• Convergence Security Journal
• /
• v.7 no.1
• /
• pp.55-62
• /
• 2007

In ubiquitous environment the authentication protocol design for RFID security is studied to protect user privacy in RFID system. The XOR-based approach of RFID security is implemented inexpensively and simply. However because of using same security informations, ones of tag is disclosed easily. In this paper, we enhance the previous XOR-based authentication protocol using a circular shift operation.

• Journal of Advanced Navigation Technology
• /
• v.17 no.1
• /
• pp.24-32
• /
• 2013

Authentication is one of the necessary elements in the network environment. Many researches have detected security vulnerabilities to the existing authentication mechanisms and suggested secure mutual authentication protocols by resolving these vulnerabilities. The representative ones of them are SPMA(Strong Pass Mutual Authentication) and I-SPMA(Improved Strong Password Mutual Authentication). However, these protocols cause a critical problem when the shared secret information is de-synchronized between the server and the client. This paper proposes a revised protocol to resolve the de-synchronization problem. Based on a security assessment on the proposed protocol, we consider the proposed protocol is safer than the previous ones and possible to effectively make a user authentication system mre secure.

• Journal of Advanced Navigation Technology
• /
• v.14 no.3
• /
• pp.415-425
• /
• 2010

In public network, user authentication is important security technology. Especially, password-based authentication method is used the most widely in distributed environments, and there are many authentication methods. Their SPMA protocol indicates vulnerability about problem that NSPA protocol does not offer mutual authentication, and proposed Strong Password Mutual Authentication protocol with mutual authentication. However, SPMA protocol has vulnerability of replay attack. In the paper, we analyzed vulnerability to replay attack of SPMA protocol. And we also proposed Improved Strong Password Mutual Authentication protocol to secure on replay attack with same efficiency.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.29 no.7C
• /
• pp.997-1006
• /
• 2004

The rapid expansion of the Internet has provided users with a diverse range of services. Most Internet users create many different IDs and passwords to subscribe to various Internet services. Thus, the SSO system has been proposed to supplement vulnerable security that may arise from inefficient management system where administrators and users manage a number of ms. The SSO system can provide heightened efficiency and security to users and administrators. Recently commercialized SSO systems integrate a single agent with the broker authentication model. However, this hybrid authentication system cannot resolve problems such as those involving user pre-registration and anonymous users. It likewise cannot provide non-repudiation service between joining objects. Consequently, the hybrid system causes considerable security vulnerability. Since it cannot provide security service for the agent itself, the user's private information and SSO system may have significant security vulnerability. This paper proposed an authentication model that integrates a broker authentication model, out of various authentication models of the SSO system, with a multi-agent system. The proposed method adopts a secure multi-agent system that supplements the security vulnerability of an agent applied to the existing hybrid authentication system. The method proposes an SSO authentication model that satisfies various security requirements not provided by existing broker authentication models and hybrid authentication systems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.579-590
• /
• 2018

In May 2014, AppCard(Which is a smartphone application designed to register and use a credit card in a mobile phone by credit card company.) was attacked by smshing and a vulnerability which could not obtainable phone number. After that, credit card companies have supplemented and operated by introducing additional authentication methods to supplement the vulnerability. However, The analysis of the authentication environments, purposes and methods is not enough to lower the level of vulnerability and risk from existing accidents. This study analyzes the authentication process of the AppCard in the electronic financial service by applying the NIST's authentication guidelines, identifies the problems and suggests improvement directions. The method analyzed in this study can be applied to the analysis of the authentication method in addition to the application card, so that it will be highly utilized.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.2
• /
• pp.315-327
• /
• 2017

Security threats such as unauthorized access and data tampering can occur during the virtual machine migration process. In particular, since virtual machine migration requires users to transfer important data and infrastructure information, it is relatively risky to other cloud services in case of security threats. For this reason, there is a need for dynamic authentication for virtual machine migration. Therefore, this paper proposes an OTP-based dynamic authentication framework to improve the vulnerabilities of the existing authentication mechanism for virtual machine migration. It consists of a virtual machine migration request module and an operation module. The request module includes an OTP-based user authentication process and a migration request process to a data center when a user requests a migration. The operation module includes a secure key exchange process between the data centers using SPEKE and a TOTP-based mutual authentication process between the data center and the physical server.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.2
• /
• pp.139-144
• /
• 2007

Due to the increasing use of Internet and spread of ubiquitous environment the security of private information became an important issue. For this reason, many suggestions have been made in order to protect the privacy of users. In the study of authentication system using a smart card which is one of the methods for protecting private information, the main idea is to offer user anonymity. In 2004, Das et al. suggested an authentication system that guarantees anonymity by using a dynamic ID for the first time. However, this scheme couldn't guarantee complete anonymity as the identity of the user became revealed at log-in phase. In 2005, Chien at al. suggested a authentication system that guarantees anonymity, but this was only safe to the outsider(attacker). In this paper, we propose a scheme that enables the mutual authentication between the user and the sewer by using a smart card. For the protection of the user privacy, we suggest an efficient user authentication system that guarantees perfect anonymity to both the outsider and remote server.

• International Journal of Internet, Broadcasting and Communication
• /
• v.9 no.3
• /
• pp.35-43
• /
• 2017

In 2013, Lee-Lie proposed secure smart card based authentication scheme of Zhu's authentication for TMIS which is secure against the various attacks and efficient password change. In this paper, we discuss the security of Lee-Lie's smart card-based authentication scheme, and we have shown that Lee-Lie's authentication scheme is still insecure against the various attacks. Also, we proposed the improved scheme to overcome these security problems of Lee-Lie's authentication scheme, even if the secret information stored in the smart card is revealed. As a result, we can see that the improved smart card based user authentication scheme for TMIS is secure against the insider attack, the password guessing attack, the user impersonation attack, the server masquerading attack, the session key generation attack and provides mutual authentication between the user and the telecare system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.525-536
• /
• 2012

This paper proposes methods of securing Smart Grid system against various types of cyber threats by separating AMI networks from the public network, the Internet, and providing an AMI specific authentication framework. Due to the fact that thousands and millions of AMI devices to be deployed would be directly or indirectly connected to the public network without any authentication procedures for access control, currently being developed AMI architectures could be widely exposed to considerable number of penetrating attacks. Furthermore, there have not been a sufficient number of researches on authentication frameworks with basis on the specific circumstances of AMI networking that should support varied authentication protocols among security associations and AMI linking devices. This work makes a proposal of isolating smart meters from HAN devices and the Internet and integrating network/application level authentication frameworks with an EAP-based authentication architecture. These approaches are beneficial to deploy AMI with security and efficiency.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.12
• /
• pp.4987-5014
• /
• 2015

The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.