【作者】 崔建明；

【导师】 赖宗声；

【作者基本信息】 华东师范大学 ， 微电子学与固体电子学， 2013， 博士

【摘要】 作为个人身份证书安全有效的载体,智能卡,如金融IC卡、电信SIM卡、信用卡、电子政务和电子医保卡等,已经在全球范围内被普遍接受,正广泛应用于信息安全各个领域。随着计算机网络技术的发展,人们在非安全网络环境中通信,更易于造成信息泄漏及遭受各种通信上的攻击。身份认证作为整个信息安全体系的基础,越来越引起人们的高度重视。基于智能卡、口令和生物特征组合的多因素身份认证技术成为当前研究的热点。特别是以WiFi、3G/4G等代表的无线通信网络技术的发展,更需要高安全性、轻量级身份认证协议和更加适合协议的智能卡芯片技术支持。本文对关于智能卡在身份认证协议中的信息安全问题进行了广泛的调研；在此基础上,从设计三因素身份认证协议来增强身份认证抗攻击能力及其智能卡硬件进行了系统研究。取得的主要研究成果如下：1.针对前期的同类基于智能卡与口令的双因素身份认证协议中部分不足,提出了两点改进：即通过在注册阶段采用加密用户信息关键值的方法增强了抵抗离线密码猜测攻击能力；在登录阶段增强用户身份信息保密性的方法来增强抵抗用户匿名性攻击和用户模仿攻击的能力；并基于BAN逻辑对协议安全性进行了形式化证明；本协议既减轻通信量和计算量又达到更高的安全性,可适用于在线金融交易、无记名投票等应用场景中需要隐私保护的系统；2.提出了一种基于生物特征隐藏的智能卡和口令三因素注册登录方法,即对用户生物特征信息采取隐藏的方法以防止隐私泄露及增强抵抗明文攻击能力；采取特征点阈值比对解决了实际应用中因生物信息扰动带来的哈希散列值不匹配性；提出了一种注册中心不参与登录验证的三因素身份认证协议,通过对用户ID和密码的本地验证来抵抗DoS攻击;并基于BAN逻辑对协议安全性进行了形式化证明；可适用于企业局域网等注册中心与服务器相互信任的系统；3.提出了一种注册中心参与登录验证的三因素身份认证协议。服务器具有唯一的私有密钥,可有效抵抗服务器模仿服务器攻击。同时验证表不在服务器本地保存,增强了抵抗验证表被盗攻击、模仿用户攻击、窃听攻击以及密码猜测攻击等能力；通过用户、服务器和注册中心三方之间的相互验证,实现了可防止用户匿名攻击等多个安全目标；并基于BAN逻辑对协议安全性进行了形式化证明；可适用于金融支付等对安全要求高的系统；4.智能卡运算能力与存储空间均比较有限,与服务器相比其安全防护等级低,容易成为攻击对象,基于本文所提出的注册中心参与的三因素身份认证协议的硬件实现所需的速度、存储量等性能要求,提出了一款以开源32位RISC处理器为核心的芯片(原型)优化设计方案：采用开源32位RISC处理器OR1200,并裁剪了OR1200中本协议所不需要的MMU等单元；提出了一种基于哈希的随机数生成方法,并对哈希嵌套运算单元结构进行了改进,提高了读取效率。将身份认证协议程序写入ROM模块中,占用24976Byte存储量；5.针对所提出的注册中心参与的三因素身份认证协议和硬件设计方案,搭建了FPGA测试平台,对硬件方案进行了测试：测试结果表明所设计的SHA-3硬件加速模块计算速度是纯软件计算的2059倍；采用硬件加速模块后,相比于软件实现的系统,整体运行速度可提高23倍；模拟了本文提出的三因素身份认证协议所列出的攻击手段,在多服务器环境下进行了测试,其结果验证了该协议的高安全性和可实现性。更多还原

【Abstract】 As a safe and effective carrier of personal identity certificate, the smart card has been generally accepted worldwide, and it is widely used in various information security fields such as telecom SIM cards, financial IC cards, credit cards, e-government and e-health insurance cards. With the development of computer network technology, people communicate in a non-secure network environment, which is more liable to cause information leakage and subjected to all kinds of attacks on communications. As a foundation of the whole information security system, identity authentication has drawn increasing attention. Nowadays, based on smart cards, passwords and biometrics, multiple-factor identity authentication technology is becoming a research hotspot. In particular, with the development of WiFi and3G/4Q the representatives of wireless communication networks technology, there is a need to high security, lightweight authentication protocols and smart card chip technology applied in them. The paper conducts extensive research and in-depth research on information security issues of smart cards in identity authentication protocols. On this basis, the paper mainly researches two aspects:proposing three-factor authentication protocols to enhance anti-attack capability of authentication protocols; achieving hardware implementation by using smart card. The main results are as follows:1. For defects in previous similar two-factor authentication protocols based on smart card and password, the paper proposes two improvements:encrypting critical values of user’s information in registration phase to enhance the ability to resist offline password guessing attack; making user’s identity information more confidential in login phase to enhance the ability to resist user anonymity attack and masquerade attack as a legitimate user. Its security is proved with formal proof based on BAN logic. The protocol not only reduces the amount of communication and computation, but also achieves more security goals. The protocol is suitable for online financial transactions, secret ballot and other systems requiring privacy protection.2. A three-factor registration and login method based on hiding biometrics information, smart card and password is proposed. The paper adopts hiding biometric information to prevent privacy from disclosure and plaintext attack. Matching feature points to solve the mismatch of the biometrics caused by hash function in the practical application. The proposed three-factor identity authentication protocol doesn’t need involvement of registration center in verification, and it can resist DoS attack by local authentication of user ID and password. Its security is proved with formal proof based on BAN logic. The protocol applies to corporate LAN and other systems of mutual trust between the registration center and the server.3. A three-factor identity authentication protocol with involvement of registration center in verification is presented. The server has a unique private key, which can effectively resist impersonation attack as a legitimate server. There is no verifier-table in server, which enhances the capability to resist stolen verifier-attack, masquerade attack as a legitimate user, eavesdropping attack and password guessing attack and so on. The proposed protocol also can achieve user’s anonymity and many other security goals through mutual authentication among user, server and registration center. Its security is proved with formal proof based on BAN logic. The protocol can be applied to systems with high security requirements, such as financial system and so on.4. As the applicant of service and resources, smart card is limited to computing power and storage space. And it is easy to become the target of attack because of the low-level security. This paper designs a chip optimization program based on open-source32-bit RISC processor, in order to meet the demand of speed, storage capacity and other performance requirements in the proposed three-factor authentication protocol with the involvement of registration center. This paper crops OR1200by removing mmu which aren’t necessary when computing in our protocol. In addition, we propose a hash-based random number generation method, and improve the nested unit structure of hash operation to enhance the reading efficiency. Program of implementing protocol written to ROM takes24976Byte.5. For the proposed three-factor authentication protocol with involvement of registration center and its hardware design, the paper has simulated authentication protocols in multi-server environment and built FPGA test platform. Firstly, the paper has verified the security and the operability of the protocol, and then tested the designed hardware solution. Speed of hash computation by hardware is2059times of that by software, and system speed boosts23times when hardware acceleration module is added. The results show that test platform verified the safety and the operability of the protocol.更多还原