http://dx.doi.org/10.13089/JKIISC.2011.21.1.15

Study on Mobile OTP(One Time Password) Mechanism based PKI for Preventing Phishing Attacks and Improving Availability  

Kim, Tha-Hyung (Financial Information Security, Graduate School for Information Security, Korea University)
Lee, Jun-Ho (Financial Information Security, Graduate School for Information Security, Korea University)
Lee, Dong-Hoon (Financial Information Security, Graduate School for Information Security, Korea University)
Abstract
The development of IT and information communication networks has driven the adoption of online financial transactions, giving users access to a variety of financial services. Alongside these positive effects, however, there have been negative ones, such as the DDoS (Distributed Denial of Service) attacks of 7 July 2009, which caused damage to users. The authentication technology used for online financial transactions (OTP) must be reviewed for safety from various angles, because unpredictable attacks such as phishing sites can bypass the authentication procedure, as has already occurred. This paper therefore proposes a mobile OTP (One Time Password) mechanism based on PKI to improve the safety of OTP authentication. The proposed mechanism operates on PKI: the secret is transmitted safely using the signatures and public-key encryption of the user and the authentication server. The user does not enter the OTP into the web site; instead, the generated OTP is transmitted directly to the authentication server. This improves availability for the user and resolves the problem exposed by the Citibank (USA) phishing site in 2006.
Keywords
OTP; Mobile OTP; Authentication; Phishing; Availability
Citations & Related Records
Times Cited By KSCI: 2