基于移动端协助的远程用户单一口令认证方法

doi:10.11959/j.issn.1000-436x.2019044

通信学报 ›› 2019, Vol. 40 ›› Issue (2): 174-187.doi: 10.11959/j.issn.1000-436x.2019044

基于移动端协助的远程用户单一口令认证方法

徐渊¹,杨超²,杨力³

¹ 西安财经大学实验实训教学管理中心，陕西西安 710100
² 西安电子科技大学信息网络技术中心，陕西西安 710071
³ 西安电子科技大学网络与信息安全学院，陕西西安 710071

修回日期:2018-09-23 出版日期:2019-02-01 发布日期:2019-03-04
作者简介:徐渊（1991- ），女，陕西西安人，西安财经大学助理实验师，主要研究方向为云计算、网络安全。|杨超（1979- ），男，陕西西安人，博士，西安电子科技大学教授、博士生导师，主要研究方向为密码学、信息和网络安全。|杨力（1977- ），男，陕西西安人，博士，西安电子科技大学教授、博士生导师，主要研究方向为移动互联网安全、云计算安全和可信计算技术。
基金资助:
国家重点研发计划基金资助项目(2017YFGX110123);陕西省科技创新计划基金资助项目(201809168CX9JC10);国家自然科学基金资助项目(61672415);西安财经大学2018年度教育教学改革研究基金资助项目(18xcj36)

Single password authentication method for remote user based on mobile terminal assistance

Yuan XU¹,Chao YANG²,Li YANG³

¹ Experimental Teaching Management Training Center,Xi’an University of Finance and Economics,Xi’an 710100,China
² Information Network Technology Center,Xidian University,Xi’an 710071,China
³ School of Cyber Engineering,Xidian University,Xi’an 710071,China

Revised:2018-09-23 Online:2019-02-01 Published:2019-03-04
Supported by:
The National Basic Research Program of China(2017YFGX110123);The Science and Technology Innovation Planning Project of Shaanxi Province(201809168CX9JC10);The National Natural Science Foundation of China(61672415);The Research Program of Education and Teaching Reform of Xi’an University of Finance and Economics in 2018(18xcj36)

摘要/Abstract

摘要：

针对口令认证系统中用户频繁重复使用同一弱口令的问题，提出一种基于服务器与便携移动设备间秘密共享的单一口令认证方法，允许远程用户使用单一口令和多个在线服务进行安全认证，且客户端PC无需存储用户的任何秘密信息；即使移动设备丢失或被盗，也不会损害用户信息。安全性分析与性能测试结果表明，新方法大大提高了用户私密信息的安全性，可以抵御字典攻击、蜜罐攻击、跨站点编程攻击及网络钓鱼攻击，减轻用户记忆负担，缓解存储压力，易于部署。

关键词: 口令认证, 秘密共享, 移动端辅助认证, 恶意软件, 字典攻击

Abstract:

To address the issue that users frequently reuse their weak passwords in password-based authentication system,single password authentication based on secret sharing between server and mobile terminal (SPASS) was proposed,which allows a remote user to use a single password to authenticate to multiple services securely and has no need to store any secret of the user in the client PC.Even when the mobile device is lost or stolen,no damage to the user’s information will be induced.Security analysis and performance test show that SPASS greatly improves the security of the user’s secret information and resists dictionary attacks,honeypot attacks,cross-site scripting attacks etc.Furthermore,the proposed scheme can lighten burden of the user’s memory,reduce the storage pressure and easy to be deployed.

Key words: password-based authentication, secret sharing, authentication based on mobile terminal, malware, dictionary attack

中图分类号:

TP391

徐渊,杨超,杨力. 基于移动端协助的远程用户单一口令认证方法[J]. 通信学报, 2019, 40(2): 174-187.

Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance[J]. Journal on Communications, 2019, 40(2): 174-187.

图/表 26

图1

图2

图3

图4

表1

表2

图5

图6

表3

表4

表5

表6

表7

表8

表9

表10

图7

图8

图9

图10

图11

图12

图13

图14

表11

表12

参考文献 22

[1]	FLORENCIO D , HERLEY C . A large-scale study of Web password habits[C]// Proceeding of the 16th international conference on World Wide Web. 2007,ACM, 2007: 657-666.
[2]	CARSON N . In:2004,Mark Zuckerberg broke into a facebook user’s private email account[EB]. Business Insider, 2010.
[3]	BELLOVIN S M , MERRITT M . Encrypted key exchange:password-based protocols secure against dictionary attack[C]// Computer Society Symposium on Research in Security and Privacy. 1992: 72-84.
[4]	WU T D , . The secure remote password protocol[C]// The Network and Distributed System Security Symposium. 1998,98: 97-111.
[5]	JABLON D P . Strong password-only authenticated key exchange[J]. ACM SIGCOMM Computer Communications Review, 1996,26(5): 5-26.
[6]	BELLOVIN S M , MERRITT M . Augmented encrypted key exchange:a password-based protocol secure against dictionary attacks and password file compromise[C]// The 1st ACM Conference on Computer and Communications Security. ACM, 1993: 244-250.
[7]	GENTRY C , MACKENZIE P , RAMZAN Z . A method for making password-based key exchange resilient to server compromise[C]// Annual international Cryptology Conference. Springer Berlin Heidelberg, 2006: 142-159.
[8]	BOYEN X , . Hidden credential retrieval from a reusable password[C]// Proceedings of the 4th International Symposium on Information,Computer,and Communications Security. ACM, 2009: 228-238.
[9]	BOYEN X , . Hpake:password authentication secure against cross-site user impersonation[C]// International Conference on Cryptology and Network Security. 2009: 279-298.
[10]	JUNG J , LEE D , KIM J ,et al. Cryptanalysis and improvement of efficient password-based user authentication scheme using hash function[C]// The 10th International Conference on Ubiquitous Information Management and Communication. 2016:23.
[11]	WEI J , LIU W , HU X . Secure and efficient smart card based remote user password authentication scheme[J]. International Journal of Network Security, 2016,18(4): 782-792.
[12]	TSAI C Y , PAN C S , HWANG M S . An improved password authentication scheme for smart card[C]// International Conference on Intelligent and Interactive Systems and Applications. 2016: 194-199.
[13]	OM H , BANERJEE S . A password authentication method for remote users based on smart card and biometrics[J]. Journal of Discrete Mathematical Sciences ＆ Cryptography, 2017,20(3): 595-610.
[14]	GIRI D , SHERRATT R S , MAITRA T . A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB Mass Storage Devices[J]. IEEE Transactions on Consumer Electronics, 2016,62(3): 283-291.
[15]	李晓伟, 杨邓奇, 陈本辉 ,等. 基于生物特征和口令的双因子认证与密钥协商协议[J]. 通信学报, 2017,38(7): 89-95.
	LI X W , YANG D Q , CHEN B H ,et al. Two-factor authenticated key agreement protocol based on biometric feature and password[J]. Journal on Communications, 2017,38(7): 89-95.
[16]	WU M , GARFINKEL S , MILLER R . Secure web authentication with mobile phones[J]. Dimacs Workshop on Usable Privacy ＆ Security Software, 2004.
[17]	安迪, 杨超, 姜奇 ,等. 一种新的基于指纹与移动端协助的口令认证方法[J]. 计算机研究与发展, 2016,53(10): 2400-2411.
	AN D , YANG C , JIANG Q ,et al. A new password authentication method based on fingerprint and mobile phone assistance[J]. Journal of Computer Research and Development, 2016,53(10): 2400-2411.
[18]	MCCUNE J M , PERRIG A , REITER M K . Seeing-is-believe:using camera phones for human-verifiable authentication[C]// Security and Privacy,2005 IEEE Symposium on. IEEE, 2005: 110-124.
[19]	STARNBERGER G , FROIHOFER L , GOESCHKA K M . QR-TAN:secure mobile transaction authentication[C]// International Conference on Availability,Reliability and Security. 2009: 578-583.
[20]	ACAR T , BELENKIY M , KüP?ü A . Single password authentication[J]. Computer Networks, 2013,57(13): 2597-2614.
[21]	BAGHERZANDI A , JARECKI S , SAXENA N ,et al. Password-protected secret sharing[C]// The 18th ACM conference on Computer and Communications Security. 2011: 433-444.
[22]	CAMENISCH J , LYSYANSKAYA A , NEVEN G . Practical yet universally composable two-server password-authenticated secret sharing[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012: 525-536.

服务商	硬盘	CPU	内存	操作系统	带宽
阿里云	40 GB	1核	2 GB	Windows Sever2008	R2 5 Mbit/s
				企业版64位中文版

服务商	硬盘	CPU	内存	操作系统
Dell Inc.Vostro 270	500 GB	4核	4 GB	Windows7 64位

次数	t_R1	t_R2	总时间T_R
1	554.04	11.83	565.87
2	562.12	12.04	574.16
3	589.61	12.26	601.87
4	597.05	11.92	608.97
5	688.92	11.85	700.77
6	566.47	11.62	578.08
7	565.16	11.68	576.84
8	600.3	11.65	611.95
9	566.57	11.78	578.35
10	563.02	11.91	574.93

次数	t_A1	t_A2	t_A3	t_A4	t_A5	t_A6	总时间T_A
1	634.95	12.16	3 852.79	2 685.00	3 020.25	551.69	10 756.84
2	588.71	12.12	3 088.24	2 451.40	3 008.86	537.88	9 687.21
3	693.18	12.13	3 462.55	2 693.89	2 968.58	542.65	10 372.98
4	603.26	11.90	3 762.82	2 729.93	2 958.64	568.11	10 634.66
5	666.91	11.71	3 490.51	2 743.85	2 938.28	581.18	10 432.44
6	588.29	11.72	3 472.58	2 701.08	2 943.11	567.73	10 284.51
7	586.82	11.81	3 976.51	2 492.83	2 964.37	565.19	10 597.53
8	696.74	11.88	3 415.59	3 150.62	2 929.69	574.21	10 778.73
9	705.49	13.57	3 787.21	2 816.02	2 916.69	579.40	10 818.38
10	667.10	11.78	3 217.01	2 690.37	2 895.12	551.87	10 033.25

用户	t_R1	t_R2	总时间T_R
user1	593.71	11.32	605.03
user2	660.72	11.43	672.15
user3	555.57	11.91	567.48
user4	633.15	11.41	644.56
user5	574.02	12.16	586.18
user6	571.38	11.66	583.04
user7	672.64	11.63	684.27
user8	564.88	11.52	576.40
user9	600.78	11.44	612.22
user10	563.25	11.39	574.93

基于移动端协助的远程用户单一口令认证方法

Single password authentication method for remote user based on mobile terminal assistance

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 26

参考文献 22

相关文章 15

Metrics

推荐阅读 0

设备	t_R1	t_R2	总时间T_R
安卓模拟器	555.89	11.71	567.60
Sony	564.45	11.59	576.04
魅族	532.69	11.69	544.38

安全指标	mobile SPA	SPASS
双向认证	是	是
抗口令丢失攻击	弱	强
抗中间人攻击	弱	强
抗字典攻击	弱	强
抗恶意软件攻击	弱	强
抗服务器内部攻击	弱	强

[1]	廉欢欢, 侯慧莹, 赵运磊. 后量子基于验证元的三方口令认证密钥交换协议[J]. 通信学报, 2022, 43(4): 95-106.
[2]	尹安琪, 郭渊博, 汪定, 曲彤洲, 陈琳. 可证明安全的抗量子两服务器口令认证密钥交换协议[J]. 通信学报, 2022, 43(3): 14-29.
[3]	郭渊博, 尹安琪. 基于格的口令认证密钥交换协议综述[J]. 通信学报, 2022, 43(12): 172-187.
[4]	熊金波, 周永洁, 毕仁万, 万良, 田有亮. 边缘协同的轻量级隐私保护分类框架[J]. 通信学报, 2022, 43(1): 127-137.
[5]	刘海, 田有亮, 唐莹, Jianbing Ni, 马建峰. 面向理性用户的秘密重构设计模型[J]. 通信学报, 2021, 42(11): 54-65.
[6]	熊金波,毕仁万,陈前昕,刘西蒙. 边缘协作的轻量级安全区域建议网络[J]. 通信学报, 2020, 41(10): 188-201.
[7]	周翰逊,陈晨,冯润泽,熊俊坤,潘宏,郭薇. 基于值导数GRU的移动恶意软件流量检测方法[J]. 通信学报, 2020, 41(1): 102-113.
[8]	胡建伟,车欣,周漫,崔艳鹏. 基于高斯混合模型的增量聚类方法识别恶意软件家族[J]. 通信学报, 2019, 40(6): 148-159.
[9]	张艳硕,李文敬,陈雷,毕伟,杨涛. 基于特征值的可验证特殊门限秘密共享方案[J]. 通信学报, 2018, 39(8): 169-175.
[10]	王彩芬,陈丽. 基于格的用户匿名三方口令认证密钥协商协议[J]. 通信学报, 2018, 39(2): 21-30.
[11]	于金霞,廉欢欢,汤永利,史梦瑶,赵宗渠. 格上基于口令的三方认证密钥交换协议[J]. 通信学报, 2018, 39(11): 87-97.
[12]	张恩,裴瑶瑶,杜蛟. 基于RLWE的密文策略属性代理重加密[J]. 通信学报, 2018, 39(11): 129-137.
[13]	梁建武,刘晓书,程资. 基于图态和中国剩余定理的量子秘密共享方案[J]. 通信学报, 2018, 39(10): 72-78.
[14]	张恩,耿魁,金伟,李勇俊,孙韵清,李凤华. 抗隐蔽敌手的云外包秘密共享方案[J]. 通信学报, 2017, 38(5): 57-65.
[15]	杨宏宇,徐晋. 基于改进随机森林算法的Android恶意软件检测[J]. 通信学报, 2017, 38(4): 8-16.

用户	t_A1	t_A2	t_A3	t_A4	t_A5	t_A6	总时间T_A
user1	706.66	11.18	3 870.38	2 476.76	2 896.26	620.59	10581.83
user2	656.90	11.67	3 021.22	2 516.65	2 972.40	540.37	9719.21
user3	590.32	11.40	3 942.38	2 667.09	2 940.90	564.04	10716.13
user4	636.21	11.50	3 436.28	2 472.99	2 917.59	563.28	10037.85
user5	661.22	11.52	3 441.83	2 480.50	2 936.19	548.34	10079.60
user6	696.98	11.67	3 155.77	2 690.94	2 919.25	545.47	10020.08
user7	583.52	11.43	3 485.63	2 716.33	2 896.02	561.31	10254.24
user8	580.69	12.01	3 730.85	2 517.52	2 949.34	561.96	10352.37
user9	591.99	11.73	3 333.63	2 476.16	2 992.37	551.10	9956.98
user10	696.74	11.47	3 313.86	2 507.97	2 933.24	548.51	10011.79

用户	t_R1	t_R2	总时间T_R
user1	576.09	11.99	588.08
user2	677.24	11.78	689.02
user3	553.82	11.67	565.49
user4	577.40	12.14	589.54
user5	561.34	11.67	573.01
user6	600.80	11.78	612.58
user7	659.23	12.15	671.38
user8	638.52	11.69	650.21
user9	578.69	11.68	590.37
user10	556.91	12.04	568.95

次数	t_A1	t_A2	t_A3	t_A4	t_A5	t_A6	总时间T_A
user1	674.89	11.56	3 589.07	2 487.21	2 682.28	539.95	10 291.97
user2	652.75	11.64	3 538.29	2 702.91	3 001.16	627.43	10 534.18
user3	598.73	11.67	3 730.33	2 710.31	3 160.28	524.04	10 735.36
user4	597.75	11.60	3 389.03	2 670.76	2 921.73	532.14	10 123.01
user5	602.49	11.78	3 558.93	2 792.32	3 042.90	543.13	10 551.55
user6	679.08	12.04	3 584.63	2 780.92	2 851.92	583.65	10 492.24
user7	705.12	11.57	3 401.68	2 665.76	2 845.77	550.11	10 180.01
user8	602.14	11.81	3 769.10	2 786.24	2 858.46	562.39	10 590.14
user9	627.65	12.54	3 329.07	2 664.68	2 886.40	558.95	10 079.29
user10	611.41	11.89	3 564.91	2 682.28	2 844.04	529.52	10 244.05

设备	t_A1	t_A2	t_A3	t_A4	t_A5	t_A6	总时间T_A
安卓模拟器	655.94	12.14	3 746.96	2697.21	2 886.60	603.58	10 602.43
Sony	631.69	11.53	3 737.36	174.27	2 911.79	598.03	8 064.67
魅族	627.51	11.68	3 758.87	152.76	2 919.66	574.56	8 045.04