A Scheme for Secure Storage and Retrieval of (ID, Password) Pairs Using Smart Cards as Secure and Portable Storages

A Scheme for Securely Storing and Retrieving (ID, Password) Pairs Using a Smart Card as a Secure Portable Storage Device

  • Received : 2014.03.18
  • Accepted : 2014.05.26
  • Published : 2014.06.30

Abstract

Despite the security weakness of reusing passwords, many Internet users are likely to use a single ID and password on various sites to avoid the inconvenience of remembering multiple credentials. This paper proposes a scheme for securely storing, retrieving, and updating randomly chosen (ID, password) pairs by using smart cards as secure and portable storages. The scheme frees a user from remembering her (ID, password) pairs for Internet access. By splitting and scattering a user's (ID, password) pairs across the user's smart card memory and a remote server's storage, it protects the logon credentials even against theft or loss of the smart card. Also, a user, if deemed necessary, can instruct the server to delete all information belonging to the user. Hence even an attacker who cracked the smart card memory would not be able to obtain any (ID, password) pair of the victim thereafter. The scheme requires a user to input site information and a pass-phrase to her smart card to obtain the logon credentials, but this should be an acceptable overhead considering the benefit of not having to remember the freely chosen (ID, password) pairs at all.

Because of the inconvenience of having to remember many sets of credentials, many Internet users tend to reuse the same or very similar passwords and IDs across multiple sites despite the security weakness. This paper proposes a scheme that uses a smart card as a secure portable storage device so that many randomly generated (ID, password) pairs can be securely stored, retrieved, and updated without the user having to remember them. Because the proposed scheme keeps each site's (ID, password) pair split between the smart card's memory and a separate remote server, it remains safe even if the smart card is lost or stolen. The proposed scheme also includes a function for deleting the information held on the remote server, so that even when the smart card has been lost or its memory is suspected of having been hacked, an attacker can be prevented from obtaining any (ID, password) pair of the card's owner. Under the proposed scheme, the user must enter the information of the site to be accessed and a pass-phrase into the smart card to obtain the (ID, password) information, but we judge this additional burden to be within an acceptable level considering the advantage that the ID and password can be chosen freely yet need not be remembered at all.
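The split-and-scatter storage, retrieval, update and remote-deletion behaviour described in the abstract, as an added example that is not the paper's own code or construction: it assumes an XOR two-share split of each credential, an HMAC-derived per-site lookup tag, and hypothetical `SmartCard` and `Server` classes standing in for the card memory and the remote storage.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Illustrative two-share model of "split and scatter" (this example's own
# assumption, not the paper's exact construction): each (ID, password) pair is
# XOR-split into a card share and a server share, both indexed by a per-site
# lookup tag derived from the pass-phrase and the site name.

def lookup_tag(passphrase: str, site: str) -> bytes:
    """Per-site index computed on the card; the pass-phrase itself is never stored."""
    key = hashlib.sha256(passphrase.encode()).digest()
    return hmac.new(key, site.encode(), hashlib.sha256).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SmartCard:
    def __init__(self) -> None:
        self.shares: Dict[bytes, bytes] = {}             # tag -> card share

class Server:
    def __init__(self) -> None:
        self.shares: Dict[str, Dict[bytes, bytes]] = {}  # user -> tag -> share

    def delete_user(self, user: str) -> None:            # "delete everything" request
        self.shares.pop(user, None)                      # leftover card shares become useless

def store(card: SmartCard, server: Server, user: str, passphrase: str,
          site: str, cred_id: str, cred_pw: str) -> None:
    id_b, pw_b = cred_id.encode(), cred_pw.encode()
    cred = bytes([len(id_b)]) + id_b + pw_b              # 1-byte length prefix for the ID
    card_share = secrets.token_bytes(len(cred))          # one-time uniformly random mask
    server_share = xor_bytes(cred, card_share)           # reveals nothing on its own either
    tag = lookup_tag(passphrase, site)
    card.shares[tag] = card_share                        # updating a pair just overwrites
    server.shares.setdefault(user, {})[tag] = server_share

def retrieve(card: SmartCard, server: Server, user: str, passphrase: str,
             site: str) -> Optional[Tuple[str, str]]:
    tag = lookup_tag(passphrase, site)
    card_share = card.shares.get(tag)
    server_share = server.shares.get(user, {}).get(tag)
    if card_share is None or server_share is None:
        return None                                      # wrong pass-phrase/site, or server wiped
    cred = xor_bytes(card_share, server_share)
    n = cred[0]
    return cred[1:1 + n].decode(), cred[1 + n:].decode()
```

After `delete_user`, the share left in a lost card is a bare random mask, which is the property the abstract relies on.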
