NETINFO SECURITY
2014, Issue 7, pp. 75-80 (6 pages)
Authors: Zhao Mingwei (赵铭伟), Yu Xiaochen (于晓晨), Xu Xirong (徐喜荣), Jiang Rong'an (江荣安)
Keywords: network security; CHAP; dynamic password; hash function; interference factor; mutual authentication
With the spread of computer technology and the rapid development of the Internet, computer networks have penetrated all aspects of social life. However, the global and open nature of the network fills the network environment with complexity and uncertainty and exposes it to a variety of attacks and impersonation. How to ensure computer network security has therefore become a pressing problem and a focus of concern for countries around the world. Identity authentication is an indispensable part of building secure network information systems, as well as the basis of information security. Currently, digital signature authentication and password authentication are the common identity authentication methods. Certificate-based digital signatures provide high security but require a complete certificate system to support them. As one of the earliest authentication technologies, password-based identity authentication has been widely developed and applied for its simplicity and practicality, and has become one of the most important branches of network security. Traditional static password authentication has obvious security weaknesses, and dynamic password technology came into existence to address them. A dynamic password is one that changes randomly every time. To improve the security of the login process, uncertain factors are added to the password so that the information transferred during each authentication is different. In light of the security vulnerabilities of static password authentication, and based on a thorough analysis of the advantages and disadvantages of the traditional CHAP dynamic password authentication scheme and a series of derivative schemes, this paper presents an improved CHAP dynamic password mutual authentication protocol that combines a secure hash function with the exclusive-OR operation and introduces an interference factor for protection.
The scheme is divided into three stages: user registration, login authentication and password change. Mutual authentication between server and client is achieved with a three-way handshake alone. Compared with other typical improved CHAP schemes, this scheme not only achieves mutual authentication between server and client in a network environment, but also has the advantages of high security, strong practicability and low cost. Performance and security testing proves that the scheme can effectively resist most traditional network attacks and can be used as an identity authentication protocol over most insecure network channels, particularly for small and medium-sized e-commerce websites, because of its low communication volume and high flexibility.