基于口令的身份认证方案安全性分析及其改进
|
摘要
常规口令身份认证方案一般采用哈希函数在客户端、服务器端之间构造交互,在抵抗重放攻击、字典攻击方面存在一定的缺陷,即使采用了口令加盐技术、哈希链算法,虽能够提高安全等级,但不能应对所有形式的攻击方式,且在效率与安全方面难以平衡。对当前广泛使用的口令认证技术进行了分析,比较研究了多种改进方案,提出了基于哈希函数和质询挑战相结合的综合身份认证方案,采用了哈希函数、加盐技术和时间戳技术,实现了对网络窃听、重放攻击、假冒攻击及字典攻击的防护,易于编程实现,且服务器端的资源占用无较大增加。
The conventional password identity authentication scheme generally uses hash function to form the interaction between the client and the server and it has certain defects in resisting replay attacks and dictionary attacks. Although the password salting technology and the hash chain algorithm can be used to improve the safety level,they cannot cope with all forms of attacks and cannot keep balance in terms of safety and efficiency. Through the analysis on currently widely used password authentication technology and the comparative study on a variety of improvement plans,I propose a comprehensive identity authentication scheme based on the combination of hash function and inquiry challenges. This scheme uses hash function,salting and time stamp technology to protect the net from the network eavesdropping,replay attacks,counterfeit attacks and dictionary attacks. It is easily programmed and server-side resource occupancy is not greatly increased.
The conventional password identity authentication scheme generally uses hash function to form the interaction between the client and the server and it has certain defects in resisting replay attacks and dictionary attacks. Although the password salting technology and the hash chain algorithm can be used to improve the safety level,they cannot cope with all forms of attacks and cannot keep balance in terms of safety and efficiency. Through the analysis on currently widely used password authentication technology and the comparative study on a variety of improvement plans,I propose a comprehensive identity authentication scheme based on the combination of hash function and inquiry challenges. This scheme uses hash function,salting and time stamp technology to protect the net from the network eavesdropping,replay attacks,counterfeit attacks and dictionary attacks. It is easily programmed and server-side resource occupancy is not greatly increased.
引文
[1]曹天杰.计算机系统安全[M].3版.北京:高等教育出版社,2014.
[2]喻丽春.基于AES和RSA算法的一次性口令认证[J].西安邮电大学学报,2017,22(1):38-43.
[3]吴和生,范训礼,伍卫民,等.一种有效的一次性口令身份认证方案[J].计算机应用研究.2003,20(8):57-59.
[4]郑海龙,刘建伟.一次性口令认证机制的分析与研究[J].信息安全与通信保密,2008(11):64-66.
[5]殷松瑜,徐炜民.S/KEY认证方案的分析与改进[J].微计算机信息,2011,27(9):175-178.
[6]商伶俐.改进型一次性口令身份认证方案的研究[J].合肥学院学报(自然科学版),2010(4):37-40.
[7]徐成强,李作维.改进的一次性口令认证方案[J].计算机工程,2009,35(24):168-169.
[8]谢志强,郭军,杨静.新型S/KEY认证方案的分析与设计[J].计算机工程,2009,35(5):175-176.
[9]汪定,马春光,张启明,等.一个强口令认证方案的攻击与改进[J].计算机科学,2012,39(6):72-76.
[10]王耀民,曾华,何文广,等.一种新的改进口令认证协议[J].计算机安全,2012(6):10-13.
[11]何冰.简单易行的S/KEY认证改进方案[J].计算机应用,2011,31(4):996-998.
[12]高雪,张焕国,孙晓梅.一种改进的一次性口令认证方案[J].计算机应用研究. 2006,23(6):127-132.
[13]王平,汪定,黄欣沂.口令安全研究进展[J].计算机研究与发展,2016,53(10):2173-2188.
[14]邓飞,朱莹.基于口令的客户端/服务器认证协议[J].计算机工程与应用,2015,51(20):72-76,161.
[2]喻丽春.基于AES和RSA算法的一次性口令认证[J].西安邮电大学学报,2017,22(1):38-43.
[3]吴和生,范训礼,伍卫民,等.一种有效的一次性口令身份认证方案[J].计算机应用研究.2003,20(8):57-59.
[4]郑海龙,刘建伟.一次性口令认证机制的分析与研究[J].信息安全与通信保密,2008(11):64-66.
[5]殷松瑜,徐炜民.S/KEY认证方案的分析与改进[J].微计算机信息,2011,27(9):175-178.
[6]商伶俐.改进型一次性口令身份认证方案的研究[J].合肥学院学报(自然科学版),2010(4):37-40.
[7]徐成强,李作维.改进的一次性口令认证方案[J].计算机工程,2009,35(24):168-169.
[8]谢志强,郭军,杨静.新型S/KEY认证方案的分析与设计[J].计算机工程,2009,35(5):175-176.
[9]汪定,马春光,张启明,等.一个强口令认证方案的攻击与改进[J].计算机科学,2012,39(6):72-76.
[10]王耀民,曾华,何文广,等.一种新的改进口令认证协议[J].计算机安全,2012(6):10-13.
[11]何冰.简单易行的S/KEY认证改进方案[J].计算机应用,2011,31(4):996-998.
[12]高雪,张焕国,孙晓梅.一种改进的一次性口令认证方案[J].计算机应用研究. 2006,23(6):127-132.
[13]王平,汪定,黄欣沂.口令安全研究进展[J].计算机研究与发展,2016,53(10):2173-2188.
[14]邓飞,朱莹.基于口令的客户端/服务器认证协议[J].计算机工程与应用,2015,51(20):72-76,161.