Cryptanalysis and Remedy Scheme on Qiu et al.'s Enhanced Password Authentication Scheme for SIP

  • Hyunsung Kim (School of Computer Science, Kyungil University)
  • Received: 2020.03.11
  • Reviewed: 2020.05.20
  • Published: 2020.05.28

Abstract

The Session Initiation Protocol (SIP) is a signaling protocol used to create, manage, and terminate sessions over Internet Protocol based networks. It makes it possible to implement services such as voice-based electronic commerce and instant messaging. Recently, Qiu et al. proposed an enhanced password authentication scheme for SIP and claimed that it is secure against all known attacks. However, this paper shows that Qiu et al.'s scheme is vulnerable to the off-line password guessing attack and has a denial-of-service problem. In addition, we propose an improved password authentication scheme as a remedy for these problems. The proposed scheme does not use a server-side verifier and relies on the basic operations of elliptic curve cryptography. Security validation is provided with the formal verification tool ProVerif. The security analysis shows that the improved authentication scheme is secure against various attacks on SIP.

References

  1. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley & E. Schooler. (2002). SIP: Session Initiation Protocol. RFC 3261.
  2. T. Robles, R. Ortiz & J. Salvachúa. (2003). Porting the session initiation protocol to IPv6. IEEE Internet Computing, 7(3), 43-50. https://doi.org/10.1109/MIC.2003.1200300
  3. C. Shen, F. Shen, Z. Wu & J. Luo. (2009). Application of session initiation protocol to networked sensor interfaces. Computer Standards & Interfaces, 31(2), 454-457. https://doi.org/10.1016/j.csi.2008.05.006
  4. E. Y. Ha. (2014). A Scalable Management Method for Asterisk-based Internet Telephony System. Journal of Digital Convergence, 12(8), 235-242. https://doi.org/10.14400/JDC.2014.12.8.235
  5. H. U. Kim, H. J. Kim, J. H. Kang & M. S. Jun. (2016). A Study on Analysis and Countermeasure of Security Threat in NFC. Journal of Digital Convergence, 14(12), 183-191. https://doi.org/10.14400/JDC.2016.14.12.183
  6. H. Kim & S. W. Lee. (2010). Modified Authenticated Key Exchange Protocol for SIP using ECC. Journal of Security Engineering, 7(4), 279-286.
  7. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen & L. Stewart. (1999). HTTP Authentication: Basic and Digest Access Authentication. RFC 2617.
  8. H. Tu, N. Kumar, N. Chilamkurti & S. Rho. (2015). An Improved Authentication Protocol for Session Initiation Protocol using Smart Card. Peer-to-peer Network and Application, 8(5), 903-910. https://doi.org/10.1007/s12083-014-0248-4
  9. M. S. Farash. (2016). Security Analysis and Enhancements of An Improved Authentication for Session Initiation Protocol with Provable Security. Peer-to-peer Network and Application, 9, 82-91. https://doi.org/10.1007/s12083-014-0315-x
  10. S. A. Chaudhry, H. Naqvi, M. Sher, M. S. Farash & M. U. Hassan. (2017). An Improved and Provably Secure Privacy Preserving Authentication Protocol for SIP. Peer-to-peer Network and Application, 10, 1-15. https://doi.org/10.1007/s12083-015-0400-9
  11. S. Qiu, G. Xu, H. Ahmad & Y. Guo. (2018). An Enhanced Password Authentication Scheme for Session Initiation Protocol with Perfect Forward Secrecy. Plos One, 13(3), e0194072. https://doi.org/10.1371/journal.pone.0194072
  12. S. Y. Jung & J. Kwak. (2013). Smart Card and Dynamic ID Based Electric Vehicle User Authentication Scheme. Journal of Digital Convergence, 11(7), 141-148. https://doi.org/10.14400/JDPM.2013.11.7.141
  13. H. W. Choi, S. Kim & M. Ryoo. (2019). Cryptanalysis and Solution on Secure Communication Scheme for Healthcare System using Wearable Devices. Journal of Digital Convergence, 17(2), 187-194. https://doi.org/10.14400/JDC.2019.17.2.187
  14. B. Blanchet. (2001). An efficient cryptographic protocol verifier based on prolog rules. Proc. of the 14th IEEE workshop on Computer Security Foundations, 82-96.
  15. D. Wang & P. Wang. (2016). Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound. IEEE Transactions on Dependable and Secure Computing, 15(4), 708-722. https://doi.org/10.1109/tdsc.2016.2605087