使用智慧卡的通行碼登入系統之通行碼保護機制

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：26

、訪客IP：3.16.82.182

姓名

張永信(Yong-Xin Zhang) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

使用智慧卡的通行碼登入系統之通行碼保護機制
(Password Protection of Password-Based Login Systems with Smart Cards)

相關論文

★ 多種數位代理簽章之設計	★ 小額電子支付系統之研究
★ 實體密碼攻擊法之研究	★ 商業性金鑰恢復與金鑰託管機制之研究
★ AES資料加密標準之實體密碼分析研究	★ 電子競標系統之研究
★ 針對堆疊滿溢攻擊之動態程式區段保護機制	★ 通用型數域篩選因數分解法之參數探討
★ 於8051單晶片上實作可防禦DPA攻擊之AES加密器	★ 以非確定式軟體與遮罩分割對策防禦能量攻擊之研究
★ 遮罩保護機制防禦差分能量攻擊之研究	★ AES資料加密標準之能量密碼分析研究
★ 小額電子付費系統之設計與密碼分析	★ 公平電子現金系統之研究
★ RSA公開金鑰系統之實體密碼分析研究	★ 保護行動代理人所收集資料之研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

保護使用者的通行碼是智慧卡通行碼登入系統 (password authenticated key exchange with smart card: PAKE-CARD) 一項很重要的研究議題。本論文首先回顧相關研究文獻，並整理出五項對使用者通行碼具威脅性的密碼攻擊，包含了：通行碼猜測攻擊 (password guessing attack)，竊取驗證碼攻擊 (stolen verifier attack)，智慧卡入侵攻擊 (smart card compromise)，伺服器入侵攻擊 (server compromise) 以及間諜軟體攻擊 (spy-ware attack)。但是現有已提出之智慧卡通行碼登入系統 (PAKE-CARD) 尚無法同時抵禦上述所提之攻擊，因此使用者的通行碼仍然備受威脅。為了確實保護使用者的通行碼，本篇論文分析現有的智慧卡通行碼登入系統如何抵禦上述五項攻擊之後，提出一個新的智慧卡通行碼登入系統。所提出的系統不僅可以同時抵擋上述五項通行碼攻擊，並且在同樣的環境之下比現有的系統更有效率。

摘要(英)

How to protect user’’s password is a critical issue for any password authenticated key exchange with smart card (PAKE-CARD). Five primary attacks against PAKE-CARD schemes have been discussed in the literature, including: password guessing attack; stolen veriffier attack; smart card compromise; server compromise, and spy-ware attack. However, no existing PAKE-CARD scheme can resist all these attacks, and user’’s password is still vulnerable. In this thesis, we frst survey the existing PAKE-CARD schemes and analyze how the password can be protected under different environments. Then, we design a new PAKE-CARD scheme that can resist all the above mentioned attacks. Finally, we show that the proposed PAKE-CARD scheme is more efficient than previous ones under the same environment.

關鍵字(中)

★ 通行碼
★ 通行碼猜測攻擊
★ 智慧卡入侵攻擊
★ 伺服器入侵攻擊

關鍵字(英)

★ server compromise
★ password
★ smart card
★ password guessing attack
★ smart card compromise

論文目次

1 Introduction 1
1.1 Background................................1
1.2 Our Contributions............................3
1.3 Organization of the Thesis........................4
2 Preliminary 6
2.1 The Basic Model of Password-based Login System.......6
2.2 The Requirements and Attacks on Password-based Login System...8
2.2.1 The Requirements of Login System...............8
2.2.2 Various Kinds of Attacks.....................8
2.3 Review of Key Exchange Protocols...................10
2.3.1 Diffie-Hellman Key Exchange Protocol.............10
2.3.2 SPEKE Protocol.........................11
2.3.3 B-SPEKE Protocol........................12
2.3.4 SRP Protocol...........................13
2.3.5 APKAS-WSPEKE Protocol...................14
3 A Survey of PAKE-CARD Schemes 15
3.1 Overview of PAKE-CARD Schemes...................15
3.1.1 Stolen Veriffier Attack Resistance...........15
3.1.2 User Chosen Password......................16
3.1.3 Mutual Authentication......................16
3.1.4 Efficiency...........................16
3.1.5 Session Key Agreement, Forward Secrecy, Server Compromise Resistance, and Smart Card Compromise Resistance.....17
3.1.6 Multiple Security.........................18
3.1.7 Anonymity............................18
3.1.8 Spy-ware Attack Resistance...................19
3.2 Analysis of PAKE-CARD Schemes...................19
3.2.1 Discussion on Password Protection under Crucial Environments and Forward Secrecy...................20
3.2.2 Discussion on User's Anonymity.................22
3.3 Review of Tzeng-Zhang Scheme.....................22
3.3.1 System Setup...........................23
3.3.2 Registration Phase........................23
3.3.3 Login Phase............................24
3.3.4 Device Revocation Phase.....................25
3.3.5 Remarks and Discussions.....................26
3.4 Review of Chung-Ku-Tsaur Scheme...................26
3.4.1 System Setup...........................27
3.4.2 Registration Phase........................27
3.4.3 Login Phase............................27
3.4.4 Password Change Phase.....................28
3.4.5 Remarks and Discussions.....................28
4 A New PAKE-CARD Scheme with Two Enhanced Versions 29
4.1 System Setup...............................30
4.2 Registration Phase...........................30
4.3 Login Phase................................31
4.3.1 Basic PAKE-CARD Scheme...................31
4.3.2 Spy-ware Attack Resistant Version...............31
4.3.3 Anonymity Version........................32
4.4 Password Change Phase.........................32
4.5 Remarks and Discussions.........................32
4.5.1 Security Analysis.........................32
4.5.2 Efficiency Analysis........................35
5 Conclusions 38
5.1 Brief Review of the Main Contributions.................38
5.2 Further Research Topics and Directions.................38

參考文獻

[1] S. M. Bellovin and M. Merritt, “Encrypted key exchange: Password-based protocols secure against dictionary attacks," in IEEE Symposium on Research in Security and Privacy, pp. 72-84, IEEE Computer Society Press, 1992.
[2] K. Rhee, J. Kwak, S. Kim, and D. Won, “Challenge-response based RFID authentication protocol for distributed database environment," in Security in Pervasive Computing, vol. 3450 of Lecture Notes in Computer Science, pp. 70-84, Springer Berlin / Heidelberg, 2005.
[3] T. C. Clancy, N. Kiyavash, and D. J. Lin, “Secure smartcardbased fingerprint authentication," in Proceedings of the 2003 ACM SIGMM workshop on Bio-metrics methods and applications, pp. 45-52, ACM, 2003.
[4] S. C. Chong, A. B. J. Teoh, and D. C. L. Ngo, “Iris authentication using privatized advanced correlation filter," in Advances in Biometrics, vol. 3832 of Lecture Notes in Computer Science, pp. 382-388, Springer Berlin / Heidelberg, 2005.
[5] Research Papers on Password-based Cryptography. http://www.jablon.org/passwordlinks.html.
[6] Anti-Phishing Working Group. http://www.antiphishing.org.
[7] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed. McAfee, fifth ed.,
2005.
[8] P. Mutton Phishing Web Site Methods". http://www.fraudwatchinternational.com/phishing-fraud/phishing-web-site-methods/. Retrieved on December 14, 2006.
[9] D. Florencio and C. Herley, “Stopping a phishing attack, even when the victims
ignore warnings," Tech. Rep. MSR-TR-2005-142, Microsoft Research (MSR),
2005.
[10] D. Florencio and C. Herley, “Klassp: Entering passwords on a spyware infected machine using a shared-secret proxy," in Computer Security Applications Con-ference. 22nd Annual, pp. 67-76, Dec. 2006.
[11] D. Florencio and C. Herley, “Evaluating a trial deployment of password re-use for phishing prevention," in eCrime Researchers Summit, pp. 26-36, 2007.
[12] D. Florencio, C. Herley, and B. Coskun, “Do strong web passwords accomplish anything?," in HOTSEC'07: Proceedings of the 2nd USENIX workshop on Hot topics in security, pp. 1-6, USENIX Association, 2007.
[13] B. Coskun and C. Herley, “Can something you know" be saved?," in Informa-tion Security, vol. 5222, pp. 421-440, Springer Berlin / Heidelberg, 2008.
[14] S. Shin, K. Kobara, and H. Imai, “Leakage-resilient authenticated key estab-lishment protocols," in Advances in Cryptology - ASIACRYPT 2003, vol. 2894, pp. 155-172, Springer Berlin / Heidelberg, 2003.
[15] S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise," in Proceedings of the 1st ACM conference on Computer and com-munications security, pp. 244-250, ACM, 1993.
[16] S. Patel, “Number theoretic attacks on secure password schemes," in Proceed-ings of the 1997 IEEE Symposium on Security and Privacy, p. 236, IEEE Computer Society, 1997.
[17] P. Oechslin, “Making a faster cryptanalytic time-memory trade-off," in Advances in Cryptology - CRYPTO 2003, Lecture Notes in Computer Science, pp. 617-630, Springer-Verlag, 2003.
[18] A. Narayanan and V. Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff," in Proceedings of the 12th ACM conference on Computer and communications security, pp. 364-372, ACM, 2005.
[19] N. Provos and D. Mazieres, “A future-adaptable password scheme," in In Proceedings of the 1999 USENIX, Freenix track, p. 99, 1999.
[20] X. Boyen, “Hpake : Password authentication secure against cross-site user impersonation," in Cryptology And Network Security|CANS 2009, vol. 5888 of Lecture Notes in Computer Science, pp. 279-298, Berlin: Springer-Verlag, 2009.
[21] W. Rankl and W. Effing, Smart Card Handbook. Wiley, third ed., 2002.
[22] W. G. Tzeng and J. W. Zhang, “A secure login system with secure portable devices," in 17th Information Security Conference, ISC2007, Taiwan, pp. 503-516, 2007.
[23] D. FlorAancio and C. Herley, “One-time password access to any server without changing the server," in Information Security, vol. 5222 of Lecture Notes in Computer Science, pp. 401-420, Springer Berlin / Heidelberg, 2008.
[24] J. C. Haartsen, E. Radio, and S. B. V, “The bluetooth radio system," IEEE Personal Communications, vol. 7, pp. 28-36, 2000.
[25] W. Diffie and M. Hellman, “New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, pp. 644-654, Nov 1976.
[26] D. P. Jablon, “Strong password-only authenticated key exchange," SIGCOMM Comput. Commun. Rev., vol. 26, no. 5, pp. 5-26, 1996.
[27] P. C. van Oorschot and M. J. Wiener, “On diffie-hellman key agreement with short exponents," in Advances in Cryptology - EUROCRYPT 1996, vol. 1070, pp. 332-343, Springer-Verlag, 1996.
[28] S. Bellovin and M. Merritt, “Augmented encrypted key exchange: Password-based protocols secure against dictionary attacks and password file compromise," tech. rep., American Telephone and Telegraph Company Bell Laboratories, 1994.
[29] D. P. Jablon, “Extended password key exchange protocols immune to dictionary attack," in Proc. of WET-ICE, pp. 248-255, 1997.
[30] T.Wu, “The secure remote password protocol," in Proceedings of the Internet Society Symposium on Network and Distributed System Security, pp. 97-111, 1998.
[31] IEEE P1363.2/D26 - Standard Specification for Password-Based Public Key Cryptographic Techniques, 2005.
[32] H. R. Chung, W. C. Ku, and M. J. Tsaur, “Weaknesses and improvement of wang et al.'s remote user password authentication scheme for resource-limited environments," Comput. Stand. Interfaces, vol. 31, no. 4, pp. 863-868, 2009.
[33] T. L. Hwang, Y. H. Chen, and C. S. Laih, “Non-interactive password authentications without password tables," in IEEE Region 10 Conference on Computer and Communication Systems, vol. 1, pp. 429-431, Sep 1990.
[34] A. Shamir, “Identity-based cryptosystems and signature schemes," in Advances in Cryptology - CRYPTO 1984, Lecture Notes in Computer Science, pp. 47-53, Springer-Verlag, 1984.
[35] C. C. Chang and T. C. Wu, “Remote password authentication with smart cards," IEE Proceedings - Computers and Digital Techniques, vol. 138, pp. 165-168, May 1991.
[36] C. C. Chang and C. S. Laih, “comment on remote password authentication with smart cards," IEE Proccedings-E, vol. 139, no. 4, pp. 372-372, 1992.
[37] C. C. Chang and S. J. Hwang, “Using smart cards to authenticate remote passwords," Computers and mathematics with applications, vol. 26, no. 7, pp. 19-27, 1993.
[38] C. C. Chang and W. Y. Liao, “A remote password authentication scheme based upon elgamal's signature scheme," Comput. Secur., vol. 13, no. 2, pp. 137-144, 1994.
[39] T. C. Wu, “Remote login authentication scheme based on a geometric approach," Computer Communications, vol. 18, no. 12, pp. 959-963, 1995.
[40] M. S. Hwang, “Cryptanalysis of a remote login authentication scheme," Computer Communications, vol. 22, no. 8, pp. 742-744, 1999.
[41] W. H. Yang and S. P. Shieh, “Password authentication schemes with smart cards," Computers and Security, vol. 18, no. 8, pp. 727-733, 1999.
[42] H. M. Sun, “Cryptanalysis of password authentication schemes with smart cards," in Information Security Conference, pp. 221-223, May 2001.
[43] M. S. Hwang and L. H. Li, “A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 46, pp. 28-30, Feb 2000.
[44] T. Elgamal, “A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, vol. 31, pp. 469-472, Jul 1985.
[45] C. K. Chan and L. M. Cheng, “Cryptanalysis of a remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 46, pp. 992-993, Nov 2000.
[46] C. C. Chang and K. F. Hwang, “Some forgery attacks on a remote user authentication scheme using smart cards," Informatica, vol. 14, no. 3, pp. 289-294, 2003.
[47] H. Yeh, H. Sun, and B. Hsieh, “Security of a remote user authentication scheme using smart cards," IEICE Transactions on Communications, vol. E87-B, no. 1, pp. 192-194, 2004.
[48] H. S. Hwang, C. C. Lee, and Y. L. Tang, “A simple remote user authentication scheme," Mathematical and Computer Modelling, vol. 36, no. 1-2, pp. 103-107, 2002.
[49] S. M. Yen and K. H. Liao, “Shared authentication token secure against replay and weak key attacks," Inf. Process. Lett., vol. 62, no. 2, pp. 77-80, 1997.
[50] D. McElroy and E. Turban, “Using smart cards in electronic commerce," International Journal of Information Management, vol. 18, pp. 61-72, Feb 1998.
[51] H. M. Sun, “An efficient remote use authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 46, pp. 958-961, Nov 2000.
[52] H. Y. Chien, J. K. Jan, and Y. M. Tseng, “An efficient and practical solution to remote authentication: Smart card," Computers and Security, vol. 21, pp. 372-375, Aug 2002.
[53] S. T. Wu and B. C. Chieu, “A user friendly remote authentication scheme with smart cards," Computers and Security, vol. 22, no. 6, pp. 547-550, 2003.
[54] C. L. Hsu, “Security of chien et al.'s remote user authentication scheme using smart," Computer Standards and Interfaces, vol. 26, pp. 167-169, May 2004.
[55] W. C. Ku and S. M. Chen, “Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204-207, 2004.
[56] H. T. Yeh, “Improvement of an efficient and practical solution to remote authentication : Smart card," IEICE transactions on communications, vol. 89, no. 1, pp. 210-211, 2006.
[57] E. J. Yoon, E. K. Ryu, and K. Y. Yoo, “Further improvement of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, vol. 50, pp. 612-614, May 2004.
[58] X. M. Wang, W. F. Zhang, J. S. Zhang, and M. K. Khan, “Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards," Computer Standards and Interfaces, vol. 29, no. 5, pp. 507-512, 2007.
[59] H. T. Liaw, J. F. Lin, and W. C. Wu, “An efficient and complete remote user authentication scheme using smart cards," Mathematical and Computer Modelling, vol. 44, pp. 223-228, Jul 2006.
[60] W. G. Shieh and W. B. Horng, “An improvement of liaw-lin-wu's efficient and complete remote mutual authentication with smart cards," WSEAS Transactions on Information Science and Applications, vol. 4, no. 6, pp. 1200-1205, 2007.
[61] I. E. Liao, C. C. Lee, and M. S. Hwang, “A password authentication scheme over insecure networks," Journal of Computer and System Sciences, vol. 72, no. 4, pp.27-740, 2006.
[62] C. C. Chang, H. C. Tsai, and Y. H. Chen, “An enhanced password authentication scheme providing password updating without smart cards," in International Conference on Multimedia and Ubiquitous Engineering, vol. 1, pp. 1210-1215, April 2007.
[63] T. Xiang, K. W. Wong, and X. F. Liao, “Cryptanalysis of a password authentication scheme over insecure networks," Journal of Computer and System Sciences, vol. 74, no. 5, pp. 657-661, 2008.
[64] T. H. Chen and W. B. Lee, “A new method for using hash functions to solve remote user authentication," Comput. Electr. Eng., vol. 34, no. 1, pp. 53-62, 2008.
[65] W. Diffie, P. C. van Oorschot, and M. J. Wiener, “Authentication and authenticated key exchanges," Designs Codes and Cryptography, vol. 2, no. 2, pp. 107-125, 1992.
[66] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis," in Advances in Cryptology - CRYPTO 99, Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999.
[67] T. S. Messerges, E. A. Dabbish, R. H. Sloan, and S. Member, “Examining smart-card security under the threat of power analysis attacks," IEEE Transactions on Computers, vol. 51, pp. 541-552, 2002.
[68] W. S. Juang, “Efficient password authenticated key agreement using smart cards," Computers and Security, vol. 23, no. 2, pp. 167-173, 2004.
[69] W. G. Shieh and J. M. Wang, “Efficient remote mutual authentication and key agreement," Computers and Security, vol. 25, no. 1, pp. 72-77, 2006.
[70] C. I. Fan, Y. C. Chan, and Z. K. Zhang, “Robust remote authentication scheme with smart cards," Computers and Security, vol. 24, no. 8, pp. 619-628, 2005.
[71] S. J. Wang and J. F. Chang, “Smart card based secure password authentication scheme," Computers and Security, vol. 15, no. 3, pp. 231-237, 1996.
[72] K. Tan and H. Zhu, “Remote password authentication scheme based on cross-product," Computer Communications, vol. 22, pp. 390-393, Mar 1999.
[73] C. C. Lee, M. S. Hwang, and W. P. Yang, “A flexible remote user authentication scheme using smart cards," Operating systems review, vol. 36, no. 3, pp. 46-52, 2002.
[74] S. J.Wang, “Yet another log-in authentication using n-dimensional construction based on circle property," IEEE Transactions on Consumer Electronics, vol. 49, pp. 337-341, May 2003.
[75] C. W. Lin, J. J. Shen, and M. S. Hwang, “Security enhancement for optimal strong-password authentication protocol," SIGOPS Oper. Syst. Rev., vol. 37, no. 3, pp. 12-16, 2003.
[76] H. S. Rhee, J. O. Kwon, and D. H. Lee, “A remote user authentication scheme without using smart cards," Computer Standards and Interfaces, vol. 31, no. 1, pp. 6-13, 2009.
[77] W. S. Juang, S. T. Chen, and H. T. Liaw, “Robust and efficient password-authenticated key agreement using smart cards," IEEE Transactions on Industrial Electronics, vol. 55, pp. 2551-2556, June 2008.
[78] M. Das, A. Saxena, and V. Gulati, “A dynamic id-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, vol. 50, pp. 629-631, May 2004.
[79] A. K. Awasthi and S. Lal, “Security analysis of a dynamic id-based remote user authentication scheme," http://eprint.iacr.org/2004/238.pdf.
[80] W. C. Ku and S. T. Chang, “Impersonation attack on a dynamic id-based remote user authentication scheme using smart cards," IEICE Transactions on Communications, vol. E88, no. 5, pp. 2165-2167, 2005.
[81] H. Y. Chien and C. H. Chen, “A remote authentication scheme preserving user anonymity," in Proceedings of the 19th International Conference on Advanced Information Networking and Applications, pp. 245-248, IEEE Computer Society, 2005.
[82] I. E. Liao, C. C. Lee, and M. S. Hwang, “Security enhancement for a dynamic id-based remote user authentication scheme," in Proceedings of the International Conference on Next Generation Web Services Practices, p. 437, IEEE Computer Society, 2005.
[83] Z. Chai, Z. Cao, and R. Lu, “Efficient password-based authentication and key exchange scheme preserving user privacy," in Wireless Algorithms, Systems, and Applications, vol. 4138 of Lecture Notes in Computer Science, pp. 467-477, Springer Berlin / Heidelberg, 2006.
[84] L. L. Hu, Y. X. Yang, and X. X. Niu, “Improved remote user authentication scheme preserving user anonymity," in Proceedings of the Fifth Annual Conference on Communication Networks and Services Research, pp. 323-328, IEEE Computer Society, 2007.
[85] Z. Gao and Y. Tu, “An improvement of dynamic id-based remote user authentication scheme with smart cards," in 7th World Congress on Intelligent Control and Automation, pp. 4562-4567, June 2008.
[86] S. Kim, H. S. Rhee, J. Y. Chun, and D. H. Lee, “Anonymous and traceable authentication scheme using smart cards," in Proceedings of the 2008 International Conference on Information Security and Assurance, pp. 162-165, IEEE Computer Society, 2008.
[87] W. G. Shieh and W. B. Horng, “Efficient and complete remote authentication scheme with smart cards," in IEEE International Conference on Intelligence and Security Informatics, pp. 122-127, June 2008.
[88] Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, “A more efficient and secure dynamic id-based remote user authentication scheme," Computer Communications, vol. 32, pp. 583-585, Mar 2009.
[89] G. Yang, D. S. Wong, H. Wang, and X. Deng, “Two-factor mutual authentication based on smart cards and passwords," Journal of Computer and System Sciences, vol. 74, no. 7, pp. 1160-1172, 2008.

指導教授

顏嵩銘(Sung-ming Yen)

審核日期

2010-1-16

推文