北京邮电大学学报

  • EI核心期刊

北京邮电大学学报 ›› 2010, Vol. 33 ›› Issue (6): 64-67.doi: 10.13190/jbupt.201006.64.fanyj

• 论文 • 上一篇    下一篇

适用于移动商务环境的口令认证密钥交换协议

范亚军,温巧燕,金正平   

  1. 北京邮电大学 网络与交换技术国家重点实验室, 北京 100876
  • 收稿日期:2010-03-31 修回日期:2010-06-23 出版日期:2010-12-28 发布日期:2011-01-07
  • 通讯作者: 范亚军 E-mail:bestfyj@163.com
  • 基金资助:

    国家自然科学基金项目(60873191, 60903152, 61003286, 60821001)

A PasswordBased Authenticated Key Exchange  Protocol for MobileCommerce Environments

  • Received:2010-03-31 Revised:2010-06-23 Online:2010-12-28 Published:2011-01-07
  • Contact: Fan Ya-Jun E-mail:bestfyj@163.com

摘要:

在移动商务环境下为了解决全自动区分计算机和人类的公开图灵测试(CAPTCHA)技术易被攻击而失效的问题,提出了适用于该环境的口令认证密钥交换协议.将认证密钥交换过程与CAPTCHA挑战/应答过程巧妙融合,在不增加协议通信轮数的条件下,通过对称加密方案保护CAPTCHA问题实例;采用适于移动终端的椭圆曲线公钥系统,基于智能卡的安全特性,提高了协议的效率和安全性;在随机预言机模型下,给出了安全性证明.与同类协议相比,新协议仅需3轮通信就能使CAPTCHA问题实例免受攻击,无须存储口令验证表,具备前向安全性.

关键词: 口令认证密钥交换, 全自动区分计算机和人类的公开图灵测试, 椭圆曲线公钥系统, 智能卡

Abstract:

For mobilecommerce environments, a novel passwordbased authenticated key exchange protocol is proposed to solve that the technology to effectively prevent legitimate users’ abuse, named as completely automatic public Turing test to tell computer and human apart (CAPTCHA), is vulnerable to analytical attacks. The protocol elaborately combines the CAPTCHA challenge/response progress with the authenticated key exchange interaction. It introduces symmetric encryption scheme to make CAPTCHA secure without additional communication rounds. And it is based on smartcards to obtain stronger security and adopts elliptic curve cryptosystem which is suitable for the environments. In random oracle model it is provably secure. Compared with the other related protocols, it requires only three communication rounds, protects CAPTCHA against analytical attacks, needs no validation tables storing on the server and provides perfect forward secrecy.

Key words: passwordbased authenticated key exchange, completely automatic public Turing test to tell computer and human apart, elliptic curve cryptosystem, smart card