Journal of Computer Applications

• Information security

New dynamic password authentication based on smart card and fingerprint

Tsai Jia-Lun, Jong-Eao Lee

  • Received: 2007-11-12 Revised: 2008-01-04 Online: 2008-05-01 Published: 2008-05-01
  • Contact: Tsai Jia-Lun

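New dynamic password authentication scheme based on smart card and fingerprint

Tsai Jia-Lun, Jong-Eao Lee

  1. Department of Applied Mathematics, National Chiao Tung University
  • Corresponding author: Tsai Jia-Lun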

Abstract: In 2005, Zhang et al. proposed a dynamic password authentication scheme based on smart card and fingerprint. This paper finds that Zhang et al.'s authentication scheme is vulnerable to a server spoofing attack: any adversary can masquerade as a legitimate server by sending two fixed parameters. An improved scheme is therefore proposed. The proposed scheme encrypts individual information and protects a parameter sent from the server by using a one-way hash function. It also protects the random number sent from the server by using the shared information.

Key words: smart card, ElGamal, authentication, server spoofing attack

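Abstract: The dynamic password authentication scheme based on smart card and fingerprint that Zhang Jinying et al. proposed in 2005 is found to have a security problem in its verification mechanism, a server spoofing attack: any attacker can masquerade as a legitimate server by returning two fixed parameters. An improved scheme is therefore proposed, which uses a one-way hash function to encrypt personal information, protects the parameters sent from the server, and uses shared information to protect the random number sent by the server.

Key words: smart card, ElGamal, authentication, server spoofing attack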