With the increasing of the multi-server application,researches on three-factor authentication scheme which based on password,smart card and biometrics continue ensure the information safety of the communcation parties.Recently,Chaudhry proposed a new three-factor authentication scheme based on elliptic curve cryptosystem.This paper showed that his scheme was vulnerable to not only denial of service attacks,but also user impersonation attack.In addition,users didn't have a unique identifier in his protocol,and they were unable to change the password.To solve these safety deficiencies,this paper proposed an improved scheme,reasonably used the elliptic curve cryptosystem and fuzzy extractor technology to combine three-factor.This paper proves that the proposed scheme is feasible and safe through Burrows-Abadi-Needham (BAN) logic and the analysis of the known attacks.As compared with the previous multi-server authentication schemes,the proposed scheme is more secure and practical.%随着多服务器环境应用的增多,为保证通信双方的信息安全,结合口令、智能卡和生物特征的三因子认证协议越来越多.最近,Chaudhry提出了一个基于椭圆曲线密码的三因子认证协议方案,分析此方案,指出其无法抵抗拒绝服务攻击、伪装攻击,用户没有唯一标志符,且无法成功更改口令.为解决这些安全缺陷,提出了一个改进的方案,更加合理地利用椭圆曲线数学难题,并使用模糊提取器来结合三因子.通过BAN逻辑形式化分析和对已知攻击手段的分析,证明了改进的方案可行且安全;与Chandhry等方案相比,改进的方案更为安全和实用.
展开▼
