• Title/Summary/Keyword: Stolen-Verifier 공격

Search Result 12, Processing Time 0.03 seconds

An Unproved Optimal Strong-Password Authentication (I-OSPA) Protocol Secure Against Stolen-Verifier Attack and Impersonation Attack (Stolen-Verifier 공격과 Impersonation 공격에 안전한 개선된 OSPA 프로토콜)

  • Kwak, Jin;Oh, Soo-Hyun;Yang, Hyung-Kyu;Won, Dong-Ho
    • The KIPS Transactions:PartC
    • /
    • v.11C no.4
    • /
    • pp.439-446
    • /
    • 2004
  • In the Internet, user authentication is the most important service in secure communications. Although password-based mechanism is the most widely used method of the user authentication in the network, people are used to choose easy-to-remember passwords, and thus suffers from some Innate weaknesses. Therefore, using a memorable password it vulnerable to the dictionary attacks. The techniques used to prevent dictionary attacks bring about a heavy computational workload. In this paper, we describe a recent solution, the Optimal Strong-Password Authentication (OSPA) protocol, and that it is vulnerable to the stolen-verifier attack and an impersonation attack. Then, we propose an Improved Optimal Strong-Password Authentication (I-OSPA) protocol, which is secure against stolen-verifier attack and impersonation attack. Also, since the cryptographic operations are computed by the processor in the smart card, the proposed I-OSPA needs relatively low computational workload and communicational workload for user.

A secure token-updated authentication scheme using security key (비밀키를 이용한 토큰 업데이트 보안 인증 기법)

  • Liang, Jun;Jang, In-Joo;Yoo, Hyeong-Seon
    • The Journal of Society for e-Business Studies
    • /
    • v.12 no.1
    • /
    • pp.89-97
    • /
    • 2007
  • Recently, a large number of authentication schemes based on smart cards have been proposed, using the thinking of OTP (one-time password) to withstand replay attack. Unfortunately, if these schemes implement on PCs instead of smart cards, most of themcannot withstand impersonation attack and Stolen-Verifier attack since the data on PCs is easy to read and steal. In this paper, a secure authentication scheme based on a security key and a renewable token is proposed to implement on PCs. A comparison with other schemes demonstrates the proposed scheme has following merits: (1) Withstanding Stolen-Verifier attack (2) Withstanding Impersonation attack (3) Providing mutual authentication; (4) Easy to construct secure session keys.

  • PDF

A Verifier-free Scheme for User Authentication and Access Control Using Smart Cards: Improvement of Chen-Yeh's Method (스마트 카드를 사용한 검증자 없는 사용자 인증 및 접근 제어 방법: Chen-Yeh 방법의 개선)

  • Kim, Yong;Chung, Min Gyo
    • Journal of Internet Computing and Services
    • /
    • v.14 no.4
    • /
    • pp.43-51
    • /
    • 2013
  • User authentication and access control are two important components in high security applications. Recently, Chen and Yeh proposed a method to integrate both of them seamlessly. However, Chen-Yeh's scheme is vulnerable to a stolen verifier attack, since it maintains a smart card identifier table in a remote server. Therefore, this paper modifies Chen-Yeh's scheme and propose a new integrated authentication and access control scheme that is resilient to the stolen verifier attack while inheriting all the merits of Chen-Yeh's scheme. Security analysis shows that the proposed scheme withstands well-known security attacks and exhibits many good features.

Analysis of the Lee-Chen's One-Time Password Authentication Scheme (Lee와 Chen의 일회용 비밀번호 인증기법 분석)

  • You, Il-Sun;Kim, Bo-Nam;Kim, Heung-Jun
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.13 no.2
    • /
    • pp.285-292
    • /
    • 2009
  • In 2005, Lee and Chen suggested an enhanced one-time password authentication scheme which can prevent the stolen verifier attack that the Yeh-Shen-Whang's scheme has. The Lee-Chen's scheme addresses the stolen verifier attack by deriving each user's pre-shared secret SEED from the server secret. However, we investigated the weakness of the Lee-Chen's scheme and found out that it was suffering from the off-line dictionary attack on the server secret. We demonstrated that the off-line dictionary attack on the server secret can be easily tackled with only the help of the Hardware Security Modules (HSM). Moreover, we improved the scheme not to be weak to the denial of service attack and allow compromise of the past session keys even though the current password is stolen. Through the comparison between the Lee-Chen's scheme and the proposed one, we showed that the proposed one is stronger than other.

A Password-based Efficient Key Exchange Protocol (패스워드 기반의 효율적인 키 교환 프로토콜)

  • 이성운;김현성;유기영
    • Journal of KIISE:Information Networking
    • /
    • v.31 no.4
    • /
    • pp.347-352
    • /
    • 2004
  • In this paper, we propose a new key exchange protocol which authenticates each other and shares a session key between a user and a server over an insecure channel using only a small password. The security of the protocol is based on the difficulty of solving the discrete logarithm problem and the Diffie-Hellman problem and the cryptographic strength of hash function. The protocol is secure against the man-in-the-middle attack, the password guessing attack, the Denning-Sacco attack, and the stolen-verifier attack, and provide the perfect forward secrecy. Furthermore, it is more efficient than other well-known protocols in terms of protocol execution time because it could be executed in parallel and has a simple structure.

Efficient Password-based Key Agreement Protocol with Password Changing (패스워드를 변경 가능한 효율적인 패스워드 기반의 키 교환 프로토콜)

  • 이성운;김현성;유기영
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2003.10a
    • /
    • pp.622-624
    • /
    • 2003
  • 본 논문에서는 사람이 기억할 수 있는 패스워드만을 이용하여 안전하지 않은 통신상에서 사용자와 서버간에 서로를 인증하고 세션키를 공유하기 위한 새로운 키 교환 프로토콜을 제안한다. 제안된 프로토콜은 사용자가 자유롭게 자신의 패스워드를 변경할 수 있는 기능을 제공한다. 또한 여러 가지 다양한 공격들, 즉 패스워드 추측 공격, 중간 침입자 공격, Denning-Sacco 공격, Stolen-verifier 공격, 그리고 서비스 거부 공격에 안전하며, 완전한 전방향 보안성을 제공하도록 설계되었다.

  • PDF

Cryptanalysis of a Secure Remote User Authentication Scheme (안전한 원격사용자 인증스킴에 대한 취약성 분석)

  • Qiuyan, Jin;Lee, Kwang-Woo;Won, Dong-Ho
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.37 no.8C
    • /
    • pp.697-702
    • /
    • 2012
  • In 2011, C.-T. Li et al. proposed a secure user authentication scheme, which is an improvement over Kim et al.'s scheme to resolve several security flaws such as off-line password guessing attack and masquerading attack. C.-T. Li et al. claimed that their scheme prevents smart card security related attacks. Moreover, it provides mutual authentication and session key establishment. However, we found that their scheme is vulnerable to password guessing attack through password change phase, smart card forgery attack and stolen verifier attack. Moreover, C.-T. Li et al.'s scheme is not secure against password guessing attack as they claimed. In this paper, we also point out that their scheme is not practical to use.

An Anonymous Authentication Scheme for Health Information Push Service Based on Indoor Location in Hospital (병원 실내 위치기반 의료정보 푸쉬 서비스를 위한 익명 인증 스킴)

  • Ahn, Hae-Soon;Yoon, Eun-Jun;Nam, In-Gil
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.37 no.5C
    • /
    • pp.410-419
    • /
    • 2012
  • This paper proposes a secure and efficient anonymous authentication scheme for health information push service based on indoor location in hospital. The proposed scheme has the following benefits: (1)It is just based on a secure one-way hash function for avoiding complex computations for both health care operations users and health care centers. (2)It does not require sensitive verification table which may cause health care centers to become an attractive target for numerous attacks(e.g., insertion attacks and stolen-verifier attacks), (3)It provides higher security level (e.g., secure mutual authentication and key establishment, confidential communication, user's privacy, simple key management, and session key independence). As result, the proposed scheme is very suitable for various location-based medical information service environments using lightweight-device(e.g., smartphone) because of very low computation overload on the part of both health care operations users and health care centers.

Secure Handover Scheme in IEEE 802.16e/WiBro Networks (IEEE 802.16e/와이브로 망에서의 안전한 핸드오버 적용 방안)

  • Jo Hea-Suk;Jeon Woong-Ryul;Kim Seung-Joo;Won Dong-Ho
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference
    • /
    • 2006.06a
    • /
    • pp.318-321
    • /
    • 2006
  • 현재 국내 국책사업으로 추진 중인 와이브로(WiBro) 기술 규격이 포함되어 있는 휴대인터넷 표준 규격인 IEEE 802.16e는 IP기반으로, 이동성이 뛰어나고 고속전송 기능의 특징을 가지고 있다. 또한 기지국간의 핸드오버(Handover)를 지원함으로써 이동성을 지원한다. 그러나 이러한 핸드오버 기법에 있어서 Replay 공격, Man-in-the-Middle 공격, Stolen-Verifier 공격 등에 취약한 문제점이 드러나고 있다. 본 논문은 이러한 기존 핸드오버 기법의 취약점을 개선하기 위해서 사용자의 인증서와 Timestamp값을 통한 IEEE 802.16e/와이브로 망에서 안전한 핸드오버 적용 방안에 대해 제안한다.

  • PDF

A Two-Factor User Authorization Method and Its Implementation using TOTP and Password (TOTP와 패스워드를 이용한 Two-Factor 사용자 인증 방식 및 구현)

  • Jae, Ju-Hwan;Yoo, Seung-Lok;Lim, Hak-Chang;Bae, Dong-Hwan;Lee, Yun-Ho;Yang, Hyung-Gyu
    • Review of KIISC
    • /
    • v.20 no.6
    • /
    • pp.7-16
    • /
    • 2010
  • 인터넷 및 통신 기술의 발전은 사용자로 하여금 금융, 방송, 게임 등의 온라인 서비스 제공에 대한 시간 및 공간적 제한을 없애 주였지만, 다른 한편으로는 해커 등의 악의적 사용자로 인한 피해 가능성도 높이고 있다. 이를 해결하기 위한 다양한 보안 기법 가운데 하나가 OTP를 이용한 사용자 인증 방법이다. OTP는 재사용하지 않는 패스워드로서 기존 패스워드 인증 방식이 갖는 취약점을 해결할 수 있는 방식이다. 하지만 OTP 생성 단말의 도난이나 서버 해킹으로 인한 패스워드 추측공격 또는 Stolen verifier 공격 등에 취약할 수 있다. 본 논문에서는 위와 같은 문제점을 해결하기 위해서 두 가지 인증 정보 즉, 시간 기반 OTP 생성방식인 TOTP 및 패스워드를 이용하는 새로운 Two-Factor 인증 프로토콜인 POTP(Password embedded OTP)를 제안한다. 제안한 방식은 재전송 공격에 안전하며, 공격자가 OTP 생성용 디바이스를 획득하더라도 패스워드를 유추할 수 없고 서버의 인증 정보 데이터베이스를 획득하더라도 정상적인 사용자로 위장할 수 함께, 서버에서 인증 정보 보관시 연산 속도가 빠른 해쉬 함수를 이용할 수 있어 보다 효율적이다.