
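Analysis and improvement of a remote identity authentication scheme
Cite this article: Zhang Lihua, Lü Shanwei. Analysis and improvement of a remote identity authentication scheme[J]. Journal of Beijing University of Aeronautics and Astronautics, 2005, 31(10): 1076-1079.
Authors: Zhang Lihua, Lü Shanwei
Affiliation: School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100083; School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100083
Abstract: Password authentication is a practical method for remote identity authentication. The security of a previously proposed password authentication scheme using smart cards is analyzed, and the scheme is shown to be insecure. It cannot resist the parallel session attack: an attacker can use intercepted information to generate a valid login message, masquerade as a legitimate user, pass authentication and obtain authorization, all without knowing the user's password. It cannot resist the timestamp-modification attack: an attacker can change the timestamp of an intercepted message to masquerade as a legitimate user logging in to the remote host, or to impersonate a legitimate remote host. In addition, by introducing a login counter and using a different key for each card, an improved password authentication scheme using smart cards is presented. The improved scheme lets users choose and change their own passwords and achieves mutual authentication; it resists replay attacks and insider attacks and has strong security reparability; it resists the parallel session attack and the timestamp-modification attack, and so offers better security.

Keywords: identity authentication; password; security analysis; smart card
Article ID: 1001-5965(2005)10-1076-04
Received: 2004-06-09
Revised: 9 June 2004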

Analysis and improvements of a remote authentication scheme
Zhang Lihua, Lü Shanwei. Analysis and improvements of a remote authentication scheme[J]. Journal of Beijing University of Aeronautics and Astronautics, 2005, 31(10): 1076-1079.
Authors: Zhang Lihua, Lü Shanwei
Institution: School of Electronics and Information Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100083, China
Abstract: Password authentication is a very promising and practical solution to remote user authentication. The security of a proposed password authentication scheme using smart cards is analyzed. The scheme has some weaknesses. It cannot resist the parallel session attack: an intruder who does not know the user's password can masquerade as a legal user by creating a valid login message from the eavesdropped communication, then pass the authentication phase and gain the authority of the legitimate user. It is also vulnerable to the changing-timestamps attack: an intruder can masquerade as a legal user or impersonate a valid authentication system by changing the timestamps of messages from the eavesdropped communication. Furthermore, an enhanced password authentication scheme using smart cards is proposed, which achieves better security strength by using a login counter and a different key for each card. The scheme has the following merits: it lets users freely choose and change their passwords at will; it provides mutual authentication between the two entities; it resists the message replay attack and the insider attack; it has strong security reparability by using extended identities and smart cards; and it withstands the parallel session attack and the changing-timestamps attack.
Keywords: user authentication; password; cryptanalysis; smart cards
This article is indexed in CNKI, VIP, Wanfang Data and other databases.