Research On Three-factor Authentication And Key Agreement Protocol In Multi-server Environment

Posted on: 2021-05-05; Degree: Master; Type: Thesis
Country: China; Candidate: X C Liu
GTID: 2428330611979845; Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer and communication technology, Internet applications have become increasingly popular in people's life and work. Electronic payment, Internet finance, the Internet of Things industry and various network information services have gradually affected all aspects of people's daily life. At the same time, information security issues are becoming increasingly obvious. As the first barrier protecting network information security, identity authentication plays a role that cannot be ignored in providing users with a secure communication environment. Traditional identity authentication is based on password and smart card. However, a smart card is easily stolen or lost, and a user's password can easily be guessed by an attacker using a password dictionary. Therefore, authentication and key agreement protocols based on smart card and password are not secure. Biometric technology brings new opportunities for identity authentication. Biological characteristics are unique, not easy to lose, not easy to copy, not easy to forge or distribute, and not easy to guess or destroy. Therefore, research on three-factor authentication and key agreement protocols in the multi-server environment is of great significance for establishing a secure network communication environment. The specific research work is as follows:

(1) Analyze the theoretical basics of authentication and key agreement protocols. First, the cryptographic theory used in protocol design is introduced, mainly including the one-way hash function, the discrete logarithm over a finite field, the elliptic curve cryptosystem, the RSA public key cryptosystem and chaotic mapping. Second, the content related to protocol analysis and design is studied: the basic principles of protocol design are summarized, the types of attacks to which protocols are vulnerable are summarized, and the main method of formal protocol analysis, BAN logic analysis, is introduced. Finally, the fuzzy extractor used for biometric extraction in the three-factor authentication and key agreement protocol is introduced.

(2) Analyze anonymous authentication and key agreement protocols in the multi-server environment. Cryptanalysis of the two-factor authentication and key agreement protocol based on smart card and password proposed by Wei et al. found that the protocol not only cannot resist Denial of Service attack, user impersonation attack, and off-line password guessing attack, but also cannot verify the password in time and cannot achieve user anonymity. In the system, once an attacker has cracked the server and stolen the user's smart card, they can use the information in the server and smart card to launch user impersonation attack and off-line password guessing attack. To remedy these attacks, an improved biometric-based three-factor authentication and key agreement protocol is proposed. In the improved protocol, biometric and password are combined for authentication, which avoids off-line password guessing attack. At the same time, the anonymity of the user is achieved by setting a dynamic identity. After security analysis, BAN logic analysis and performance comparison, it is proved that the improved protocol can resist various security threats, has lower computational cost, and has better practicality.

(3) Analyze the three-factor authentication and key agreement protocols based on public key cryptography. Cryptanalysis of the protocol proposed by Wang et al. found that this protocol not only cannot withstand session key disclosure, forgery smart card attack, user impersonation attack, server spoofing attack, and Denial-of-Service attack, but also cannot achieve user anonymity and untraceability. An attacker can collude with any malicious but legitimate server to obtain the key distributed to the registration center. The attacker can calculate the session key negotiated between a user and a server by using the key and the messages transmitted in the public channel. In this way, the communication content between the user and the server can be cracked. The attacker can also forge a smart card and impersonate a legitimate user to log into the server. In the system, a malicious server can also disguise itself as another server to trick the user. Cryptanalysis of the protocols proposed by Yang et al. found that the protocol still cannot achieve user untraceability. In this protocol, if the attacker colludes with the malicious server and eavesdrops on the information in the public channel, he can launch session key disclosure attack, forgery smart card attack, user impersonation attack, server spoofing attack and Denial of Service attack. In order to overcome the above security flaws, an improved three-factor authentication and key agreement protocol based on public key cryptography is proposed. In the improved protocol, the registration center distributes the hash value of the pre-shared key and the server identity to each server, which can resist server spoofing attack. The improved protocol also uses public key cryptography to encrypt the session between the user and the server. Since only the server itself knows the private key, the improved protocol perfectly prevents session key disclosure. Finally, through security analysis, it is proved that the improved protocol can also resist other types of attacks, and through BAN logic analysis and efficiency comparison, it is proved that the improved protocol achieves mutual authentication and has higher practicality.
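
An added illustration, not code from the thesis: it contrasts an assumed baseline in which every server holds the same pre-shared key with the per-server value, the hash of the pre-shared key and the server identity, that the improved protocol distributes. SHA-256 and HMAC, the proof format, the identities S1 and S2, and modelling the check at the registration center are all assumptions; the abstract specifies none of them.

```python
import hashlib
import hmac
import secrets

def h(*fields: bytes) -> bytes:
    """One-way hash over length-prefixed fields (SHA-256 is an assumption)."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(4, "big") + f)
    return d.digest()

class RegistrationCenter:
    def __init__(self) -> None:
        self.psk = secrets.token_bytes(32)  # pre-shared key (constructed)

    def issue_shared(self, sid: bytes) -> bytes:
        # Assumed baseline: every server receives the same key.
        return self.psk

    def issue_per_server(self, sid: bytes) -> bytes:
        # As described in the abstract: hash of key and server identity.
        return h(self.psk, sid)

    def verify(self, claimed_sid: bytes, nonce: bytes, tag: bytes) -> bool:
        # Hypothetical check: the proof must be keyed with h(PSK, SID).
        want = hmac.new(h(self.psk, claimed_sid), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(want, tag)

def server_proof(material: bytes, claimed_sid: bytes, nonce: bytes, holds_psk: bool) -> bytes:
    """Proof a server can build for `claimed_sid` from the material it was issued."""
    # Holding PSK lets a server derive the key for any identity; holding only
    # its own hash gives it nothing better than that hash.
    key = h(material, claimed_sid) if holds_psk else material
    return hmac.new(key, nonce, hashlib.sha256).digest()

def run_demo() -> dict:
    rc, nonce = RegistrationCenter(), secrets.token_bytes(16)
    s1, s2 = b"S1", b"S2"  # constructed server identities
    shared, own = rc.issue_shared(s1), rc.issue_per_server(s1)
    return {
        "shared_honest": rc.verify(s1, nonce, server_proof(shared, s1, nonce, True)),
        "shared_spoof_s2": rc.verify(s2, nonce, server_proof(shared, s2, nonce, True)),
        "per_server_honest": rc.verify(s1, nonce, server_proof(own, s1, nonce, False)),
        "per_server_spoof_s2": rc.verify(s2, nonce, server_proof(own, s2, nonce, False)),
    }

if __name__ == "__main__":
    print(run_demo())
```

With the shared key, S1 passes verification under S2's identity; with the per-server value, the same attempt fails because S1 cannot derive S2's hash from its own.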
Keywords/Search Tags: network security, three factor, identity authentication, key agreement, multi-server