测攻击,在对系统安全度要求较高的环境中有着良好的应用前景。     

一种新的基于智能卡的双向身份认证方案设计

身份认证问题是网络安全中的重要研究课题。最近,Chien 等人提出了一种有效的基于智能卡的身份认证方案,但从文献［8］及本文的分析看,该方案容易遭受Reflection Attack,Parallel Attack、重传攻击等。在分析其方案漏洞的基础上,提出了一种新的双向身份认证方案。     

在多服务器环境下的双因素动态身份鉴别方案

针对Li等人基于智能卡的多服务器身份认证方案,分析指出了其中存在的安全性问题,提出了一个改进的双因素动态身份鉴别方案.该方案为用户提供了一种关于身份注册信息的自我更新机制,用户可以在不与远程服务器通信的状态下,动态更新身份标志、口令和秘密参数等相关信息.另外,自验证的时间戳技术的借鉴利用,不仅避免了时钟同步问题,而且节约了产生随机数的开销.该方案还实现了用户的动态登录和对用户登录操作的可追踪性.新方案不仅继承了Li方案计算量低、存储量小的优点,而且还提高了认证方案的安全性和实用性,可以适用于实际的网络环境和应用.     

基于智能卡的X.509身份认证

身份认证中的关键技术是身份信息的安全存储、处理和传递,本文提出了一种基于智能卡的X.509身份认证方案,设计了一套基于X.509的身份认证协议,将智能卡作为存储身份信息的载体,密码运算都在智能卡内部进行,认证过程安全性好.在开放的网络环境中,此方案可较好地防止中间人攻击,验证用户身份.     

一种增强的智能卡口令认证方案

Hwang等人提出了基于ElGamal算法的智能卡口令认证方案,其安全性依赖于计算有限域上离散对数的难度。Chan等人分析了该方案的安全缺陷,并进行了改进。最近,Awasthi等人指出了改进方案中的安全缺陷,并提出了一种新方案,但新方案仍然存在缺陷。针对新方案的缺陷,基于“一次一密”和“动态口令”,提出了一种增强的智能卡口令认证方案。该方案允许用户自由选择口令,能够抵御重放攻击、内部攻击,能双向认证,具备强安全修复性。     

Cryptanalysis and improvement of a robust smart card secured authentication scheme on SIP using elliptic curve cryptography

The session initiation protocol (SIP) has been receiving a lot of attention to provide security in the Voice over IP (VoIP) in Internet and mobility management. Recently, Yeh et al. proposed a smart card-based authentication scheme for SIP using elliptic curve cryptography (ECC). They claimed that their scheme is secure against known security attacks. However, in this paper, we indicate that Yeh et al.’s scheme is vulnerable to off-line password guessing attack, user impersonation attack and server impersonation attack, in the case that the smart card is stolen and the information stored in the smart card is disclosed. As a remedy, we also propose an improved smart card-based authentication scheme which not only conquers the security weaknesses of the related schemes but also provides a reduction in computational cost. The proposed scheme also provides the user anonymity and untraceability, and allows a user to change his/her password without informing the remote server. To show the security of our protocol, we prove its security the random oracle model.     

An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures

As a smart phone becomes a daily necessity, mobile services are springing up. A mobile user should be authenticated and authorized before accessing these mobile services. Generally, mobile user authentication is a method which is used to validate the legitimacy of a mobile login user. As the rapid booming of computer networks, multi-server architecture has been pervasive in many network environments. Much recent research has been focused on proposing password-based remote user authentication protocols using smart cards for multi-server environments. To protect the privacy of users, many dynamic identity based remote user authentication protocols were proposed. In 2009, Hsiang and Shih claimed their protocol is efficient, secure, and suitable for the practical application environment. However, Sood et al. pointed out Hsiang et al.’s protocol is susceptible to replay attack, impersonation attack and stolen smart card attack. Moreover, the password change phase of Hsiang et al.’s protocol is incorrect. Thus, Sood et al. proposed an improved protocol claimed to be practical and computationally efficient. Nevertheless, Li et al. found that Sood et al.’s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack and consequently proposed an improvement to remove the aforementioned weaknesses. In 2012, Liao et al. proposed a novel pairing-based remote user authentication protocol for multi-server environment, the scheme based on elliptic curve cryptosystem is more secure and efficient. However, through careful analyses, we find that Liao et al.’s protocol is still susceptible to the trace attack. Besides, Liao et al.’s protocol is inefficient since each service server has to update its ID table periodically. In this paper, we propose an improved protocol to solve these weaknesses. By enhancing the security, the improved protocol is well suited for the practical environment.     

一种更安全的基于智能卡的多服务器身份认证方案研究

随着网络和通讯技术的发展,多服务器的身份认证问题成为近几年研究的重点。针对Chuang等人提出的基于生物特征的多服务器密钥认证方案存在的安全性不足等问题,Wang等人进行了改进,但是仍未解决不同服务器密钥相同造成的恶意攻击和伪造攻击等问题。因此,本文提出了一种更安全的基于智能卡的多服务器身份认证方案。该方案在服务器注册阶段,将高熵秘密数与服务器的ID进行计算再重新分配给服务器,使得不同的服务器具有不同的密钥。最后通过五个方案功能和性能比较分析,得出改进方案比前三种方案时间上分别缩短了16.67%、20%、28.57%,且能有效阻止恶意服务器攻击、伪造攻击、重放攻击和中间人攻击等多种攻击,安全性得到了提高,满足实际网络的高可靠性需求。     

Cryptanalysis of a mutual authentication scheme based on nonce and smart cards

To prevent the forged login attacks, Liu et al. recently proposed a new mutual authentication scheme using smart cards. However, we demonstrate that the attacker without any secret information can successfully not only impersonate any user to cheat the server but also impersonate the server to cheat any user. That is, Liu et al.’s scheme fails to defend the forged login attack as the previous version. Our cryptanalysis result is important for security engineers, who are responsible for the design and development of smart card-based user authentication systems.     

基于双线性对和Nonce的智能卡远程用户认证方案*

远程用户认证方案是远程服务器通过不安全的网络认证远程用户身份的一种机制。根据椭圆曲线上的双线性对的优良性质,2006年,Das等人提出了基于双线性对的远程用户认证方案。2009年, Goriparthi等人指出该方案易遭受伪造攻击和重放攻击并给出了一个改进方案。然而发现Goriparthi等人的改进方案易遭受内部人员攻击、拒绝服务攻击和服务器哄骗攻击以及存在时钟同步问题。为了克服这些缺点,提出了基于双线性对和Nonce的智能卡远程用户认证方案。安全分析表明,该方案不但增强了认证系统的安全性,而且可安全地完     

On the Privacy of Khan et al.'s Dynamic ID-Based Remote Authentication Scheme with User Anonymity

Abstract

Very recently, Khan, Kim, and Alghathbar [6] proposed a dynamic ID-based remote user authentication scheme and claimed that their scheme can provide user anonymity. However, in this article, the authors demonstrate that either a malicious user or an adversary with a valid smart card can trace any user by eavesdropping on his normal authentication session over the public channel. Therefore, Khan et al.'s scheme fails to provide the privacy service as claimed. Hence, the authors present an improved scheme to overcome its flaw and examine the privacy of the improved scheme by using the smart card-based privacy model. In addition, the security and efficiency of the improved scheme are scrutinized. The conclusive result is that the design of the improved scheme is reasonable in not only both privacy and security aspects but also the performance aspect.     

Cryptanalysis of a password authentication scheme over insecure networks

The security of a password authentication scheme using smart cards proposed by Liao et al. [I.-E. Liao, C.-C. Lee, M.-S. Hwang, A password authentication scheme over insecure networks, J. Comput. System Sci. 72 (2006) 727–740] is analyzed. Three kinds of attacks are presented in different scenarios.     

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Remote user authentication is a method, in which remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low computational cost and convenient portability for the authentication purpose. Recently, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They claimed that their scheme preserves anonymity of user, has the features of strong password chosen by the server, and protected from several attacks. However, in this paper, we point out that Wang et al.’s scheme has practical pitfalls and is not feasible for real-life implementation. We identify that their scheme: does not provide anonymity of a user during authentication, user has no choice in choosing his password, vulnerable to insider attack, no provision for revocation of lost or stolen smart card, and does provide session key agreement. To remedy these security flaws, we propose an enhanced authentication scheme, which covers all the identified weaknesses of Wang et al.’s scheme and is more secure and efficient for practical application environment.