The rapid development of information and network technologies motivates the emergence of various new computing paradigms, such as distributed computing and edge computing. This also enables more and more network enterprises to provide multiple different services simultaneously. To ensure that these services can be conveniently accessed only by authorized users, many password and smart card-based authentication schemes for multi-server architectures have been proposed. In this paper, we review several dynamic ID-based password authentication schemes for multi-server environments. New attacks against four of these schemes are presented, demonstrating that an adversary can impersonate either legitimate or fictitious users. The impact of these attacks is the failure to achieve the main security requirement: authentication. Thus, the security of the analyzed schemes is proven to be compromised. We analyze these four dynamic ID-based schemes and discuss the reasons for the success of the new attacks. Additionally, we propose a new set of design guidelines to prevent such exploitable weaknesses in dynamic ID-based authentication protocols. Finally, we apply the proposed guidelines to the analyzed protocols and demonstrate that violation of these guidelines leads to insecure protocols.