
Research And Implementation Of Mobile Dynamic Token Authentication System

Posted on: 2018-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: X Guo
GTID: 2348330512975672
Subject: Information security
Abstract/Summary:
With the advent of the mobile Internet era, more and more employees access their work through remote connections. Because of its security and ease of use, the one-time password (OTP) is widely adopted by enterprises in their remote access authentication solutions. Thanks to the popularity of smartphones, software-based mobile dynamic tokens are used in many scenarios. However, because the dynamic token resides in the operating system of the smart mobile terminal, its critical data faces many risks during storage and transmission, and the security of mobile dynamic tokens needs to be improved. At the same time, current mobile dynamic token authentication systems can only authenticate the identity of the access user and cannot authenticate the trustworthiness of the access device, which is a major problem for current mobile phone dynamic token authentication systems. To solve these problems, a new mobile dynamic token authentication system is designed and implemented. First, based on an analysis of the risks and threats to the mobile token authentication system, we design the system's high-level architecture around the ideas of secure cloud storage and remote attestation. We put forward a key deployment scheme based on limited-use keys, which effectively reduces the risk of password disclosure. Second, to address insecure storage in the mobile dynamic token app, this paper designs a mobile key management method based on PBKDF and a local secure repository based on white-box cryptography. Third, in response to the risks and threats in network transmission, we design a secure key provisioning protocol. The protocol uses HSTS and HPKP to ensure security at the transport layer, and the message layer is protected by channel binding. Fourth, to address the problem that the authentication system cannot authenticate the access device, an authentication protocol combining remote attestation and OTP authentication is designed. In this protocol, the access user's identity and the access device's trustworthiness can be assured at the same time during the authentication process. Finally, we implement the mobile dynamic token authentication system we designed, test the system, and carry out a security analysis. The results of the security analysis and system testing show that the system can effectively improve the security of the mobile token authentication system, addresses the shortcomings of existing authentication systems, and has good applicability and flexibility.
Keywords/Search Tags:One-time Password, Mobile Dynamic Token Authentication System, Remote Attestation, White-box Cryptography