• Title/Summary/Keyword: Password-Based

Search Result 476, Processing Time 0.033 seconds

Remark on the Security of Password Schemes (패스워드 인증 키교환 프로토콜의 안전성에 관한 고찰)

  • 이희정
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.13 no.4
    • /
    • pp.161-168
    • /
    • 2003
  • We discuss the security of two famous password authenticated key exchange protocols, EKE2 and PAK. We introduce ′insider assisted attack′ Based on this assumption we point out weakness of the security of EKE2 and PAK protocols. More precisely, when the legitimate user wants to find other user′s password, called "insider-assisted attacker", the attacker can find out many ephemeral secrets of the server and then after monitoring on line other legitimate user and snatching some messages, he can guess a valid password of the user using the previous information. Of course for this kind of attack there are some constraints. Here we present a full description of the attack and point out that on the formal model, one should be very careful in describing the adversary′s behavior.

Remote Login Authentication Scheme based on Bilinear Pairing and Fingerprint

  • Kumari, Shipra;Om, Hari
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.9 no.12
    • /
    • pp.4987-5014
    • /
    • 2015
  • The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.

A Client/Sever Authenticated Key Exchange Protocol using Shared Password (공유 패스워드를 이용한 클라이언트/서버 인증 키 교환 프로토콜)

  • 류은경;윤은준;유기영
    • Journal of KIISE:Information Networking
    • /
    • v.31 no.3
    • /
    • pp.252-258
    • /
    • 2004
  • In this paper, we propose a new authenticated key exchange protocol in which client and sever can mutually authenticate and establish a session key over an insecure channel using only a human memorable password. The proposed protocol is based on Diffie-Hellman scheme and has many of desirable security attributes: It resists off-line dictionary attacks mounted by either Passive or active adversaries over network, allowing low-entropy Passwords to be used safely. It also offers perfect forward secrecy, which protects past sessions when passwords are compromised. In particular, the advantage of our scheme is that it is secure against an impersonation attack, even if a server's password file is exposed to an adversary. The proposed scheme here shows that it has better performance when compared to the previous notable password-based key exchange methods.

Design of a Kerberos Authentication Mechanism based on Password (패스워드 기반의 커버로스 인증 메커니즘 설계)

  • 조경옥;김종우;하태진;한승조
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2004.05b
    • /
    • pp.733-738
    • /
    • 2004
  • In a distributed network system, Kerberos certification mechanism is operated by a user in local area on the premise reliability of Kerberos server in another area. But it has a demerit. If security information of certification server between Kerberos servers is released, Kerberos server can not guarantee the reliability. To solve this problem, the proposed mechanism prevents password speculating attack by increasing the random of password certifier through use of distributed password in stead of certification center and certification which was presented by existing Kerberos mechanism. Besides, it used password based certification method which uses secret distributed technique

  • PDF

Vulnerability Attack for Mutual Password Authentication Scheme with Session Key agreement (세션 키 동의를 제공하는 상호인증 패스워드 인증 스킴에 대한 취약점 공격)

  • Seo Han Na;Choi Youn Sung
    • Convergence Security Journal
    • /
    • v.22 no.4
    • /
    • pp.179-188
    • /
    • 2022
  • Password authentication schemes (PAS) are the most common mechanisms used to ensure secure communication in open networks. Mathematical-based cryptographic authentication schemes such as factorization and discrete logarithms have been proposed and provided strong security features, but they have the disadvantage of high computational and message transmission costs required to construct passwords. Fairuz et al. therefore argued for an improved cryptographic authentication scheme based on two difficult fixed issues related to session key consent using the smart card scheme. However, in this paper, we have made clear through security analysis that Fairuz et al.'s protocol has security holes for Privileged Insider Attack, Lack of Perfect Forward Secrecy, Lack of User Anonymity, DoS Attack, Off-line Password Guessing Attack.

Password-Based Authenticated Tripartite Key Exchange Protocol (패스워드 기반 인증된 3자 키 교환 프로토콜)

  • Lee, Sang-Gon;Lee, Hoon-Jae;Park, Jong-Wook;Yoon, Jang-Hong
    • Journal of Korea Multimedia Society
    • /
    • v.8 no.4
    • /
    • pp.525-535
    • /
    • 2005
  • A password-based authenticated tripartite key exchange protocol based on A. Joux's protocol was proposed. By using encryption scheme with shared password, we can resolve man-in-the-middle attack and lack of authentication problems. We also suggested a scheme to avoid the offline dictionary attack to which symmetric encryption schemes are vulnerable. The proposed protocol does not require a trusted party which is required in certificate or identity based authentication schemes. Therefore in a ad hoc network which is difficult to install network infrastructure, the proposed protocol would be very useful. The proposed protocol is more efficient in computation aspect than any existing password-based authenticated tripartite key exchange protocols. When it is used as a base line protocol of tree based group key exchange protocol, the computational weak points of the proposed protocol are compensated.

  • PDF

A Digital Door Lock System Using Time- Synchronous One Time Password (시간 동기 방식의 OTP를 이용한 디지털 도어락 시스템)

  • Hwang, Hyung-Jin;Kim, Kweon-Yang;Ha, Il-Kyu
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.21 no.5
    • /
    • pp.1027-1034
    • /
    • 2017
  • Recently, OTP (One-time-Password) log-in methods have been used in many areas to prevent leakage of personal information and enhance security. The OTP method is primarily used for security of bank personal account, this is one of the sophisticated security ways in which one time password is generated and checked to enhance security. Digital door locks frequently used in everyday life require convenience and safety simultaneously. Meanwhile, related technologies for digital door locks are evolving, but methods for enhancement of security are still unsatisfactory. Generally, the digital door lock using password input type has been most commonly used and especially it provides more convenience, but it has some problems such as password exposure and password oblivion. Therefore, in this study, we propose and implement the OTP-based digital door lock system with enhanced security and convenience features but without the risk of password exposure and oblivion.

Generation and Management of Strong Passwords using an Ownership Verified Smartphone (소유권 확인된 스마트폰을 이용한 강력한 패스워드 생성 및 관리)

  • Park, Jun-Cheol
    • Smart Media Journal
    • /
    • v.9 no.1
    • /
    • pp.30-37
    • /
    • 2020
  • Enforcing additional authentication to password-based authentication, in addition to attempting to increase the security of the password itself, helps to improve the security of the password authentication scheme. For a well-known problem of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership verified smartphone. Hence, even for sites not enforcing or supporting two-factor authentication, the logon process can benefit from the scheme's assurance of enhanced security with its two-factor equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for password retrieval service or the user's smartphone is leaked.

A Study of Password Management System for Improves the Availability and Efficiency (효율성과 가용성을 향상시킨 패스워드 관리시스템 연구)

  • Seo, Mi-Suk;Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2013.10a
    • /
    • pp.150-153
    • /
    • 2013
  • By the development of IT, most business has been processed on the IT solution-based servers has increased Therefore, the importance of security of the server is highlighted. And the need for password management server efficient and safe is raised. There is a need to change at least 8 characters to mix the numbers and letters and password change passwords on a regular basis, you need a password for each system account is set in a different way, but the continuation of the system there is a tendency to password problems occur problems caused by the limits of the introduction of human resources and introduction basis occurs. The password management feature, though it is expensive is partially providing integrated access control solutions at home and abroad, there is a drawback that stresses the traffic on the server. Future, we conducted a study of password management solutions for the server of the server is determined IT transformation trend of non-IT field to accelerate, is continuously increasing it accordingly.

  • PDF

On the Security of a New C2C-PAKA Protocol (새로운 C2C-PAKA 프로토콜의 안전성 연구)

  • Byun, Jin-Wook
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.3
    • /
    • pp.473-483
    • /
    • 2012
  • To achieve an entire end-to-end security, the classical authentication setting such that all participants have a same password is not practical since a password is not a common secret but a personal secret depending on an individual. Thus, an efficient client to client different password-based authenticated key agreement protocol (for short, EC2C-PAKA) has been suggested in the cross-realm setting. Very recently, however, a security weakness of the EC2C-PAKA protocol has been analyzed by Feng and Xu. They have claimed that the EC2C-PAKA protocol is insecure against a password impersonation attack. They also have presented an improved version of the EC2C-PAKA protocol. In this paper, we demonstrate that their claim on the insecurity of EC2C-PAKA protocol against a password impersonation attack is not valid. We show that the EC2C-PAKA protocol is still secure against the password impersonation attack. In addition, ironically, we show that the improved protocol by Feng and Xu is insecure against an impersonation attack such that a server holding password of Alice in realm A can impersonate Bob in realm B. We also discuss a countermeasure to prevent the attack.