基于生物特征的健壮的远程用户认证方案的设计与实现
|
摘要
认证保证用户不能以欺骗的方式非法地访问系统资源。在访问控制的实现中,用户认证至关重要。在使用智能卡和生物信息进行远程访问的环境中,远程认证是保证其安全的措施之一。随着Internet中在线资源的快速增长和用户自我保护意识的增强,相互认证作为一种安全的方式,被用来同时保护资源拥有者和使用者的利益。
在本论文中,我们将生物特征信息、单向哈希函数和智能卡等技术相结合,提出一种基于生物特征识别技术的双方身份认证方案。本论文利用时戳T生成一次性的共享信息h (h (U IDi||X S)||T),提高了系统的健壮性。服务器通过对用户登陆生成的认证信息进行认证,可防止包括重放攻击和拒绝服务攻击在内的所有已知攻击。用户与服务器仅仅需要两次握手就可实现相互认证,节约了系统的通信成本。论文中的认证算法只使用了异或运算和安全的单向哈希函数,提高了认证过程的效率。
在Visual Studio2005上,我们使用C++编程语言实现了这一方案的一个原型系统。该系统使用智能卡读取器和指纹扫描仪,实现资源拥有者和使用者之间的相互认证。我们选用不同的hash函数进行试验,力图寻找最好的认证配置方式。实验结果表明我们的设计能抵御已知的攻击,其计算成本和通信成本对许多实际应用都是可接受的。
Authentication assures that illegal users are not able to access system resourcesfraudulently. User authentication plays a significant role in access control. Remoteauthentication is one of the security measures for remote accessing in the environment usingsmart card and biometrics information. With the rapid growth of online resources in Internetand the improvement of self protection consciousness of users,mutual authentication isneeded to provide a secure way to simultaneously protect the interests of both the resourceowners and the users.
In this thesis, we present an efficient biometrics-based mutual authentication scheme,which is based on personal biometrics, one-way hash function and smart card. Forenhancing the system security, we make use of a one-time key h (h (U IDi||X S)||T)generated by using the timestamp T. In the scheme, the authentication process can resist allknown attacks including replay attacks and the DOS attacks, and needs only twice onlinemessage transmissions. Analysis shows that the scheme is secure. Our scheme only uses XORoperation, random number generating and hash faction in order to provide a simplecomputation.
A prototype system of this scheme is developed by using C++programming on VisualStudio2005platform. By combining a smart card reader with a fingerprint scanner, mutualauthentication can be achieved between a resource owner and a user. Our experiment withseveral different hash functions has been done to find out which solution is the best one. Theresults show that our design is secure to resist malicious attacks, and its computation andcommunication costs are acceptable for most practical applications.
在本论文中,我们将生物特征信息、单向哈希函数和智能卡等技术相结合,提出一种基于生物特征识别技术的双方身份认证方案。本论文利用时戳T生成一次性的共享信息h (h (U IDi||X S)||T),提高了系统的健壮性。服务器通过对用户登陆生成的认证信息进行认证,可防止包括重放攻击和拒绝服务攻击在内的所有已知攻击。用户与服务器仅仅需要两次握手就可实现相互认证,节约了系统的通信成本。论文中的认证算法只使用了异或运算和安全的单向哈希函数,提高了认证过程的效率。
在Visual Studio2005上,我们使用C++编程语言实现了这一方案的一个原型系统。该系统使用智能卡读取器和指纹扫描仪,实现资源拥有者和使用者之间的相互认证。我们选用不同的hash函数进行试验,力图寻找最好的认证配置方式。实验结果表明我们的设计能抵御已知的攻击,其计算成本和通信成本对许多实际应用都是可接受的。
Authentication assures that illegal users are not able to access system resourcesfraudulently. User authentication plays a significant role in access control. Remoteauthentication is one of the security measures for remote accessing in the environment usingsmart card and biometrics information. With the rapid growth of online resources in Internetand the improvement of self protection consciousness of users,mutual authentication isneeded to provide a secure way to simultaneously protect the interests of both the resourceowners and the users.
In this thesis, we present an efficient biometrics-based mutual authentication scheme,which is based on personal biometrics, one-way hash function and smart card. Forenhancing the system security, we make use of a one-time key h (h (U IDi||X S)||T)generated by using the timestamp T. In the scheme, the authentication process can resist allknown attacks including replay attacks and the DOS attacks, and needs only twice onlinemessage transmissions. Analysis shows that the scheme is secure. Our scheme only uses XORoperation, random number generating and hash faction in order to provide a simplecomputation.
A prototype system of this scheme is developed by using C++programming on VisualStudio2005platform. By combining a smart card reader with a fingerprint scanner, mutualauthentication can be achieved between a resource owner and a user. Our experiment withseveral different hash functions has been done to find out which solution is the best one. Theresults show that our design is secure to resist malicious attacks, and its computation andcommunication costs are acceptable for most practical applications.
引文
[1]李辉,侯方勇,黄俊辉.芯片指纹提取技术的安全应用[C].2010通信理论与技术新发展——第十五届全国青年通信学术会议论文集(上册),2010.
[2]梁国栋.沉甸甸的身份证[J].中国人大,2011.21:30-31.
[3]罗斌,裘正定.网络身份认证新技术[J].计算机安全.2005,(10):29-31.
[4] Ratha N, Connell J, Bolle R. Enhancing security and privacy in biometrics-basedauthentication systems [J]. IBM Systems Journal.2001,3(40):614–634.
[5] International Biometric Group. The Biometries Market and Industry Report2009-2014.http://www.ibgweb.com/products/reports/bmir-2009-2014.
[6]张敏贵,周德龙,潘泉等.生物特征识别及研究现状[J].生物物理学报.2002,8(2):156-162.
[7] Leslie Lamport. Password Authentication with Insecure Communication [J]. Comm-unications of the ACM.1981,24(11):770-772.
[8] Shamir A. Identity-Based Cryptosystems and Signature Schemes [J]. Advances inCryptology.1985.196:47-53.
[9] Lee JK, Ryu SR, Yoo KY. Fingerprint-based remote user authentication scheme usingsmart cards [J]. Electronic Letters.2002,38(12):554–555.
[10] Hyun-Sung Kim, Sung-Woon Lee, Kee-Young Yoo. ID-based password authenticationscheme using smart cards and fingerprints [J]. ACM SIGOPS Operating Systems Review.2003.4(37):32-41.
[11] Chun-Ta Li, Min-Shiang Hwang. An efficient biometrics-based remote user authen-tication scheme using smart cards[J], Journal of Network and Computer Applications.2010,33:1-5.
[12]朱建新,杨小虎.基于指纹的网络身份认证[J].计算机应用研究.2001,(12):14-17.
[13]沙亚清,孙宏伟,顾明.基于智能卡和指纹识别的电子报税认证系统[J].计算机工程.2006.7(32):133-135.
[14]谢巍,谷利泽,钮心忻。一种基于指纹的身份认证系统方案[J]。计算机应用.2008,10:2464-2466.
[15]任伟,刘嘉勇,熊智.一种基于指纹的远程双向身份鉴别方案[J].通信技术.2009,(11):124-126.
[16]张宏,陈志刚.一种新型一次性口令身份认证方案的设计与分析[J].计算机工程,2004,30(17):12-113.
[17] Jau-Ji Shena, Chih-Wei Linb, Min-Shiang Hwang. Security enhancement for thetimestamp-based password authentication scheme using smart cards [J]. Computers&Security.2003.22:591-595.
[18] Paul Reid. Biometrics for network security [M]. New Jersey, Prentice Hall PTR,2004.
[19] A.K. Das. Analysis and improvement on an effcient biometric-based remote userauthentication scheme using smart cards [J]. The Institution of Engineering and Technology.2011,5(3):145-151.
[20] Malone D, Sullivan W.G. Guesswork and entropy. Information Theory [J]. IEEETransactions on.2004.50(3):525-526.
[21] Andrew C. Tickle. Electrically erasable programmable read-only memory [P]. USA,4377857.1983-3-22.
[22] Mike Hendry. Smart card security and applications [M]. Boston, Artech House,2001.
[23] Joeri de Ruiter, Erik Poll. Formal Analysis of the EMV Protocol Suite [J]. Lecture Notesin Computer Science.2012,6993:113-129.
[24]Karger P, McIntosh S, Palmer E, et al. Lessons Learned: Building the CaernarvonHigh-Assurance Operating System [J]. Security&Privacy.2011,9(1):22-30.
[25] Elumalai K, Kannan M. Multimodal Authentication For High EndSecurity [J].International Journal on Computer Science and Engineering.2011.3(2):687-692.
[26]李晓航,王宏霞,张文芳.认证理论及应用[M].北京:清华大学出版社.2009.
[27] Simpson W. PPP Challenge Handshake Authentication Protocol (CHAP)[S]. RFC1994,1996.
[28] Jagatic T, Johnson N, Jakobsson M. Social phishing [J]. Communications of the ACM.2007,50(10):94-100.
[29] Dierks T, Allen C. The TLS protocol version1.0[S]. RFC2246,1999.
[30] Jennifer Steiner, Clifford Neuman, Jeffrey Schiller. Kerberos: An Authentication Servicefor Open Network Systems[C]. USENIX conference proceedings.1988:191-200.
[31] Diffie W, Hellman M. New directions in cryptography [J]. Information Theory, IEEETransactions on.1976,22(6):644-654.
[32] ElGamal T. A public key cryptosystem and a signature scheme based on discretelogarithms [C]. Advances in Cryptology Proceedings of CRYPTO84.1985,196:10-18.
[33] David W Kravitz. Digital signature algorithm[P]. USA,5231668.1991-7-26.
[34] Koblitz N. Elliptic curve cryptosystems [J]. Mathematics of computation.1987,40(177):203-209.
[35] Lai Xuejia, Massey James. A Proposal for a New Block Encryption Standard [C].Advances in Cryptology—EUROCRYPT'90.2006,473:389-404.
[36] Feistel H. Cryptography and computer privacy [J]. Scientific American.1973.5(228):15-23.
[37] Daemen J, Rijmen V. The block cipher Rijndael [J]. Smart Card research andApplications, LNCS,2000.1820:288-296.
[38] Rivest R. The MD5message-digest algorithm. RFC1321,1992.
[39] Xiaoyun Wang and Hongbo Yu. How to Break MD5and Other Hash Functions[C].Advances in Cryptology–EUROCRYPT.2005:561-561.
[40] Dobbertin H, Bosselaers A, Preneel B. RIPEMD-160, a strengthened version of RIPEMD[C]. Lecture Notes in Computer Science: Fast Software Encryption.1996,1039:71–82.
[41] Zheng Y, Pieprzyk J, Seberry J, HAVAL--A One-way Hashing Algorithm with VariableLength of Output [C], Lecture Notes in Computer Science: Fast Software Encryption.1993,718:81–104.
[42] Federal Information Processing Standards (FIPS): Secure Hash Standard (SHA-1).Technical Report180-1, National Institute of Standards and Technology (NIST), April1995.supersedes FIPS PUB180,1993.
[43] Erich Gamma, Richard Helm, Ralph Johnson, John Vlissides. Design Patterns: Elementsof Reusable Object-Oriented software [M]. Boston, Addison Wesley-Pearson software,1994.
[44] Stanley B.Lippman, Josée LaJoie, Barbara E.Moo. C++Primer中文版[M].北京:人民邮电出版社,2008.
[45] Connolly, C Begg. Database Systems: A Practical Approach to Design, Implementation,and Management, Second Edition [M]. Addison-Wesley,1999.
[46] Tinyxml: xml manager library. http://sourceforge.net/projects/tinyxml/.
[47] Bray T, Paoli J, Sperberg-McQueen C. M. Extensible markup language (XML)1.0W3Crecommendation. technical report, W3C,1998.
[48] Menezes A, van Oorschot P, Vanstone S. Handbook of Applied Cryptography [M]. USA,CRC press,1996.
[2]梁国栋.沉甸甸的身份证[J].中国人大,2011.21:30-31.
[3]罗斌,裘正定.网络身份认证新技术[J].计算机安全.2005,(10):29-31.
[4] Ratha N, Connell J, Bolle R. Enhancing security and privacy in biometrics-basedauthentication systems [J]. IBM Systems Journal.2001,3(40):614–634.
[5] International Biometric Group. The Biometries Market and Industry Report2009-2014.http://www.ibgweb.com/products/reports/bmir-2009-2014.
[6]张敏贵,周德龙,潘泉等.生物特征识别及研究现状[J].生物物理学报.2002,8(2):156-162.
[7] Leslie Lamport. Password Authentication with Insecure Communication [J]. Comm-unications of the ACM.1981,24(11):770-772.
[8] Shamir A. Identity-Based Cryptosystems and Signature Schemes [J]. Advances inCryptology.1985.196:47-53.
[9] Lee JK, Ryu SR, Yoo KY. Fingerprint-based remote user authentication scheme usingsmart cards [J]. Electronic Letters.2002,38(12):554–555.
[10] Hyun-Sung Kim, Sung-Woon Lee, Kee-Young Yoo. ID-based password authenticationscheme using smart cards and fingerprints [J]. ACM SIGOPS Operating Systems Review.2003.4(37):32-41.
[11] Chun-Ta Li, Min-Shiang Hwang. An efficient biometrics-based remote user authen-tication scheme using smart cards[J], Journal of Network and Computer Applications.2010,33:1-5.
[12]朱建新,杨小虎.基于指纹的网络身份认证[J].计算机应用研究.2001,(12):14-17.
[13]沙亚清,孙宏伟,顾明.基于智能卡和指纹识别的电子报税认证系统[J].计算机工程.2006.7(32):133-135.
[14]谢巍,谷利泽,钮心忻。一种基于指纹的身份认证系统方案[J]。计算机应用.2008,10:2464-2466.
[15]任伟,刘嘉勇,熊智.一种基于指纹的远程双向身份鉴别方案[J].通信技术.2009,(11):124-126.
[16]张宏,陈志刚.一种新型一次性口令身份认证方案的设计与分析[J].计算机工程,2004,30(17):12-113.
[17] Jau-Ji Shena, Chih-Wei Linb, Min-Shiang Hwang. Security enhancement for thetimestamp-based password authentication scheme using smart cards [J]. Computers&Security.2003.22:591-595.
[18] Paul Reid. Biometrics for network security [M]. New Jersey, Prentice Hall PTR,2004.
[19] A.K. Das. Analysis and improvement on an effcient biometric-based remote userauthentication scheme using smart cards [J]. The Institution of Engineering and Technology.2011,5(3):145-151.
[20] Malone D, Sullivan W.G. Guesswork and entropy. Information Theory [J]. IEEETransactions on.2004.50(3):525-526.
[21] Andrew C. Tickle. Electrically erasable programmable read-only memory [P]. USA,4377857.1983-3-22.
[22] Mike Hendry. Smart card security and applications [M]. Boston, Artech House,2001.
[23] Joeri de Ruiter, Erik Poll. Formal Analysis of the EMV Protocol Suite [J]. Lecture Notesin Computer Science.2012,6993:113-129.
[24]Karger P, McIntosh S, Palmer E, et al. Lessons Learned: Building the CaernarvonHigh-Assurance Operating System [J]. Security&Privacy.2011,9(1):22-30.
[25] Elumalai K, Kannan M. Multimodal Authentication For High EndSecurity [J].International Journal on Computer Science and Engineering.2011.3(2):687-692.
[26]李晓航,王宏霞,张文芳.认证理论及应用[M].北京:清华大学出版社.2009.
[27] Simpson W. PPP Challenge Handshake Authentication Protocol (CHAP)[S]. RFC1994,1996.
[28] Jagatic T, Johnson N, Jakobsson M. Social phishing [J]. Communications of the ACM.2007,50(10):94-100.
[29] Dierks T, Allen C. The TLS protocol version1.0[S]. RFC2246,1999.
[30] Jennifer Steiner, Clifford Neuman, Jeffrey Schiller. Kerberos: An Authentication Servicefor Open Network Systems[C]. USENIX conference proceedings.1988:191-200.
[31] Diffie W, Hellman M. New directions in cryptography [J]. Information Theory, IEEETransactions on.1976,22(6):644-654.
[32] ElGamal T. A public key cryptosystem and a signature scheme based on discretelogarithms [C]. Advances in Cryptology Proceedings of CRYPTO84.1985,196:10-18.
[33] David W Kravitz. Digital signature algorithm[P]. USA,5231668.1991-7-26.
[34] Koblitz N. Elliptic curve cryptosystems [J]. Mathematics of computation.1987,40(177):203-209.
[35] Lai Xuejia, Massey James. A Proposal for a New Block Encryption Standard [C].Advances in Cryptology—EUROCRYPT'90.2006,473:389-404.
[36] Feistel H. Cryptography and computer privacy [J]. Scientific American.1973.5(228):15-23.
[37] Daemen J, Rijmen V. The block cipher Rijndael [J]. Smart Card research andApplications, LNCS,2000.1820:288-296.
[38] Rivest R. The MD5message-digest algorithm. RFC1321,1992.
[39] Xiaoyun Wang and Hongbo Yu. How to Break MD5and Other Hash Functions[C].Advances in Cryptology–EUROCRYPT.2005:561-561.
[40] Dobbertin H, Bosselaers A, Preneel B. RIPEMD-160, a strengthened version of RIPEMD[C]. Lecture Notes in Computer Science: Fast Software Encryption.1996,1039:71–82.
[41] Zheng Y, Pieprzyk J, Seberry J, HAVAL--A One-way Hashing Algorithm with VariableLength of Output [C], Lecture Notes in Computer Science: Fast Software Encryption.1993,718:81–104.
[42] Federal Information Processing Standards (FIPS): Secure Hash Standard (SHA-1).Technical Report180-1, National Institute of Standards and Technology (NIST), April1995.supersedes FIPS PUB180,1993.
[43] Erich Gamma, Richard Helm, Ralph Johnson, John Vlissides. Design Patterns: Elementsof Reusable Object-Oriented software [M]. Boston, Addison Wesley-Pearson software,1994.
[44] Stanley B.Lippman, Josée LaJoie, Barbara E.Moo. C++Primer中文版[M].北京:人民邮电出版社,2008.
[45] Connolly, C Begg. Database Systems: A Practical Approach to Design, Implementation,and Management, Second Edition [M]. Addison-Wesley,1999.
[46] Tinyxml: xml manager library. http://sourceforge.net/projects/tinyxml/.
[47] Bray T, Paoli J, Sperberg-McQueen C. M. Extensible markup language (XML)1.0W3Crecommendation. technical report, W3C,1998.
[48] Menezes A, van Oorschot P, Vanstone S. Handbook of Applied Cryptography [M]. USA,CRC press,1996.