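With the continued rapid development of the Internet and the client/server architecture, people in different places can hold meetings over the network and communicate and exchange messages through services such as e-mail. However, the Internet is a shared medium, and a malicious attacker may eavesdrop on it or try to deceive legitimate users by impersonation. Information security is therefore an important issue in the client/server environment. To date, various communication protocols have been proposed and applied in different environments. Most of them must satisfy two basic security requirements. The first is user authentication: the system must confirm the legitimacy of both parties. The second is key agreement: the users must jointly agree on a key and use it to encrypt and decrypt the messages to be transmitted, so as to prevent tampering or eavesdropping. In this thesis, we discuss three user authentication and key agreement protocols for the mobile client/server architecture and point out the security weaknesses of each. Finally, we propose improvements. Compared with the original protocols, our methods are more secure and more efficient.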
With the rapid development of Internet services and the client/server architecture, many people use the Internet to hold conferences or to communicate with each other, for example by e-mail, even though they are located in different places in the world. However, the network is a shared medium, so it is exposed to security attacks such as eavesdropping and modification. Hence, information security has become an important issue in the client/server environment. So far, many protocols have been proposed for different purposes. Most of them have to meet two basic security standards. The first is user authentication: it allows a server and a login user to authenticate each other over public channels. The second is key agreement: it is used by two or more parties to derive a shared secure session key, such that no party can predetermine the resulting value. Users can then securely exchange information over an open network by using the shared session key to encrypt and decrypt it. In this study, we discuss three user authentication and key agreement protocols and point out that they have some security weaknesses. We then propose improvements that eliminate these weaknesses. Compared with the original protocols, our proposed schemes are more secure and efficient.