• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.4
• /
• pp.91-96
• /
• 2004

In this paper, we introduce two forgery attacks on the PMAC. If it has no truncation then the attack requires about $2^{n}$ 2+1/ chosen texts, otherwise, the attack requires about $2^{n}$ 2+1/ chosen texts and $2^{n-}$$\tau$ MAC verifications where $\tau$ is the size of the MAC. We also give a forgery attack on the TMAC variant which requires about $2^{n}$ 2+1/ texts.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.8
• /
• pp.4060-4075
• /
• 2019

ACORN is an authenticated encryption algorithm proposed as a candidate in the currently ongoing CAESAR competition. ACORN has a good performance on security and efficiency which has been a third-round candidate. This paper mainly concentrates on the security of ACORN under the forgery attack and the non-repudiation of ACORN. Firstly, we analyze the differential properties of the feedback function in ACRON are analyzed. By taking advantage of these properties, the forgery attacks on round-reduced ACORN are proposed with a success probability higher than $2^{-128}$ when the number of finalization rounds is less than 87. Moreover, the non-repudiation of ACRON in the nonce-reuse setting is analyzed. The known collision can be used to deny the authenticated message with probability $2^{-120}$. This paper demonstrates that ACORN cannot generate the non-repudiation completely. We believe it is an undesirable property indeed.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.103-107
• /
• 2007

This paper represents a forgery attack on new authenticated encryption mode $NAE^{[1]}$ which was proposed at JCCI 2003. NAE is a new authenticated encryption mode which is combined with CFB mode and CTR mode. And it provides confidentiality. In this paper, we show that it is possible to make a valid ciphertext-tag pair only by modifying a ciphertext.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.273-278
• /
• 2013

Recently, user authentication schemes using smart cards for multi-server environment have been proposed for practical applications. In 2009, Liao-Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environment that can withstand the various possible attacks and provide user anonymity. In this paper, we analyze the security of Liao-Wang's scheme, and we show that Liao-Wang's scheme is still insecure against the forgery attack, the password guessing attack, the session key attack, and the insider attack. In addition, Liao-Wang's scheme does not provide user anonymity between the user and the server.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.6 no.3
• /
• pp.69-77
• /
• 2010

Authentication and key establishment are fundamental procedures to establish secure communications over public insecure network. A password-based scheme is common method to provide authentication. In 2008, Khan proposed an efficient password-based authentication scheme using smart cards to solve the problems inherent in Wu-Chieu's authentication scheme. As for security, Khan claimed that his scheme is secure and provides mutual authentication between legal users and a remote server. In this paper, we demonstrate Khan's scheme to be vulnerable to various attacks, i. e., password guessing attack, insider attack, reflection attack and forgery attack. Our study shows that Khan's scheme does not provide mutual authentication and is insecure for practical applications. This paper proposes an improved scheme to overcome these problems and to preserve user anonymity that is an issue in e-commerce applications.

• Proceedings of the KSRS Conference
• /
• 2005.10a
• /
• pp.678-682
• /
• 2005

IETF suggested AAA for safe and reliable user authentication on various network and protocol caused by development in internet and increase in users. Diameter standard authentication system does not provide mutual authentication and non-repudiation. AAA authentication system using public key was suggested to supplement such Diameter authentication but application in mobile service control nodes is difficult due to overhead of communication and arithmetic. ID based AAA authentication system was suggested to overcome such weak point but it still has the weak point against collusion attack or forgery attack. In this thesis, new ID based AAA authentication system is suggested which is safe against collusion attack and forgery attack and reduces arithmetic quantity of mobile nodes with insufficient arithmetic and power performance. In this thesis, cryptological safety and arithmetical efficiency is tested to test the suggested system through comparison and assessment of current systems. Suggested system uses two random numbers to provide stability at authentication of mobile nodes. Also, in terms of power, it provides the advantage of seamless service by reducing authentication executing time by the performance of server through improving efficiency with reduced arithmetic at nodes.

• Journal of Convergence Society for SMB
• /
• v.5 no.3
• /
• pp.27-31
• /
• 2015

As the number of smartphone users is increasing with the development of mobile devices, the range of monetary transaction from the individual use is increasing. Therefore, hacking methods are diversified and the information forgery of mobile devices has been a current issue. The forgery via apps in mobile devices is a hacking method that creates an app similar to well-known apps to deceive the users. The forgery attack corresponds to the violation of integrity, one of three elements of security. Due to the forgery, the value and credibility of an app decreases with the risk increased. With the forgery in app, private information and data can be stolen and the financial losses can occur. This paper examined the forgery, and suggested a way to detect it, and sought the countermeasure to the forgery.

• Journal of the Korea Society of Computer and Information
• /
• v.15 no.2
• /
• pp.119-125
• /
• 2010

Recently Hsiang-Shih proposed the user authentication scheme to improve Yoon et al's scheme. But the proposed scheme has not been satisfied security requirements considering in the user authentication scheme using the password based smart card. In this paper, we proved that Hsiang-Shih's scheme is vulnerable to the off-line password guessing attack. In other words, the attacker can get the user's password using the off-line password guessing attack on the scheme when the attacker steals the user's smart card and extracts the information in the smart card. Also, the improved scheme based on the hash function and random number was introduced, thus preventing the attacks, such as password guessing attack, forgery attack and impersonation attack etc. And we suggested the effective mutual authentication scheme that can authenticate each other at the same time between the user and server.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.3
• /
• pp.109-114
• /
• 2005

On the research for constructing secure group-oriented proxy signature schemes, there are several proposals of threshold proxy signature schemes which combine the notions of proxy signature with threshold signature. Recently, Hsu and Wu proposed a threshold proxy signature scheme which uses a self-certified public key based on discrete logarithm problem. In this paper, we show that this scheme is vulnerable to original signer's forgery attack. So our attack provides the evidence that this scheme does not satisfy nonrepudiation property.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.39B no.3
• /
• pp.162-168
• /
• 2014

Cross-Site Request Forgery is one of the attack techniques occurring in today's Web Applications. It allows an unauthorized attacker to send authorized requests to Web Server through end-users' browsers. These requests are approved by the Web Server as normal requests therefore unexpected results arise. The problem is that the Web Server verifies an end-user using his Cookie information. In this paper, we propose an enhanced CSRF defense scheme which uses Page Identifier and user password's hash value in addition to the Cookie value which is used to verify the normal requests. Our solution is simple to implement and solves the problem of the token disclosure when only a random token is used for normal request verification.