• Journal of Korea Society of Digital Industry and Information Management
• /
• v.4 no.2
• /
• pp.21-28
• /
• 2008

There are some problems on the system that uses a password comprising a digital signature to identify the secret key owner under the public key infrastructure. For example, the password can be difficult to remember or easy to be disclosure, and users should make more complex password to protect it. A number of studies have been proceeded in order to overcome these defects using the fingerprint identification technologies, but they need to change the current standard of public key infrastructure. On the suggested private key escrow system, the private key can be withdrawn only through the enrollment and identification of a fingerprint template after it is saved to a reliable third system. Therefore, this new private key escrow system can remove previous inconveniences of managingthe private key on current public key infrastructure, and it exhibited superior results in terms of the evaluation items when compared with the integrated method of the existing fingerprint identification and public key infrastructure.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.34 no.4B
• /
• pp.435-441
• /
• 2009

The one-time password system solves the problem concerning password reuse caused by the repeated utilization of an identical password. The password reuse problem occurs due to the cyclic repetition at the time of password creation, and authentication failure can occur due to time deviation or non-synchronization of the number of authentication. In this study, the password is created asynchronously and exchanged with the user, who then signs using a digital signature in exchange for the password and a valid verification is requested along with the certificate to ensure non-repudiation. Besides this, a verification system for one-time password is proposed and designed to improve security by utilizing the validity verification that is divided into certificate verification and password verification. Comparative analysis shows that the mechanism proposed in this study is better than the existing methods in terms of replay attack, non-repudiation and synchronization failure.

• The Journal of Society for e-Business Studies
• /
• v.16 no.4
• /
• pp.1-16
• /
• 2011

A digital certificate mandated by the Electronic Signature Act has become familiar in our daily lives as 95% of the economically active population hold certificates. Due to upgrades to 256 bit level security that have become effective recently, the security and reliability of digital certificates are expected to increase. Digital certificates based on Public Key Infrastructure (PKI) have been known as "no big problem," but the possibility of password exposure in cases of leaked digital certificates still exists. To minimize this vulnerability, various existing studies have introduced alternative password methods, expansion of certificate storage media, and multiple certification methods. These methods perform enhanced functions but also have limitations including the fact that the secureness of passwords is not guaranteed. This study suggests an alternative method for enhancing the level of password secureness as a way to improve password security. This new method improves security management and enhances the convenience of using digital technologies. The results may be used for developing digital certificate related security technologies and research in the future.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.05a
• /
• pp.271-274
• /
• 2017

An educational institution issued a degree certificate to those students who have successfully completed all studies included in different levels of the degree program. The degree certificate presented by the University is of major significance in the person's life but the fabrication and circulation of fake certificates is inexpensive because a paper document can easily be forged with the availability of advance printing and copying technologies. So, there is a need to adopt a centralized authentication process that can verify and ensure the authenticity of a document. In order to prevent the spread of fake degree certificates a method is proposed where the integrity of the contents with in the certificate can be verified with the use of and Smart Phone Application. A Quick Response (QR) Code will contain a digital signature over the data such as degree holder's name, major program, Grade Point Average (GPA) obtained etc. Which will be signed by university authorities after the registration in central system and deployed in university. In order to verify the digital signature a person need to use a specific smart phone application which will scan and authenticate the certificate without gaining access to a user's security credentials such as password.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.4
• /
• pp.139-146
• /
• 2006

A Signcryption proposed by Yuliang Zheng in 1997 is a hybrid public key primitive that combines a digital signature and a encryption. It provides more efficient method than a straightforward composition of an signature scheme with a encryption scheme. In a mobile communication environment, the authenticated key agreement protocol should be designed to have lower computational complexity and memory requirements. The password-based authenticated key exchange protocol is to authenticate a client and a server using an easily memorable password. This paper proposes an secure Authenticated Key Exchange protocol using Signcryption scheme. In Addition we also show that it is secure and a more efficient that other exiting authenticated key exchange protocol.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.781-793
• /
• 2014

A Public Key Infrastructure (PKI) is security standards to manage and use public key cryptosystem. A PKI is used to provide digital signature, authentication, public key encryption functionality on insecure channel, such as E-banking and E-commerce on Internet. A soft-token private key in PKI is leaked easily because it is stored in a file at standardized location. Also it is vulnerable to a brute-force password attack as is protected by password-based encryption. In this paper, we proposed a new method that detects private key compromise and is probabilistically secure against a brute-force password attack though soft-token private key is leaked. The main idea of the proposed method is to use a genuine signature key pair and (n-1) fake signature key pairs to make an attacker difficult to generate a valid signature with probability 1/n even if the attacker found the correct password. The proposed method provides detection and notification functionality when an attacker make an attempt at authentication, and enhances the security of soft-token private key without the additional cost of construction of infrastructure thereby extending the function of the existing PKI and SSL/TLS.

• Journal of the Institute of Electronics Engineers of Korea TC
• /
• v.46 no.1
• /
• pp.121-132
• /
• 2009

Default password protection used in operating systems have had many advances, but when the attacker has physical access to the server or gets root(administrator) privileges, the attacker can steal the password information(e.g. shadow file in Unix-like systems or SAM file in Windows), and using brute force and dictionary attacks can manage to obtain users' passwords. It is really difficult to obligate users to use complex passwords, so it is really common to find weak accounts to exploit. In this paper, we present a secure authentication scheme based on digital signatures and secure key storage that solves this problem, and explain the possible implementations using Trusted Platform Module(TPM). We also make a performance analysis of hardware and software TPMs inside implementations.

• Proceedings of the Korea Contents Association Conference
• /
• 2004.05a
• /
• pp.283-288
• /
• 2004

Authentication and digital signature make secured existing contract in remote spot. But, It required method of storing and managing secret, such as private key password. For this method, we make efforts solution of security with smart cart, such as java card. This paper implement SEED algorithm based on Java Card

• Journal of Digital Convergence
• /
• v.10 no.5
• /
• pp.215-222
• /
• 2012

A smart phone has functions of both telephone and computer. The wide spread use of smart phones has sharply increased the demand for mobile commerce. The smart phone based mobile services are available anytime, anywhere. In commercial transactions, a digital signature scheme is used to make legally binding signature to prove both integrity of commercial document and verification of the signer. Smart phones are more risky compared with personal computers on the problems of how to protect privacy information. It's also easy to let proxy user to authenticate instead of the smart phone owner. In existing password or token based schemes, the ID is not physically bound to the owner. Thus, those schemes can not solve the problem of proxy authentication. To utilize the smart phone as the platform of mobile commerce, a study on the new type of authentication scheme is needed where the scheme should provide protocol to get legally binding signature and not to authenticate proxy user. In this paper, we create the mobile ID by using both the USIM and voice template of the smart phone owner. We also design and implement the user authentication scheme based on the mobile ID.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.747-754
• /
• 2003

Thia paper suggests a milti user-authentication system comprises that DNA biometric informatiom, owner's RFID(Radio Frequency Identification) smartcard of hardware token, and PKI digital signqture of software. This system improved items proposed in [1] as follows : this mechanism provides one RFID smartcard instead of two user-authentication smartcard(the biometric registered seal card and the DNA personal ID card), and solbers user information exposure as RFID of low proce when the card is lost. In addition, this can be perfect multi user-autentication system to enable identification even in cases such as identical twins, the DNA collected from the blood of patient who has undergone a medical procedure involving blood replacement and the DNA of the blood donor, mutation in the DNA base of cancer cells and other cells. Therefore, the proposed system is applied to terminal log-on with RFID smart card that stores accurate digital DNA biometric information instead of present biometric user-authentication system with the card is lost, which doesn't expose any personal DNA information. The security of PKI digital signature private key can be improved because secure pseudo random number generator can generate infinite one-time pseudo randon number corresponding to a user ID to keep private key of PKI digital signature securely whenever authenticated users access a system. Un addition, this user-authentication system can be used in credit card, resident card, passport, etc. acceletating the use of biometric RFID smart' card. The security of proposed system is shown by statistical anaysis.