对两个基于智能卡的口令认证协议的安全性分析

身份认证是确保信息系统安全的重要手段，基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术，对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击；指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击，且口令更新阶段存在设计缺陷。分析结果表明，这两个口令认证协议都存在严重安全缺陷，不适合安全需求较高的应用环境。

Cryptanalysis of two smartcard-based remote user password authentication protocols

Since identity authentication becomes an essential mechanism to ensure robust system security in distributed networks,smartcard-based remote user password authentication protocols have been studied intensively recently.Two recently proposed smartcard-based authentication protocols were examined with the scenario-based attack techniques.The protocol presented in "Cryptanalysis and improvement of Liao et al.’s remote user authentication scheme"(PAN Chun-lan,ZHOU An-min,XIAO Feng-xia,et al.Improved remote user authentication scheme.Computer Engineering and Applications,2010,46(4):110-112) can not withstand the offline password guessing attack as the authors claimed,while the protocol presented in "Improved scheme for smart card password authentication based on bilinear pairings"(DENG Li,WANG Xiao-feng.Improved scheme for smart card password authentication based on bilinear pairings.Computer Engineering,2010,36(18):150-152) is found vulnerable to the Denial of Service(DoS) attack and insider attack.The analytical results show that,both protocols are susceptible to serious security threats and impractical for security-concerned applications.