Abstract: The password-based authentication has advantages of simplicity，convenience，flexibility and mobility.It is widely used in Internet banking，ATM，such as remote login environment，ATM etc.The intrinsic problems with password-based authentication are password itself has lower entropy，lower security and the password file is very hard to protect.The password amplification is such an algorithm，which accepts a lower entropy password and a higher entropy random number and outputs a new higher entropy password，this can improve the security of authentication protocol and do not increase the hardness of users.Human biometric is the owned physiological and behavioral characteristics，the fuzzy extractor can extract a high entropy random string from the human biometrics.The combination of password amplification and biometrics can overcome the drawbacks of password-based authentication protocol，and enhance its security.In this paper，a new one-way?authentication protocol，which integrates the human biometric and password amplification，is proposed，it has the advantages of human biometric and password authentication and has ability of error-tolerant.

Key words: authentication protocol, human biometrics, password amplification, fuzzy extractor

摘要： 基于口令的认证协议具有简单、方便、强适应性及移动性等优点，它广泛应用于网上银行、ATM等远程登录环境中。但是一般用户的口令具有低熵、安全性低、口令数据难以保护等缺点，从而使系统存在许多安全隐患。口令放大是这样的一种算法，它输入用户的低熵的口令和一个高熵的随机数，然后输出一个高熵的新口令，从而提高了系统的安全性，也不增加用户的负担。人体生物特征是人体所固有的生理和行为特征，而模糊提取器可以从人体的生物特征中提取出高熵的随机串。生物特征和口令放大的结合，恰好可以克服基于口令的认证协议的缺点，提高其安全性。提出了一种结合人体生物特征和口令放大的单向认证协议，充分发挥了基于口令的认证协议所具有的简单易用和生物特征高熵、安全性高等优点，并且具有一定的容错能力。

关键词: 认证协议, 生物特征, 口令放大, 模糊提取器