身份认证是确保信息系统安全的重要手段,基于智能卡的口令认证协议由于实用性较强而成为近期研究热点.采用基于场景的攻击技术,对最近新提出的两个基于智能卡的口令认证协议进行了安全性分析.指出“对Liao等身份鉴别方案的分析与改进”(潘春兰,周安民,肖丰霞,等.对Liao等人身份鉴别方案的分析与改进.计算机工程与应用,2010,46(4):110-112)中提出的认证协议无法实现所声称的抗离线口令猜测攻击;指出“基于双线性对的智能卡口令认证改进方案”(邓粟,王晓峰.基于双线性对的智能卡口令认证改进方案.计算机工程,2010,36(18):150-152)中提出的认证协议无法抗拒绝服务(DoS)攻击和内部人员攻击,且口令更新阶段存在设计缺陷.分析结果表明,这两个口令认证协议都存在严重安全缺陷,不适合安全需求较高的应用环境.%Since identity authentication becomes an essential mechanism to ensure robust system security in distributed networks, smartcard-based remote user password authentication protocols have been studied intensively recently. Two recently proposed smartcard-based authentication protocols were examined with the scenario-based attack techniques. The protocol presented in "Cryptanalysis and improvement of Liao et al. 's remote user authentication scheme" (PAN Chun-Ian, ZHOU An-min, XIAO Feng-xia, etal. Improved remote user authentication scheme. Computer Engineering and Applications, 2010,46 (4): 110 - 112) can not withstand the offline password guessing attack as the authors claimed, while the protocol presented in "Improved scheme for smart card password authentication based on bilinear pairings" (DENG Li, WANC Xiao-feng. Improved scheme for smart card password authentication based on bilinear pairings. Computer Engineering, 2010,36( 18): 150 - 152) is found vulnerable to the Denial of Service (DoS) attack and insider attack. The analytical results show that, both protocols are susceptible to serious security threats and impractical for security-concerned applications.
展开▼
