Single password authentication method for remote user based on mobile terminal assistance
  • Chinese title: 基于移动端协助的远程用户单一口令认证方法
  • Authors: XU Yuan; YANG Chao; YANG Li
  • Affiliations: Experimental Teaching Management Training Center, Xi'an University of Finance and Economics; Information Network Technology Center, Xidian University; School of Cyber Engineering, Xidian University (西安财经大学实验实训教学管理中心; 西安电子科技大学信息网络技术中心; 西安电子科技大学网络与信息安全学院)
  • Keywords: password-based authentication; secret sharing; mobile-terminal-assisted authentication; malware; dictionary attack
  • Chinese keywords: 口令认证; 秘密共享; 移动端辅助认证; 恶意软件; 字典攻击
  • Journal: Journal on Communications (通信学报; CNKI journal code TXXB)
  • Publication date: 2019-02-25
  • Year: 2019
  • Volume/issue: v.40, No.382, issue 02
  • Funding: National Key R&D Program of China (No.2017YFGX110123); Shaanxi Science and Technology Innovation Program (No.201809168CX9JC10); National Natural Science Foundation of China (No.61672415); Xi'an University of Finance and Economics 2018 Education and Teaching Reform Research Fund (No.18xcj36)
  • Language: Chinese
  • CNKI record: TXXB201902020
  • Pages: 178-191 (14 pages)
  • CN: 11-2102/TN
Abstract
(Translated from the Chinese abstract.) To address the problem that users frequently reuse the same weak password across password-authentication systems, this paper proposes a single-password authentication method based on secret sharing between the server and a portable mobile device. It allows a remote user to authenticate securely to multiple online services with a single password, and the client PC does not need to store any secret information of the user; even if the mobile device is lost or stolen, the user's information is not compromised. Security analysis and performance tests show that the new method greatly improves the security of users' private information, resists dictionary attacks, honeypot attacks, cross-site scripting attacks and phishing attacks, reduces the user's memory burden, relieves storage pressure and is easy to deploy.
(Original English abstract.) To address the issue that users frequently reuse their weak passwords in password-based authentication systems, single password authentication based on secret sharing between server and mobile terminal (SPASS) was proposed, which allows a remote user to use a single password to authenticate to multiple services securely and has no need to store any secret of the user in the client PC. Even when the mobile device is lost or stolen, no damage to the user's information will be induced. Security analysis and performance tests show that SPASS greatly improves the security of the user's secret information and resists dictionary attacks, honeypot attacks, cross-site scripting attacks etc. Furthermore, the proposed scheme lightens the burden on the user's memory, reduces storage pressure and is easy to deploy.
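The abstract's claims (client PC stores nothing, a lost mobile reveals nothing, server-side data gives no dictionary oracle, one password yields distinct per-service credentials) are properties a practitioner can check concretely. The Python sketch below is an added example, not code from the paper and not the SPASS protocol itself: the paper's message flow and its exact secret-sharing split between server and mobile are not given on this page. The sketch instead models the per-service secret as a 2-of-2 combination of a uniformly random share held on the mobile device and a key derived from the user's single password, gives the server only a service-specific credential, and keeps the client PC stateless. The function names, the scrypt parameters and the word list are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample word list for the offline-attack demonstration (not from the paper).
WORDLIST = ["123456", "password", "letmein", "hunter2", "correct horse"]


def kdf(password: str, salt: bytes) -> bytes:
    """Memory-hard stretching of the single password (scrypt from the standard library).
    Parameters are illustrative assumptions; tune them to the device in production."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def derive_credential(password: str, salt: bytes, share: bytes, service: str) -> bytes:
    """2-of-2 combination: the mobile's random share keys an HMAC over the
    password-derived key and the service name, so every service gets a different
    credential and neither the share nor the password alone determines it."""
    msg = kdf(password, salt) + service.encode("utf-8")
    return hmac.new(share, msg, hashlib.sha256).digest()


def register(password: str, service: str):
    """Enrolment, run on the mobile device. Returns (mobile_record, server_record).
    The server receives only the finished credential; it never sees the password,
    the salt or the share, so its store alone offers no offline password oracle."""
    salt = secrets.token_bytes(16)
    share = secrets.token_bytes(32)  # uniformly random, independent of the password
    cred = derive_credential(password, salt, share, service)
    mobile_record = {"service": service, "salt": salt, "share": share}
    server_record = {"service": service, "cred": cred}
    return mobile_record, server_record


def client_login(password: str, mobile_record: dict, nonce: bytes) -> bytes:
    """Run on the stateless client PC: it obtains salt and share from the mobile
    (out of band, e.g. a QR code), takes the password from the user, answers the
    server's challenge and retains nothing afterwards."""
    cred = derive_credential(password, mobile_record["salt"],
                             mobile_record["share"], mobile_record["service"])
    return hmac.new(cred, nonce, hashlib.sha256).digest()


def server_verify(server_record: dict, nonce: bytes, response: bytes) -> bool:
    """Challenge-response check; the nonce must be fresh per login to block replay."""
    expected = hmac.new(server_record["cred"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def offline_guess(wordlist, mobile_record: dict, server_record: dict):
    """Dictionary attack with leaked stores. A guess can only be *checked* against
    the server's credential when the attacker also holds the matching salt and
    share from the mobile; with only the server store the attacker has to supply
    a share of its own, and with only the mobile store there is nothing to compare to."""
    for guess in wordlist:
        cand = derive_credential(guess, mobile_record["salt"],
                                 mobile_record["share"], mobile_record["service"])
        if hmac.compare_digest(cand, server_record["cred"]):
            return guess
    return None


if __name__ == "__main__":
    mobile, server = register("correct horse", "bank.example")
    nonce = secrets.token_bytes(32)
    print("login ok:", server_verify(server, nonce, client_login("correct horse", mobile, nonce)))
    # Server store leaked but mobile intact: attacker must guess the 256-bit share too.
    print("server store alone:", offline_guess(WORDLIST, {**mobile, "share": secrets.token_bytes(32)}, server))
    # Both stores leaked: the single password is exposed to an offline dictionary attack.
    print("server store + mobile:", offline_guess(WORDLIST, mobile, server))
```

In this model the abstract's "lost or stolen mobile" claim corresponds to the mobile record being statistically independent of the password (every candidate password unblinds to an equally plausible value, so there is nothing to test), and the dictionary-attack claim corresponds to the server holding a credential that cannot be recomputed without the share. Note the limit the abstract's own keyword "malware" points at: the password is typed on the client PC, so malware on that PC sees it at entry; how SPASS handles that is not described on this page.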