Research and Implementation of One-Time Password Authentication

Bibliographic Details
Main Authors: Chiang-Jiun Shie, 謝鉛俊
Other Authors: Chun-Li Lin
Format: Others
Language: zh-TW
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/66641148672866986409
Description
Summary: Master's === Shu-Te University === Department of Computer Science and Information Engineering === 94 === In the Internet environment, user authentication is very important: it lets a server keep out illegitimate users. Password-based schemes are the most commonly used method of authentication on the Internet. However, conventional password authentication schemes use a static password, so an attacker may impersonate a legitimate user through a replay or guessing attack. For this reason, user authentication systems based on OTP (One-Time Password) have been proposed. One-time password authentication systems change the verifier every time by sending the present verifier along with the next verifier. An attacker therefore cannot impersonate a legitimate user with a verifier that has already been used.

There are two kinds of password: weak and strong. A weak password, which users tend to choose because it is easy to remember, cannot resist guessing attacks. A strong password is well chosen, scrambled and hard to guess. Because a strong password is too hard to remember, it must be stored in a tamper-resistant hardware device such as a smart card.

In 1981, Lamport first proposed a one-time password method based on low-computation hash functions, but this method has problems. To solve these problems, many one-time password authentication methods have been proposed, such as S/KEY and CINON. Earlier one-time password methods did not force users to use strong passwords, so they are unable to resist brute-force and guessing attacks. Since then, many one-time password authentication methods using strong passwords have been proposed. These methods can resist brute-force and guessing attacks, but none of them can resist all well-known attacks, such as man-in-the-middle, impersonation and stolen-verifier attacks.

In this thesis, we will review one-time password methods. We then propose a secure, low-computation one-time password method that can resist all well-known attacks. Finally, we will implement this method with a smart card.