• Title/Summary/Keyword: password

Search Result 883, Processing Time 0.031 seconds

Analysis on Security Vulnerability of Password-based key Exchange and Authentication Protocols (패스워드 기반 키 교환 및 인증 프로토콜의 안전성에 관한 분석)

  • Park, Choon-Sik
    • Journal of Korea Multimedia Society
    • /
    • v.11 no.10
    • /
    • pp.1403-1408
    • /
    • 2008
  • A number of three party key exchange protocols using smart card in effort to reduce server side workload and two party password based key exchange authentication protocols has been proposed. In this paper, we introduce the survey and analysis on security vulnerability of smart card based three party authenticated key exchange protocols. Furthermore, we analyze Kwak et al's password based key exchange and authentication protocols which have shown security weakness such as Shim et al's off-line password guessing attack and propose the countermeasure to deter such attack.

  • PDF

A Novel Two-party Scheme against Off-line Password Guessing Attacks using New Theorem of Chaotic maps

  • Zhu, Hongfeng
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.11 no.12
    • /
    • pp.6188-6204
    • /
    • 2017
  • Over the years, more password-based authentication key agreement schemes using chaotic maps were susceptible to attack by off-line password guess attack. This work approaches this problem by a new method--new theorem of chaotic maps: $T_{a+b}(X)+T_{a-b}(X)=2T_a(X)T_b(X)$,(a>b). In fact, this method can be used to design two-party, three-party, even in N-party intelligently. For the sake of brevity and readability, only a two-party instance: a novel Two-party Password-Authenticated Key Agreement Protocol is proposed for resisting password guess attack in this work. Compared with the related literatures recently, our proposed scheme can be not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. For capturing improved ratio of security and efficiency intuitively, the paper firstly proposes a new parameter called security/efficiency ratio(S/E Ratio). The higher the value of the S/E Ratio, the better it is. Finally, we give the security proof and the efficiency analysis of our proposed scheme.

User Authentication System using Base Password and Member Registration Information (기본 패스워드와 회원 가입 정보를 이용한 사용자 인증 시스템)

  • Jeong, Jongmun;Hwang, Mintae
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.20 no.12
    • /
    • pp.2289-2296
    • /
    • 2016
  • The password rules to be applied for the user account creation are often different by websites. Thus we often forget the password to sign in website and it creates waste of time for frequent password reset. In order to solve this problem we propose a new authentication method in this paper. When user forget the password to sign in, the existing methods require a password reset step but our proposed method provides new sign in scheme through the additional authentication step with base password and personal information registered at the member sign up stage. From the result of performance comparison the proposed method is considered to be more efficient than others because it provides not only an equivalent level of security with others but also requires only a half of the number of transactions and the time required for password reset step.

A Digital Door Lock System Using Time- Synchronous One Time Password (시간 동기 방식의 OTP를 이용한 디지털 도어락 시스템)

  • Hwang, Hyung-Jin;Kim, Kweon-Yang;Ha, Il-Kyu
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.21 no.5
    • /
    • pp.1027-1034
    • /
    • 2017
  • Recently, OTP (One-time-Password) log-in methods have been used in many areas to prevent leakage of personal information and enhance security. The OTP method is primarily used for security of bank personal account, this is one of the sophisticated security ways in which one time password is generated and checked to enhance security. Digital door locks frequently used in everyday life require convenience and safety simultaneously. Meanwhile, related technologies for digital door locks are evolving, but methods for enhancement of security are still unsatisfactory. Generally, the digital door lock using password input type has been most commonly used and especially it provides more convenience, but it has some problems such as password exposure and password oblivion. Therefore, in this study, we propose and implement the OTP-based digital door lock system with enhanced security and convenience features but without the risk of password exposure and oblivion.

Generation and Management of Strong Passwords using an Ownership Verified Smartphone (소유권 확인된 스마트폰을 이용한 강력한 패스워드 생성 및 관리)

  • Park, Jun-Cheol
    • Smart Media Journal
    • /
    • v.9 no.1
    • /
    • pp.30-37
    • /
    • 2020
  • Enforcing additional authentication to password-based authentication, in addition to attempting to increase the security of the password itself, helps to improve the security of the password authentication scheme. For a well-known problem of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership verified smartphone. Hence, even for sites not enforcing or supporting two-factor authentication, the logon process can benefit from the scheme's assurance of enhanced security with its two-factor equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for password retrieval service or the user's smartphone is leaked.

A Study of Password Management System for Improves the Availability and Efficiency (효율성과 가용성을 향상시킨 패스워드 관리시스템 연구)

  • Seo, Mi-Suk;Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2013.10a
    • /
    • pp.150-153
    • /
    • 2013
  • By the development of IT, most business has been processed on the IT solution-based servers has increased Therefore, the importance of security of the server is highlighted. And the need for password management server efficient and safe is raised. There is a need to change at least 8 characters to mix the numbers and letters and password change passwords on a regular basis, you need a password for each system account is set in a different way, but the continuation of the system there is a tendency to password problems occur problems caused by the limits of the introduction of human resources and introduction basis occurs. The password management feature, though it is expensive is partially providing integrated access control solutions at home and abroad, there is a drawback that stresses the traffic on the server. Future, we conducted a study of password management solutions for the server of the server is determined IT transformation trend of non-IT field to accelerate, is continuously increasing it accordingly.

  • PDF

On the Security of a New C2C-PAKA Protocol (새로운 C2C-PAKA 프로토콜의 안전성 연구)

  • Byun, Jin-Wook
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.3
    • /
    • pp.473-483
    • /
    • 2012
  • To achieve an entire end-to-end security, the classical authentication setting such that all participants have a same password is not practical since a password is not a common secret but a personal secret depending on an individual. Thus, an efficient client to client different password-based authenticated key agreement protocol (for short, EC2C-PAKA) has been suggested in the cross-realm setting. Very recently, however, a security weakness of the EC2C-PAKA protocol has been analyzed by Feng and Xu. They have claimed that the EC2C-PAKA protocol is insecure against a password impersonation attack. They also have presented an improved version of the EC2C-PAKA protocol. In this paper, we demonstrate that their claim on the insecurity of EC2C-PAKA protocol against a password impersonation attack is not valid. We show that the EC2C-PAKA protocol is still secure against the password impersonation attack. In addition, ironically, we show that the improved protocol by Feng and Xu is insecure against an impersonation attack such that a server holding password of Alice in realm A can impersonate Bob in realm B. We also discuss a countermeasure to prevent the attack.

A Study on the User Authentication and Key Exchange Service for Group Environment (그룹 환경의 사용자 인증 및 키 교환 서비스 프로토콜 연구)

  • Byun, Jin-Wook;Lee, Su-Mi;Lee, Dong-Hoon
    • Journal of Information Technology Services
    • /
    • v.8 no.2
    • /
    • pp.117-136
    • /
    • 2009
  • Over the years a password has been used as a popular authentication method between a client and a server because of its easy-to-memorize property. But, most password-based authentication services have focused on a same password authentication scheme which provides an authentication and key exchange between a client and a server with the same password. With rapid change of communication environments in the fields such as mobile networks, home networking, etc., the end-to-end security allowing users to hold different password is considered as one of main concerns. In this paper, we consider a new authentication service of how each client with different own password is able to authenticate each other, which is a quite new service paradigm among the existing services. This new service can be used in the current or next generation network environment where a mobile user in cell A wants to establish a secure end-to-end channel with users in ceil B, C, and D using only their memorable passwords. This end-to-end security service minimizes the interferences from the operator controlled by network components. To achieve this end-to-end security, we propose an authentication and key exchange service for group users in different realm, and analyze its security in a formal way. We also discuss a generic construction with the existing authentication schemes.

Two Factor Authentication System base on Software type of Secure Card For Secure Login (안전한 로그인을 위한 보안카드 기반 이중 인증 시스템에 대한 연구)

  • Jo, Je-Gyeong;Seo, Jong-Won;Lee, Hyung-Woo
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2007.05a
    • /
    • pp.977-980
    • /
    • 2007
  • 로그인 과정은 사용자의 ID와 Password를 기반으로 시스템에 대한 사용권한을 부여한다. 로그인 과정에서 입력된 ID와 Password 정보는 패킷 스니핑 또는 Keylogger 프로그램 등을 이용하여 악의적인 공격자에 의해 노출될 수 있다는 취약점이 있다. 웹서버 또는 웹메일 시스템 등에 등록된 ID와 Password가 노출된다면 이는 개인 프라이버시 문제와도 연결되어 매우 심각한 문제이기도 하다. 현재 대부분의 시스템에서는 ID와 Password 만을 가지고 사용자에 대한 인증 및 로그인 과정을 수행하기 때문에 더욱더 강력한 복합 로그인 메카니즘이 제시되어야 한다. 본 연구에서는 기존의 ID/Password 기반 로그인 기법과 더불어 소프트웨어 형태의 보안카드를 핸드폰에 설치하여 유무선망을 통한 이중 인증(Two factor authentication) 기법을 제시한다. 제안한 소프트웨어 형태의 보안카드 기반 로그인 기법은 ID/Password와 함께 부가적 정보로써 사용자의 핸드폰에 발급받은 보안카드내 난수 형태로 생성된 번호를 사용한다. 따라서 제안한 시스템을 사용할 경우 기존의 ID와 Password와 연계되어 일회용 패스워드 형태로 제공되는 보안카드 정보를 사용하여 로그인 과정을 수행하기 때문에 보다 안전한 인증 시스템을 구축할 수 있다.

  • PDF

Efficient Password-based Authenticated Key Exchange Protocol with Password Changing (패스워드를 변경 가능한 효율적인 패스워드 기반의 인증된 키 교환 프로토콜)

  • Lee Sung-Woon;Kim Hyun-Sung;Yoo Hee-Young
    • Journal of the Institute of Electronics Engineers of Korea TC
    • /
    • v.42 no.2 s.332
    • /
    • pp.33-38
    • /
    • 2005
  • In this paper, we propose a password-based authenticated key exchange protocol which authenticates each other and shares a session key using only a small memorable password between a client and a server over an insecure channel. The proposed protocol allows an authenticated client to freely change a his/her own password. The protocol is also secure against various attacks and provides the perfect forward secrecy. Furthermore, it has good efficiency compared with the previously well-known password-based protocols with the same security requirements.