
An Improved CHAP Scheme

赵铭伟, 于晓晨, 徐喜荣, 江荣安

  • Funding:
    National Natural Science Foundation of China (61170303)

An Improved Scheme of CHAP

ZHAO Ming-wei, YU Xiao-chen, XU Xi-rong, JIANG Rong-an

  • About author: Faculty of Electronic Information and Electrical Engineering, Dalian University of Technology, Dalian, Liaoning 116023

Abstract (translated from the Chinese): The spread of computers and the rapid development of Internet technology have made computer networks permeate every aspect of social life. However, the global and open nature of networks makes the network environment full of complexity and uncertainty, and insecure factors such as various network attacks and impersonation pervade the whole network. Therefore, how to ensure the security of online business is the main problem currently faced, and computer network security has become a focus of common concern for countries around the world. Identity authentication technology is an indispensable component in building the security foundation of modern network information systems and is the basis of information security. At present, the commonly used identity authentication methods are certificate-based digital signature authentication and password-based authentication. Certificate-based digital signature authentication offers high security but requires a complete certificate system as its foundation. Password-based identity authentication, as one of the earliest identity authentication technologies, has been widely applied and developed for its simplicity and practicality and has become an important branch of network security. However, traditional static password authentication has obvious security flaws; dynamic password authentication was proposed to address these security risks. A dynamic password is a password that changes randomly: an uncertain factor is added to the password as a dynamic factor to improve the security of the login process. Based on an in-depth analysis of the advantages and shortcomings of the traditional CHAP dynamic password authentication scheme and a series of its derivative schemes, this paper combines a secure hash function with the XOR operation, introduces an interference factor that protects the authentication information, and designs and implements an improved CHAP one-time-password mutual authentication protocol. The scheme consists of three stages: user registration, login authentication and password change. Mutual authentication between client and server is achieved with only a three-message handshake between the two parties. Compared with several other typical improved CHAP schemes, this scheme not only achieves mutual authentication between the communicating parties but also features low communication overhead, high flexibility, strong security and low cost. Security and performance testing of the whole scheme shows that it can effectively resist most typical network attacks and can serve as an identity authentication protocol over most insecure network channels; it is especially suitable for identity authentication on small and medium-sized e-commerce websites.

Abstract: With the spread of computer technology and the rapid development of the Internet, computer networks have penetrated into all aspects of social life. However, because of its globalization and openness, the network environment is filled with complexity and uncertainty, which exposes it to a variety of attacks and impersonation. Therefore, how to ensure computer network security has become a problem and a focus of concern for every country. Identity authentication is an indispensable part of constructing network information system security, as well as the basis of information security. Currently, digital signature authentication and password authentication are the common identity authentication methods. Certificate-based digital signature authentication provides high security, but correspondingly requires a complete certificate system. As one of the earliest authentication technologies, password-based identity authentication has been widely developed and applied for its simplicity and practicality, and has become one of the most important branches of network security. Dynamic password technology came into existence as a replacement for traditional static password authentication with its obvious security weaknesses. It is a form of authentication in which the password changes randomly every time. In order to improve the safety of the login process, uncertain factors are added to the password so that the information transferred during the authentication process differs each time. In light of the security vulnerability of static password authentication, and based on a thorough analysis of the advantages and disadvantages of the traditional CHAP dynamic password authentication scheme and a series of derivative schemes, this paper presents an improved CHAP dynamic password mutual authentication protocol, which combines a secure hash function with the exclusive-or operation and at the same time introduces an interference factor to protect the authentication information.
This scheme is divided into three stages: user registration, login authentication and password change. Mutual authentication between server and client is achieved with only a three-way handshake. Compared with other typical improved CHAP schemes, this scheme not only achieves mutual authentication between server and client under the network environment, but also has the advantages of high safety, strong practicability, low cost, etc. Performance and security testing prove that the scheme can effectively resist most traditional network attacks, so it can be used as an identity authentication protocol in most insecure network channels, particularly on small and medium-sized e-commerce websites, because of its low communication overhead and high flexibility.
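To make the three-stage, three-message structure described above concrete, here is an illustrative mutual CHAP-style handshake that combines a hash with an XOR-masked interference factor. It is an added example, not the paper's own protocol: the message layout, the salted password verifier, SHA-256, the nonce sizes and the `b"server"`/`b"client"` labels are all assumptions.

```python
import hashlib, hmac, secrets

def H(*parts: bytes) -> bytes:
    """Secure hash over the concatenated parts (SHA-256 is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self):
        self.users = {}    # uid -> (salt, verifier), filled in the registration stage
        self.pending = {}  # uid -> (Nc, Ns, K) for one in-flight login
    def register(self, uid: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[uid] = (salt, H(salt, password.encode()))
    def challenge(self, uid: str, nc: bytes):
        """Message 2: fresh server nonce plus proof that the server knows the verifier."""
        salt, v = self.users[uid]
        ns = secrets.token_bytes(16)
        k = H(v, nc, ns)                    # keyed material bound to both nonces
        self.pending[uid] = (nc, ns, k)
        return salt, ns, H(k, b"server")
    def verify(self, uid: str, masked_r: bytes, proof: bytes) -> bool:
        """Message 3: unmask the client's interference factor r and check its proof."""
        nc, ns, k = self.pending.pop(uid)   # one-shot: a replayed message 3 finds no state
        r = xor(masked_r, k)
        return hmac.compare_digest(proof, H(k, r, b"client"))

class Client:
    def __init__(self, uid: str, password: str):
        self.uid, self.pw = uid, password.encode()
    def start(self):
        self.nc = secrets.token_bytes(16)   # message 1: identity plus a fresh client nonce
        return self.uid, self.nc
    def respond(self, salt: bytes, ns: bytes, server_proof: bytes):
        v = H(salt, self.pw)
        k = H(v, self.nc, ns)
        if not hmac.compare_digest(server_proof, H(k, b"server")):
            raise ValueError("server failed authentication")  # prove nothing to an impostor
        r = secrets.token_bytes(32)         # interference factor, never sent in the clear
        return xor(r, k), H(k, r, b"client")

def login(client: Client, server: Server) -> bool:
    """Run the three-message handshake; False if either side fails to authenticate."""
    uid, nc = client.start()
    salt, ns, sp = server.challenge(uid, nc)
    try:
        masked_r, proof = client.respond(salt, ns, sp)
    except ValueError:
        return False
    return server.verify(uid, masked_r, proof)
```

Because every proof is bound to both nonces and the client's proof also depends on a fresh masked factor, a recorded exchange cannot be replayed, and the client checks the server's proof before revealing anything of its own.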