计算机应用 ›› 2012, Vol. 32 ›› Issue (07): 2007-2009.DOI: 10.3724/SP.J.1087.2012.02007

• 信息安全 • 上一篇    下一篇

对两个基于智能卡的口令认证协议的安全性分析

薛锋1,汪定1,2,王立萍1,马春光2   

  1. 1. 解放军蚌埠汽车士官学校 训练部,安徽 蚌埠233011
    2. 哈尔滨工程大学 计算机科学与技术学院,哈尔滨150001
  • 收稿日期:2012-01-05 修回日期:2012-02-22 发布日期:2012-07-05 出版日期:2012-07-01
  • 通讯作者: 汪定
  • 作者简介:薛锋(1975-),男,陕西宜川人,助理工程师,主要研究方向:密码学、信息安全;汪定(1985-),男,湖北十堰人,硕士研究生,主要研究方向:密码学、无线网络安全;王立萍(1985-),男,黑龙江肇东人,博士研究生,主要研究方向:微电子、信息安全;马春光(1974-),男,黑龙江双鸭山人,教授,博士,主要研究方向:密码学、信息安全。
  • 基金资助:

    福建高校产学合作科技重大项目(2010H6007);博士后科研人员落户黑龙江科研启动资金资助项目(LBH-Q10141);北京邮电大学网络与交换技术国家重点实验室开放课题(SKLNST-2009-1-10)

Cryptanalysis of two smartcard-based remote user password authentication protocols

XUE Feng1,WANG Ding1,2,WANG Li-ping1,MA Chun-guang2   

  1. 1. Department of Training, Automobile Sergeant Institute of PLA, Bengbu Anhui 233011, China
    2. College of Computer Science and Technology, Harbin Engineering University, Harbin Heilongjiang 150001, China
  • Received:2012-01-05 Revised:2012-02-22 Online:2012-07-05 Published:2012-07-01
  • Contact: WANG Ding

摘要: 身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点。采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析。指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷。分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境。

关键词: 身份认证, 智能卡, 认证协议, 离线口令猜测攻击, 拒绝服务攻击

Abstract: Since identity authentication becomes an essential mechanism to ensure robust system security in distributed networks, smartcard-based remote user password authentication protocols have been studied intensively recently. Two recently proposed smartcard-based authentication protocols were examined with the scenario-based attack techniques. The protocol presented in “Cryptanalysis and improvement of Liao et al. 's remote user authentication scheme” (PAN Chun-lan, ZHOU An-min, XIAO Feng-xia, et al. Improved remote user authentication scheme. Computer Engineering and Applications, 2010,46(4):110-112) can not withstand the offline password guessing attack as the authors claimed, while the protocol presented in “Improved scheme for smart card password authentication based on bilinear pairings” (DENG Li, WANG Xiao-feng. Improved scheme for smart card password authentication based on bilinear pairings. Computer Engineering, 2010,36(18):150-152) is found vulnerable to the Denial of Service (DoS) attack and insider attack. The analytical results show that, both protocols are susceptible to serious security threats and impractical for security-concerned applications.

Key words: identity authentication, smart card, authentication protocol, offline password guessing attack, Denial of Service (DoS) attack

中图分类号: