一种新型抵御字典攻击的认证方案

身份验证是网络应用系统中的第一道防线,目的是验证通信双方的身份,防止非法用户窃取和假冒合法用户.尽管通过口令是最方便的身份验证方法,但它也伴随着字典攻击的威胁.分析了常用的几种一次性口令身份认证方案,在挑战-响应方案基础上,利用安全单向哈希函数提出并设计了一种新型身份验证方案.该方案不仅明显减少了认证服务器的开销,而且能有效地抵御字典攻击、拒绝服务攻击等攻击手段,显著增强了应用系统的安全性.     

可抵御字典攻击的可验证密钥交换协议

分析了现有密钥交换协议在抵御字典攻击方面的缺陷,对“抵御在线字典攻击的密码协议”及其最新进展进行了研究和探讨。     

可分发密钥的双向口令认证方案

研究在认证服务器拥有公私钥对和客户端有容易记忆的弱口令条件下,实现强认证和密钥交换的安全协议.对Wangr的方案进行了安全性分析,发现该协议不能抵抗许多种攻击方式.提出一种在不安全网络上集口令认证、口令更改和密钥建立的方案,通过对新方案与Hwang-Yeh方案、Peyravian-Zunic方案、Peyravian-Jeffries方案和Wang方案进行的安全性对比分析,分析结果表明新口令认证方案具有更高的安全性和实用性.     

一种抗协议攻击的SVD数字水印

数字水印在应用中可能会受到很多攻击,最难对付的一种攻击是协议攻击。提出了一种基于奇异值分解(SVD)的数字水印算法,用媒体哈希序列对二值水印图像进行加密调制,然后通过随机选取分块,嵌入多份调制后的水印到宿主图像分块SVD的奇异值中,加大了嵌入容量和减少了可能的替换攻击。图像质量评价用适合于SVD的算法,可以较好地符合人眼的主观评价。理论分析表明所提算法具有抵抗协议攻击的能力,实验结果表明,所提算法对各种攻击具有很好的鲁棒性。     

一种远程动态身份认证方案

动态口令认证机制已逐渐成为主流的认证趋势。介绍、分析SAS认证方案,针对其无法抵御拒绝服务攻击和不提供双向认证的安全缺陷,提出一种新的动态身份认证方案,给出具体的注册过程和认证过程,进行安全性分析。     

一种基于身份的私钥分发方案的分析改进

私钥的安全分发是基于身份密码中一个难以解决的问题.2005年的国际并行分布式系统会议上提出了一种可分离匿名的基于身份的私钥分发方案,简称为SAKI.SAKI基于双线性对运算,结合口令认证机制和盲签名技术,能够在非安全信道中安全地传递用户私钥.经过分析发现SAKI方案缺乏用户私钥申请完整性保护,也不能抵抗对口令的字典攻击.针对SAKI存在的问题,分析了原因并给出了改进后的方案.最后分析了改进方案的安全性,证明改进方案能够克服原方案的缺陷,具有更高的安全性.     

SSL协议的哈希函数碰撞攻击与防范

安全套接层协议SSL是Netscape公司推出的一种安全通信协议,该协议在使用不当的情况下很容易受到中间人攻击。文章从密码学角度分析了哈希函数碰撞稳固性对SSL协议安全的重要作用,并给出了SSL协议的哈希函数碰撞攻击原理以及防范这种攻击的方法。     

一种对密码协议攻击的分类分析

保证协议的安全性是保证数据通信安全性的一个重要保障,但是由于协议的应用环境的复杂性和协议设计目的侧重的多样性,协议漏洞被陆续发现。该文从协议设计的角度对协议攻击进行了分类分析,指出一些协议仍然存在的攻击,并结合对前人发现的协议攻击的分析,基于协议设计对协议攻击进行分类,并根据分析结果给出了协议设计的一些指导原则。     

改进的抵抗离线字典攻击的口令更新协议

口令认证是最简单,方便和应用最广泛的一种用户认证方式。最近,Tsaur等人指出了Chang等人的口令更新协议存在拒绝服务攻击并且不能提供口令的后向安全。随后,他们给出了一种改进的口令更新协议,并声称该协议是安全的。文中,分析了Tsaur等人的口令更新协议,指出了其方案是易受离线字典攻击的,且不能提供口令的前向和后向安全性。最后,提出一种改进的口令更新协议,并分析其安全性。     

可抵御字典式攻击的传输层安全方案

传输层安全TLS是在SSL3．0基础上提出的安全通信标准，容易遭到字典式攻击，本文基于可记忆的通行字交换协议设计了传输层安全TLS方案，该方案可抵御字典式攻击，并能方便地提供身份认证．建立安全通道．减少了服务器被攻陷造成的损失．     

认证协议的一些新攻击方法

给出了针对3个认证协议的6种新攻击方法,分析了这些攻击产生的原因,并对相关协议作了改进.     

网络认证协议攻击的非形式化分析

随着密码协议在计算机网络和分布式系统中的广泛应用,协议的安全性显得越来越重要,对协议的安全性分析和研究也成为目前一个非常紧迫的课题。协议安全性分析包括非形式化和形式化两种方法。论文通过对Woo-Lam,Helsinki和Otway-Rees三个典型协议攻击的非形式化分析,归纳出协议漏洞产生的原因,并探讨了相应的改进的方法。     

Decision Procedures for the Security of Protocols with Probabilistic Encryption against Offline Dictionary Attacks

We consider the problem of formal automatic verification of cryptographic protocols when some data, like poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks and propose an inference system modeling the deduction capabilities of an intruder. This system extends a set of well-studied deduction rules for symmetric and public key encryption, often called Dolev–Yao rules, with the introduction of a probabilistic encryption operator and guessing abilities for the intruder. Then, we show that the intruder deduction problem in this extended model is decidable in PTIME. The proof is based on a locality lemma for our inference system. This first result yields to an NP decision procedure for the protocol insecurity problem in the presence of a passive intruder. In the active case, the same problem is proved to be NP-complete: we give a procedure for simultaneously solving symbolic constraints with variables that represent intruder deductions. We illustrate the procedure with examples of published protocols and compare our model to other recent formal definitions of dictionary attacks.     

A Usable and Secure Two-Factor Authentication Scheme

ABSTRACT

There are many secure authentication schemes that are secure but difficult to use. Most existing network applications authenticate users with a username and password pair. Such systems using the reusable passwords are susceptible to attacks based on the theft of password. Each scheme has its merits and drawbacks (Misbahuddin, Aijaz Ahmed, & Shastri, 2006 Misbahuddin, M., Aijaz Ahmed, M. and Shastri, M. H. 2006. A simple and efficient solution to remote user authentication using smart cards. Proceedings of IEEE Conference on Innovations in Information Technology, : 1–5.  [Google Scholar]). To overcome the susceptibility in the existing applications, there is an authentication mechanism known as Two-Factor Authentication. Two-Factor Authentication is a process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. It is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. The proposed scheme allows users to freely choose their PassFile (file password) instead of remembering the password, eliminating the problem of entering the reusable password and remembering the password. In this scheme, we proposed an efficient scheme for remote user authentication. It does not maintain verifier table and allows the user to freely choose and change their passwords. The proposed scheme provides best usability for the user in terms of PassFile without changing the existing protocol. This approach uses a smart card and is secure against identity theft, guessing attack, insider attack, stolen verifier attack, replay attack, impersonation attack, and reflection attack. The proposed achieves the mutual authentication essential for many applications.     

开放式网络中一种新的远程用户认证机制

用户认证服务是确保开放式网络安全的重要组件之一。该文利用安全单向哈希函数和异或运算,提出了一种新的远程用户和服务器双向认证机制。与近年来提出的其它认证机制相比,该机制在安全性和实现效率上均有明显优势。     

Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards

ABSTRACT

In 2004, Das et al. proposed a dynamic identity-based remote user authentication scheme using smart cards. This scheme allows users to choose and change their passwords freely, and the server does not maintain any verification table. Das et al. claimed that their scheme is secure against stolen verifier attack, replay attack, forgery attack, dictionary attack, insider attack and identity theft. However, many researchers have demonstrated that Das et al.'s scheme is susceptible to various attacks. Furthermore, this scheme does not achieve mutual authentication and thus cannot resist malicious server attack. In 2009, Wang et al. argued that Das et al.'s scheme is susceptible to stolen smart card attack. If an attacker obtains the smart card of the user and chooses any random password, the attacker gets through the authentication process to get access of the remote server. Therefore, Wang et al. suggested an improved scheme to preclude the weaknesses of Das et al.'s scheme. However, we found that Wang et al.'s scheme is susceptible to impersonation attack, stolen smart card attack, offline password guessing attack, denial of service attack and fails to preserve the user anonymity. This paper improves Wang et al.'s scheme to resolve the aforementioned problems, while keeping the merits of different dynamic identity based smart card authentication schemes.     

一种基于便携式指纹仪的远程认证设计

提出了一种利用便携式指纹仪提取指纹细节点信息,产生一组数字特征值,并根据这组数字特征值结合通行字双向认证方案提出了一种安全认证方案;在该方案中系统管理员无法推导出用户的任何指纹特征,入侵者也不能导出任何用户的通行字和任何保密信息,系统可对来访的用户进行认证,用户也可以对系统的真实性进行认证;该方案能抵御重试攻击,能防止系统内部人员伪造访问记录。