| The rapid development and popularization of the Internet and its application services serve people's daily life conveniently.People increasingly rely on the Internet and information system to deal with problems in their daily lives and work.As the first security line of access control in an application service system,identity authentication has become an increasingly important issue.Mobile phones are widely used nowadays,which enables users to authenticate with the server with the help of mobile phones.However,existing schemes need to store the user's secret or ciphertext on the mobile phone,or assume a secure channel to transmit user's authentication credentials.Once the mobile phone is lost,adversaries may get the secret information on the phone,which will bring irreparable loss to the user.Aiming at the above problems,we propose an authentication scheme based on fingerprint and password which has no need to store secret in the mobile phone.Our scheme can effectively prevent the mobile phone from the dictionary attack.When the computer interacts with the mobile phone,the user's password will be blind,so that it can be protected from adversaries' attacks.The characteristics of the blind signature algorithm can ensure that the password is not known to the second party other than the user.So our scheme can protect the user's password,meanwhile,our scheme can effectively prevent session hijacking attacks.The main work of this paper is as follows:1)We analyze and study the existing mobile phone assistance authentication schemes,and summarize their common defects.Aiming at existing defects,we propose an authentication method which can avoid the storage of user's ciphertext on the mobile phone.2)We use and improve the HCR algorithm in our protocol.We use fingerprint combined with blind signature,so that we needn't assume the security channel between the mobile phone and the computer which increases the practicability of the scheme.3)Aiming at the defects of the algorithm's operation,we propose the other scheme based on RSA signature.In the other scheme,it needn't to operate a root of a number which may obtain the inaccurate results.4)We simulate the real scene and test our scheme in time and capacity of storage.The results show that the scheme has good performance and high availability.Theoretical analysis and experimental results show that our scheme reinforces the security of the user's secret.Meanwhile,our scheme can resist dictionary attacks,replay attacks and phishing attacks while reducing the storage pressure of the mobile phone along with easy deployment.At the end of this paper,we summarize our research and forecast our next step. |
PDF Full Text Request