• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.11 no.4
• /
• pp.3-14
• /
• 2001

A Web server makes use of the HTTP(Hyper Text Transfer Protocol) to communicate with a client. The HTTP is a stateless protocol; the server does not maintain any state information for ongoing interactions with the client. Therefore, the HTTP inevitably requires additional overhead as repeating data key-in to user for continuing communications. This overhead in Web environment can be resolved by the cookie technologies. However, the cookie is usually unsecured due to the clear-text to transfer on the network and to store in the file. That is, information in the cookie is easy to exposure, copy, and even change. In this paper, we propose a secure cookie mechanism appropriate to Web environment, and then present a design and implement of secure Web system based on the scheme. The Web system can be used to any web environment. It also provides some security services, such as confidentiality, authentication, integrity.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.5
• /
• pp.181-195
• /
• 2011

There's a controversy about an invasion of privacy which includes a leakage of private information and linking of user's behavior on internet. Although many solutions for this problem are proposed, we think anonymous authentication, authorization, and payment mechanism is the best solution for this problem. In this paper, we propose an effective anonymity-based method that achieves not only authentication but also authorization. Our proposed method uses anonymous qualification certificate and group signature method as an underlying primitive, and combines anonymous authentication and qualification information. An eligible user is legitimately issued a group member key pair through key issuing process and issued some qualification certificates anonymously, and then, he can take the safe and convenience web service which supplies anonymous authentication and authorization. The qualification certificate can be expanded according to application environment and it can be used as payment token.

• Journal of KIISE
• /
• v.43 no.10
• /
• pp.1094-1103
• /
• 2016

Physical Web and Eddystone can be serviced by a single integrated application on the device by using their servers' URL. However, they have a limitation that their servers must be customized for service characteristics on a case by case basis. In other words, regardless of the service selected for BLE, it should have a modified linkage application for each device. Hence, we think that a new integrated service platform, which is able to link and support its Beacon from the central server and is also able to support its application, is needed for achieving better service quality. This platform consists of push (Broadcasting for Beacon service) parts and pull (Connection) parts to establish communication. Especially, Pull should be operated and controlled under the authorization (secure) management for safe and trustable communication. It means that BLE must have its new authorization communications protocol to protect its data as much as possible. In this paper, we propose a BLE integrated authorization protocol for a BLE device control server based on Physical Web and Eddystone.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.3
• /
• pp.19-26
• /
• 2007

In recent rears. web portal system has received much attention as a user interface for the grid environment. Grid system uses symmetric key for authenticating user identity while the traditional portal system does a password-based authentication. Regarding this, many researches are progressing to integrate portal accounts with symmetric key. Specially. researches such as GAMA and PURSE are active and those focus on easy usability for users who familiar with password-based authentication. However the protection of data and resources is a critical issue in Grid environment, because those are shared through a wide-area network. In this paper, we suggest a new authentication mechanism which unify authentication mechanisms between portal system and grid service by using symmetric key. It will improve a security level in UI layer as much as in grid service.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.3
• /
• pp.757-767
• /
• 2016

Password authentication is the representative user authentication method and particularly text-based passwords are most widely used. Unfortunately, most users select weak passwords and so many web sites provide a password meter that measures password strength to derive the users to select strong passwords. However, some metering results are not consistent and incorrect strength feedbacks are made. In this paper, we tackle these problems regarding password meters and present an improvement direction.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 1997.11a
• /
• pp.345-353
• /
• 1997

Password checking is the most popular user authentication method. The keystroke dynamics can be combined to result in a more secure system. We propose an autoassociator multilayer perceptron which is trained with the timing vectors of the owner's keystroke dynamics and then used to discriminate between the owner and an imposter. An imposter typing the correct password can be detected with a very high accuracy using the proposed approach. The approach can also be used over the internet such as World Wide Web when implemented using a Java applet.

• Journal of Internet Computing and Services
• /
• v.16 no.1
• /
• pp.21-28
• /
• 2015

Currently there are wide variety of web services and applications available for users. Such services restrict access to only authorized users, and therefore its users often need to go through the inconvenience of getting an authentication from each service every time. To resolve of such inconvenience, a third party application with OAuth(Open Authorization) protocol that can provide restricted access to different web services has appeared. OAuth protocol provides applicable and flexible services to its users, but is exposed to reply attack, phishing attack, impersonation attack. Therefore we propose method that after authentication Access Token can be issued by using the E-mail authentication. In proposed method, regular user authentication success rate is high when value is 5 minutes. However, in the case of the attacker, the probability which can be gotten certificated is not more than the user contrast 0.3% within 5 minutes.

• The KIPS Transactions:PartC
• /
• v.12C no.3 s.99
• /
• pp.339-346
• /
• 2005

In recent years, the Grid development focus is transitioning from resources to services, A Grid Service is defined as a Web Service that provides a set of well-defined interfaces and follows specific conventions. SAML as a standard for Web Services which enables exchange of authentication, authorization, and profile information between different entities provides interoperability among different security services in distributed environments. In this paper, we implemented SAML API. By offering interoperability for non XML-based authentication technologies using SAML specification offering a method to integrate the existing Single Sign-On technologies, the API provides convenience for accessing different services in Grid architecture.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.1186-1189
• /
• 2010

스마트폰의 사용자 증가로 인한 스마트폰의 성장과 더불어 제 3 자 개발자들이 개발한 애플리케이션이 오픈 마켓에 등록되면서, 오픈 마켓의 시장 규모가 급속히 증가하고 있다. 하지만 제 3 자 개발자는 보안 관점에서 신뢰 할 수 없는 개체이며, 이들이 개발한 애플리케이션은 악의적 또는 개발자 실수에 의해 보안 문제를 일으킬 수 있다. 따라서 스마트폰과 같은 디바이스와, 앱스토어, 제 3 자 개발자 간에 인증이 요구되고 있다. 이를 위해 본 논문에서는 기존의 사설 인증 시스템에 인증서 소유 검증 모듈과 인증서 유효성 검증 모듈을 추가하고, 시스템의 확장성과 관리를 용이하게 만들기 위해 Web 기반의 사설 인증 시스템을 설계하고 구현한다.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.42 no.2
• /
• pp.349-357
• /
• 2017

Many Web sites adopt SMS(Short Message Service)-based user authentication when a user loses her password or approves an online payment. In SMS-based authentication, the authentication server sends a text in plaintext to a user's phone, and it allows an attacker who eavesdrops or intercepts the text to impersonate a valid user(victim). We propose a challenge-response scheme to prove to the authentication server that a user is in a certain place at the moment with her smartphone beside her. The proposed scheme generates a response using a challenge by the server, user's current location, and a secret on the user's smartphone all together. Consequently, the scheme is much more secure than SMS-based authentication that simply asks a user to send the same text arrived on her phone back to the server. In addition to entering the response, which substitutes the SMS text, the scheme also requests a user to input a passphrase to get the authentication process started. We believe, however, the additional typing should be tolerable to most users considering the enhanced security level of the scheme.