Abstract: Remote user authentication schemes have long been widely used in mobile e-commerce. Most earlier academic work relies on a smart card for remote identity verification. How to protect the content of messages exchanged over an insecure network, so that they cannot be intercepted, forged, tampered with, eavesdropped on or replayed, while still preserving an appropriate level of privacy, remains an important and continuing research issue.

In March 2011, Guo et al. published "An RFID secure authentication mechanism in WLAN" in Computer Communications, proposing a remote authentication scheme based on passive RFID tags. The scheme is intended to replace traditional single-factor authentication (username and password only) and to provide two-factor authentication equivalent to that of a smart card, at low cost and with high convenience and high security.

However, this study finds that the scheme of Guo et al. does not achieve the two-factor authentication it claims, and that it remains vulnerable to being tracked, to privacy leakage and to replay attacks. Finally, this study designs a new secure mechanism, presents its analysis and proposes improvements to achieve secure RFID two-factor authentication.