KIPS Transactions on Computer and Communication Systems (정보처리학회논문지:컴퓨터 및 통신 시스템)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

Security Analysis on Password Authentication System of Web Sites

웹사이트 패스워드 인증 시스템의 보안성 분석

  • 노희경 (고려대학교 정보보호대학원) ;
  • 최창국 (고려대학교 정보보호대학원) ;
  • 박민수 (고려대학교 정보보호대학원) ;
  • 김승주 (고려대학교 정보보호대학원)
  • Received : 2014.07.25
  • Accepted : 2014.10.24
  • Published : 2014.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Portal site is not only providing search engine and e-mail service but also various services including blog, news, shopping, and others. The fact that average number of daily login for Korean portal site Naver is reaching 300 million suggests that many people are using portal sites. With the increase in number of users followed by the diversity in types of services provided by portal sites, the attack is also increasing. Most of studies of password authentication is focused on threat and countermeasures, however, in this study, we analyse the security threats and security requirement of membership, login, password reset first phase, password reset second phase. Also, we measure security score with common criteria of attack potential. As a result, we compare password authentication system of domestic and abroad portal sites.

포털사이트는 검색 엔진, 이메일 서비스뿐만 아니라 블로그, 뉴스, 쇼핑 등 다양한 서비스를 제공하고 있다. 국내 포털 업체인 네이버의 하루 평균 로그인 횟수가 3억 건에 달할 만큼 많은 사람들이 포털사이트를 이용하고 있음을 알 수 있다. 이와 같이 포털사이트가 제공하는 서비스의 종류가 다양해지고 더불어 이용자 수가 증가함에 따라 포털사이트를 대상으로 하는 공격도 증가하고 있다. 기존 패스워드 인증 시스템은 주로 로그인 단계에서의 보안 위협에 초점을 두고 이를 해결하기 위한 대안에 대한 연구를 진행한 반면, 본 연구에서는 패스워드 인증 시스템의 전체 절차인 회원가입, 로그인, 패스워드 재발급 1단계, 패스워드 재발급 2단계의 모든 단계에 대한 보안 위협 및 보안 요구사항에 대해 분석하였다. 또한 기존 공통평가기준의 공격 성공 가능성이 로그인 단계에만 국한되었던 것을 확대시켜 패스워드 인증의 모든 단계에 대한 공격 성공 가능성을 측정하였으며, 국내외 포털사이트 패스워드 인증 시스템의 보안성을 정량화된 수치로 비교 분석하였다.

Keywords

References

  1. Bruce Schneier, "Applied Cryptography," John Wiley & Sons, 1996.
  2. Perlman, Radia, and Charlie Kaufman, "User-centric PKI," Proceedings of the 7th Symposium on Identity and Trust on the Internet. ACM, 2008.
  3. Just, Mike, and David Aspinall, "Personal Choice and Challenge Questions: A Security and Usability Assessment," Poceedings of the 5th Symposium on Usable Privacy and Security. ACM, 2009.
  4. Jin, Lei, Hassan Takabi, and James BD Joshi, "Analysing security and privacy issues of using e-mail address as identity," International Journal of Information Privacy, Security and Integrity, 1.1. pp.34-58, 2011. https://doi.org/10.1504/IJIPSI.2011.043730
  5. C.E. Shannon, "A mathematical theory of communication," Bell System Technical Journal, Vol.27, pp.379-423, 1948. https://doi.org/10.1002/j.1538-7305.1948.tb01338.x
  6. Komanduri, Saranga, et al., "Of passwords and people: measuring the effect of password-composition policies," Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2011.
  7. Ma, Wanli, et al., "Password entropy and password quality," Network and System Security (NSS), 2010 4th International Conference on. IEEE, 2010.
  8. Yan, Jianxin Jeff, "A note on proactive password checking," Proceedings of the 2001 workshop on New security paradigms. ACM, 2001.
  9. Bishop, Matt, "Proactive password checking," 4th Workshop on Computer Security Incident Handling, 1992.
  10. "Common Methodology for Information Technology Security Evaluation," Common Criteria, Version 3.1. Jul., 2009.
  11. Cazier, Joseph A., and B. Dawn Medlin, "Password security: An empirical investigation into e-commerce passwords and their crack times," Information Systems Security 15.6. pp.45-55, 2006. https://doi.org/10.1080/10658980601051318
  12. Ji Sun Shin, "Study on Anti-Phishing Solutions, Related Researches and Future Directions," Journal of The Korea Institute of Information Security & Cryptology, Vol.23, No.6, Dec., 2013.
  13. Leijten, Marielle, and Luuk Van Waes, "Keystroke Logging in Writing Research Using Inputlog to Analyze and Visualize Writing Processes," Written Communication 30.3, pp.358-392, 2013. https://doi.org/10.1177/0741088313491692
  14. "2014 Trustwave Global Security Report," Trustwave, 2014.
  15. Dell'Amico, Matteo, Pietro Michiardi, and Yves Roudier, "Password strength: An empirical analysis," INFOCOM, 2010 Proceedings IEEE. IEEE, 2010.
  16. Irani, Danesh, et al., "Modeling unintended personalinformation leakage from multiple online social networks," Internet Computing, IEEE 15.3, pp.13-19, 2011.
  17. HyeongKyu Lee, "The Problems and Reformation of the Personal Identification by the Resident Registration Number on the Internet," Hanyang Law Review, Vol.23-1, pp.341-371, Feb., 2012.
  18. Von Ahn, Luis, et al., "CAPTCHA: Using hard AI problems for security," Advances in Cryptology-EUROCRYPT 2003. Springer Berlin Heidelberg, pp.294-311, 2003.
  19. Lei Jin, Hassan Takabi, James B.D. Joshi, "Analysing security and privacy issues of using e-mail address as identity," International Journal of Information Privacy, Security and Integrity, Vol.1, No.1, pp.34-58, 2011. https://doi.org/10.1504/IJIPSI.2011.043730
  20. Goring, Stuart P., Joseph R. Rabaiotti, and Antonia J. Jones, "Anti-keylogging measures for secure Internet login: an example of the law of unintended consequences," Computers & Security 26.6, pp.421-426, 2007. https://doi.org/10.1016/j.cose.2007.05.003
  21. "Kaspersky Releases Q1 Spam Report," Kaspersky, 2014.
  22. Lei Jin, Hassan Takabi, James B.D. Joshi, "Analysing security and privacy issues of using e-mail address as identity," International Journal of Information Privacy, Security and Integrity, Vol.1, No.1, pp.34-58, 2011. https://doi.org/10.1504/IJIPSI.2011.043730

Cited by

  1. A Study on the Operation and Personal Information Management of Public and Private Kindergarten Homepages vol.37, pp.6, 2016, https://doi.org/10.5723/kjcs.2016.37.6.119