
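An improved remote user anonymous authentication scheme using smart cards
Cite this article: LIU Run jie, LIU Heng chao, SHEN Jin yuan. An improved remote user anonymous authentication scheme using smart cards[J]. Computer Engineering & Science, 2016, 38(3): 465-470
Authors: 刘润杰  刘恒超  申金媛
Affiliation: 1. School of Information Engineering, Zhengzhou University
Funding: Industry-University-Research Project of the Henan Provincial Department of Science and Technology (142107000004)
Abstract: To address the flaws in the remote user authentication scheme proposed by Sonwanshi, namely poor session key security and an inability to resist impersonation attacks and offline password guessing attacks, an improved scheme is proposed that mainly strengthens security in the registration and login phases. In the registration phase, the user's password is processed directly inside the smart card and is no longer submitted to the server. This not only reduces the server's overhead for storing and maintaining passwords, but also prevents attacks by the server against users, improving security. In the login phase, a random-number challenge-response mechanism replaces the timestamp mechanism of the original scheme, eliminating authentication failures caused by unsynchronized clocks. A security and efficiency analysis of the original scheme, the improved scheme and other similar schemes shows that the improved scheme not only remedies the flaws of the original scheme but also has lower time complexity than similar schemes, making it suitable for devices with high security requirements and low processing power.

Keywords: smart card  identity authentication  anonymity  impersonation attack  session key
Received: 2015-02-28
Revised: 2016-03-25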

An improved remote user anonymous authentication scheme using smart cards
LIU Run jie,LIU Heng chao,SHEN Jin yuan. An improved remote user anonymous authentication scheme using smart cards[J]. Computer Engineering & Science, 2016, 38(3): 465-470
Authors:LIU Run jie  LIU Heng chao  SHEN Jin yuan
Affiliation:(School of Information Engineering,Zhengzhou University,Zhengzhou 450001,China)
Abstract: We find some security flaws in Sonwanshi’s remote user authentication scheme, such as poor session key security and an inability to resist impersonation attacks and offline password guessing attacks. We propose an improved scheme, which mainly enhances the security of Sonwanshi’s scheme in the registration and login phases. In the registration phase, users’ passwords are directly stored in the local smart cards rather than being submitted to the server, which not only reduces the server's costs for password storage and maintenance, but also improves security. In the login phase, the original timestamp mode is replaced by a random-number challenge-response mode to avoid authentication failures caused by clock asynchronization. The analysis of security and efficiency shows that the proposed scheme not only eliminates the defects of Sonwanshi’s scheme, but also reduces the time complexity in comparison with similar schemes. It is therefore suitable for devices with low processing power and high security requirements.
Keywords: smart card  identity authentication  anonymous  impersonation attack  session key