For a specific information system resource, it should only be accessed by authorized legal users. The key to the problem lies in how to correctly identify the true identity of the user. Identity authentication is the process of checking the identity certificate of the user by the system. It is essentially to find out whether the user has the right to store and use the resource he requested. Identification in the field of information technology is achieved by binding an evidence to an entity identity. The entity may be a user, a host, an application, or even a process. There is a one-to-one correspondence between evidence and identities. In the process of communication between two parties, one entity provides the evidence to prove its identity to the other party, and the other party verifies the evidence through a corresponding mechanism to determine whether the entity claims the evidence. Identity is consistent. NINGBO HOZ TRADING CO.,LTD , https://www.howzkitchenware.com
Currently used identity authentication technology is mainly divided into password-based identity authentication, smart card-based authentication, password-based identity authentication, biometric-based identity authentication, and other types. Among them, password authentication is a method of verifying identity based on known things, and is widely used because of its characteristics such as low cost, easy implementation, and convenient use. However, this authentication method is also the most easily broken form of the user authentication mechanism. If an eavesdropper on the network gets a secret password, he can impersonate the user. Once the eavesdropper is able to impersonate the user, the server cannot prevent eavesdroppers from doing anything that the legitimate user authorized to do.
Password authentication is divided into static password authentication and dynamic password authentication. Existing research shows that the traditional static password authentication technology has inherent security flaws. Therefore, it is necessary to strengthen the security of the password authentication technology. Using dynamic password authentication technology can significantly improve the security of the password authentication scheme. Dynamic password authentication is based on the fact that each time a user logs in to the system, the dynamic password authentication information is different, making it difficult to guess passwords and replay attacks through direct network eavesdropping. However, if these dynamic password authentication information are derived from a user-remembered password, then the user-remembered password is still vulnerable to password guessing attacks. In addition, if these dynamic passwords are all written on a piece of paper for the user to save, although the above-mentioned attacks can be prevented and the password verification code will not be reused, the user needs to carry a large number of password verification codes and ensure these passwords. It is inconvenient to verify the security of the code and enter a relatively complex string each time. In addition, this method is also likely to cause password leaks or man-in-the-middle attacks.
In order to effectively improve the security of password authentication, numerous documents have been discussed, such as increasing the strength of passwords to improve the ability to resist brute force attacks and dictionary attacks; password encryption is prevented from being eavesdropped on transmission; and dynamic one-time passwords are used. The system prevents password replay and the like. In order to solve the above problems, this paper proposes a dynamic password authentication mechanism based on smart cards, which effectively improves the security of passwords.
Smart card authentication is a combination of "user known and already owned" authentication. The smart card has a CPU and memory embedded in the card, as well as a series of security mechanisms to secure the internal data. Using smart cards with data processing capabilities, you can perform more complex operations such as key pair generation on the card and signature and verification calculations on the card. When a user accesses the system, the system first determines the legitimacy of the smart card, and then the smart card authenticates the legitimacy of the card holder through the input PIN, and then the system further authenticates the legitimacy of the smart card. Therefore, this method has better security than the password-based identity authentication method, and solves problem 1 in the password authentication method to a certain extent (the attacker may eavesdrop or intercept the communication content on the communication channel.) and problems. 2 (The attacker may use the vulnerability in the system to obtain the system's password file for related attacks. Currently smart cards are constantly replacing magnetic cards as a more effective personal possession for identifying identities. Although smart card-based authentication Ways, better security, but the use of ordinary smart cards requires smart card readers, which seriously affect the ease of use.With the popularization and development of computer universal serial bus standard USB interface, based on the USB interface and The USB KEY of smart card technology has been rapidly developed, and the USBKEY-based authentication method will be a convenient, secure, and economical authentication technology.
1 Dynamic Password and Smart Card
Dynamic passwords are also called one-time passwords. The dynamic password changes with the calculation factor that generates the password. Dynamic password generation factors generally use a double-computation factor: the first is the user's private key. It is an identifier that represents the user's identity and is fixed. The second is the change factor. It is the constant change of the change factor that produces the ever-changing dynamic password. Using different variation factors, different dynamic password authentications are formed: authentication technologies based on time synchronization authentication, event synchronization authentication, and challenge/response mode.
1) Time-based synchronization authentication takes time as the variation factor, and so-called "synchronization" means that the password generated by the user's password card and the authentication server must be synchronized in time.
2) The event-based synchronization authentication technique is to use a changing digital sequence (event sequence) as a calculation factor of the password generator and generate a dynamic password together with the user's private key. The synchronization means that the authentication server and the password card keep the same sequence of events at each authentication.
3) The change factor of the challenge/response method is a random number sequence generated by the authentication server. It is also the change factor of the password generated by the password card. The dynamic password technology adopts a one-time method to effectively ensure the security of the user identity. It has been widely used in recent years.
Smart card authentication is a two-factor authentication method (PIN code + smart card), two factors are indispensable. Even if an attacker steals a legitimate user's smart card and does not have the correct user PIN code, it still cannot pass the authentication system. Similarly, the attacker only obtains the user's PIN code, there is no legitimate smart card and cannot pass the authentication system, and the smart card-based identity. In the authentication method, due to the unique hardware manufacturing process of the smart card, it can resist physical tampering attacks, and the difficulty and cost of forgery are high. The operating system's security mechanism can prevent attackers from using software to steal confidential information in the card, which greatly improves the safety.
2 smart card dynamic password authentication mechanism design
A two-way authentication mechanism using challenge/response method is proposed. The client and server have a same counter in the database, and the initial state maintains synchronization. The new mechanisms include the registration phase, login phase and authentication phase. For convenience of description, the symbols and logos used in this article are described as follows:
U: User: S: Remote server ID: User ID Identifier PW: User login password Ks: Server key used to construct registered user's secret information hk(·):HMAC. SHA-1 algorithm with a key of k
⊕: XOR operation
2.1 Registration stage
1) The user freely selects the login password PW, calculates M1=h (ID⊕PW), and sends C1 and ID to the server through a secure channel for registration.
2) After receiving the registration request, s generates a random number r, takes out the key KS, calculates K=h (ID⊕KS), K1=h(ID⊕r), V=k⊕hK1(C1), S will include The smart card of the information (r, V, h(·), hk (·)| is issued to the user via the secure channel. At this time, s saves r.
2.2 Login phase
1) The user U wants to log in to the server S, insert the smart card into the terminal, submit the ID and password PW.
2) The smart card determines the validity of the user ID. If the ID is illegal, it refuses to send the login request; otherwise, it takes out R and V and calculates Ml 1 = h(PW), k1 * = h(ID⊕r), k *= V ⊕ hkl *, (M1* ), and generate a random number b, calculate c1 = h ( k * ⊕ TUI) ⊕ (k1 * ⊕ TUI), where TUI is the user's current timestamp.
3) Send information {ID, C1, TU1} to the remote server, requesting login.
2.3 Identification stage
server. After S receives the login request, the server s and the smart card perform the following operations:
1) Validity of S verification ID. If the ID is illegal, S rejects the login request; otherwise, S verifies the validity between TU1 and TS1. If TS 1-TU1 ≥ △, the server rejects the login request; otherwise, s calculates C1 *= h( k ⊕TUI) ⊕ h( k1 ⊕TUI ), compares C1* with C1, if C1* ≠C1,S terminates this time Session; otherwise, S passes authentication of user U. Among them, TS1 is the current timestamp of the server, and △ is the expected effective time interval.
2) To achieve mutual authentication, S calculates C2=h (K⊕TS2)⊕r) sends {C2, TS2} to the smart card, where TS2 is the current timestamp of the server.
3) After the smart card receives the verification information, it verifies the validity between TU2 and TS2. If TU2-TS2 ≥ △, the user rejects the server login; otherwise, the smart card takes out r and calculates C2 *=h ((K* ⊕r), compares C2* and C2, if C2*≠C2, suspends the session; otherwise, Through the identity authentication of S. Among them TU2 is the user's current time stamp, △ is the expected effective time interval.
3 Security and effectiveness analysis
1) It can effectively resist replay attacks and fractional attacks. It introduces random numbers in the authentication process, guarantees the freshness of each authentication information, and is not easy to implement guessing and forgery, and can effectively resist replay attacks. Because the implementation principle is different from S/Key, there is no decimal attack.
2) Two-way identity authentication is implemented, and the identity of the user and the legitimacy of the server are protected. At the same time, this mechanism adopts a two-factor authentication method (dynamic password + smart card), and an attacker wants to make a password guessing attack. Both are indispensable. In addition, since the user freely selects a password for registration, and the server always generates a random number in combination with the password for hash operation, the randomness of the password information further increases the difficulty of password guessing.
4) The challenge response mechanism is adopted, and the timestamp is maintained to maintain the synchronization between the client and the server. At the same time, the randomness of the authentication information is ensured and the counterfeit attack and the replay attack can be effectively resisted.
5) The mechanism adopts the hashing operation of the smart card, which has low computational cost. At the same time, the server does not need to save the password for successful authentication, which reduces the system overhead and improves the execution performance to some extent.
4 Conclusion
The dynamic password mechanism proposed in this paper adopts the two-factor authentication of smart cards, introduces a time stamp in the challenge response mechanism, maintains the synchronization of both parties, and adds dynamic passwords to make the authentication information constantly changing. In addition, due to the one-way function Security and complexity greatly increase the security and effectiveness of the application system, realize bidirectional authentication, and can effectively resist some typical attacks. However, the client-side and server-side operations are still numerous and need further improvement.
(Text/Institute of Information Security, Sichuan University, Jiang Lijun, Zhou Anmin)