Abstract
OAuth 2.0 is currently one of the most popular API access-control models. However, the traditional authentication methods used when the protocol is implemented have certain limitations: on the one hand, the authorization server must manage not only authorization information but also user authentication information; on the other hand, traditional username/password authentication is easily attacked and cracked. This paper combines an identity authentication scheme based on the FIDO UAF architecture with the OAuth 2.0 protocol, using biometric recognition to authenticate the user at login and thereby meeting requirements for security and user experience. It first studies the principles of the OAuth 2.0 protocol and the FIDO UAF authentication architecture, designs an authentication scheme based on FIDO UAF and an authorization scheme based on OAuth 2.0, and then combines the two. The implementation architecture of the scheme and its detailed authentication and authorization flows are described in detail. Finally, system testing combined with an engineering application example verifies the feasibility and effectiveness of the scheme.
OAuth 2.0, as an open authorization standard, is one of the most popular API access-control models. Using traditional authentication with it has some limitations: the authorization server is responsible for issuing the access token as well as managing the user's information, and traditional authentication such as username/password is vulnerable to many attacks. This scheme combines FIDO UAF architecture-based identity authentication with the OAuth 2.0 protocol: when a user logs in, biometric identification technology is used to identify the user, meeting the demands of security, user experience, etc. This paper studies OAuth 2.0 and FIDO UAF, then designs an authentication scheme and an authorization scheme and combines them. We describe the framework and the detailed processes of authentication and authorization. Finally, we give an example of a system design that fulfills the new scheme.
Authors
李梁磊
邵立嵩
王传勇
刘勇
LI Lianglei; SHAO Lisong; WANG Chuanyong; LIU Yong (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; Data Assurance and Communication Security Research Center of Chinese Academy of Sciences, Beijing 100093, China; Nari Group Corporation, Nanjing, Jiangsu 211000, China; STATE GRID Zaozhuang Power Supply Company, Zaozhuang, Shandong 277100, China; STATE GRID Shandong Power Supply Company, Jinan, Shandong 250001, China)
Source
《信息网络安全》
CSCD
2017, No. 6, pp. 35-42 (8 pages)
Netinfo Security
Funding
National Natural Science Foundation of China [614002470]