An Efficient Passwordless Authentication Scheme Based on Blockchain

Abstract: In the digital era, data have become a core asset for the functioning of society, and identity authentication credentials are among the most critical and sensitive data elements. Traditional password-based authentication methods require servers to store credential information such as usernames and passwords, which poses a serious risk of data leakage. Passwordless authentication based on public-key cryptography replaces traditional passwords with public/private key pairs: users sign the authentication information with their private keys, while servers store only public information such as public keys, so a server breach cannot expose private keys. However, existing passwordless authentication systems face challenges such as lack of interoperability across multiple platforms, high latency in online authentication, and the difficulty of recovering private keys when devices are lost. Moreover, the transparency and auditability of these systems need improvement. To address these problems, we propose an efficient, multi-platform compatible, passwordless identity authentication scheme based on blockchain. The scheme combines FIDO2 passwordless authentication with blockchain, allowing users to generate multiple account public keys and upload them to the blockchain network, where service providers can verify them publicly. Through optimizations such as offline account pre-registration, pre-computation of signatures, and on-chain data synchronization, the scheme achieves interoperability, low overhead, and scalability to large user populations. The scheme also incorporates an encrypted backup mechanism, enabling users to recover backup data with a retained encryption key even if their devices are lost. Furthermore, the scheme leverages the immutable data storage provided by blockchain, allowing all participants to query the status of authentication authorizations and thus enhancing system transparency. Finally, we comprehensively evaluate the security and performance of the proposed scheme. Theoretical analysis and experimental results show that the proposed scheme reduces online computational overhead by 89.09% and communication overhead by 85.57% compared with similar schemes, while maintaining low-latency authentication responses under high-load conditions.
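The core mechanism the abstract describes is a public-key challenge-response in which the verifier holds only public keys, plus an encrypted backup of the private key under a user-held key. The Go program below is an added illustration written for this page; it is not the paper's code and does not model the paper's FIDO2 integration, pre-registration or signature pre-computation. It assumes Ed25519 signatures, an in-memory hash-chained registry (`Registry`) as a stand-in for the on-chain public key store, and AES-256-GCM for the backup; all names, the relying-party identifiers and the key material are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one record on the simulated ledger: an account's public key,
// hash-chained to the previous entry so any later rewrite is detectable.
type Entry struct {
	Account  string
	Pub      ed25519.PublicKey
	PrevHash [32]byte
	Hash     [32]byte
}

// Registry stands in for the on-chain public key store (constructed here, not the paper's contract).
type Registry struct {
	entries []Entry
	index   map[string]int
}

func NewRegistry() *Registry { return &Registry{index: map[string]int{}} }

func entryHash(account string, pub ed25519.PublicKey, prev [32]byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(account))
	h.Write(pub)
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Register appends an account's public key; no private material ever reaches the registry.
func (r *Registry) Register(account string, pub ed25519.PublicKey) error {
	if _, dup := r.index[account]; dup {
		return errors.New("account already registered")
	}
	var prev [32]byte
	if n := len(r.entries); n > 0 {
		prev = r.entries[n-1].Hash
	}
	e := Entry{Account: account, Pub: pub, PrevHash: prev, Hash: entryHash(account, pub, prev)}
	r.index[account] = len(r.entries)
	r.entries = append(r.entries, e)
	return nil
}

func (r *Registry) Lookup(account string) (ed25519.PublicKey, bool) {
	i, ok := r.index[account]
	if !ok {
		return nil, false
	}
	return r.entries[i].Pub, true
}

// VerifyChain recomputes every hash; any altered entry breaks the chain.
func (r *Registry) VerifyChain() bool {
	var prev [32]byte
	for _, e := range r.entries {
		if e.PrevHash != prev || e.Hash != entryHash(e.Account, e.Pub, prev) {
			return false
		}
		prev = e.Hash
	}
	return true
}

// authMessage binds the signature to the account, the relying party and a fresh nonce,
// so a signature captured for one service or session is useless elsewhere.
func authMessage(account, relyingParty string, nonce []byte) []byte {
	return []byte(account + "|" + relyingParty + "|" + hex.EncodeToString(nonce))
}

// NewChallenge is the relying party's per-login random nonce.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge is the client side: the private key never leaves the device.
func SignChallenge(priv ed25519.PrivateKey, account, relyingParty string, nonce []byte) []byte {
	return ed25519.Sign(priv, authMessage(account, relyingParty, nonce))
}

// VerifyChallenge is the relying party side: it needs only the registry's public key.
func (r *Registry) VerifyChallenge(account, relyingParty string, nonce, sig []byte) bool {
	pub, ok := r.Lookup(account)
	if !ok {
		return false
	}
	return ed25519.Verify(pub, authMessage(account, relyingParty, nonce), sig)
}

// EncryptBackup seals the private key under a 32-byte user-held backup key (AES-256-GCM);
// the GCM nonce is prefixed to the ciphertext.
func EncryptBackup(backupKey []byte, priv ed25519.PrivateKey) ([]byte, error) {
	block, err := aes.NewCipher(backupKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, priv, nil), nil
}

// RestoreBackup recovers the private key on a new device; a wrong key or tampered blob fails authentication.
func RestoreBackup(backupKey, blob []byte) (ed25519.PrivateKey, error) {
	block, err := aes.NewCipher(backupKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	if len(pt) != ed25519.PrivateKeySize {
		return nil, errors.New("unexpected key length in backup")
	}
	return ed25519.PrivateKey(pt), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	_ = reg.Register("alice", pub) // constructed account name
	nonce, _ := NewChallenge()
	sig := SignChallenge(priv, "alice", "shop.example", nonce)
	fmt.Println("login accepted:", reg.VerifyChallenge("alice", "shop.example", nonce, sig))
	fmt.Println("replay at other service:", reg.VerifyChallenge("alice", "bank.example", nonce, sig))
	backupKey := make([]byte, 32)
	_, _ = rand.Read(backupKey)
	blob, _ := EncryptBackup(backupKey, priv)
	restored, err := RestoreBackup(backupKey, blob)
	fmt.Println("restore ok:", err == nil && restored.Equal(priv))
}
```

The message signed includes the relying-party identifier as well as the nonce, which is what prevents a signature produced for one service from being accepted by another; in a deployed scheme this is the same role FIDO2's relying-party ID and challenge play. The backup key is the user's responsibility to retain, exactly as the abstract states: whoever holds it can decrypt the backup, so it should never be stored beside the backup blob.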
