Password-Based Mutual Authentication Protocol Against Phishing Attacks

  • Received : 2017.06.29
  • Accepted : 2017.09.19
  • Published : 2018.02.28

Abstract

Until now, various studies on anti-phishing have been conducted. The most typical anti-phishing method collects the URL information of phishing sites in advance and then detects phishing by comparing the URL of the visited site against the stored information. However, this blacklist-based anti-phishing method cannot detect new phishing sites. For this reason, various anti-phishing authentication protocols have been proposed, but these protocols require a public key and a private key. In this paper, we propose a password-based mutual authentication protocol that is secure against phishing attacks. In the proposed protocol, mutual authentication between the client and the server is performed through an authentication message that includes password information. The proposed protocol is secure against eavesdropping because the authentication message uses a hash value of the password rather than the original password, and it is secure against replay attacks because a different message is used in every authentication run. In addition, since mutual authentication is performed, it is secure against man-in-the-middle attacks. Finally, the proposed protocol does not require a key issuance process for authentication.

Until now, various studies on countering phishing have been conducted. The most representative anti-phishing method collects the URL information of phishing sites in advance and then detects phishing by comparing the URL of the site a user visits against the stored information. However, this blacklist-based anti-phishing method has the limitation that it cannot detect new phishing sites. Accordingly, various anti-phishing authentication protocols have been proposed, but most of them require a public key and a private key in the authentication process. In this paper, we therefore propose a password-based mutual authentication protocol that is secure against phishing attacks. In the proposed protocol, mutual authentication between the client and the server is performed through an authentication message containing password information. The authentication message used during authentication contains a hash value of the password rather than the original password, and a different message is used for each authentication, so the protocol is secure against replay and eavesdropping attacks. In addition, because mutual authentication is performed, it is secure against man-in-the-middle attacks, and no separate key issuance process is required for authentication.
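The abstract names four properties but not the message construction. The following is an added example, not the paper's protocol and not code from the authors: a generic challenge-response mutual authentication between a client and a server that share only a hash of the password, built from standard HMAC-SHA256. Every name in it (`password_verifier`, `auth_tag`, `Server`, `Client`, `run_session`, the `b"client"` and `b"server"` labels and the nonce lengths) is an assumption of this example. It shows concretely how the three claims fit together: the wire carries HMAC tags keyed by the password hash rather than the password (eavesdropping), both sides' tags cover fresh nonces so a captured message does not verify in a later run (replay), and the server must itself prove knowledge of the verifier before the client accepts it, so a site that does not hold the verifier cannot complete the handshake (mutual authentication).

```python
import hashlib
import hmac
import secrets

# Assumption of this example: the server stores only this digest, never the password.
def password_verifier(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

# All authentication messages are HMAC tags keyed by the verifier; the password itself
# is never transmitted. The label and nonces make client and server tags distinct.
def auth_tag(key: bytes, label: bytes, user: bytes, nc: bytes, ns: bytes) -> bytes:
    return hmac.new(key, b"|".join([label, user, nc, ns]), hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}      # username -> verifier
        self.pending = {}    # username -> server nonce of the open run

    def register(self, username: str, password: str) -> None:
        self.users[username] = password_verifier(password)

    def challenge(self, username: str) -> bytes:
        ns = secrets.token_bytes(16)          # fresh per run: this is what defeats replay
        self.pending[username] = ns
        return ns

    def verify_client(self, username: str, nc: bytes, client_tag: bytes):
        """Check the client's proof; on success return the server's own proof, else None."""
        ns = self.pending.pop(username, None)  # a nonce is consumed once
        verifier = self.users.get(username)
        if ns is None or verifier is None:
            return None
        expected = auth_tag(verifier, b"client", username.encode(), nc, ns)
        if not hmac.compare_digest(expected, client_tag):
            return None
        return auth_tag(verifier, b"server", username.encode(), nc, ns)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.verifier = password_verifier(password)

    def respond(self, ns: bytes):
        nc = secrets.token_bytes(16)          # client nonce binds the server's reply to this run
        tag = auth_tag(self.verifier, b"client", self.username.encode(), nc, ns)
        return nc, tag

    def verify_server(self, nc: bytes, ns: bytes, server_tag: bytes) -> bool:
        expected = auth_tag(self.verifier, b"server", self.username.encode(), nc, ns)
        return hmac.compare_digest(expected, server_tag)


def run_session(server: Server, client: Client) -> bool:
    """One full run: server challenge, client proof, server proof, client check."""
    ns = server.challenge(client.username)
    nc, tag = client.respond(ns)
    server_tag = server.verify_client(client.username, nc, tag)
    if server_tag is None:
        return False
    return client.verify_server(nc, ns, server_tag)


# Constructed scenarios (sample credentials are made up for this example).
def honest_session_succeeds() -> bool:
    server = Server()
    server.register("alice", "correct horse battery staple")
    return run_session(server, Client("alice", "correct horse battery staple"))

def wrong_password_fails() -> bool:
    server = Server()
    server.register("alice", "correct horse battery staple")
    return not run_session(server, Client("alice", "wrong password"))

def replay_is_rejected() -> bool:
    """A client message captured in one run does not verify in a later run."""
    server = Server()
    server.register("alice", "correct horse battery staple")
    client = Client("alice", "correct horse battery staple")
    ns1 = server.challenge("alice")
    nc1, tag1 = client.respond(ns1)            # captured on the wire
    server.verify_client("alice", nc1, tag1)   # legitimate run completes
    server.challenge("alice")                  # new run, new server nonce
    return server.verify_client("alice", nc1, tag1) is None

def server_without_verifier_is_rejected() -> bool:
    """A site that does not hold the verifier cannot produce an acceptable server proof."""
    client = Client("alice", "correct horse battery staple")
    ns = secrets.token_bytes(16)
    nc, _tag = client.respond(ns)
    bogus_tag = secrets.token_bytes(32)        # best a verifier-less party can do
    return not client.verify_server(nc, ns, bogus_tag)


if __name__ == "__main__":
    print("honest:", honest_session_succeeds(), "wrong pw:", wrong_password_fails(),
          "replay:", replay_is_rejected(), "no verifier:", server_without_verifier_is_rejected())
```

Two design notes on this example, not on the paper. First, the stored verifier is password-equivalent: whoever obtains the server's table can run the client side, so the server's store needs the same protection a password database does. Second, the verifier here is a plain unsalted SHA-256 for clarity; a deployment would derive it with a salted, slow function so that a leaked table is not cheaply guessable offline. The abstract's man-in-the-middle claim is illustrated by `server_without_verifier_is_rejected`: the client only accepts a server proof bound to its own fresh nonce and keyed by the verifier.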

References

  1. M. Sharifi and S. H. Siadati, "A phishing sites blacklist generator," in Proceedings of the 6th ACS/IEEE International Conference on Computer Systems and Applications, pp.840-843, 2008.
  2. Y. Zhang, J. Hong, and L. Cranor, "CANTINA: A content-based approach to detecting phishing web sites," in Proceedings of the 16th International Conference on World Wide Web, Banff, pp.8-12, 2007.
  3. J. H. Sa and S. J. Lee, "Real-time phishing site detection method," Journal of the KIISC, Vol.22, No.4, pp.819-825, 2012.
  4. OpenSSL, SSL/TLS MITM vulnerability (CVE-2014-0224) [Internet], https://www.openssl.org/news/secadv/20140605.txt.
  5. T. Li and Y. Wu, "Trust on web browser: attack vs. defense," in Proceedings of the International Conference on Applied Cryptography and Network Security, pp.241-253, 2003.
  6. NETCRAFT, Netcraft Extension [Internet], http://toolbar.netcraft.com.
  7. PhishTank, Join the fight against phishing [Internet], http://www.phishtank.com.
  8. Mozilla, FirePhish Anti-Phishing Extension [Internet], https://addons.mozilla.org/en-US/firefox/addon/firephish-anti-phishing-extens.
  9. S. Kim, J. Kang, and Y. Kim, "Countermeasures against phishing/pharming via portal site for general users," The Journal of KICS, Vol.40, No.6, pp.1107-1113, 2015. https://doi.org/10.7840/kics.2015.40.6.1107
  10. Y. S. Lee, N. H. Kim, H. T. Lim, H. K. Jo, and H. J. Lee, "Online banking authentication system using mobile-OTP with QR-code," in Proceedings of the 5th International Conference on Computer Sciences and Convergence Information Technology, pp.644-648, 2010.
  11. A. Gandhi, B. Salunke, S. Ithape, V. Gawade, and S. Chaudhari, "Advanced online banking authentication system using one time passwords embedded in Q-R code," International Journal of Computer Science and Information Technologies, Vol.5, No.2, pp.1327-1329, 2014.
  12. J. Lee, H. You, C. Cho, and M. Jun, "A design secure QR-Login user authentication protocol and assurance methods for the safety of critical data using smart device," The Journal of KICS, Vol.37C, No.10, pp.949-964, 2012. https://doi.org/10.7840/kics.2012.37C.10.949
  13. S. Seo, C. Choi, G. Lee, and H. Choi, "QR code based mobile dual transmission OTP system," The Journal of KICS, Vol.38B, No.5, pp.377-384, 2013. https://doi.org/10.7840/kics.2013.38B.5.377
  14. J. Park, J. Kim, M. Shin, and N. Kang, "QR-code based mutual authentication system for web service," The Journal of KICS, Vol.39B, No.4, pp.207-215, 2014. https://doi.org/10.7840/kics.2014.39B.4.207
  15. M. Sandirigama, A. Shimizu, and M. T. Noda, "Simple and secure password authentication protocol (SAS)," IEICE Transactions on Communications, Vol.E83-B, pp.1363-1365, 2000.
  16. C. L. Lin, H. M. Sun, and T. Hwang, "Attacks and solutions on strong-password authentication," IEICE Transactions on Communications, Vol.E84-B, pp.2622-2627, 2001.
  17. C. Y. Huang, S. P. Ma, and K. T. Chen, "Using one-time passwords to prevent password phishing attacks," Journal of Network and Computer Applications, Vol.34, pp.1292-1301, 2011. https://doi.org/10.1016/j.jnca.2011.02.004
  18. W. C. Kuo and Y. C. Lee, "Attack and improvement on the one-time password authentication protocol against theft attacks," in Proceedings of the 6th International Conference on Machine Learning and Cybernetics, pp.1918-1922, 2007.
  19. M. Kim, B. Lee, S. Kim, and D. Won, "Weaknesses and improvements of a one-time password authentication scheme," International Journal of Future Generation Communication and Networking, Vol.2, pp.29-38, 2009.
  20. M. Sharifi, A. Saberi, M. Vahidi, and M. Zorufi, "A zero knowledge password proof mutual authentication technique against real-time phishing attacks," in Proceedings of the 3rd International Conference on Information Systems Security, pp.254-258, 2007.
  21. M. Saeed and H. S. Shahhoseini, "APPMA: An anti-phishing protocol with mutual authentication," in Proceedings of the 15th IEEE Symposium on Computers and Communications, pp.308-313, 2010.