Netinfo Security (信息网络安全) ›› 2020, Vol. 20 ›› Issue (12): 91-97. doi: 10.3969/j.issn.1671-1122.2020.12.012

• Theoretical Research •

PUF-based Kerberos Extension Protocol with Formal Analysis

ZHANG Zheng 1,2, ZHA Daren 1, LIU Yanan 2, FANG Xuming 2

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2. School of Network Security, Jinling Institute of Technology, Nanjing 211169, China
  • Received: 2020-08-02 Online: 2020-12-10 Published: 2021-01-12
  • Corresponding author: ZHANG Zheng, E-mail: zhangzheng@jit.edu.cn
  • About the authors: ZHANG Zheng (born 1973), male, from Jiangsu, research fellow, bachelor's degree; main research interests: network security, cryptographic protocols, wireless communication security | ZHA Daren (born 1982), male, from Hebei, senior engineer, Ph.D.; main research interests: cryptographic engineering and applications, trusted computing and information security | LIU Yanan (born 1984), female, from Jiangsu, lecturer, Ph.D.; main research interests: IoT security, applied cryptography | FANG Xuming (born 1981), male, from Jiangsu, lecturer, Ph.D.; main research interests: wireless sensor networks
  • Funding:
    National Key R&D Program of China (2017YFB0802802); National Natural Science Foundation of China (61902163)


Abstract (translated from the Chinese version):

This paper proposes a Kerberos extension protocol based on the physical unclonable function (PUF). Building on the PUF challenge-response authentication mechanism, it uses PUF challenge-response pairs in place of the password or digital certificate of the standard Kerberos protocol, which resists password guessing and impersonation attacks. The advantages of the protocol are that it achieves mutual authentication between the authentication server and the device, that the device need not pre-store any password or key, and that it lowers both the storage overhead and the risk of password or key disclosure. The paper gives a formal analysis based on BAN logic to prove the security of the protocol, and a comparison with other protocols shows that it resists threats such as physical cloning and modeling attacks.

Keywords (translated from the Chinese version): physical unclonable function, Kerberos, authentication, key distribution, BAN logic

Abstract:

This paper proposes an extended Kerberos protocol based on the physical unclonable function (PUF). On the basis of the challenge-response authentication mechanism, this paper employs PUF challenge-response pairs to substitute for the password or the certificate in the standard Kerberos protocol, so as to resist password guessing and impersonation attacks. The advantages of this extended protocol lie in the following aspects: it provides mutual authentication between the authentication server and the device, and the device needs no pre-distributed password or key, which reduces the storage overhead and the risk of password or key disclosure. A formal analysis based on BAN logic and a comparison with other protocols are both given to establish the security of the PUF-based extended protocol.

Key words: physical unclonable function, Kerberos, authentication, key distribution, BAN logic
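As an added example that is not the paper's code, the following Python models the mechanism the abstract describes: challenge-response pairs (CRPs) collected from the device's PUF at enrolment are held by the authentication server and stand in for the password-derived key of the Kerberos AS exchange, giving mutual authentication while the device stores no password or key. The PUF stand-in (a keyed hash over a constructed "silicon" secret), the message layout, the nonces and the KDF are assumptions of this example, not the paper's protocol.

```python
import hashlib
import hmac
import os

def make_puf(silicon: bytes):
    """Stand-in for a silicon PUF (assumption of this example): a keyed hash over the
    challenge. A real PUF derives its response from manufacturing variation, not a key."""
    return lambda challenge: hmac.new(silicon, challenge, hashlib.sha256).digest()

def session_key(response: bytes) -> bytes:
    # The PUF response takes the role the password-derived key plays in AS-REQ/AS-REP.
    return hashlib.sha256(b"puf-kerberos-kdf|" + response).digest()

def tag(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"|" + b"|".join(parts), hashlib.sha256).digest()

class Device:
    """Client side: owns a PUF and stores no password, key or CRP table."""
    def __init__(self, name: str, puf):
        self.name, self.puf = name, puf
    def answer(self, challenge: bytes, n_as: bytes):
        self.key = session_key(self.puf(challenge))   # derived for this exchange only
        self.n_dev = os.urandom(16)
        return self.n_dev, tag(self.key, b"dev", n_as, self.n_dev)
    def check_server(self, server_tag: bytes) -> bool:
        return hmac.compare_digest(server_tag, tag(self.key, b"as", self.n_dev))

class AuthServer:
    """AS/KDC side: keeps the CRPs gathered at enrolment and uses each one once."""
    def __init__(self):
        self.crps, self.pending = {}, {}
    def enrol(self, device: Device, count: int = 4):
        # Trusted enrolment phase: the AS queries the PUF and records the pairs.
        self.crps[device.name] = [(c, device.puf(c)) for c in (os.urandom(16) for _ in range(count))]
    def challenge(self, name: str):
        chal, resp = self.crps[name].pop()           # single-use CRP: a replayed answer fails
        n_as = os.urandom(16)
        self.pending[name] = (session_key(resp), n_as)
        return chal, n_as
    def verify(self, name: str, n_dev: bytes, dev_tag: bytes):
        key, n_as = self.pending.pop(name)
        if not hmac.compare_digest(dev_tag, tag(key, b"dev", n_as, n_dev)):
            return None                               # impersonator or mismatched PUF rejected
        return tag(key, b"as", n_dev)                 # proves the AS holds the matching CRP

def authenticate(server: AuthServer, device: Device) -> bool:
    chal, n_as = server.challenge(device.name)
    n_dev, dev_tag = device.answer(chal, n_as)
    server_tag = server.verify(device.name, n_dev, dev_tag)
    return server_tag is not None and device.check_server(server_tag)
```

In a fuller model the AS would also return a ticket encrypted under the derived session key, which is the point at which the exchange rejoins the standard Kerberos flow.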

CLC number: