Journal of Computer Applications ›› 2015, Vol. 35 ›› Issue (8): 2199-2204. DOI: 10.11772/j.issn.1001-9081.2015.08.2199

• Information security •

Cryptanalysis and improvement of two smart-card-based multi-server identity authentication schemes

QU Juan1, LI Yanping2, WU Xili1

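  1. College of Mathematics and Statistics, Chongqing Three Gorges University, Chongqing 404000;
    2. College of Mathematics and Information Science, Shaanxi Normal University, Xi'an 710062
  • Received: 2015-03-12 Revised: 2015-05-11 Online: 2015-08-10 Published: 2015-08-14
  • Corresponding author: QU Juan (born 1984), female, from Shangluo, Shaanxi; lecturer, M.S.; main research interest: authentication theory; qulujuan@163.com
  • About the authors: LI Yanping (born 1978), female, from Lüliang, Shanxi; associate professor, Ph.D.; main research interest: quantum information security. WU Xili (born 1988), female, from Kaixian, Chongqing; M.S.; main research interest: statistical analysis.
  • Funding:

    National Natural Science Foundation of China (61402275); Natural Science Foundation Research Project of Shaanxi Province (2012JQ8023); Chongqing Three Gorges University Project (14QN29).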

Cryptanalysis and improvement of two multi-server remote user authentication schemes using smart cards

QU Juan1, LI Yanping2, WU Xili1   

  1. College of Mathematics and Statistics, Chongqing Three Gorges University, Chongqing 404000, China;
    2. College of Mathematics and Information Science, Shaanxi Normal University, Xi'an Shaanxi 710062, China
  • Received: 2015-03-12 Revised: 2015-05-11 Online: 2015-08-10 Published: 2015-08-14

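Abstract:

Identity authentication is an important security issue when users access network resources. Recently, Xu et al. (XU C, JIA Z, WEN F, et al. Cryptanalysis and improvement of a dynamic ID based remote user authentication scheme using smart cards [J]. Journal of Computational Information Systems, 2013, 9(14): 5513-5520) proposed a smart-card-based dynamic-identity user authentication scheme. Analysis shows that their scheme cannot resist man-in-the-middle attacks or session key disclosure attacks, and cannot provide forward secrecy for the session key. In addition, the anonymous multi-server authentication scheme based on smart cards and biometrics proposed by Choi et al. (CHOI Y, NAM J, LEE D, et al. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics [J]. The Scientific World Journal, 2014, 2014: 281305), referred to as the CNL scheme, is shown to be vulnerable to smart card loss attacks and server impersonation attacks, and to fail to protect user anonymity. Finally, a secure multi-server authentication scheme is proposed based on biometrics and extended chaotic maps; the security analysis shows that the new scheme eliminates the security vulnerabilities of the Xu scheme and the CNL scheme.

Key words: multi-server, authentication, man-in-the-middle attack, forward secrecy, anonymity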

Abstract:

User authentication is an important security issue when users access network resources. Recently, Xu et al. (XU C, JIA Z, WEN F, et al. Cryptanalysis and improvement of a dynamic ID based remote user authentication scheme using smart cards [J]. Journal of Computational Information Systems, 2013, 9(14): 5513-5520) proposed a dynamic ID based remote user authentication scheme using smart cards. Through rigorous security analysis, it was found that the Xu scheme could not resist man-in-the-middle attacks or session key disclosure attacks, and could not provide perfect forward secrecy for the session key. Additionally, it was demonstrated that the scheme proposed by Choi et al. (CHOI Y, NAM J, LEE D, et al. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics [J]. The Scientific World Journal, 2014, 2014: 281305) was vulnerable to smart card loss attacks and server spoofing attacks, and could not provide user anonymity. Therefore, these two schemes are not suitable for practical applications. Finally, an improved scheme based on biometrics and extended chaotic maps was proposed to overcome the weaknesses of the Xu scheme and the CNL scheme.

Key words: multi-server, authentication, man-in-the-middle attack, forward secrecy, anonymity
