• Title/Summary/Keyword: Insider Attack

Search Result 45, Processing Time 0.027 seconds

Security Analysis and Enhancement on Smart card-based Remote User Authentication Scheme Using Hash Function (효율적인 스마트카드 기반 원격 사용자 인증 스킴의 취약점 분석 및 개선 방안)

  • Kim, Youngil;Won, Dongho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.6
    • /
    • pp.1027-1036
    • /
    • 2014
  • In 2012, Sonwanshi et al. suggested an efficient smar card based remote user authentication scheme using hash function. In this paper, we point out that their scheme is vulnerable to offline password guessing attack, sever impersonation attack, insider attack, and replay attack and it has weakness for session key vulnerability and privacy problem. Furthermore, we propose an improved scheme which resolves security flaws and show that the scheme is more secure and efficient than others.

Problem Analysis and Enhancement of 'An Improved of Enhancements of a User Authentication Scheme'

  • Mi-Og Park
    • Journal of the Korea Society of Computer and Information
    • /
    • v.29 no.6
    • /
    • pp.53-60
    • /
    • 2024
  • In this paper, we analyze the authentication scheme of Hwang et al. proposed in 2023 and propose a new authentication scheme that improves its problems. Hwang et al. claimed that their authentication scheme was practical and secure, but as a result of analysis in this paper, it is possible to attack the password/ID guessing attack and session key disclosure attack due to insider attack and stolen smart card attack. In addition, Hwang et al.'s authentication scheme, which provides user anonymity, does not provide user untraceability due to its unstable design. The proposed authentication scheme, which improves these problems, not only provides user untraceability, but also is secure for stolen smart card attack, insider attack, session key disclosure attack, and replay attack. In addition, except for one fuzzy extraction operation, it shows the same complexity or very similar one as related authentication schemes. Therefore, the proposed authentication scheme can be said to be an authentication scheme with safety and practicality.

Vulnerability Analysis of Insider Attack on TPM Command Authorization Protocol and Its Countermeasure (TPM 명령어 인가 프로토콜에 대한 내부자 공격 취약점 분석 및 대응책)

  • Oh, Doo-Hwan;Choi, Doo-Sik;Kim, Ki-Hyun;Oh, Soo-Hyun;Ha, Jae-Cheol
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.12 no.3
    • /
    • pp.1356-1366
    • /
    • 2011
  • The TPM(Trusted Platform Module) is a hardware chip to support a trusted computing environment. A rightful user needs a command authorization process in order to use principal TPM commands. To get command authorization from TPM chip, the user should perform the OIAP(Object-Independent Authorization Protocol) or OSAP(Object-Specific Authorization Protocol). Recently, Chen and Ryan alerted the vulnerability of insider attack on TPM command authorization protocol in multi-user environment and presented a countermeasure protocol SKAP(Session Key Authorization Protocol). In this paper, we simulated the possibility of insider attack on OSAP authorization protocol in real PC environment adopted a TPM chip. Furthermore, we proposed a novel countermeasure to defeat this insider attack and improve SKAP's disadvantages such as change of command suructures and need of symmetric key encryption algorithm. Our proposed protocol can prevent from insider attack by modifying of only OSAP command structure and adding of RSA encryption on user and decryption on TPM.

Analysis and Improved Solution of Hussian et al.'s Authentication Protocol for Digital Rights Management

  • Mi-Og Park
    • Journal of the Korea Society of Computer and Information
    • /
    • v.28 no.5
    • /
    • pp.67-74
    • /
    • 2023
  • In this paper, we analyze the authentication protocol for DRM proposed by Hussain et al. in 2022, and present an improved solution. Hussain et al. argued that their authentication protocol guarantees man-in-the-middle attack, replay attacks, and mutual authentication. However, as a result of analyzing Hussain et al.'s authentication protocol in this paper, Hussain et al.'s authentication protocol still has an insider attack problem, a problem with Yu et al.'s authentication protocol that they pointed out. For this reason, when an inside attacker acquires information on a mobile device, a user impersonation attack was also possible. In addition, there were problems with the user's lack of ID format verification and the problem of the secret key mismatch of the digital contents between the server and the user. Therefore, this paper proposes an improved solution to solve these problems. As a result of analysis in this paper, the improved solution is safe from various attacks such as smart card attack, insider attack, and password guessing attack and can safely authenticate users of DRM.

Secure Remote User Authentication Protocol against Privileged-Insider Attack (Privileged-Insider 공격에 안전한 원격 사용자 인증 프로토콜)

  • Lee, SungYup;Park, YoHan;Park, YoungHo
    • Journal of Korea Multimedia Society
    • /
    • v.20 no.4
    • /
    • pp.614-628
    • /
    • 2017
  • Recently, Due to the rapid development of the internet and IT technology, users can conveniently use various services provided by the server anytime and anywhere. However, these technologies are exposed to various security threat such as tampering, eavesdropping, and exposing of user's identity and location information. In 2016, Nikooghadam et al. proposed a lightweight authentication and key agreement protocol preserving user anonymity. This paper overcomes the vulnerability of Nikooghadam's authentication protocol proposed recently. This paper suggests an enhanced remote user authentication protocol that protects user's password and provides perfect forward secrecy.

Vulnerability Attack for Mutual Password Authentication Scheme with Session Key agreement (세션 키 동의를 제공하는 상호인증 패스워드 인증 스킴에 대한 취약점 공격)

  • Seo Han Na;Choi Youn Sung
    • Convergence Security Journal
    • /
    • v.22 no.4
    • /
    • pp.179-188
    • /
    • 2022
  • Password authentication schemes (PAS) are the most common mechanisms used to ensure secure communication in open networks. Mathematical-based cryptographic authentication schemes such as factorization and discrete logarithms have been proposed and provided strong security features, but they have the disadvantage of high computational and message transmission costs required to construct passwords. Fairuz et al. therefore argued for an improved cryptographic authentication scheme based on two difficult fixed issues related to session key consent using the smart card scheme. However, in this paper, we have made clear through security analysis that Fairuz et al.'s protocol has security holes for Privileged Insider Attack, Lack of Perfect Forward Secrecy, Lack of User Anonymity, DoS Attack, Off-line Password Guessing Attack.

Remark on the Security of Password Schemes (패스워드 인증 키교환 프로토콜의 안전성에 관한 고찰)

  • 이희정
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.13 no.4
    • /
    • pp.161-168
    • /
    • 2003
  • We discuss the security of two famous password authenticated key exchange protocols, EKE2 and PAK. We introduce ′insider assisted attack′ Based on this assumption we point out weakness of the security of EKE2 and PAK protocols. More precisely, when the legitimate user wants to find other user′s password, called "insider-assisted attacker", the attacker can find out many ephemeral secrets of the server and then after monitoring on line other legitimate user and snatching some messages, he can guess a valid password of the user using the previous information. Of course for this kind of attack there are some constraints. Here we present a full description of the attack and point out that on the formal model, one should be very careful in describing the adversary′s behavior.

Weaknesses Cryptanalysis of Khan's Scheme and Improved Authentication Scheme preserving User Anonymity (Khan 인증기법의 취약점 분석과 개선된 사용자 익명성 제공 인증기법)

  • Park, Mi-Og
    • Journal of the Korea Society of Computer and Information
    • /
    • v.18 no.2
    • /
    • pp.87-94
    • /
    • 2013
  • In this paper, we analyse the weaknesses of authentication scheme preserving user anonymity proposed by Khan et al in 2011 and we propose a new authentication schemes preserving user anonymity that improved these weaknesses. Khan et al's authentication scheme is vulnerable to insider attack and doesn't provide user anonymity to the server. Also, this scheme is still a weakness of wrong password input by mistake in spite of proposing the password change phase. In this paper, we will show that Khan et al's scheme is vulnerable to the stolen smart card attack and the strong server/user masquerade attack. The proposed authentication scheme propose the improved user anonymity, which can provide more secure privacy to user by improving these weaknesses.

Security Analysis and Enhancement of Tsai et al.'s Smart-Card Based Authentication Scheme (스마트카드 기반 Tsai et al. 인증기법의 안전성 분석과 새로운 보안기법 연구)

  • Kim, Myungsun
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.39B no.1
    • /
    • pp.29-37
    • /
    • 2014
  • In this paper we show that a dynamic ID authentication scheme using smart cards proposed by Tsai et al. is not secure against DoS attack and insider attack. Further we claim that their scheme may raise a security problem when a user changes his/her password. Then we come up with a security-enhanced version only with small additional computational cost. Our scheme is based on the security of cryptographic hash function and the infeasibility assumption of discrete logarithm problem. In addition, we provide details of security and computational cost analysis.

Remote System User Authentication Scheme using Smartcards (스마트카드를 이용한 원격 시스템 사용자 인증 프로토콜)

  • Jeong, Min-Kyoung;Shin, Seung-Soo;Han, Kun-Hee;Oh, Sang-Young
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.10 no.3
    • /
    • pp.572-578
    • /
    • 2009
  • Bindu et al. pointed out that Chein et al. scheme is insecure insider attack and man-in-middle attack. And then they proposed new one. In the paper, However, Bindu et al's scheme also have some problems; It is strong masquerading server/user attack and restricted reply attack. Hence we proposed improved scheme. finally, we completely had evaluated the one's security on strong masquerading server/user attack, Insider attack, Restricted attack, Stolen-verifier attack and forward secrecy. In this paper, although proposed scheme includes more operation than Bindu et al. scheme, our scheme overcomes problems of Bindu et al. scheme by the operation that is light as not to influence on modern computing technology.