一种改进的智能卡远程用户匿名认证方案

J4 ›› 2016, Vol. 38 ›› Issue (03): 465-470.

一种改进的智能卡远程用户匿名认证方案

刘润杰，刘恒超，申金媛

郑州大学信息工程学院，河南郑州 450001）

收稿日期:2015-02-28 修回日期:2015-05-21 出版日期:2016-03-25 发布日期:2016-03-25
基金资助:
河南省科技厅产学研项目(142107000004)

An improved remote user anonymous
authentication scheme using smart cards

LIU Runjie,LIU Hengchao，SHEN Jinyuan

（School of Information Engineering,Zhengzhou University,Zhengzhou 450001,China）

Received:2015-02-28 Revised:2015-05-21 Online:2016-03-25 Published:2016-03-25

摘要/Abstract

摘要：

针对Sonwanshi提出的远程用户认证方案存在会话密钥安全性差、不能抵御扮演攻击和离线口令猜测攻击的缺陷，提出了一种改进方案，主要在注册和登录阶段增加了安全性能。在注册阶段，用户口令直接在智能卡内进行相应运算，不再提交给服务器。这不仅降低了服务器对口令存储、维护的开销，而且避免了服务器对用户的攻击，提高了安全性能。在登录阶段，采用随机数的挑战应答方式取代原方案的时间戳方式，消除了时钟不同步导致的认证失败。对原方案、改进方案和其他同类方案进行安全性和效率分析的结果表明，改进方案不仅弥补了原方案的缺陷，而且相对同类方案，降低了时间复杂度，适用于安全需求高、处理能力低的设备。

关键词: 智能卡, 身份认证, 匿名性, 扮演攻击, 会话密钥

Abstract:

We find some security flaws in Sonwanshi’s remote user authentication scheme, such as poor session key security and incapability to resist impersonation attacks and offline password guessing attacks. We propose an improvement scheme, which mainly enhances the security of Sonwanshi’s scheme in the registration and login phase. In the registration phase, users’ passwords are directly stored in the local smart cards rather than be submitted to the server, which not only reduces the costs of servers for password storage and maintenance, but also improves the security performance. In the login phase, the original time stamp mode is replaced by a random number challenge response mode to avoid authentication failure caused by clock asynchronization. The analysis on security performance and efficiency shows that the proposed scheme not only eliminates the defects of Sonwanshi’s scheme, but also reduces the time complexity in comparison with similar schemes. It, therefore, is suitable for those devices with low processing power and high security requirements.

Key words: smart card;identity authentication;anonymous;impersonation attack;session key

刘润杰，刘恒超，申金媛. 一种改进的智能卡远程用户匿名认证方案[J]. J4, 2016, 38(03): 465-470.

LIU Runjie,LIU Hengchao，SHEN Jinyuan. An improved remote user anonymous
authentication scheme using smart cards [J]. J4, 2016, 38(03): 465-470.

参考文献［12］

［1］	Lamport L.Password authentication with insecure communication［J］.Communications of the ACM,1981,24（11）:770772.
［2］	Hwang M S, Li L H. A new remote user authentication scheme using smart cards［J］.IEEE Transactions on Consumer Electronics,2000,46（1）:2830.
［3］	ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms［C］∥Advances in Cryptology,1985:1018.
［4］	Das M L,Saxena A,Gulati V P.A dynamic IDbased remote user authentication scheme［J］.IEEE Transactions on Consumer Electronics,2004,50（2）:629631.
［5］	Hu Ronglei, Liu Jianwei, Zhang Qishan.Improvement of remote user authentication schemes using passwords［J］.Journal of Beijing University of Aeronautics and Astronautics,2008,34（9）:10371040.(in Chinese)
［6］	Duan Xiaoyi,Zhang Qishan,Liu Jianwei.Improved security enhancement for dynamic IDbased remote user authentication scheme［J］.Journal of Beijing University of Aeronautics and Astronautics,2007,33（5）:565567.(in Chinese)
［7］	Sonwanshi S S,Ahirwal R R,Jain Y K.An efficient smart card based remote user authentication scheme using hash function［C］∥2012 IEEE Students’ Conference on Electrical,Electronics and Computer Science （SCEECS）,2012:14.
［8］	Messerges T S,Dabbish E A,Sloan R H.Examining smartcard security under the threat of power analysis attacks［J］.IEEE Transactions on Computers,2002,51（5）:541552.
	Table 3Comparison of authentication functions表3认证机制的功能对比方案双向
	认证前向
	安全性抗重放
	攻击用户
	匿名性智能卡权限
	废除机制抗扮演
	攻击时钟同步
	问题抗已知
	密钥攻击抗离线
	猜测攻击原方案是是是否否否是是否Shin［13］
	方案是是是是否是否是是Youngil［14］
	方案是是是是是是是是是改进方案是是是是是是否是是［9］Tsai C S,Lee C C,Hwang M S.Password authentication schemes:Current status and key issues［J］.International Journal of Network Security,2006,3（2）:101115.
［10］	Qin Xiaolong,Yang Yixian.Composite attacks on strongpassword authentication protocol［J］.Acta Electronica Sinica,2003,31（7）:10431045.(in Chinese)
［11］	Li Li,Xue Rui,Zhang Huanguo,et al.Security analysis of authenticated key exchange protocol based on password ［J］.Acta Electronica Sinica,2005,33（1）:166170.(in Chinese)
［12］	Wang Ding,Ma Chunguang，Weng Chen,et al.Cryptanalysis and Improvement of a remote user authentication scheme for resource limited environment ［J］.Journal of Electronics &Information Technology,2012,34（10）:25202526.(in Chinese)
［13］	Shin S,Kim K,Kim K H,et al.A remote user authentication scheme with anonymity for mobile devices［J］.International Journal of Advanced Robotic Systems,2012(9):17.
［14］	Kim Y, Choi Y, Won D. Security improvement on smart cardbased remote user authentication scheme using Hash function［C］∥Proc of 2014 International Conference on Information Science and Applications （ICISA）,2014:14.
	附中文参考文献:
［5］	胡荣磊,刘建伟,张其善.对一种远程用户口令认证方案的改进［J］.北京航空航天大学学报,2008,34（9）:10371040.
［6］	段晓毅,张其善,刘建伟.基于动态 ID 的远程认证方案的改进［J］.北京航空航天大学学报,2007,33（5）:565567.
［10］	秦小龙,杨义先.强口令认证协议的组合攻击［J］.电子学报,2003,31（7）:10431045.
［11］	李莉,薛锐,张焕国,等.基于口令认证的密钥交换协议的安全性分析［J］.电子学报,2005,33（1）:166170.
［12］	汪定,马春光,翁臣,等.一种适于受限资源环境的远程用户认证方案的分析与改进［J］.电子与信息学报,2012,34（10）:25202526.

[1]	曹守启, 何鑫, 刘婉荣. 一种改进的远程用户身份认证方案[J]. 计算机工程与科学, 2021, 43(11): 1960-1965.
[2]	陈孟东，原昊，谢向辉，吴东. 一种基于分布式平台的规则处理架构[J]. 计算机工程与科学, 2020, 42(01): 18-24.
[3]	曹素珍,王斐,郎晓丽. 具有隐私保护的安全电子交易协议[J]. 计算机工程与科学, 2019, 41(04): 626-632.
[4]	曹守启，孙青，曹莉凌. 动态ID多因素远程用户身份认证方案的改进[J]. 计算机工程与科学, 2019, 41(04): 633-640.
[5]	孙子文，李富，庞永春. 最小风险贝叶斯决策融合的多点触摸身份认证[J]. 计算机工程与科学, 2018, 40(09): 1579-1584.
[6]	刘玉军，汪明辉，蔡猛，陈坤. 降低Ad hoc网络信息泄露的路由算法[J]. J4, 2015, 37(06): 1087-1092.
[7]	郑明辉，刘召召. 无线传感器网络中三方密钥建立协议研究[J]. J4, 2014, 36(11): 2132-2136.
[8]	朱黎，胡涛，罗锋，毛雷，纪忠原. 基于自适应LBP人脸识别的身份验证[J]. J4, 2014, 36(11): 2217-2222.
[9]	付青琴1,昂正全2,袁艳芳1. 一种改进的智能卡数据传输安全策略[J]. J4, 2014, 36(11): 2229-2233.
[10]	章玥1,2，郭建1,2，朱晓冉1，王文君1，朱晶洋1，汤家华3，陈峻念3. 基于Event-B 方法的多应用智能卡的建模与开发[J]. J4, 2014, 36(10): 1943-1951.
[11]	黄一平1，农丽萍2，苏检德1. 智能卡COS的快速烧写技术研究与实现[J]. J4, 2014, 36(09): 1650-1655.
[12]	黄朝阳，吴正英，罗少兰. 一种安全高效的智能卡口令认证方案[J]. J4, 2014, 36(09): 1711-1715.
[13]	易通1,李学宝2，陈宏朝1. 适用于双方频繁通信的密钥交换协议[J]. J4, 2014, 36(07): 1284-1289.
[14]	李福祥1,霍建秋2,林慕清1,唐晶1,周福才2. 一种面向击键动态身份认证的多模板选择算法[J]. J4, 2014, 36(01): 73-82.
[15]	付青琴1,昂正全2,徐平江1. 一种改进的智能卡认证方法的实现[J]. J4, 2014, 36(01): 94-98.