B/S架构下一次性口令身份认证方案的设计与实现
|
摘要
随着全球信息化发展和Internet普及,计算机网络安全逐渐成为人们关注的焦点问题。计算机网络的开放性导致计算机网络中存在相当多的安全漏洞和安全威胁,网络中的各类资源很容易被人非法访问和复制。因此,对网络资源访问者的合法身份进行认证就变得非常的重要,目前网络通信主要提供五种安全服务,即身份认证服务、访问控制服务、机密性服务、完整性服务和抗否认性服务。其中,身份认证作为安全应用系统的第一道防线,是最重要的安全服务,所有其它的安全服务都依赖于该服务,它的失败可能导致整个系统的失败。因此,身份认证技术已经成为网络系统安全中最重要的技术之一。
较为常用的身份认证技术是基于静态口令的身份认证技术,该技术的特点是简单、易用,在一定的安全程度上可以进行有效的用户身份认证。但是,随着网络应用的深入化和网络攻击手段的多样化,静态口令认证技术由于其自身的安全缺陷己经不再适应于安全性要求较高的网络应用系统。静态口令认证技术面临的主要网络攻击手段有:明文形式的口令在网络上传输容易遭受口令窃听攻击;加密形式的口令则容易遭受截取/重放攻击;其他攻击手段还包括伪造主机攻击、内部人员攻击、字典攻击等等。
针对静态口令认证技术存在的安全缺陷,业界提出了一次性口令认证技术(One-Time Password Authentication),也称为动态口令认证技术。一次性口令认证技术是在登陆过程中加入不确定因素,使每次的密码都不相同,系统接收到登陆口令后,以同样的算法做一次验算即可验证用户的身份。一次性口令是一种无需第三方如CA参与的,具有“一次一密”等优点的认证技术。它消除了静态口令认证技术的大部分安全缺陷,能有效抵抗静态口令认证技术所面临的主要安全威胁和攻击,为网络应用系统提供了更加安全可靠的用户身份认证保障。
本论文提出的适用于Web应用的一次性口令登陆方案,采用了RSA,AES,MD5加密算法和运用普通口令和图片口令结合的双口令技术及服务器标识语(server identification)等设计出一种适用于B/S架构的一次性口令身份认证系统方案。该方案实现了双向认证,具有效率高,安全可靠,认证原理灵活等特点。
With the development of global information and the popularization of Internet, the security of computer networks has become the focus of concern gradually. The computer networks brings so many security vulnerabilities and attacks because of its open character. The network resources can be accessed and copied easily. So it is very important to carry through the identity authentication for people who want to access the network resources. Nowadays, there are several security services in the network communication, such as identity authentication,access control, confidentiality, integrality and anti-negation, As the first line of defense in the security application system, identity authentication is the most important security services, all of others depending on it, and the whole system will be defeated if identity authentication lost. So, identity authentication is one of the most important technology in Network Security.
The technology of identity authentication based on the static password is common. The characteristics of this technology is easy to use and authenticate the users' identity safely and availably. As the applications of networks develop deeply and the means of attacking become variety, the technology of static password authentication can not meet the needs of network system which needs security requirements because it's security vulnerabilities. The main attack means to the static password authentication technology are: the users' non-cryptograph password can be wiretapped from the network and the cryptograph password can be suffered record/replay attack. Other attacks means include forge host attack, inside attack and dictionary attack etc.
The information security experts bring forward the technology of One-Time Password Authentication for the static password authentication's security vulnerabilities. This technology means the password for identity is only used one time and differently with adding indeterminable genes every time. The system can validate users by the same algorithm when receives the password.The One-Time Password is an identity authentication technique, which does not needs the third party as CA(Certificate Authority). It takes advantage of the "one time one cipher" , and can avoids the security vulnerabilities and offers safety authentication much more.
In this paper, An one-time password authentication scheme, which implements two-way authentication for B/S structure ,is designed with RSA, AES, MD5 encryption algorithms , combinated with ordinary password, picture passwords, server identification technologies. this authentication scheme is efficient, safe, reliable, flexible.
较为常用的身份认证技术是基于静态口令的身份认证技术,该技术的特点是简单、易用,在一定的安全程度上可以进行有效的用户身份认证。但是,随着网络应用的深入化和网络攻击手段的多样化,静态口令认证技术由于其自身的安全缺陷己经不再适应于安全性要求较高的网络应用系统。静态口令认证技术面临的主要网络攻击手段有:明文形式的口令在网络上传输容易遭受口令窃听攻击;加密形式的口令则容易遭受截取/重放攻击;其他攻击手段还包括伪造主机攻击、内部人员攻击、字典攻击等等。
针对静态口令认证技术存在的安全缺陷,业界提出了一次性口令认证技术(One-Time Password Authentication),也称为动态口令认证技术。一次性口令认证技术是在登陆过程中加入不确定因素,使每次的密码都不相同,系统接收到登陆口令后,以同样的算法做一次验算即可验证用户的身份。一次性口令是一种无需第三方如CA参与的,具有“一次一密”等优点的认证技术。它消除了静态口令认证技术的大部分安全缺陷,能有效抵抗静态口令认证技术所面临的主要安全威胁和攻击,为网络应用系统提供了更加安全可靠的用户身份认证保障。
本论文提出的适用于Web应用的一次性口令登陆方案,采用了RSA,AES,MD5加密算法和运用普通口令和图片口令结合的双口令技术及服务器标识语(server identification)等设计出一种适用于B/S架构的一次性口令身份认证系统方案。该方案实现了双向认证,具有效率高,安全可靠,认证原理灵活等特点。
With the development of global information and the popularization of Internet, the security of computer networks has become the focus of concern gradually. The computer networks brings so many security vulnerabilities and attacks because of its open character. The network resources can be accessed and copied easily. So it is very important to carry through the identity authentication for people who want to access the network resources. Nowadays, there are several security services in the network communication, such as identity authentication,access control, confidentiality, integrality and anti-negation, As the first line of defense in the security application system, identity authentication is the most important security services, all of others depending on it, and the whole system will be defeated if identity authentication lost. So, identity authentication is one of the most important technology in Network Security.
The technology of identity authentication based on the static password is common. The characteristics of this technology is easy to use and authenticate the users' identity safely and availably. As the applications of networks develop deeply and the means of attacking become variety, the technology of static password authentication can not meet the needs of network system which needs security requirements because it's security vulnerabilities. The main attack means to the static password authentication technology are: the users' non-cryptograph password can be wiretapped from the network and the cryptograph password can be suffered record/replay attack. Other attacks means include forge host attack, inside attack and dictionary attack etc.
The information security experts bring forward the technology of One-Time Password Authentication for the static password authentication's security vulnerabilities. This technology means the password for identity is only used one time and differently with adding indeterminable genes every time. The system can validate users by the same algorithm when receives the password.The One-Time Password is an identity authentication technique, which does not needs the third party as CA(Certificate Authority). It takes advantage of the "one time one cipher" , and can avoids the security vulnerabilities and offers safety authentication much more.
In this paper, An one-time password authentication scheme, which implements two-way authentication for B/S structure ,is designed with RSA, AES, MD5 encryption algorithms , combinated with ordinary password, picture passwords, server identification technologies. this authentication scheme is efficient, safe, reliable, flexible.
引文
[1]梁亚声,王永益,刘京菊等著,计算机网络安全技术教程,北京,机械工业出版社,2004,p1-18.
[2]易江波,网络攻击方法分析,[学位论文],中国科学技术大学,2000.5.
[3]杨文涛,网络攻击技术研究,[学位论文],四川大学,2004.1.
[4]冯登国,网络安全原理与技术,北京,科学出版社,2003,p39-91.
[5]吴和生,范训礼,伍卫民等,一种有效的一次性口令身份认证方案.计算机应用,2003,23(5),P45-47.
[6]Chun-Li Lin,Hung-Min Sun and Tzonelih Hwang,Attacks and solutions on strong-password authentication,IEICE Trans.On Commun,2001,Vol.E84-B(9),p 2622-2627.
[7]Balenson D.,RFC 1423,TIS,Febrary 1993,Privacy Enhancement for Internet Electronic Mail:part:Ⅲ Algorithms,modes,and Identifiers.
[8]杨俊,景疆,浅谈生物认证技术.指纹识别,计算机时代,2004.3,17(2),P3-4.
[9]B.Neuman,T.Ts'o,Kerberos:an authentication service for computer networks IEEE Communciation Magazine,1994,32(9),p33-38.
[10]盛焕烨,王珏,基于Kerberos的公开密钥身份认证协议,计算机工程,2002,24(9),p39-41.
[11]R Housley,Intemet X.509 Public Key Infrastructure,RFC 3280,2002.
[12]Hung-Yu Chien,Jinn-Ke Jan,Yuh-Min Tseng,An Efficient and Practical Solution to Remote Authentication:Smart Card,Computers&Security,2002,21(4),p372-375.
[13]Shyi-Tsong Wu,Bin-ChangChieu.with smart cards,.Computers&Security A user friendly remote authentication scheme,2003,22(6),p547-550.
[14]N.Hailer,C.Metz,RFC 1938,May 1996,A One-Time Password System.
[15]N.Hailer,C.Metz,P.Nesser,M.Straw,RFC2289,February 1998,A One-Time Password System.
[16]张武,一次性口令系统的研究,[学位论文],重庆大学,2005.5.
[17]Lamport L,Password authentication with insecure communication.Communi- cations of the ACM,1981,24(11),p770-772.
[18]N.M.Hailer,The S/Key(TM)one-time password system,Proc.Intemet Society Symposium on Network and Distributed System Security,1994,p151-158.
[19]刘阳,基于一次性口令身份认证系统的设计与实现,[学位论文],山东大学,2005.4
[20]索望,一次性口令身份认证方案的设计与实现,[学位论文],四川大学,2005.5.
[21]Lynn E.Sullivan,Marek Chawarski,Patrick G.O'Connora etc,The practice of office-based buprenorphine treatment of opioid dependence:is it associated with new patients entering into treatment,Drug and Alcohol Dependence 79,2005,p113-116.
[22]谢希仁著,计算机网络,第四版,北京,电子工业出版社,2003.p351-374.
[23]William E.Burr,Selecting the Advanced Encryption Standard,IEEE Security&Privacy,The IEEE Computer Socity,March/April 2003.
[24]Murphy S,Robshaw M.Essential Algebraic Structure Within the AES,Advances in Cryptology:CRYPTO'02,Berlin:Springer-Verlag,2002,p1-16.
[25]IEEE P 1363/D6(Drafe Version(6),Standard Specification for Public Key Cryptography[EB/OL],http://grouper.ieee.org/groups/1363/P1363/draft.html,2004.
[26]RSA Data Security,Inc.,Public Key Cryptography Standards(PKCS),1993.
[27]曹晓静,基于RSA一次性口令身份认证系统,[学位论文],暨南大学,2006.5.
[28]陈恳,基于ECC的一次性口令身份认证方案设计与实现,[学位论文],西南交通大学,2005.
[29]The Secure Hash Algorithm D http://www.secure-hash-algorithm-md5-sha-l.co.uk/,2003.11,irectory MD5,SHA-1 and HMAC Resources9
[30]R.Rivest,RFC 1321,April 1992,The MD5 Message-Digest Algorithm.
[31]张建伟,李鑫,张梅峰,基于MD5算法的身份鉴别技术的研究与实现[J],计算机工程,2003,29(4),p118-119.
[32]张峰,王小妮,杨根兴,一种安全的身份认证系统—动态口令认证系统.计算机应用研究,2002,22(5),p43-46.
[33]张宏,陈志刚,一种新型一次性口令身份认证方案的设计与分析,计算机工程,2004.9,30(17),P112-114.
[34]周国良,双因素身份认证技术研究,技术论坛,2003.10,4(1),p37-38.
[35]Rafael C.Gonzalez,Richard E.Woods 著,Digital Image Processing,Second Edition,北京,电子工业出版社,2003,p224-272.
[2]易江波,网络攻击方法分析,[学位论文],中国科学技术大学,2000.5.
[3]杨文涛,网络攻击技术研究,[学位论文],四川大学,2004.1.
[4]冯登国,网络安全原理与技术,北京,科学出版社,2003,p39-91.
[5]吴和生,范训礼,伍卫民等,一种有效的一次性口令身份认证方案.计算机应用,2003,23(5),P45-47.
[6]Chun-Li Lin,Hung-Min Sun and Tzonelih Hwang,Attacks and solutions on strong-password authentication,IEICE Trans.On Commun,2001,Vol.E84-B(9),p 2622-2627.
[7]Balenson D.,RFC 1423,TIS,Febrary 1993,Privacy Enhancement for Internet Electronic Mail:part:Ⅲ Algorithms,modes,and Identifiers.
[8]杨俊,景疆,浅谈生物认证技术.指纹识别,计算机时代,2004.3,17(2),P3-4.
[9]B.Neuman,T.Ts'o,Kerberos:an authentication service for computer networks IEEE Communciation Magazine,1994,32(9),p33-38.
[10]盛焕烨,王珏,基于Kerberos的公开密钥身份认证协议,计算机工程,2002,24(9),p39-41.
[11]R Housley,Intemet X.509 Public Key Infrastructure,RFC 3280,2002.
[12]Hung-Yu Chien,Jinn-Ke Jan,Yuh-Min Tseng,An Efficient and Practical Solution to Remote Authentication:Smart Card,Computers&Security,2002,21(4),p372-375.
[13]Shyi-Tsong Wu,Bin-ChangChieu.with smart cards,.Computers&Security A user friendly remote authentication scheme,2003,22(6),p547-550.
[14]N.Hailer,C.Metz,RFC 1938,May 1996,A One-Time Password System.
[15]N.Hailer,C.Metz,P.Nesser,M.Straw,RFC2289,February 1998,A One-Time Password System.
[16]张武,一次性口令系统的研究,[学位论文],重庆大学,2005.5.
[17]Lamport L,Password authentication with insecure communication.Communi- cations of the ACM,1981,24(11),p770-772.
[18]N.M.Hailer,The S/Key(TM)one-time password system,Proc.Intemet Society Symposium on Network and Distributed System Security,1994,p151-158.
[19]刘阳,基于一次性口令身份认证系统的设计与实现,[学位论文],山东大学,2005.4
[20]索望,一次性口令身份认证方案的设计与实现,[学位论文],四川大学,2005.5.
[21]Lynn E.Sullivan,Marek Chawarski,Patrick G.O'Connora etc,The practice of office-based buprenorphine treatment of opioid dependence:is it associated with new patients entering into treatment,Drug and Alcohol Dependence 79,2005,p113-116.
[22]谢希仁著,计算机网络,第四版,北京,电子工业出版社,2003.p351-374.
[23]William E.Burr,Selecting the Advanced Encryption Standard,IEEE Security&Privacy,The IEEE Computer Socity,March/April 2003.
[24]Murphy S,Robshaw M.Essential Algebraic Structure Within the AES,Advances in Cryptology:CRYPTO'02,Berlin:Springer-Verlag,2002,p1-16.
[25]IEEE P 1363/D6(Drafe Version(6),Standard Specification for Public Key Cryptography[EB/OL],http://grouper.ieee.org/groups/1363/P1363/draft.html,2004.
[26]RSA Data Security,Inc.,Public Key Cryptography Standards(PKCS),1993.
[27]曹晓静,基于RSA一次性口令身份认证系统,[学位论文],暨南大学,2006.5.
[28]陈恳,基于ECC的一次性口令身份认证方案设计与实现,[学位论文],西南交通大学,2005.
[29]The Secure Hash Algorithm D http://www.secure-hash-algorithm-md5-sha-l.co.uk/,2003.11,irectory MD5,SHA-1 and HMAC Resources9
[30]R.Rivest,RFC 1321,April 1992,The MD5 Message-Digest Algorithm.
[31]张建伟,李鑫,张梅峰,基于MD5算法的身份鉴别技术的研究与实现[J],计算机工程,2003,29(4),p118-119.
[32]张峰,王小妮,杨根兴,一种安全的身份认证系统—动态口令认证系统.计算机应用研究,2002,22(5),p43-46.
[33]张宏,陈志刚,一种新型一次性口令身份认证方案的设计与分析,计算机工程,2004.9,30(17),P112-114.
[34]周国良,双因素身份认证技术研究,技术论坛,2003.10,4(1),p37-38.
[35]Rafael C.Gonzalez,Richard E.Woods 著,Digital Image Processing,Second Edition,北京,电子工业出版社,2003,p224-272.