使用通行碼的數位簽章協定

Abstract

我們知道使用通行碼的協定必須能抵抗字典攻擊法，因此我們提出一個必須結合服務者的秘密資訊、客戶所知道的秘密資訊及通行碼才能產生合法的數位簽章的協定。因為協定的需求是正確的客戶及服務者才能產生合法的數位簽章，所以我們必須要確認客戶以及服務者的身份。完成了身份認證的要求後所產生的數位簽章可以利用相對應的公開金鑰來驗證其合法性。在客戶的秘密資訊洩漏，或是服務者的秘密資訊洩漏的情況下，攻擊者皆無法利用字典攻擊法得知通行碼或是偽造出一個合法的數位簽章。另外我們也對我們的協定給予一個安全性的證明。

We know that password-based schemes must be able to against dictionary attacks. We proposed a digital signature scheme that we have to know the password, client and server’s secret to sign out a valid signature. Because we require that the valid signature could only be produced if both client and server are correct, client and server need to authenticate each other. We can verify the signature which is produced after authentication by the corresponding public keys. If the secret either server or client holds has been leaked out, the attacker can not neither find out the correct password nor forge a valid signature by using dictionary attacks. And there is also a security proof for our signature scheme.