高级检索
    安迪, 杨超, 姜奇, 马建峰. 一种新的基于指纹与移动端协助的口令认证方法[J]. 计算机研究与发展, 2016, 53(10): 2400-2411. DOI: 10.7544/issn1000-1239.2016.20160439
    引用本文: 安迪, 杨超, 姜奇, 马建峰. 一种新的基于指纹与移动端协助的口令认证方法[J]. 计算机研究与发展, 2016, 53(10): 2400-2411. DOI: 10.7544/issn1000-1239.2016.20160439
    An Di, Yang Chao, Jiang Qi, Ma Jianfeng. A New Password Authentication Method Based on Fingerprint and Mobile Phone Assistance[J]. Journal of Computer Research and Development, 2016, 53(10): 2400-2411. DOI: 10.7544/issn1000-1239.2016.20160439
    Citation: An Di, Yang Chao, Jiang Qi, Ma Jianfeng. A New Password Authentication Method Based on Fingerprint and Mobile Phone Assistance[J]. Journal of Computer Research and Development, 2016, 53(10): 2400-2411. DOI: 10.7544/issn1000-1239.2016.20160439

    一种新的基于指纹与移动端协助的口令认证方法

    A New Password Authentication Method Based on Fingerprint and Mobile Phone Assistance

    • 摘要: 智能手机和互联网应用的广泛普及,使用户可以借助手机结合口令与服务器认证.然而现有的方案需要在手机端存储用户的秘密信息.一旦存于手机的秘密信息被对手获得,将给用户带来不可挽回的损失.针对上述问题,提出了一种基于指纹和口令的认证方案,手机端无需存储秘密信息.其核心思想是,将密文存储在服务器端,用户登录时利用手机辅助其生成私钥,从而对注册阶段生成的密文解密生成认证密钥.生成私钥的过程需要输入口令和指纹,用户在电脑端输入口令后对口令进行盲化再与手机进行交互,这样就可以保护用户口令不被对手得到.理论分析及实验结果表明:该方案提高了用户秘密信息的安全性,可以抵御对手的字典攻击、重放攻击和钓鱼攻击,减少了手机的存储压力,易于部署.

       

      Abstract: Mobile phones and Internet applications are widely used nowadays,which enables users to authenticate with the server with the help of mobile phones. However,existing schemes need to store the user’s secret or ciphertext on the mobile phone. Once the mobile phone is lost, opponents may get the secret information on the phone, which will bring irreparable loss to the user. Aiming at the above problems, we propose a kind of authentication scheme based on fingerprint and password which has no need to store a secret in the mobile phone. The core idea is to store the encrypted text on the server side. When the user logs in, he uses his mobile phone to generate the private key which is used to decrypt the ciphertext generated during the registration phase. The user needs to enter his password and fingerprint at the private key generation process.When the computer interacts with the mobile phone, the user’s password will be blind so that it can be protected from adversaries’ attacks. Theoretical analysis and experimental results show that our scheme reinforces the security of the user’s secret. Meanwhile,our scheme can resist dictionary attacks,replay attacks and phishing attacks while reducing the storage pressure of the mobile phone along with easy deployment.

       

    /

    返回文章
    返回