基于SM9算法的移动互联网身份认证方案研究

doi:10.3969/j.issn.1671-1122.2021.04.001

摘要/Abstract

摘要：

移动互联网单服务器环境下传统身份认证方案存在用户需要针对不同的服务器记忆相应的不同口令,以及传统认证方式中的口令泄漏等安全问题。为解决以上问题,文章提出一种移动互联网单服务器环境下基于SM9算法的身份认证方案。用户针对不同的应用系统,仅需记忆统一的标识和口令,即可在不同的应用系统中通过身份认证,从而获得应用服务和访问资源的权限。文章方案将SM9标识密码算法与口令隐藏相结合,采用一次一密的方式实现密文传输、双向认证,达到了更高的安全性和健壮性,并能减轻用户的记忆负担,给用户带来更好的应用体验。通过安全性分析,文章方案能抵抗重放攻击、仿冒攻击、智能设备丢失攻击等常见攻击。通过性能对比,文章方案比同类方案具有更强的鲁棒性、更高的安全性、更好的便捷性和更少的计算成本,在移动支付、非接触门禁等高安全性需求场景中有较大的应用价值。

关键词: SM9算法, 移动互联网, 单服务器环境, 身份认证

Abstract:

The traditional authentication scheme in the single-server environment of the mobile internet has security problems, such as users needing to memorize different passwords corresponding to different servers, password leakage in traditional authentication methods, and so on. In order to solve the problems described above, this paper proposes a single-server environment authentication scheme based on SM9 algorithm for mobile internet. For different application systems, users that only needed to memorize a unified identification and password could pass through authentication in different application systems and obtained application services and resources. The proposed scheme combined the SM9 algorithm and password hiding to realize ciphertext transmission and mutual authentication, achieved higher security and robustness with one-time key. At the same time, the proposed scheme could reduce the user’s memory burden and offer a better application experience. Through security analysis, the proposed scheme can provide resistance to replay attacks, counterfeiting attacks, smartphone loss attacks and other common attacks. Through performance comparison, the proposed scheme has stronger robustness, higher security, better convenience and less computation cost than other similar schemes, and has high application value in high security scenario, such as mobile payment and contactless access control.

Key words: SM9 algorithm, mobile internet, single-server environment, authentication

中图分类号:

TP309

张昱, 孙光民, 李煜. 基于SM9算法的移动互联网身份认证方案研究[J]. 信息网络安全, 2021, 21(4): 1-9.

ZHANG Yu, SUN Guangmin, LI Yu. Research on Mobile Internet Authentication Scheme Based on SM9 Algorithm[J]. Netinfo Security, 2021, 21(4): 1-9.

图/表 6

表1

图1

表2

表3

表4

表5

参考文献 31

[1]	SHI Sha. Research on the Key Technologies of Secure Authentication and Applications in the Mobile Internet[D]. Beijing: Beijing University of Posts and Telecommunications, 2012.
	石莎. 移动互联网络安全认证及安全应用中若干关键技术研究[D]. 北京:北京邮电大学, 2012.
[2]	LUO Junzhou, WU Wenjia, YANG Ming. Mobile Internet: Terminal Device, Networks and Service[J]. Chinese Journal of Computers, 2011,34(11):2029-2051. doi: 10.3724/SP.J.1016.2011.02029 URL
	罗军舟, 吴文甲, 杨明. 移动互联网:终端、网络与服务[J]. 计算机学报, 2011,34(11):2029-2051.
[3]	ZHAO Goufeng, SHAN Qing, XIAO Shasha, et al. Modeling Web Browsing on Mobile Internet[J]. Communications Letters IEEE, 2011,15(10):1081-1083. doi: 10.1109/LCOMM.2011.082011.111368 URL
[4]	LI Jun. Thoughts on Mobile Internet Security[J]. Network&Information, 2010,24(10):61.
	李钧. 移动互联网的安全之思[J]. 网络与信息, 2010,24(10):61.
[5]	LI Xiong. Research and Design on Identity Authentication Protocol for Multi-environments[D]. Beijing: Beijing University of Posts and Telecommunications, 2012.
	李雄. 多种环境下身份认证协议的研究与设计[D]. 北京:北京邮电大学, 2012.
[6]	LI Gang. Biometric Authentication: Sixth Token for Identity Authentication[J]. China Information Security, 2013,4(3):34-43.
	李刚. 生物识别: 身份认证的第六道“令牌”[J]. 中国信息安全, 2013,4(3):34-43.
[7]	YANG T C, LO N W, LIAW H T, et al. A Secure Smart Card Authentication and Authorization Framework Using in Multimedia Cloud[J]. Multimedia Tools and Applications, 2017,76(9):1715-1737.
[8]	KARUPPIAH M, PRADHAN A, KUMARI S, et al. Security on "Secure Remote Login Scheme with Password and Smart Card Update Facilities"[C]// ICMC. Third International Conference on Mathematics and Computing, January 17-21, 2017, Haldia, India. Singapore: Springer, 2017: 26-33.
[9]	SAE-BAE N, AHMED K, ISBISTER K, et al. Biometric-rich Gestures: A Novel Approach to Authentication on Multi-touch Devices[C]// SIGCHI. CHI '12: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, May 5-10, 2012, Austin, Texas, USA. New York: Association for Computing Machinery, 2012: 977-986.
[10]	SEO H, KIM E, KIM H K. A Novel Biometric Identification Based on a User’s Input Pattern Analysis for Intelligent Mobile Devices[J]. International Journal of Advanced Robotic Systems, 2012,2012(9):1-10.
[11]	JANAKIRAMAN R, ZHANG Sheng, SIM T, et al. Continuous Verification Using Multimodal Biometrics[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2007,29(4):687-700. doi: 10.1109/TPAMI.2007.1010 URL
[12]	LAMPORT L. Password Authentication with Insecure Communication[J]. Communications of the ACM, 1981,24(11):770-772. doi: 10.1145/358790.358797 URL
[13]	HWANG M S, LI L H. A New Remote User Authentication Scheme Using Smart Cards[J]. IEEE Transactions on Consumer Electronics, 2000,46(1):28-30. doi: 10.1109/30.826377 URL
[14]	CHIEN H Y, JAN J K, TSENG Y M. An Efficient and Practical Solution to Remote Authentication: Smart Card[J]. Computers & Security, 2002,21(4):372-375. doi: 10.1016/S0167-4048(02)00415-7 URL
[15]	LI Xiong, NIU Jianwei, MA Jian, et al. Cryptanalysis and Improvement of a Biometrics-based Remote User Authentication Scheme Using Smart Cards[J]. Journal of Network and Computer Applications, 2011,34(1):73-79. doi: 10.1016/j.jnca.2010.09.003 URL
[16]	HUANG X, XIANG Y, CHONKA A, et al. A Generic Framework for Three-factor Authentication: Preserving Security and Privacy in Distributed Systems[J]. Parallel and Distributed Systems, IEEE Transactions on, 2011,22(8):1390-1397. doi: 10.1109/TPDS.2010.206 URL
[17]	HALEVI S, KRAWCZYK H. Public-key Cryptography and Password Protocols[J]. ACM Transactions on Information and System Security (TISSEC), 1999,2(3):230-268. doi: 10.1145/322510.322514 URL
[18]	YANG Piyi, CAO Zhenfu, DONG Xiaolei. Fuzzy Identity Based Signature with Applications to Biometric Authentication[J]. Computers & Electrical Engineering, 2011,37(4):532-540.
[19]	NEEDHAM R M, SCHROEDER M D. Using Encryption for Authentication in Large Networks of Computers[J]. Communications of the ACM, 1978,21(12):993-999. doi: 10.1145/359657.359659 URL
[20]	FAN C I, LIN Yihui. Provably Secure Remote Truly Three Factor Authentication Scheme with Privacy Protection on Biometrics[J]. IEEE Transactions on Information Forensics and Security, 2009,4(4):933-945. doi: 10.1109/TIFS.2009.2031942 URL
[21]	LI C T, HWANG M S. An Efficient Biometrics-based Remote User Authentication Scheme Using Smart Cards[J]. Journal of Network and Computer Applications, 2010,33(1):1-5. doi: 10.1016/j.jnca.2009.08.001 URL
[22]	DAS A K. Analysis and Improvement on an Efficient Biometric-based Remote User Authentication Scheme Using Smart Cards[J]. IET Information Security, 2011,5(3):145-151. doi: 10.1049/iet-ifs.2010.0125 URL
[23]	LEE C C, HSU C W. A Secure Biometric-based Remote User Authentication with Key Agreement Scheme Using Extended Chaotic Maps[J]. Nonlinear Dynamics, 2013,71(1-2):201-211. doi: 10.1007/s11071-012-0652-3 URL
[24]	JIANG Qi, WEI Fushan, FU Shuai, et al. Robust Extended Chaotic Maps-based Three-factor Authentication Scheme Preserving Biometric Template Privacy[J]. Nonlinear Dynamics, 2016,83(4):2085-2101. doi: 10.1007/s11071-015-2467-5 URL
[25]	ALI R, PAL A K. A Secure and Robust Three-factor Based Authentication Scheme Using RSA Cryptosystem[J]. International Journal of Business Data Communications and Networking (IJBDCN), 2017,13(1):74-84.
[26]	ZHANG Min, ZHANG Jiashu, ZHANG Ying. Remote Three-factor Authentication Scheme Based on Fuzzy Extractors[J]. Security and Communication Networks, 2015,8(4):682-693. doi: 10.1002/sec.1016 URL
[27]	ARMANDO A, CARBONE R, COMPAGNA L, et al. An Authentication Flaw in Browser-based Single Sign-on Protocols: Impact and Remediations[J]. Computers & Security, 2013,33(4):41-58. doi: 10.1016/j.cose.2012.08.007 URL
[28]	ZHANG Fuyou, WANG Qiongxiao, SONG Li. Research on Unified Identity Authentication System Based on Biometrics[J]. Netinfo Security, 2019,19(9):86-90.
	张富友, 王琼霄, 宋利. 基于生物特征识别的统一身份认证系统研究[J]. 信息网络安全, 2019,19(9):86-90.
[29]	ZHANG Xiao, LIU Jiqiang. Multi-factor Authentication Protocol Based on Hardware Fingerprint and Biometrics[J]. Netinfo Security, 2020,20(8):9-15.
	张骁, 刘吉强. 基于硬件指纹和生物特征的多因素身份认证协议[J]. 信息网络安全, 2020,20(8):9-15.
[30]	CHANG H, CHOI E. User Authentication in Cloud Computing[C]// UCMA. Second International Conference on Ubiquitous Computing and Multimedia Applications, April 13-15, 2011, Daejeon, Korea. Heidelberg: Springer-Verlag, 2011: 338-342.
[31]	LEE CC. A Simple Key Agreement Scheme Based on Chaotic Maps for VSAT Satellite Communications[J]. International Journal of Satellite Communications and Networking, 2013,31(4):77-186. doi: 10.1002/sat.v31.2 URL

符号	所代表的意义
N	${{G}_{1}}$,${{G}_{2}}$,${{G}_{T}}$的阶,均为素数
${{P}_{1}}$	${{G}_{1}}$的生成元
${{P}_{2}}$	${{G}_{2}}$的生成元
KGC	服务器的密钥生成中心
$hid$	KGC选择并公开用一个字节表示的私钥生成函数识别符
RC	服务器的注册中心
$I{{D}_{S}}$	系统服务器的标识
${{P}_{pub}}$	系统服务器的主公钥
$s$	系统服务器的主私钥
$I{{D}_{A}}$	终端用户A自主选定的自身标识
${{Q}_{A}}$	终端用户A的公钥
${{d}_{A}}$	终端用户A的私钥（服务器密钥生成中心KGC生成）
$r$	用于加解密的随机数
$p{{w}_{A}}$	终端用户A的口令
${{R}_{A1}}$	终端用户A在首次注册时产生的随机数
${{R}_{Ai}}$	终端用户A在第i次注册（或认证）时产生的随机数
$H\cdot $	单向哈希运算
$t_{reg}^{A1}$	终端用户A首次注册的时间
$t_{reg}^{Ai}$	终端用户A第i次注册（或认证）的时间
$\Delta t$	有效时间间隔
${{D}_{A}}(M)$	使用用户A的私钥对消息M执行数字签名算法
${{E}_{A}}(M)$	使用用户A的公钥对消息M执行加密算法

用户身份标识	用户公钥	用户注册（或认证）随机数	用户注册（或认证）哈希值	用户注册（或认证）时间
$I{{D}_{A}}$	${{Q}_{A}}$	${{R}_{A1}}$	${{H}_{A}}={{H}_{1}}(p{{w}_{A}}\|\|{{R}_{\text{A1}}})$	$t_{reg}^{A1}$
$I{{D}_{B}}$	${{Q}_{B}}$	${{R}_{B1}}$	${{H}_{B}}={{H}_{1}}(p{{w}_{B}}\|\|{{R}_{\text{B1}}})$	$t_{reg}^{B1}$
$I{{D}_{C}}$	${{Q}_{C}}$	${{R}_{C1}}$	${{H}_{C}}={{H}_{1}}(p{{w}_{C}}\|\|{{R}_{\text{C1}}})$	$t_{reg}^{C1}$
…	…	…	…	…

安全问题	文献[20] 方案	文献[21] 方案	文献[22] 方案	文献[23] 方案	文献[26] 方案	本文方案
用户是否统一口令	No	No	No	No	No	Yes
用户身份伪造攻击	Yes	No	No	No	Yes	Yes
口令猜测攻击	Yes	No	No	No	Yes	Yes
特权攻击	Yes	No	No	Yes	Yes	Yes
会话密钥攻击	Yes	No	No	Yes	Yes	Yes
口令更改是否服务器参与	No	Yes	Yes	Yes	Yes	Yes

运算	执行时间	运算	执行时间
MD5哈希运算：${{T}_{H}}$	0.97	从特征${w}'$和P恢复出R：${{T}_{R\text{ep}}}$	180.97
DES对称加密：${{T}_{E}}$	16	IBC基于身份的签名：${{T}_{IBS}}$	23.866
DES对称解密：${{T}_{D}}$	16	IBC基于身份的签名验证：${{T}_{IBV}}$	5.872
切比雪夫映射：${{T}_{C}}$	0.97	SM9基于身份的签名：${{T}_{SM9S}}$	704.4
RSA非对称加密：${{T}_{PE}}$	4	SM9基于身份的验证：${{T}_{SM9V}}$	593.29
RSA非对称解密：${{T}_{PD}}$	15.6	SM9基于公钥的加密：${{T}_{SM9PE}}$	938.96
原始生物特征$w$中获得s：${{T}_{SS}}$	780	SM9基于公钥的解密：${{T}_{SM9PD}}$	938.96
从生物特征${w}'$恢复特征$w$：${{T}_{REC}}$	180	点乘运算：${{T}_{M}}$	2.226
从特征$w$中获得P和R：${{T}_{GEN}}$	780.97	双线性对：${{T}_{P}}$	5.811

方案	用户端（单位/ms）	服务器端（单位/ms）
文献[20]方案	$2{{T}_{E}}+{{T}_{D}}+{{T}_{X}}+{{T}_{\operatorname{Re}c}}+{{T}_{PE}}$=232	${{T}_{E}}+{{T}_{PD}}+2{{T}_{D}}$=63.6
文献[21]方案	$3{{T}_{H}}+3{{T}_{X}}$=2.91	$2{{T}_{H}}+2{{T}_{X}}$=1.94
文献[22]方案	$4{{T}_{X}}+5{{T}_{H}}$=4.85	$4{{T}_{X}}+8{{T}_{H}}$=7.76
文献[23]方案	$5{{T}_{X}}+10{{T}_{H}}+3{{T}_{C}}$=12.61	$3{{T}_{X}}+7{{T}_{H}}+3{{T}_{C}}$=9.7
文献[26]方案	$8{{T}_{X}}+3{{T}_{H}}+{{T}_{SS}}+{{T}_{\operatorname{Re}c}}+{{T}_{Gen}}+{{T}_{R\text{e}\text{p}}}$= 2541	$4{{T}_{X}}+6{{T}_{H}}$=5.82
本文方案	$2{{T}_{X}}+{{T}_{H}}+{{T}_{SM9S}}+{{T}_{SM9PE}}$= 1644.3	${{T}_{SM9PD}}+{{T}_{SM9V}}+{{T}_{H}}$= 1533.2