[1] LUO Jiao-yan, ZUO Li-ming, CHEN Yi-lin, et al. JWT Strong Identity Authentication Scheme Based on SM9 [J]. Computer Technology and Development (计算机技术与发展), 2024, 34(03): 110-117. [doi:10.3969/j.issn.1673-629X.2024.03.017]

JWT Strong Identity Authentication Scheme Based on SM9

Computer Technology and Development (《计算机技术与发展》) [ISSN: 1006-6977 / CN: 61-1281/TN]

Volume: 34
Issue: 2024, No. 03
Pages: 110-117
Column: Cyberspace Security
Publication date: 2024-03-10

Article Info

Title: JWT Strong Identity Authentication Scheme Based on SM9
Article number: 1673-629X(2024)03-0110-08
Authors: LUO Jiao-yan, ZUO Li-ming, CHEN Yi-lin, HAO Tian (罗娇燕, 左黎明, 陈艺琳, 郝恬)
Affiliation: School of Science, East China Jiaotong University, Nanchang 330013, China
Keywords: identity authentication; JSON Web Token (JWT); SM9; digital signature; authorization
Classification (CLC): TP309.7
DOI: 10.3969/j.issn.1673-629X.2024.03.017
Abstract:
With the rapid development of network information technology, the application scope of identity authentication is continuously expanding. JSON Web Token (JWT), as a token-based identity authentication technology, is widely used in web applications and APIs to achieve simple and reliable identity verification and secure communication. However, developers' insufficient understanding of the JWT standard and its technical details often leads to various security vulnerabilities in practice. We analyze security issues related to JWT that have emerged in recent years, including the "none" algorithm bypass, sensitive information leakage, algorithm confusion attacks, and key brute-force (enumeration) attacks. To address these issues, a JWT strong identity authentication scheme based on China's national cryptographic standard SM9 is proposed. The scheme uses the SM9 public-key cryptographic algorithm to sign and verify JWTs, combined with a verification mechanism based on timestamps and random nonces, to improve the security and reliability of the scheme. A security analysis shows that the scheme is relatively simple to implement and effectively defends against the common JWT vulnerabilities listed above, while offering good security and usability, providing an efficient and reliable solution for the secure application of JWT.


Last Update: 2024-03-10