
A New Password Authentication Method Based on Fingerprint and Mobile Phone Assistance (cited by: 8)
Abstract: Smartphones and Internet applications are now widely used, which lets users authenticate to a server with the help of a mobile phone. However, existing schemes need to store the user's secret or ciphertext on the mobile phone. Once the mobile phone is lost, adversaries may obtain the secret information on the phone, which brings irreparable loss to the user. To address these problems, we propose an authentication scheme based on fingerprint and password that does not need to store a secret on the mobile phone. The core idea is to store the ciphertext on the server side. When the user logs in, the mobile phone helps generate the private key, which is used to decrypt the ciphertext generated during the registration phase and so produce the authentication key. Generating the private key requires the user's password and fingerprint. The user enters the password on the computer, which blinds it before interacting with the mobile phone, so that the password is protected from adversaries. Theoretical analysis and experimental results show that the scheme improves the security of the user's secret information, resists dictionary attacks, replay attacks and phishing attacks, reduces the storage burden on the mobile phone, and is easy to deploy.
Authors: An Di; Yang Chao; Jiang Qi; Ma Jianfeng
Source: Journal of Computer Research and Development (indexed in EI, CSCD, Peking University Core), 2016, No. 10, pp. 2400-2411, 12 pages
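Funding: National Natural Science Foundation of China, Young Scientists Fund (61303219); National Natural Science Foundation of China, General Program (61672415)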
Keywords: password-based authentication; authentication based on terminal assistance; fingerprint authentication; password attack and protection; blind password based on fingerprint
