Computer Science ›› 2020, Vol. 47 ›› Issue (11): 42-47. doi: 10.11896/jsjkx.200500144
Special topic: Intelligent Mobile Identity Authentication
DONG Qi-ying (董奇颖), SHAN Xuan (单轩), JIA Chun-fu (贾春福)
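Abstract: Identity authentication is the first line of defense for the security of networks and information systems, and passwords are the most common authentication method. Existing research usually assumes that user-chosen passwords follow a uniform distribution. However, recent research shows that passwords follow a Zipf distribution, which means that most current password-related security protocols underestimate the attacker's advantage and cannot achieve the security they claim. To address this problem, this paper takes the Password-Based Signatures (PBS) protocol proposed by Gjøsteen et al. and the Password-Protected Secret Sharing (PPSS) protocol proposed by Jarecki et al. as typical representatives. Starting from the basic assumption that passwords follow a Zipf distribution, it analyzes the flaws in the security proofs of these two protocols and redefines their security. The paper also gives improvements to both protocols. For the PBS protocol, the attacker's advantage is recalculated, and by limiting the number of attacker guesses and entrusting a trusted third party with custody of the key, the improved PBS protocol can resist attacks in which a malicious attacker impersonates an ordinary user, as well as attacks in which a malicious server guesses the user's password and forges signatures. For the PPSS protocol, based on the idea of decoy passwords, a Honey_List is set up on the server side to detect and block online password guessing attacks.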
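The abstract's central argument, that assuming uniform passwords underestimates the attacker's advantage, worked as an added example (not code from the paper): it compares the success probability of Q online guesses under a uniform model and under a classic Zipf model p_r = C / r^s, and derives the guess limit that keeps the advantage below a bound. The password-space size `N`, the exponent `S` and the classic Zipf form itself are assumptions made for illustration.

```python
# Added illustration, not code from the paper. N, S and the classic Zipf form
# p_r = C / r^S are constructed assumptions chosen only for demonstration.
from itertools import accumulate

N = 100_000   # assumed size of the password space (constructed)
S = 0.9       # assumed Zipf exponent (constructed)


def zipf_probs(n: int, s: float) -> list[float]:
    """Probability of the rank-r password, r = 1..n, under p_r = C / r^s."""
    weights = [r ** -s for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def advantage_uniform(q: int, n: int) -> float:
    """Success probability of q online guesses if passwords were uniform."""
    return min(q, n) / n


def advantage_zipf(q: int, probs: list[float]) -> float:
    """Success probability of q guesses made in decreasing-popularity order."""
    return sum(probs[:q])


def max_guesses_uniform(eps: float, n: int) -> int:
    """Largest guess limit keeping the uniform-model advantage <= eps."""
    return int(eps * n)


def max_guesses_zipf(eps: float, probs: list[float]) -> int:
    """Largest guess limit keeping the Zipf-model advantage <= eps."""
    allowed = 0
    for cumulative in accumulate(probs):
        if cumulative > eps:
            break
        allowed += 1
    return allowed


if __name__ == "__main__":
    probs = zipf_probs(N, S)
    for q in (1, 10, 100, 1000):
        print(q, advantage_uniform(q, N), round(advantage_zipf(q, probs), 5))
    for eps in (0.01, 0.1, 0.3):
        print(eps, max_guesses_uniform(eps, N), max_guesses_zipf(eps, probs))
```

With these assumed parameters a guess limit that looks safe under the uniform model leaves a far larger advantage under the Zipf model, which is why a protocol's guess limit has to be derived from the skewed distribution.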
[1] BONNEAU J, HERLEY C, VAN OORSCHOT P C, et al. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes [C]//2012 IEEE Symposium on Security and Privacy. IEEE, 2012: 553-567.
[2] GJØSTEEN K, THUEN Ø. Password-based signatures [C]//European Public Key Infrastructure Workshop. Springer, 2011: 17-33.
[3] JARECKI S, KIAYIAS A, KRAWCZYK H, et al. Highly-efficient and composable password-protected secret sharing (or: how to protect your bitcoin wallet online) [C]//2016 IEEE European Symposium on Security and Privacy (EuroS&P). 2016: 276-291.
[4] CASTELLUCCIA C, DÜRMUTH M, PERITO D. Adaptive Password-Strength Meters from Markov Models [C]//NDSS. 2012.
[5] SCHECHTER S, HERLEY C, MITZENMACHER M. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks [C]//Proceedings of the 5th USENIX Conference on Hot Topics in Security. USENIX Association, 2010: 1-8.
[6] NEWMAN M E J. Power laws, Pareto distributions and Zipf's law [J]. Contemporary Physics, 2005, 46(5): 323-351.
[7] WANG D, CHENG H, WANG P, et al. Zipf's law in passwords [J]. IEEE Transactions on Information Forensics and Security, 2017, 12(11): 2776-2791.
[8] KATZ J, OSTROVSKY R, YUNG M. Efficient and secure authenticated key exchange using weak passwords [J]. Journal of the ACM (JACM), 2009, 57(1): 1-39.
[9] BAGHERZANDI A, JARECKI S, SAXENA N, et al. Password-protected secret sharing [C]//Proceedings of the 18th ACM Conference on Computer and Communications Security. 2011: 433-444.
[10] JARECKI S, KIAYIAS A, KRAWCZYK H. Round-optimal password-protected secret sharing and T-PAKE in the password-only model [C]//International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2014: 233-253.
[11] WANG D, WANG P. On the implications of Zipf's law in passwords [C]//European Symposium on Research in Computer Security. Springer, 2016: 111-131.
[12] WANG D, WANG P. Two birds with one stone: Two-factor authentication with security beyond conventional bound [J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(4): 708-722.
[13] JUELS A, RIVEST R L. Honeywords: Making password-cracking detectable [C]//Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. 2013: 145-160.
[14] SHAMIR A. How to share a secret [J]. Communications of the ACM, 1979, 22(11): 612-613.