| 摘要: | 本研究針對學者Lin和Li, Liao, Kumari, Liang, Wu, and Khan等以行動裝置和動態式身分識別為基礎發表之金鑰交換認證機制進行探討,透過訊息內容竄改、資訊流分析和詳細的演算步驟,發現並揭露其認證機制之安全缺失,最後利用類似運算成本提出一個新的改良方案,以解決其漏洞並達成安全之需求。
改良後的新機制使用Diffie-Hellman金鑰交換演算法、安全雜湊函數、訊息認證碼等密碼學技術,修改前人之認證過程並巧妙的利用新的加密金鑰設計,使得本認證機制可以實現相互驗證、防止通訊內容被竄改、提供使用者匿名保護、對抗離線猜弱密碼攻擊、提供通訊內容保密及前推私密性之安全保護等安全性之加強。
In this research, we investigated the proposed two mobile dynamic ID authentication and key agreement schemes by Lin and by Li, Liao, Kumari, Liang, Wu, and Khan. We found and pointed out that these two schemes contain various security flaws and weaknesses. We demonstrated these security issues by using message content tampering, traffic analysis, and detailed algorithm steps. Therefore, we propose an improved mobile dynamic ID-based authentication scheme to solve these vulnerabilities with similar operation cost. The scheme also satisfies the feasible security requirements and features.
Our proposed scheme uses cryptography technique such as Diffie-Hellman key exchange, secure hash function, and message authentication code to improve Lin's scheme. We use an ingenious design of encryption key and procedure to accomplish mutual authentication, resist modification of message and offline password guessing attacks, and provide anonymity and forward secrecy. |
