• China Premium Science and Technology Journal
  • CCF Recommended Class A Chinese Journal
  • High-Quality Science and Technology Journal in Computing, Tier T1
Ke Yuhong, Lin Chao, Huang Xinyi, Wu Wei, Chen Yujie. An Efficient Passwordless Authentication Scheme Based on Blockchain[J]. Journal of Computer Research and Development, 2024, 61(10): 2514-2525. DOI: 10.7544/issn1000-1239.202440468

An Efficient Passwordless Authentication Scheme Based on Blockchain

Funds: This work was supported by the National Natural Science Foundation of China (U21A20466, 62032005, 62102089, 62272104).
  • Author Bio:

    Ke Yuhong: born in 2000. Master candidate. His main research interests include blockchain applications and identity authentication

    Lin Chao: born in 1991. PhD, professor. His main research interests include applied cryptography and blockchain technology

    Huang Xinyi: born in 1981. PhD, professor, PhD supervisor. His main research interests include applied cryptography and artificial intelligence

    Wu Wei: born in 1981. PhD, senior lecturer. Her main research interests include cryptography and information security

    Chen Yujie: born in 1990. Bachelor. Her main research interests include digital government network security and cryptography applications

  • Received Date: May 30, 2024
  • Revised Date: July 14, 2024
  • Available Online: September 13, 2024
Abstract: In the digital era, data have become a core asset for the functioning of society, and identity authentication credentials are among the most critical and sensitive data elements. Traditional password-based authentication requires servers to store credential information such as usernames and passwords, which poses a serious risk of data leakage. Passwordless authentication based on public-key cryptography replaces passwords with public-private key pairs: users sign the authentication challenge with their private keys, while servers store only public information such as public keys, so a server breach cannot expose users' private keys. However, existing passwordless authentication systems face challenges such as incompatibility across platforms, high latency in online authentication, and the difficulty of recovering private keys when devices are lost. Moreover, the transparency and auditability of these systems need improvement. To address these problems, we propose an efficient, multi-platform compatible, passwordless identity authentication scheme based on blockchain technology. The scheme combines FIDO2 passwordless authentication with blockchain, allowing users to generate and upload multiple account public keys to the blockchain network for public verification by service providers. Through optimizations such as offline account pre-registration, pre-computation of signatures, and on-chain data synchronization, the scheme achieves interoperability, low overhead, and scalability for large-scale user authentication. The scheme also incorporates an encrypted backup mechanism, enabling users to recover backup data with their stored encryption keys even if their devices are lost. Furthermore, the scheme leverages the immutable data storage provided by blockchain, allowing all participants to query the status of authentication authorizations, thus enhancing system transparency.
We comprehensively evaluate the security and performance of the proposed scheme. Theoretical analysis and experiments show that the proposed scheme reduces online computational overhead by 89.09% and communication overhead by 85.57% compared with similar schemes, while maintaining low-latency responses under high-load conditions.
