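Abstract: This paper proposes SPAS, a hash-function-based mutual password authentication protocol between the user side and the server side, designed for lightweight clients. It identifies the attacks that affect earlier protocols of this kind and analyzes the security of SPAS, showing that SPAS resists denial-of-service attacks, replay attacks, impersonation attacks, and attacks that follow leakage of the server-side verification information. The SPAS protocol can be applied to user authentication scenarios that use lightweight clients and authenticate over a public channel.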
Keywords:
Authentication; password; hash function; OSPA; SPAS
Abstract: Based on an analysis of the OSPA protocol, a typical hash-based strong-password authentication protocol, this paper presents SPAS, a hash-based strong-password mutual authentication scheme. SPAS is resistant to DoS attacks, replay attacks, impersonation attacks, and stolen-verifier attacks. SPAS is expected to be usable in application scenarios where a lightweight and secure user authentication scheme is required.
Key words:
Authentication; Password; Hash; OSPA; SPAS
YU Shuyao, YE Runguo, ZHANG Youkun, SONG Cheng. A Secure and Efficient Strong-Password Authentication Protocol[J]. Computer Engineering, 2006, 32(6): 146-147,162.
YU Shuyao, YE Runguo, ZHANG Youkun, SONG Cheng. A Hash-based Secure Strong-password Authentication Protocol[J]. Computer Engineering, 2006, 32(6): 146-147,162.