适用于移动商务环境的口令认证密钥交换协议

在移动商务环境下为了解决全自动区分计算机和人类的公开图灵测试（CAPTCHA）技术易被攻击而失效的问题，提出了适用于该环境的口令认证密钥交换协议．将认证密钥交换过程与CAPTCHA挑战/应答过程巧妙融合，在不增加协议通信轮数的条件下，通过对称加密方案保护CAPTCHA问题实例；采用适于移动终端的椭圆曲线公钥系统，基于智能卡的安全特性，提高了协议的效率和安全性；在随机预言机模型下，给出了安全性证明．与同类协议相比，新协议仅需3轮通信就能使CAPTCHA问题实例免受攻击，无须存储口令验证表，具备前向安全性.

A Password-Based Authenticated Key Exchange Protocol for Mobile-Commerce Environments

For mobile commerce environments, a novel password based authenticated key exchange protocol is proposed to solve that the technology to effectively prevent legitimate users’ abuse, named as completely automatic public Turing test to tell computer and human apart (CAPTCHA), is vulnerable to analytical attacks. The protocol elaborately combines the CAPTCHA challenge/response progress with the authenticated key exchange interaction. It introduces symmetric encryption scheme to make CAPTCHA secure without additional communication rounds. And it is based on smart cards to obtain stronger security and adopts elliptic curve cryptosystem which is suitable for the environments. In random oracle model it is provably secure. Compared with the other related protocols, it requires only three communication rounds, protects CAPTCHA against analytical attacks, needs no validation tables storing on the server and provides perfect forward secrecy.