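With the rapid development of networking and communication technology, a person away from home who wants to use a network roaming service through a mobile device must be mutually authenticated through the home server that originally registered them and the foreign server. Once authentication succeeds, the user's mobile device can use the network roaming service provided by the foreign server. As information security requirements grow, authentication schemes for mobile devices must also be continually strengthened and improved to increase their security.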
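In 2015, Farash et al. pointed out that the authentication schemes proposed by Shin et al. and Wen et al. have many security flaws, and proposed an improved scheme. However, this study finds that Farash et al.'s scheme still cannot resist offline password guessing attacks following theft of the mobile device and leakage of messages, breaking of anonymity, or user and server impersonation attacks, and that it does not provide forward secrecy. Similarly, in 2016, Islam et al. pointed out that Lin et al.'s scheme cannot verify the user's password, so that an attacker can impersonate the user and compute the session key, and they proposed an improved authentication scheme likewise based on the Chebyshev polynomial from chaos theory (Chebyshev chaotic map). This study finds that Islam et al.'s scheme performs authentication only between the user and the home server, provides no foreign server or roaming communication service, and suffers from problems such as offline password guessing attacks arising from duplicate registration. This study therefore takes network roaming as its research direction, improves on Farash et al.'s scheme, and proposes a new authentication scheme. It analyzes the security of the new scheme and compares it with other schemes in security and performance, to show that our scheme effectively provides anonymity and is more secure.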
With the rapid development of communication technology, people use network services through mobile devices when traveling in other countries. However, a user must be verified by the local server in order to use the network service provided by the foreign server. Therefore, a secure authentication scheme for roaming with mobile devices becomes more important.
In 2015, Farash et al. pointed out that Shin et al.’s and Wen et al.’s schemes have several security flaws, and then proposed an enhanced scheme to fix the weaknesses. In 2016, Islam et al. showed that Lin et al.’s scheme is unable to check the password, so that an attacker could impersonate the user and the session key would be disclosed. Islam et al. also proposed a scheme based on the Chebyshev chaotic map. Their scheme has no foreign agent to provide the roaming service. Further, neither Farash et al.’s scheme nor Islam et al.’s scheme provides untraceability or resistance to offline password guessing and duplicate registration attacks.
In our study, we improve Farash et al.’s scheme and propose a new authentication scheme. Finally, we analyze our new scheme and prove that it is more secure than the others.