• Title/Summary/Keyword: password guessing

검색결과 78건 처리시간 0.02초

Cryptanalysis on a Three Party Key Exchange Protocol-STPKE'

  • Tallapally, Shirisha;Padmavathy, R.
    • Journal of Information Processing Systems
    • /
    • 제6권1호
    • /
    • pp.43-52
    • /
    • 2010
  • In the secure communication areas, three-party authenticated key exchange protocol is an important cryptographic technique. In this protocol, two clients will share a human-memorable password with a trusted server, in which two users can generate a secure session key. On the other hand the protocol should resist all types of password guessing attacks. Recently, STPKE' protocol has been proposed by Kim and Choi. An undetectable online password guessing attack on STPKE' protocol is presented in the current study. An alternative protocol to overcome undetectable online password guessing attacks is proposed. The results show that the proposed protocol can resist undetectable online password guessing attacks. Additionally, it achieves the same security level with reduced random numbers and without XOR operations. The computational efficiency is improved by $\approx$ 30% for problems of size $\approx$ 2048 bits. The proposed protocol is achieving better performance efficiency and withstands password guessing attacks. The results show that the proposed protocol is secure, efficient and practical.

Vulnerability of Two Password-based Key Exchange and Authentication Protocols against Off-line Password-Guessing Attacks (두 패스워드 기반 키 교환 및 인증 프로토콜들에 대한 오프라인 패스워드 추측 공격의 취약성 분석)

  • Shim, Kyung-Ah;Lee, Hyang-Sook;Lee, Ju-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • 제18권1호
    • /
    • pp.3-10
    • /
    • 2008
  • Since a number of password-based protocols are using human memorable passwords they are vulnerable to several kinds of password guessing attacks. In this paper, we show that two password-based key exchange and authentication protocols are insecure against off-line password-guessing attacks.

Secure Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks (비대칭 무선랜 환경을 위한 안전한 패스워드 인증 키 교환 프로토콜)

  • Yang, Hyung-Kyu
    • Journal of the Korea Society of Computer and Information
    • /
    • 제16권2호
    • /
    • pp.173-181
    • /
    • 2011
  • User authentication and key exchange protocols are the most important cryptographic applications. For user authentication, most protocols are based on the users' secret passwords. However, protocols based on the users' secret passwords are vulnerable to the password guessing attack. In 1992, Bellovin and Merritt proposed an EKE(Encrypted Key Exchange) protocol for user authentication and key exchage that is secure against password guessing attack. After that, many enhanced and secure EKE protocols are proposed so far. In 2006, Lo pointed out that Yeh et al.'s password-based authenticated key exchange protocol has a security weakness and proposed an improved protocol. However, Cao and Lin showed that his protocol is also vulnerable to off-line password guessing attack. In this paper, we show his protocol is vulnerable to on-line password guessing attack using new attack method, and propose an improvement of password authenticated key exchange protocol for imbalanced wireless networks secure against password guessing attack.

Password Guessing Attack Resistant Circular Keypad for Smart Devices (패스워드 추정 공격에 강인한 스마트 기기용 순환식 키패드)

  • Tak, Dongkil;Choi, Dongmin
    • Journal of Korea Multimedia Society
    • /
    • 제19권8호
    • /
    • pp.1395-1403
    • /
    • 2016
  • In recent years, researches of security threats reported that various types of social engineering attack were frequently observed. In this paper, we propose secure keypad scheme for mobile devices. In our scheme, every edge of keypad is linked each other, and it looks like a sphere. With this keypad, users input their password using pre-selected grid pointer. Because of circulation of the keypad layout, even though the attacker snatch the user password typing motion through the human eyes or motion capture devices, attacker do not estimate the original password. Moreover, without the information of grid pointer position, the attacker do not acquire original password. Therefore, our scheme is resistant to password guessing attack.

Cryptanalysis on Lu-Cao's Key Exchange Protocol (Lu-Cao 패스워드기반 키 교환 프로토콜의 안전성 분석)

  • Youn, Taek-Young;Cho, Sung-Min;Park, Young-Ho
    • 한국정보통신설비학회:학술대회논문집
    • /
    • 한국정보통신설비학회 2008년도 정보통신설비 학술대회
    • /
    • pp.163-165
    • /
    • 2008
  • Recently, Lu and Cao proposed a password-authenticated key exchange protocol in the three party setting, and the authors claimed that their protocol works within three rounds. In this paper, we analyze the protocol and show the protocol cannot work within three rounds. We also find two security flaws in the protocol. The protocol is vulnerable to an undetectable password guessing attack and an off-line password guessing attack.

  • PDF

An Efficient and Reliable Authentication Protocol for Password-based Systems (패스워드 기반 시스템을 위한 효율적이고 안전한 인증 프로토콜의 설계 및 검증)

  • 권태경;강명호;송주석
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • 제7권2호
    • /
    • pp.27-42
    • /
    • 1997
  • We propose a new authentication and key distribution protocol which is efficient and reliable for password-based systems. Various guessing attacks have been detected in applying conventional protocols to the password-based systems and additional overheads have been made in refined protocols to defeat those attacks. Using a one-time pad and a strong hash function, our proposed protocol promotes reliability and efficiency. Compared with other protocols, our protocol is secure against various protocol attacks including guessing attacks. In addition, this protocol is efficient in reducing communication and computation costs.

Password-based Authenticated Key Agreement Protocol Secure Against Advanced Modification Attack (Advanced Modification 공격에 안전한 패스워드 기반 키 동의 프로토콜)

  • Kwak, Jin;Oh, Soo-Hyun;Yang, Hyung-Kyu;Won, Dong-Ho
    • The KIPS Transactions:PartC
    • /
    • 제11C권3호
    • /
    • pp.277-286
    • /
    • 2004
  • Password-based mechanism is widely used methods for user authentication. Password-based mechanisms are using memorable passwords(weak ferrets), therefore Password-based mechanism are vulnerable to the password guessing attack. To overcome this problem, man password-based authenticated key exchange protocols have been proposed to resist password guessing attacks. Recently, Seo-Sweeny proposed password-based Simple Authenticated Key Agreement(SAKA) protocol. In this paper, first, we will examine the SAKA and authenticated key agreement protocols, and then we will show that the proposed simple authenticated key agreement protocols are still insecure against Advanced Modification Attack. And we propose a password-based Simple Authenticated Key Agreement Protocol secure against Advanced Modification Attack.

Analysis on Security Vulnerability of Password-based key Exchange and Authentication Protocols (패스워드 기반 키 교환 및 인증 프로토콜의 안전성에 관한 분석)

  • Park, Choon-Sik
    • Journal of Korea Multimedia Society
    • /
    • 제11권10호
    • /
    • pp.1403-1408
    • /
    • 2008
  • A number of three party key exchange protocols using smart card in effort to reduce server side workload and two party password based key exchange authentication protocols has been proposed. In this paper, we introduce the survey and analysis on security vulnerability of smart card based three party authenticated key exchange protocols. Furthermore, we analyze Kwak et al's password based key exchange and authentication protocols which have shown security weakness such as Shim et al's off-line password guessing attack and propose the countermeasure to deter such attack.

  • PDF

A Novel Two-party Scheme against Off-line Password Guessing Attacks using New Theorem of Chaotic maps

  • Zhu, Hongfeng
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • 제11권12호
    • /
    • pp.6188-6204
    • /
    • 2017
  • Over the years, more password-based authentication key agreement schemes using chaotic maps were susceptible to attack by off-line password guess attack. This work approaches this problem by a new method--new theorem of chaotic maps: $T_{a+b}(X)+T_{a-b}(X)=2T_a(X)T_b(X)$,(a>b). In fact, this method can be used to design two-party, three-party, even in N-party intelligently. For the sake of brevity and readability, only a two-party instance: a novel Two-party Password-Authenticated Key Agreement Protocol is proposed for resisting password guess attack in this work. Compared with the related literatures recently, our proposed scheme can be not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. For capturing improved ratio of security and efficiency intuitively, the paper firstly proposes a new parameter called security/efficiency ratio(S/E Ratio). The higher the value of the S/E Ratio, the better it is. Finally, we give the security proof and the efficiency analysis of our proposed scheme.

Security Improvement of Remote User Authentication Scheme based on Smart Cards (스마트 카드 기반 사용자 인증 스킴의 보안 개선)

  • Joo, Young-Do;An, Young-Hwa
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • 제11권5호
    • /
    • pp.131-137
    • /
    • 2011
  • Recently Lin et al. proposed a simple remote user authentication scheme using smart cards. But the proposed scheme has not satisfied security requirements which should be considered in the user authentication scheme using the password based smart card. In this paper, we show that Lin et al.'s scheme is insecure against off-line password guessing attack. In their scheme, any legal user's password may be derived from the password guessing when his/her smart card is stolen and the secret information is leaked from the smart card by an attacker. Accordingly, we demonstrate the vulnerability of their scheme and present an enhancement to resolve such security weakness. Our proposed scheme can withstand various possible attacks including password guessing attack. Furthermore, this improved scheme can provide mutual authentication to improve the security robustness. Performance evaluation shows that the proposed scheme is relatively more effective than Lin et al.'s scheme.