摘要
用户一般需要使用帐户和密码来访问各种平台和系统,如果用户使用弱密码的话,虽然很容易记住,但比较容易受到攻击;如果使用强密码,则使用起来不太方便,不容易记住。所以,我们提出了一种基于区块链的去中心化身份认证机制。该机制使用以太坊的Whisper协议来取代http/https协议;更具体地的说,接入该机制的网站通过接收来自Whisper的内容来验证用户的身份信息,不再需要让用户填写用户名与密码进行验证。这种机制也能防御“重放攻击”、“网络钓鱼攻击”和“模拟攻击”,最后本机制与“OAuth2.0”,“OpenID”和“SAML”进行对比,在“网络钓鱼攻击”方面更比其他机制更优,能够很好的防御此类攻击。
Users need to use accounts and passwords to access various platforms and systems. Weak passwords are easy to be remembered but vulnerable to attacks, while strong passwords are not easy-to-use. To this end, a blockchain-based and decentralized identity authentication mechanism without traditional passwords is proposed. Instead of using the http/https protocols, the Whisper protocol in Ethereum is adopted. More specifically, the website verifies the identity information of the user by receiving a content of a Whisper envelope, thus the website does not need to provide a web interface, in order to verify the identity information of the user. The proposed identity authorization process in a decentralized manner has been verified to defend against replay attack, phishing attack and impersonation attack, compared with OAuth2.0, OpenID and SAML.
出处
《计算机科学与应用》
2021年第3期579-587,共9页
Computer Science and Application
