一种基于智能卡的口令认证方案

给出了一个基于智能卡的远程访问口令认证方案，它能够对登录口令进行检验而不需要检索口令表。它利用了公钥密码系统的签名特性，其安全性依赖于离散对数问题和因数分解问题。特点是网络用户可以自由选择其口令，通过对口令增加时间戳还可抵抗重放攻击。     

融入混沌理论的一种OTP方案研究

身份认证中广泛使用了一次性口令机制。该文分析了一种一次性口令认证方案，指出了其存在的不足；将混沌理论中混沌序列的技术应用到一次性口令当中，提出了一种新的一次性口令方案，该方案实现了双向认证，并在认证时间和存储空间上的开销得到了优化，提高了认证的强度和安全性。     

基于混沌映射的用户匿名三方口令认证密钥协商协议

在基于混沌的三方口令认证密钥协商协议中,用户通过低熵的口令实现相互认证和共享会话密钥,以避免在身份认证过程中公钥基础设施或存储用户长期密钥的安全威胁。通过分析Lee提出的基于混沌映射的口令认证密钥协商协议,发现其协议不能进行口令变更,而且仅适用于用户和服务器之间的两方通信。为了改进此方案,提出两个基于切比雪夫混沌映射的用户匿名三方口令认证密钥协商协议,包括基于时钟同步的密钥协商方案和基于随机数的密钥协商方案。其中基于时钟同步的用户匿名三方口令认证密钥协商协议通信量少,基于随机数的用户匿名三方口令认证密钥协商协议更容易实现。两个方案的优点是用户仅选择一个简单的口令进行相互认证和密钥协商,服务器不需要再保护用户口令表,避免了口令相关的攻击,而且在相互认证过程中用户使用临时身份和哈希函数,实现用户匿名性,在增强协议安全性的同时,减少了通信过程中消息的数量,提高了协议的执行效率,具有完美前向安全,并用BAN逻辑证明了其安全性。     

一种适合远程访问场景的认证和密钥交换方案

提出了一种基于基本ECMQV协议的非对称式认证和密钥交换方案AEAS，可实现对客户端的口令认证和对服务端的公钥认证；AEAS中的客户端口令认证具有零知识安拿属性，允许用户使用弱口令，并能抵御各种字典攻击和重放攻击；与同类非对称认证和密钥交换方案相比，AEAS具有最少的公钥计算开销。AEAS协议能集成到现有WTLS协议框架中，从而实现一种高安全性和低计算开销的WTLS扩展，它完全可满足无线终端在企业远程访问场景下的高安全性要求。     

使用智能卡的动态口令认证机制

动态口令身份认证机制是目前身份认证技术发展的一个重要方向。但是在很多动态口令机制中,用户的认证数据通常利用在服务器储存的验证因子进行掩码传输,如果验证因子被盗,攻击者就可以伪造验证数据,因此动态口令认证机制易遭受盗窃攻击。最近提出了一种新的抗盗窃攻击的动态口令认证方案2GR,但是2GR不能抵抗拒绝服务攻击,也没有提供用户和服务器的双向认证。将在2GR方案的基础上提出一个基于智能卡的改进方案,该方案能解决上述问题。     

一个基于智能卡的动态认证方案

讨论了2006年袁丁等人设计的简单高效的口令识别方案（SEPA）,指出该方案无法抵御字典攻击、中间人攻击和服务器拒绝服务攻击。提出了一个基于智能卡的动态认证方案,并对其进行了分析,结果表明新方案提供双向认证,安全性高,运算量低,具有安全、友好、方便的口令更新方式,并且服务器不需维护用于认证的验证表。     

基于SHA和RSA算法实用有效的双向身份认证系统

该文分析了常用的几种一次性口令身份认证方案,在挑战/应答方案的基础上,使用SHA算法和RSA公钥加密体制,设计了一种新型的身份认证方案。该方案将静态口令机制和动态口令机制相结合,不仅能提供通信双方的相互认证,而且克服了传统挑战/应答方案的弱点。最后对方案的安全性和有效性进行了分析。     

无须重注册的单向通信动态口令认证

动态口令是在系统中或设备上仅对一次会话有效的口令。目前存在的无须重注册的动态口令方案虽然不受认证次数的限制,但仅支持在线认证,不能离线认证。针对以上问题,提出一种无须重注册的单向通信动态口令认证方案。该方案基于无须重注册的方式结合基于时间动态口令方案,在实现离线认证的同时满足认证次数无限和口令有时效,最后证明该方案的安全性。     

基于身份的远程用户认证方案

研究近期提出的2个远程用户认证方案,对其进行伪造攻击。利用基于身份的签名思想提出一个基于身份的远程用户认证方案,在实现动态认证的同时无须用户与远程服务器端交互,通信量小,远端服务器无须保存或维护任何口令或验证表,存储代价低,可以避免口令攻击、重放攻击、伪造攻击、中间人攻击等,安全性高。     

基于ECC的PostgreSQL口令认证的研究与改进

口令认证技术是最常用的身份认证技术,它可分为两类:静态口令和动态口令.介绍了PostgreSQL 口令认证的原理,虽然PostgreSQL口令认证机制在一定程度上采用了动态口令认证方式,但是其口令认证方式仍然存在不能抵抗字典攻击以及冒充攻击等局限性.其次基于椭圆曲线,对PostgreSQL口令认证机制进行了改进,提出了一种可以弥补PostgreSQL 口令认证机制存在上述漏洞的改进方案.结果表明改进方案能够进行双向认证,有效地防止冒充攻击、重放攻击和字典攻击,提高了PostgreSQL口令认证机制的安全性.     

Password authentication schemes with smart cards

In this paper, two password authentication schemes with smart cards are proposed. In the schemes, users can change their passwords freely, and the remote system does not need the directory of passwords or verification tables to authenticate users. Once the secure network environment is set up, authentication can be handled solely by the two parties involved. For a network without synchronized clocks, the proposed nonce-based authentication scheme is able to prevent malicious reply attacks.     

Shoulder-surfing-proof graphical password authentication scheme

The graphical password authentication scheme uses icons instead of text-based passwords to authenticate users. Icons might be somehow more familiar to human beings than text-based passwords, since it is hard to remember the latter with sufficient security strength. No matter what kind of password is used, there are always shoulder-surfing problems. An attacker can easily get text-based password or graphical password by observation, capturing a video or recording the login process. In this paper, we propose a shoulder-surfing-proof graphical password authentication scheme using the convex-hull graphical algorithm. We give evaluation and comparisons to demonstrate the security strength and the functionality advantages of our scheme.     

基于椭圆曲线密码体制的口令认证系统研究

针对现有口令认证系统中存在的安全问题,本文在研究椭圆曲线密码体制ECC基本原理的基础上,设计了一种新的基于ECC的口令认证方案,给出了该方案的详细实现过程,最后对方案进行了安全性分析。本方案的特点是用户口令在系统存储和传输过程中难以被破解;认证信息保持动态性,能有效防止重放攻击;用户还可以及时发现秘密使用其口令的非法用户,杜绝了信息泄漏或资源盗用。整个方案安全有效,易于实现,有着良好的应用前景。     

An Enhanced Graphical Authentication Scheme Using Multiple-Image Steganography

Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and do not be controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.     

An improved timestamp-based remote user authentication scheme

To protect the remote server from various malicious attacks, many authentication schemes have been proposed. Some schemes have to maintain a password verification table in the remote server for checking the legitimacy of the login users. To overcome potential risks of verification tables, researchers proposed remote user authentication schemes using smartcard, in which the remote server only keeps a secret key for computing the user’s passwords and does not need any verification table for verifying legal user. In 2003 Shen, Lin, and Hwang proposed a timestamp-based password authentication scheme using smartcards in which the remote server does not need to store the passwords or verification table for user authentication. Unfortunately, this scheme is vulnerable to some deadly attacks. In this paper, we analyze few attacks and finally propose an improved timestamp-based remote user authentication scheme. The modified scheme is more efficient and secure than original scheme.     

Seed-based authentication for mobile clients across multiple devices

Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but it also requires extra effort from users to memorize complex passwords. Seed-based authentication can simplify the process of authentication for mobile users. In the seed-based authentication, images can be used as credentials for a mobile app. A seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are more friendly to mobile users. Previous work had been done in seed-based authentication which focused on providing authentication from a single device. It is common that a mobile user may have two or more mobile devices. Authenticating the same user on different devices is challenging due to several aspects, such as maintaining the same credential for multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication for 40% at most, compared to single-device solutions.     

一种新型抵御字典攻击的认证方案

身份验证是网络应用系统中的第一道防线,目的是验证通信双方的身份,防止非法用户窃取和假冒合法用户.尽管通过口令是最方便的身份验证方法,但它也伴随着字典攻击的威胁.分析了常用的几种一次性口令身份认证方案,在挑战-响应方案基础上,利用安全单向哈希函数提出并设计了一种新型身份验证方案.该方案不仅明显减少了认证服务器的开销,而且能有效地抵御字典攻击、拒绝服务攻击等攻击手段,显著增强了应用系统的安全性.     

一种新型抵御字典攻击的方案

身份验证是网络应用系统中的第一道防线,目的是验证通信双方的身份,防止非法用户窃取和假冒合法用户。尽管通过口令是最方便的身份验证方法,但它也伴随着字典攻击的威胁。分析了常用的几种一次性口令身份认证方案,在挑战-响应方案基础上,利用安全单向哈希函数提出并设计了一种新型身份验证方案。该方案不仅明显减少了认证服务器的开销,而且能有效地抵御字典攻击、拒绝服务攻击等攻击手段,显著增强了应用系统的安全性。     

An efficient biometrics-based remote user authentication scheme using smart cards

In this paper, we propose an efficient biometric-based remote user authentication scheme using smart cards, in which the computation cost is relatively low compared with other related schemes. The security of the proposed scheme is based on the one-way hash function, biometrics verification and smart card. Moreover, the proposed scheme enables the user to change their passwords freely and provides mutual authentication between the users and the remote server. In addition, many remote authentication schemes use timestamps to resist replay attacks. Therefore, synchronized clock is required between the user and the remote server. In our scheme, it does not require synchronized clocks between two entities because we use random numbers in place of timestamps.     

A more efficient and secure dynamic ID-based remote user authentication scheme

In 2004, Das, Saxena and Gulati proposed a dynamic ID-based remote user authentication scheme. This scheme allows users to change and choose passwords freely, and the server does not maintain any verifier table. It is also secure to against ID-theft, replay attacks and insider attacks and so on. However, research has been done to point that it is completely insecure for its independent of the password. Furthermore, it did not achieve mutual authentication and could not resist impersonate remote server attack. In this paper, an enhanced password authentication scheme which still keeps the merits of the original scheme was presented. Security analysis proved that the improved scheme is more secure and practical.