
Multi-Factor Authentication Protocol Based On Halting Key Derivation Functions

Posted on: 2016-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: F Y Jin
GTID: 2348330488474181
Subject: Engineering

Abstract/Summary:
As one of the established identity authentication technologies, the user password plays an important role in both scientific computing and business. How to complete password authentication safely without degrading the user experience has drawn serious attention from researchers in cryptography and network security. Because passwords are easy to remember, convenient to use, and need no hardware support at this stage, building high-quality identity authentication on top of password authentication has become a mature and effective approach. The security of Password Authenticated Key Exchange depends entirely on the confidentiality of the user's password, so protecting the password is particularly important. But security problems in open environments have become increasingly prominent, and confirming identity with a password alone faces severe challenges. A user can be observed while entering a password, and when the password is typed on an infected computer, a Trojan will record the keyboard input. To make passwords easy to remember, users usually choose phone numbers, dates of birth, street numbers and other numbers, which gives poor security. Users also often use the same password on several different websites, which further leads to the collision attack.

This paper proposes a multi-factor authentication protocol scheme, based on the halting key derivation function, that can prevent the collision attack. It mainly addresses two problems: short user passwords in existing website login systems are vulnerable to brute force attack, and users who log in to different websites with the same password are vulnerable to the collision attack.

The main goal of the scheme is to convert the user's short password into a high-security login password in the registration phase, so that the same user's initial short password is mapped differently for different servers and the stored result differs from server to server. The core idea is as follows. The user generates the original master key from a short password with the halting key derivation function. The original master key is then processed twice, in combination with two random numbers that are associated with a bracelet and a mobile phone respectively, to generate the server storage password, which is stored on the server. In subsequent logins, the user combines the bracelet and the mobile phone to recover the original master key and the two different random numbers, and regenerates the corresponding server storage password. The user then performs interactive authentication with the target server using the server storage password. Compared with existing technology, the innovations of this scheme are as follows:

1. Users only need to remember a simple short password pwd and supply a different random number r to the halting key derivation function (HKDF), which generates different original master keys k and authentication strings v for different sites and so avoids the collision attack fundamentally. There is further assurance that the user's registered password pu is different for different sites: even if malicious servers collude, they cannot obtain the user's login passwords on other, safe websites by cracking the user's information. The server storage password ps is generated by the server using a random number y that differs between users, and different servers generate different random numbers y for the same user, which again avoids the collision attack.

2. The scheme carries out two multi-factor operations on the original master key k, which strengthens verification of the user's identity and effectively avoids the risk that a single password factor is easily stolen and used to impersonate the user. The scheme treats the convenient bracelet as another factor in addition to the phone factor and uses the bracelet to generate the server storage password ps for the final login, which is convenient for users to operate and widely applicable.

The theoretical analysis and experimental results show that the proposed scheme generates a different original master key for each website and protects the master key by salted hashing combined with multiple factors. Even when a server is attacked, it prevents the user's single password, once stolen, from being used against them on multiple websites. The scheme provides higher security strength at a low deployment cost, and balances practicality against protocol security to meet the requirements of complex authentication scenarios.
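The registration and login flow summarized above can be sketched as follows; this is an added example, not code from the thesis, and it shows why one short pwd yields unrelated stored values on different sites. The SHA-256 iteration, the HMAC mixing of the two device random numbers, the function names and the single record holding r, v, y and ps are all assumptions made for illustration, since the abstract does not specify them.

```python
import hashlib
import hmac
import os

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 (assumed primitive, not from the thesis).
    return hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()

def hkdf_prepare(pwd: bytes, r: bytes, t: int):
    """Registration: iterate t >= 1 times (t models when the user halts; never stored)."""
    z = _h(b"init", r, pwd)
    for _ in range(t):
        z = _h(b"step", r, z)
    return _h(b"key", z), _h(b"verify", z)  # (master key k, authentication string v)

def hkdf_extract(pwd: bytes, r: bytes, v: bytes, max_iter: int):
    """Login: iterate until the authentication string v matches, then output k."""
    z = _h(b"init", r, pwd)
    for _ in range(max_iter):
        z = _h(b"step", r, z)
        if hmac.compare_digest(_h(b"verify", z), v):
            return _h(b"key", z)
    return None  # demo cap; a halting KDF gives no stop signal for a wrong password

def registered_password(k: bytes, r_bracelet: bytes, r_phone: bytes) -> bytes:
    """Process k twice, once per device factor (HMAC chaining is an assumption)."""
    inner = hmac.new(r_bracelet, k, hashlib.sha256).digest()
    return hmac.new(r_phone, inner, hashlib.sha256).digest()  # pu

def server_storage_password(pu: bytes, y: bytes) -> bytes:
    return _h(b"store", y, pu)  # ps: salted hash with the server's random y

def register(pwd: bytes, r_bracelet: bytes, r_phone: bytes, t: int = 2000) -> dict:
    r, y = os.urandom(16), os.urandom(16)  # fresh per site
    k, v = hkdf_prepare(pwd, r, t)
    ps = server_storage_password(registered_password(k, r_bracelet, r_phone), y)
    return {"r": r, "v": v, "y": y, "ps": ps}

def login(pwd: bytes, rec: dict, r_bracelet: bytes, r_phone: bytes,
          max_iter: int = 5000) -> bool:
    k = hkdf_extract(pwd, rec["r"], rec["v"], max_iter)
    if k is None:
        return False
    ps = server_storage_password(registered_password(k, r_bracelet, r_phone), rec["y"])
    return hmac.compare_digest(ps, rec["ps"])

if __name__ == "__main__":
    rb, rp = os.urandom(16), os.urandom(16)  # constructed device random numbers
    site_a, site_b = register(b"1234", rb, rp), register(b"1234", rb, rp)
    print(site_a["ps"] != site_b["ps"], login(b"1234", site_a, rb, rp))
```
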
Keywords/Search Tags:Password Authentication, Brute Force Attack, Collision Attack, Key Derivation Functions, Multi-Factor