一种基于多因素认证与密钥协商的数据密钥管理方案  

作　　者：朱恩强 张宇[1] 江观华 许宇光 ZHU En-qiang;ZHANG Yu;JIANG Guan-hua;XU Yu-guang(Institute of Computing Science and Technology,Guangzhou University,Guangzhou 510006,China;College of Computer Science&Technology,Xi'an University of Science and Technology,Xi'an 710054,China)

机构地区：[1]广州大学计算科技研究院,广东广州510006 [2]西安科技大学计算机科学与技术学院,陕西西安710054

出　　处：《广州大学学报（自然科学版）》2024年第1期1-11,共11页Journal of Guangzhou University:Natural Science Edition

基　　金：国家自然科学基金资助项目(61872101);广州市基础研究计划市校(院)联合资助项目(202201020180)。

摘　　要：隐私数据远程存储技术为用户存储数据带来便捷的同时,也增加了敏感数据在传输过程中遭受拦截攻击的风险。为了提高数据的安全性,需要对上传到远程设备的敏感数据进行加密。因此,高效可靠的密钥管理是确保数据安全的关键。多因素认证是保证数据安全传输的关键技术之一,在安全领域具有广泛的应用,如隐私数据保护、访问权限管理和在线支付等。鉴于此,提出了一种基于多因素认证的密钥存储策略来加强密钥管理:(1)通过确定的设备身份信息对密钥进行Shamir(2,3)分割;(2)对设备身份信息进行公钥加密,然后利用用户私有登录口令和生物特征来隐藏密钥的Shamir分割份额和公钥加密的私钥;(3)对获得的密钥相关信息进行一系列计算处理并分别存储到相应的设备中。理论分析表明,所提方案具有认证灵活,密钥管理高效、可靠以及通信安全等优势。此外,为了进一步说明方案的有效性,进行了BAN逻辑分析和启发式安全分析。分析结果表明,框架能够安全地协商会话密钥并抵抗多种已知攻击。While remote storage technology for private data can provide convenience for users, the risk of interception attacks on private data during transmission is also increased. To improve security, sensitive data should be encrypted before uploading to remote devices. So, how to manage the secure key efficiently and reliably is very significant to data security. Multi-factor authentication is one of the key technologies to ensure the security of data transmission, and it has been widely applied in security fields, such as privacy data protection, access rights management, and online payment, etc. To address these problems, a key storage strategy based on multi-factor authentication is proposed to enhance secure key management. First, the key is split using chamir(2,3) based on the indentified device indentity information. Second, it encrypts the identity information of the devices using public key encryption, and concels a share of the secure key derived from Shamir's secret sharing, as well as the private key used in public key encryption, through the user's private login password and biometric feature. Finally, all of the above information related to the secure key is processed by a series of computations and then are stored in the designated devices, respectively. Analysis in theory shows that our framework possesses the advantages of flexible authentication, efficient and reliable key management, and secure communication. Moreover, to further illustrate the effectiveness of the approach, experiments on BAN logic analysis and heuristic security analysis were carried out. The experimental results show that the proposed framework can negotiate session keys securely and resist various known attacks.

关 键 词：隐私数据保护 多因素认证 加密 BAN逻辑 

分 类 号：TN918.4[电子电信—通信与信息系统]