国家自然科学基金(62072352, 62125205, 92167203, 62072359); 陕西省重点产业链项目(2020ZDLGY09-06)
当前基于用户名和口令的认证协议已难以满足日益增长的安全需求. 具体而言, 用户选择不同口令访问不同在线服务, 极大地增加了用户记忆负担; 此外, 口令认证安全性低, 面临许多已知攻击. 为了解决此类问题, 基于PS (Pointcheval-Sanders)签名提出一个以用户为中心的双因子认证密钥协商协议UC-2FAKA. 首先, 为防止认证因子泄露, 基于PS签名构造口令和生物特征双因子凭证, 并以零知识证明的方式向服务提供商(service provider, SP)验证身份; 其次, 采用以用户为中心的单点登录(single sign on, SSO)架构, 用户可以通过向身份提供商(identity provider, IDP)注册请求身份凭证来向不同的SP登录, 避免IDP和SP跟踪或链接用户; 再次, 采用Diffie-Hellman密钥交换认证SP身份并协商通信密钥, 保证后续的通信安全; 最后, 对所提出协议进行全面的安全性分析和性能对比, 结果表明所提出协议能够抵御各种已知攻击, 且所提出协议在通信开销和计算开销上表现更优.
The current authentication protocol based on username and password has been difficult to meet the increasing security requirements. Specifically, users choose different passwords to access different online services, which greatly increases the user’s memory burden. In addition, password authentication has low security and faces many known attacks. To solve such problems, this study proposes a user-centric two-factor authentication key agreement protocol UC-2FAKA based on the Pointcheval-Sanders signature. Firstly, to prevent the leakage of authentication factors, passwords, and biometric two-factor credentials are constructed based on the Pointcheval-Sanders signature. The identity is authenticated to the service provider (SP) in a zero-knowledge proof manner. Secondly, using a user-centric single sign-on (SSO) architecture, users can request identity credentials by registering with an identity provider (IDP) to log in different SPs to avoid IDP or SP tracking or linking users. Thirdly, the Diffie-Hellman key exchange is used to authenticate SP identities and negotiate communication keys to ensure subsequent communication security. Finally, comprehensive security analysis and performance comparison of the proposed protocol are carried out. The results show that the proposed protocol can resist various known attacks, and the proposed protocol performs better in communication overhead and computational overhead.