【信安作业】0510-5身份认证([Xin’an operation] 0510-5 identity authentication)

题目

今天校园里到处是快递小哥,同学们也经常帮别人取快递,快递小哥不会很细致的核实身份,就允许代领,存在很多不安全因素。

设计一款基于手机的app,用于快递小哥验证身份,顾客领取快递。具体认证方法不限,简单易行。

(1)给出:app包含哪些部分(可加图示),每部分的功能;

(2)模仿kerberos的写法,描述交互过程,并加说明。

解答

一、app包含部分及功能

1.客户端

快递小哥/顾客通过客户端访问后台验证端,以自身的注册信息(如名字、身份证号)作为ID向后台验证端发送信号

快递小哥/顾客通过客户端访问后台验证端,获取快递信息及密码

3.后台验证端

对客户端的访问进行身份认证

对快递信息进行一定的加密,得出对应的密码并发给客户端

二、交互过程说明

1.身份验证服务交换:顾客完成身份认证,获得访问权限,登录app

(1)C->S:IDc||TS1

(2)S->C:Ekc[B0||TS2]

注:(1)为顾客C请求访问后台验证系统S并获取快递信息(如表示位于货架位置的取件码)(2)为返回加密后的票据信息

IDc:顾客C的用户标识;TS1:让S验证C的时钟与S的时钟是否同步的;

Ekc:基于用户口令的加密,使得S和C可以验证口令,并保护信息;B0:顾客C在系统S登记的已到未取的快递信息;TS2:告诉用户该信息签发的时间

2.密码获取:顾客选择需要领取的快递,将信息发给S,S加密出相应的验证密码返给顾客

(1)C->S:IDc||B1||TS3

(2)S->C:Ekc[key||TS4]

注:(1)为顾客C向S发送需要领取的快递信息(2)为S返给顾客用于最终验证的密码

B1:顾客C需要领取的快递信息;key:经过用只有后台验证系统S知道的密钥S加密得到的最终密码;key=Eks[IDc||B1||TS3];Eks:只有S知道的密钥,严格保密

3.快递领取服务交换:快递小哥完成身份认证,获得最终验证的密码

(1)A->S:IDa||B1||TS5

(2)S->A:Eka[key||TS6]

注:(1)为快递小哥A向S发送接收领取快递信息(2)为S返给快递小哥验证用的密码

IDa:快递小哥A的用户标识;Eka:基于快递小哥口令的加密,使S和A可以验证口令,并保护信息

由此,该app构建完成,用户C可以从后台系统S获取快递总信息B0,并发送需要领取的快递信息B1;然后快递小哥A可以通过app查看领取信息B1,并通过身份认证得到验证密码key;于是快递小哥A通过信息B1找到快递,领取时通过只有快递小哥A、系统S和顾客C知道的密码key,可以验证顾客信息,由此达到核实身份,减少不安全因素的目的。本系统的关键在于保证key和Eks的机密性。

————————

题目

Today, the campus is full of express brothers, and students often help others get express. The express brother will not carefully verify his identity and will be allowed to receive on behalf of others. There are many unsafe factors.

Design a mobile phone based app for the courier brother to verify his identity and the customer to receive the express. The specific authentication methods are not limited and simple.

(1) Give: which parts of the app (can be illustrated) and the functions of each part;

(2) Imitate the writing method of Kerberos, describe the interaction process and explain it.

解答

< strong > I. app includes some parts and functions < / strong >

1. Client

The express brother / customer accesses the background verification terminal through the client and sends a signal to the background verification terminal with his own registration information (such as name and ID number) as ID

Express brother / customer accesses the background verification terminal through the client to obtain express information and password

3. Background verification end

Authenticate the access of the client

Encrypt the express information, get the corresponding password and send it to the client

< strong > II. Description of interaction process < / strong >

1. Authentication service exchange: customers complete identity authentication, obtain access rights and log in to the app

(1)C-> S:IDc||TS1

(2)S-> C:Ekc[B0||TS2]

Note: (1) request customer C to access the background verification system s and obtain express information (such as the pick-up code at the shelf position) (2) return the encrypted bill information

IDC: user ID of customer C; TS1: let s verify whether the clock of C and s are synchronized;

EKC: encryption based on user password, so that s and C can verify password and protect information; B0: the received but not retrieved express information registered by customer C in system s; TS2: tell the user the issuing time of the information

2. Password acquisition: the customer selects the express to be received, sends the information to s, and s encrypts the corresponding verification password and returns it to the customer

(1)C-> S:IDc||B1||TS3

(2)S-> C:Ekc[key||TS4]

Note: (1) send the express information to be received for customer C to s (2) the password returned by s to the customer for final verification

B1: express information that customer C needs to receive; Key: the final password obtained by encrypting with the key s known only to the background verification system s; key=Eks[IDc||B1||TS3]; Eks: only s knows the key, which is strictly confidential

3. Exchange of express receiving service: the express brother completes the identity authentication and obtains the final verified password

(1)A-> S:IDa||B1||TS5

(2)S-> A:Eka[key||TS6]

Note: (1) it is the password used by s to send and receive the express information from express brother a to s (2) it is the password used by s to return it to express brother for verification

Ida: user ID of express brother a; Eka: encryption based on the password of the express brother enables s and a to verify the password and protect the information

Thus, after the app is built, user C can obtain the total express information B0 from the background system s and send the express information B1 to be received; Then, express brother a can view the receiving information B1 through the app and get the verification password key through identity authentication; Therefore, the express brother a finds the express through the information B1. When receiving, the customer information can be verified through the password key known only by the express brother a, the system s and the customer C, so as to verify the identity and reduce unsafe factors. The key of this system is to ensure the confidentiality of key and eks.