基于口令的远程身份认证及密钥协商协议

基于口令的身份认证协议是研究的热点。分析了一个低开销的基于随机数的远程身份认证协议的安全性，指出了该协议的安全缺陷。构造了一个基于随机数和Hash函数、使用智能卡的远程身份认证和密钥协商协议：PUAKP协议。该协议使用随机数，避免了使用时戳带来的重放攻击的潜在风险。该协议允许用户自主选择和更改口令，实现了双向认证，有较小的计算开销；能够抵御中间人攻击；具有口令错误敏感性、口令的主机非透明性和强安全修复性；生成的会话密钥具有新鲜性、机密性、已知密钥安全性和前向安全性。

Password-based remote user authentication and key agreement protocol

Password-based remote user authentication is a hotspot in authentication protocol research. The security of a proposed remote user authentication scheme was analyzed. Whereby it used nonce random and had very low computational costs. However, this scheme still has many security faults. The weakness of the scheme was demonstrated. Password-based remote user authentication and key agreement protocol (PUAKP), a novel nonce and hash-based remote user authentication scheme and key agreement using smart cards were also presented. In order to avoid the risk of message replay attack, the scheme uses nonce random instead of using time stamps. PUAKP has many merits: it lets users freely choose and change password at their own will; it provides mutual authentication between two entities; it has more lower computational costs; it resists man-in-the-middle attack; in addition, it has wrong password sensitivity; and it has password nontransparency to system and strong security reparability. Furthermore, the session key has freshness, confidentiality, known-key security and forward security.