| Summary: | 碩士 === 國立臺灣科技大學 === 資訊管理系 === 99 === With the development of Internet and World Wide Web, more and more people access digital information, use services and finish business transaction via Internet. However, there are more and more security information issues, such as Internet fraud, transaction data leakage and private information exposure. Therefore, user authentication mechanism indeed is the keystone for developing electronic transaction.
In 1981, Lamport first proposed a remote user authentication mechanism with a password table and claimed that the proposed mechanism is still secure even though an attacker intercepts the communications between a user and a remote system. In 2009, Wang et al. proposed a dynamic ID-based remote user authentication scheme without any verification table which provides user anonymity and resists stolen-verifier and DOS attacks. However, Khan et al. pointed out that Wang et al.’s scheme cannot achieve user anonymity. Further, Khan et al. proposed an improved scheme to overcome the mentioned weakness. However, we find that Khan et al’s scheme is insecure, because the remote server needs to maintain a verifier table for authenticating users. It results in stolen verifier and denial of service attacks. In this paper, we first propose a remote authentication mechanism that can improve Wang et al’s and Khan et al’s mechanism. The proposed mechanism achieves user anonymity, mutual authentication, and session key establishment and provides resistance to a replay attack, a denial of service attack, and a stolen verifier attack. Due to variety of electronic services, a user can only register with single account management center, and then the user can access different services. In this paper, we also propose a remote authentication mechanism for single sign-on. In the proposed mechanism, a user needs to register with a key distribution center. After verification for the user, the key distribution center will issue a smart card to the user, in which the smart card contains some information, such as authentication token. After that, the user can use the smart card to login to the remote server for accessing services or resources. The proposed mechanism can achieve user anonymity, mutual authentication, and session key establishment. It also supplies user single sign-on and resistance to a replay attack, a denial of service attack, and a stolen verifier attack.
|
|---|
