Authors: LUO Jiao-yan; ZUO Li-ming; CHEN Yi-lin; HAO Tian (School of Science, East China Jiaotong University, Nanchang 330013, China)
Source: Computer Technology and Development (《计算机技术与发展》), 2024, Issue 3, pp. 110-117 (8 pages)
Funding: Jiangxi Provincial Education Science and Technology Project (GJJ200626, GJJ210625).
Abstract: With the rapid development of network information technology, the application scope of identity authentication is continuously expanding. JSON Web Token (JWT), as a token-based identity authentication technology, has been widely used in web applications and APIs to achieve simple and reliable identity verification and secure communication. However, insufficient understanding of the JWT standard and its technical details among developers often leads to various security vulnerabilities in practice. This paper analyzes security issues related to JWT technology that have emerged in recent years, including "none" algorithm bypass, sensitive information leakage, algorithm confusion attacks, and key brute-force attacks. To address these issues, a JWT strong authentication scheme based on China's national cryptographic standard SM9 is proposed. The scheme uses the SM9 public-key cryptographic algorithm to sign and verify JWTs, combined with a verification mechanism based on timestamps and random nonces, to improve the security and reliability of the algorithm. A security analysis of the proposed scheme shows that its implementation is relatively simple, that it can effectively defend against common JWT security vulnerabilities, and that it offers good security and usability, providing an efficient and reliable solution for the secure application of JWT technology.
Classification code: TP309.7 [Automation and Computer Technology - Computer System Architecture]