一个基于口令的能抵抗字典攻击的身份认证系统设计与实现
|
摘要
计算机网络是一个开放的系统,但由于其开放性导致计算机网络中存在相当多的安全漏洞和安全威胁,网络中的各类资源很容易被人非法访问和复制。因此,对网络资源访问者的合法身份进行认证就变得非常的重要,身份认证技术已经成为网络系统安全中最重要的技术之一。
基于口令的身份认证系统允许人们选择自己的口令,并且不需要辅助设备生成或储存,因此基于口令的机制广泛应用于用户认证密钥协商。但是,易于记忆的口令容易遭受各种各样的攻击,主要的网络攻击手段有:网络数据流窃听、认证信息拷贝/重放、字典攻击等等。因此,设计并实现安全的身份认证系统具有重要的现实意义。
本文主要在掌握了一定的数据加密与信息安全、身份认证等知识的基础上,对EKE协议和CAPTCHA作了较为深入的研究。EKE协议是基于弱口令的密钥交换协议,通过使用对称密钥加密体制和公钥加密体制,能够很好地抵抗离线字典攻击。CAPTCHA是指全自动区分计算机和人类的图灵测试,通过不断地测试,完成两个主要功能:一是大多数人能通过测试,二是目前的计算机不能通过测试。因此,利用CAPTCHA技术,可以避免攻击者利用机器进行自动的在线字典攻击。本文的研究成果:结合EKE协议和CAPTCHA技术,针对字典攻击,设计并实现了一个基于口令的能抵抗字典攻击的身份认证系统,这里的字典攻击包含了离线字典攻击和在线字典攻击。在系统的实现过程中,还主要解决了大素数的生成以及大数运算等问题。
The computer network is an open system, and because of its openness, there exist quite a few security vulnerabilities and threats and different kinds of resources are easy to be accessed illegally. Therefore, identity authentication for visitors is more and more important and become one of the most significant techniques in network security field.
Identity authentication based on password is widely used in the user authentication key negotiation procedure because it allows users to choose their own passwords without any accessories for generating or store them. But simple passwords are also ease to be attacked in various ways, such as Sniffer, Record/Replay and dictionary attack. So it is necessary and important to design a system of identity authentication with high security.
This paper deeply researches on EKE protocol and CAPTCHA on the base of the knowledge of Data Encryption and Information Security. EKE is a kind of key exchange protocol based on week password and can resist offline dictionary attacks by use of symmetric key encryption and public key encryption. CAPTCHA is Completely Automated Public Turing Test to Tell Computes and Humans Aparts. By keeping testing, it can complete two functions: one is most users can pass the test, the other is current computers can not. Therefore, CAPTCHA can resist online dictionary attacks.
Our work is designing an identity authentication system by use of EKE protocol and CAPTCHA; which can resist online and offline dictionary attacks. And the generation of big prime number and the googol computation are also solved in this system.
基于口令的身份认证系统允许人们选择自己的口令,并且不需要辅助设备生成或储存,因此基于口令的机制广泛应用于用户认证密钥协商。但是,易于记忆的口令容易遭受各种各样的攻击,主要的网络攻击手段有:网络数据流窃听、认证信息拷贝/重放、字典攻击等等。因此,设计并实现安全的身份认证系统具有重要的现实意义。
本文主要在掌握了一定的数据加密与信息安全、身份认证等知识的基础上,对EKE协议和CAPTCHA作了较为深入的研究。EKE协议是基于弱口令的密钥交换协议,通过使用对称密钥加密体制和公钥加密体制,能够很好地抵抗离线字典攻击。CAPTCHA是指全自动区分计算机和人类的图灵测试,通过不断地测试,完成两个主要功能:一是大多数人能通过测试,二是目前的计算机不能通过测试。因此,利用CAPTCHA技术,可以避免攻击者利用机器进行自动的在线字典攻击。本文的研究成果:结合EKE协议和CAPTCHA技术,针对字典攻击,设计并实现了一个基于口令的能抵抗字典攻击的身份认证系统,这里的字典攻击包含了离线字典攻击和在线字典攻击。在系统的实现过程中,还主要解决了大素数的生成以及大数运算等问题。
The computer network is an open system, and because of its openness, there exist quite a few security vulnerabilities and threats and different kinds of resources are easy to be accessed illegally. Therefore, identity authentication for visitors is more and more important and become one of the most significant techniques in network security field.
Identity authentication based on password is widely used in the user authentication key negotiation procedure because it allows users to choose their own passwords without any accessories for generating or store them. But simple passwords are also ease to be attacked in various ways, such as Sniffer, Record/Replay and dictionary attack. So it is necessary and important to design a system of identity authentication with high security.
This paper deeply researches on EKE protocol and CAPTCHA on the base of the knowledge of Data Encryption and Information Security. EKE is a kind of key exchange protocol based on week password and can resist offline dictionary attacks by use of symmetric key encryption and public key encryption. CAPTCHA is Completely Automated Public Turing Test to Tell Computes and Humans Aparts. By keeping testing, it can complete two functions: one is most users can pass the test, the other is current computers can not. Therefore, CAPTCHA can resist online dictionary attacks.
Our work is designing an identity authentication system by use of EKE protocol and CAPTCHA; which can resist online and offline dictionary attacks. And the generation of big prime number and the googol computation are also solved in this system.
引文
[1]李中献,詹榜华,杨义先.认证理论与技术的发展.电子学报,1999,21(7):98-102
[2]Lamport L.Password authentication with insecure communication[J].Communication of ACM,1981,24:770-772
[3]Haller N.A One-Time Password System[S].RFC 2289,1998,2
[4]Haller NM.The S/IEY one-time password system[A].Proceedings of the internet society symposiumon netword and distributed system security[C].Sandiego,CA,1994
[5]Haller N.The S/KEY onetime password system[S].RFC 1760,1995,11
[6]陈恳.基于ECC的一次性口令身份认证方案设计与实现.西南交通大学硕士学位论文,2005
[7]陈恳,彭代渊,鲁荣波.一种基于ECC的一次性口令身份认证方案.微机发展,2005,15(5):40-42
[8]Sun HM.An efficient remote user authentication scheme using smart cards.IEEE Transactions on Consumer Electronics,2000,46:958-961
[9]Chien HY,Jan JK,Tseng YM.An efficient and practical solution to remote authentication:Smart Card.Computers and Security,2002,21(4):372-375
[10]Hsu CL.Security of two remote user authentication schemes using smart cards.IEEE Transactions on Consumer Electronics,2003,49(4):1196-1198
[11]Das ML,Saxena A,Gulati VP.A dynamic ID-based remote user authentication scheme[J].IEEE Transactions on Consumer Electronics,2004(50):629-631
[12]Awasthi AK.Comment on'A Dynamic ID-based Remote User Authentication Scheme.Transaction on Cryptology,2004,1(2):15-16
[13]Sandirigama M,Shimizu A,Noda MT.Simple and secure password authentication protocol(SAS)[J].IEICE Trans Commun,2000,E83-B(6):1363-1365
[14]Lin C,Sun H,Hwang T.Attacks and solutions on strong-password authentication.MICE Trans Commun,2001,E84-B(9):2622-2627
[15]Kamioka T,Shimizu A.The examination of the security of SAS one-time password authentication.MICE Technical Report,2001,OFS2001-48(435):53-58
[16]YUAN Ding,FAN PingZhi.A Secure Dynamic Password Authentication Scheme.Journal of Sichuan University(Natural Science Edition),2002,39(2):228-232
[17]Tsuji T,Kamioka T,Shimizu A.Simple and secure password authentication protocol,ver2(SAS-2).IEICE Technical Report,OIS2002-30,2002,102(314):7-11
[18]Hwang MS,Li LH.A new remote user authentication scheme suing smart cards.IEEE Transactions on Consumer Electronics,2000,46(4):992-993
[19]Chan CK,Cheng LM.Cryptanalysis of timestamp-based password authentication scheme.Computer&Security,2002,21(1):74-76
[20]Chang CC,Hwang KF.Some forgery attack on a remote user authentication scheme using smart cards.Infomatics,2003,14(3):189-294
[21]Lee JK,Ryu SR,Yoo KY.Fingerprint-based remote user authentication scheme using smart cards.ELECTRONICS LETTERS,2002,38(12):554-555
[22]Shen JJ,Lin CW,Hwang MS.A modified remote user authentication scheme using smart cards.IEEE Trans Consumer Elictronic,2003(49):414-416
[23]Hsieh BT,Yeh HT,Sun HM,etc.Cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards.Security Technology 2003.Proceedings.IEEE 37th Annual 2003 International Carnahan Conference,2003:349-350
[24]Lin CH,Lai YY.A flexible biometrics remote user authentication scheme.Computer Standards&Interfaces,2004,27:19-23
[25]Mitchell CJ,Tang Q.Security of the Lin-Lai smart card based user authentication scheme.http://www.rhul.ac.uk/mathematics/techreports.2005
[26]Awasthi AK,Lal S.A remote user authentication scheme using smart cards with forward secrecy.IEEE Transactions on consumer electronics,2003(49):1246-1248
[27]Lee SW,Kim HS,Yoo KY.Comment on a remote user authentication scheme using smart cards with 'forward secrecy.IEEE Transactions on consumer electronics,2004(50):576-577
[28][Kumar M.New Remote User Authentication Scheme Using Smart Cards.IEEE 2004,597:600
[29]陈鲁生,沈世镒.现代密码学.北京:科学出版社,2002
[30]Douglas R Stinson.密码学原理与实践(第二版).冯登国译.北京:电子工业出版社,2003
[31]Wenbo Mao.现代密码学理论与实践.王继林,伍前红译.北京:电子工业出版社,2004
[32]Bruce Schneier.应用密码学协议,算法与源程序.吴世忠译.机械工业出版社,2000
[33]曹天杰,张永平,苏成.计算机系统安全.北京:高等教育出版社,2003
[34]尹少平,董丹.Diffie-Hellman密钥交换协议设计与实现.电力学报,2006.21(1):9-12
[35]赵跃华,王琴.运用DH-EKE增强WTLS握手协议的安全性.计算机工程与设计,2007,28(8):1801-1803
[36]黄松柏,韩秀玲.密钥交换协议的安全性分析与改进.信息安全,2007,3:35-37
[37]王全来,韩继红,王亚弟.基于逻辑编程的EKE协议分析.计算机工程,2007,33(5):112-113
[38]徐沛东,张玉峰.可抵御字典攻击的可验证密钥交换协议.微型机与应用,2001,1:56-60
[39]於时才,胡佳文,靳艳峰.一种新型抵御字典攻击的认证方案.计算机工程与设计,2007,28(8):1798-180
[40]Ahn,L.von,Blum,M.,Hopper,N.J.,and Langford,J.CAPTCHA:Telling humans and computers apart.In Advances in Cryptology,Eurocrypt '03,volume 2656 of Lecture Notes in Computer Science,(2003),294-311
[41]金海坤,杜文杰,沙俐敏.基于CAPTCHA的中文安全机制的研究.计算机工程与设计,2006,27(6):985-987
[42]Liang Wei,Wang Wenye.On performance analysis of challenge-responsebased authentication in wireless networks.Computer Networks,2005,48(10):267-288.
[43]张丽,郭慧.密码分析与安全策略.网络与信息,2007(1):69
[44]马自堂,张鲁国.基于口令的群密钥分发协议的分析与设计.信息安全,2006,9:107-109
[45]李莉,薛锐,张焕国,冯登国,王丽娜.基于口令认证的密钥交换协议的安全性分析.电子学报,2005,33(1):166-170
[46]索望,硕士论文《一次性口令身份认证方案的设计与实现》,四川大学,2005年5月
[47]雷斌,杨建华,黄超等.Visual C++6.0网络编程技术.北京:人民邮电出版社,2000
[48]徐晓刚,高兆法,王秀娟.Visual C++6.0入门与提高.北京:清华大学出版社,2000
[49]网冠科技.Visual C++6.0时尚编程百例.北京:机械工业出版社,2001
[50]Bruce Schneier著.吴世忠,祝世雄,张文政等译.应用密码学:协议、算法与C源程序.北京:机械工业出版社,2000
[2]Lamport L.Password authentication with insecure communication[J].Communication of ACM,1981,24:770-772
[3]Haller N.A One-Time Password System[S].RFC 2289,1998,2
[4]Haller NM.The S/IEY one-time password system[A].Proceedings of the internet society symposiumon netword and distributed system security[C].Sandiego,CA,1994
[5]Haller N.The S/KEY onetime password system[S].RFC 1760,1995,11
[6]陈恳.基于ECC的一次性口令身份认证方案设计与实现.西南交通大学硕士学位论文,2005
[7]陈恳,彭代渊,鲁荣波.一种基于ECC的一次性口令身份认证方案.微机发展,2005,15(5):40-42
[8]Sun HM.An efficient remote user authentication scheme using smart cards.IEEE Transactions on Consumer Electronics,2000,46:958-961
[9]Chien HY,Jan JK,Tseng YM.An efficient and practical solution to remote authentication:Smart Card.Computers and Security,2002,21(4):372-375
[10]Hsu CL.Security of two remote user authentication schemes using smart cards.IEEE Transactions on Consumer Electronics,2003,49(4):1196-1198
[11]Das ML,Saxena A,Gulati VP.A dynamic ID-based remote user authentication scheme[J].IEEE Transactions on Consumer Electronics,2004(50):629-631
[12]Awasthi AK.Comment on'A Dynamic ID-based Remote User Authentication Scheme.Transaction on Cryptology,2004,1(2):15-16
[13]Sandirigama M,Shimizu A,Noda MT.Simple and secure password authentication protocol(SAS)[J].IEICE Trans Commun,2000,E83-B(6):1363-1365
[14]Lin C,Sun H,Hwang T.Attacks and solutions on strong-password authentication.MICE Trans Commun,2001,E84-B(9):2622-2627
[15]Kamioka T,Shimizu A.The examination of the security of SAS one-time password authentication.MICE Technical Report,2001,OFS2001-48(435):53-58
[16]YUAN Ding,FAN PingZhi.A Secure Dynamic Password Authentication Scheme.Journal of Sichuan University(Natural Science Edition),2002,39(2):228-232
[17]Tsuji T,Kamioka T,Shimizu A.Simple and secure password authentication protocol,ver2(SAS-2).IEICE Technical Report,OIS2002-30,2002,102(314):7-11
[18]Hwang MS,Li LH.A new remote user authentication scheme suing smart cards.IEEE Transactions on Consumer Electronics,2000,46(4):992-993
[19]Chan CK,Cheng LM.Cryptanalysis of timestamp-based password authentication scheme.Computer&Security,2002,21(1):74-76
[20]Chang CC,Hwang KF.Some forgery attack on a remote user authentication scheme using smart cards.Infomatics,2003,14(3):189-294
[21]Lee JK,Ryu SR,Yoo KY.Fingerprint-based remote user authentication scheme using smart cards.ELECTRONICS LETTERS,2002,38(12):554-555
[22]Shen JJ,Lin CW,Hwang MS.A modified remote user authentication scheme using smart cards.IEEE Trans Consumer Elictronic,2003(49):414-416
[23]Hsieh BT,Yeh HT,Sun HM,etc.Cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards.Security Technology 2003.Proceedings.IEEE 37th Annual 2003 International Carnahan Conference,2003:349-350
[24]Lin CH,Lai YY.A flexible biometrics remote user authentication scheme.Computer Standards&Interfaces,2004,27:19-23
[25]Mitchell CJ,Tang Q.Security of the Lin-Lai smart card based user authentication scheme.http://www.rhul.ac.uk/mathematics/techreports.2005
[26]Awasthi AK,Lal S.A remote user authentication scheme using smart cards with forward secrecy.IEEE Transactions on consumer electronics,2003(49):1246-1248
[27]Lee SW,Kim HS,Yoo KY.Comment on a remote user authentication scheme using smart cards with 'forward secrecy.IEEE Transactions on consumer electronics,2004(50):576-577
[28][Kumar M.New Remote User Authentication Scheme Using Smart Cards.IEEE 2004,597:600
[29]陈鲁生,沈世镒.现代密码学.北京:科学出版社,2002
[30]Douglas R Stinson.密码学原理与实践(第二版).冯登国译.北京:电子工业出版社,2003
[31]Wenbo Mao.现代密码学理论与实践.王继林,伍前红译.北京:电子工业出版社,2004
[32]Bruce Schneier.应用密码学协议,算法与源程序.吴世忠译.机械工业出版社,2000
[33]曹天杰,张永平,苏成.计算机系统安全.北京:高等教育出版社,2003
[34]尹少平,董丹.Diffie-Hellman密钥交换协议设计与实现.电力学报,2006.21(1):9-12
[35]赵跃华,王琴.运用DH-EKE增强WTLS握手协议的安全性.计算机工程与设计,2007,28(8):1801-1803
[36]黄松柏,韩秀玲.密钥交换协议的安全性分析与改进.信息安全,2007,3:35-37
[37]王全来,韩继红,王亚弟.基于逻辑编程的EKE协议分析.计算机工程,2007,33(5):112-113
[38]徐沛东,张玉峰.可抵御字典攻击的可验证密钥交换协议.微型机与应用,2001,1:56-60
[39]於时才,胡佳文,靳艳峰.一种新型抵御字典攻击的认证方案.计算机工程与设计,2007,28(8):1798-180
[40]Ahn,L.von,Blum,M.,Hopper,N.J.,and Langford,J.CAPTCHA:Telling humans and computers apart.In Advances in Cryptology,Eurocrypt '03,volume 2656 of Lecture Notes in Computer Science,(2003),294-311
[41]金海坤,杜文杰,沙俐敏.基于CAPTCHA的中文安全机制的研究.计算机工程与设计,2006,27(6):985-987
[42]Liang Wei,Wang Wenye.On performance analysis of challenge-responsebased authentication in wireless networks.Computer Networks,2005,48(10):267-288.
[43]张丽,郭慧.密码分析与安全策略.网络与信息,2007(1):69
[44]马自堂,张鲁国.基于口令的群密钥分发协议的分析与设计.信息安全,2006,9:107-109
[45]李莉,薛锐,张焕国,冯登国,王丽娜.基于口令认证的密钥交换协议的安全性分析.电子学报,2005,33(1):166-170
[46]索望,硕士论文《一次性口令身份认证方案的设计与实现》,四川大学,2005年5月
[47]雷斌,杨建华,黄超等.Visual C++6.0网络编程技术.北京:人民邮电出版社,2000
[48]徐晓刚,高兆法,王秀娟.Visual C++6.0入门与提高.北京:清华大学出版社,2000
[49]网冠科技.Visual C++6.0时尚编程百例.北京:机械工业出版社,2001
[50]Bruce Schneier著.吴世忠,祝世雄,张文政等译.应用密码学:协议、算法与C源程序.北京:机械工业出版社,2000