• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.1
• /
• pp.61-70
• /
• 2024

As users use various services along with the rapid increase in Internet services, it may be difficult to manage accounts. To solve these difficulties, various password management applications are emerging. From a forensic point of view, password management applications can provide clues to obtain criminal evidence. The purpose of this paper is to acquire the data stored by the user in the password management application. To this end, we propose a better way to decrypt the encrypted data through reverse engineering, evaluate the security of the application to be analyzed, and safely store the data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.5
• /
• pp.17-30
• /
• 2008

In the paper, we consider password-based authenticated key exchange with different passwords, where the users do not share a password between themselves, but only with the server. The users make a session key using their different passwords with the help of the server. We propose an efficient password-based authenticated key exchange protocol with different passwords which achieves forward secrecy without random oracles. In fact this amount of computation and the number of rounds are comparable to the most efficient password-based authenticated key exchange protocol in the random oracle model. The protocol requires a client only to memorize a human-memorable password, and all other information necessary to run the protocol is made public.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.7 no.4
• /
• pp.23-30
• /
• 2011

Recently, Tsai proposed a remote user authentication scheme suited for multi-server environments, in which users can be authenticated using a single password shared with the registration center. Our analysis shows that Tsai et al's scheme does not achieve its fundamental goal of password security. We demonstrate this by mounting an undetectable on-line password guessing attack on Tsai et al.'s scheme.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.2 no.6
• /
• pp.312-332
• /
• 2008

Password-based authentication key exchange (PAKE) protocols in the literature typically assume a password that is shared between a client and a server. PAKE has been applied in various environments, especially in the “client-server” applications of remotely accessed systems, such as e-banking. With the rapid developments in modern communication environments, such as ad-hoc networks and ubiquitous computing, it is customary to construct a secure peer-to-peer channel, which is quite a different paradigm from existing paradigms. In such a peer-to-peer channel, it would be much more common for users to not share a password with others. In this paper, we consider password-based authentication key exchange in the three-party setting, where two users do not share a password between themselves but only with one server. The users make a session-key by using their different passwords with the help of the server. We propose an efficient password-based authentication key exchange protocol with different passwords that achieves forward secrecy in the standard model. The protocol requires parties to only memorize human-memorable passwords; all other information that is necessary to run the protocol is made public. The protocol is also light-weighted, i.e., it requires only three rounds and four modular exponentiations per user. In fact, this amount of computation and the number of rounds are comparable to the most efficient password-based authentication key exchange protocol in the random-oracle model. The dispensation of random oracles in the protocol does not require the security of any expensive signature schemes or zero-knowlegde proofs.

• The Transactions of the Korea Information Processing Society
• /
• v.7 no.11
• /
• pp.3438-3444
• /
• 2000

In this paper, we propose an efficient passwork management scheme using the Pseudopia function which performs a mukti-password management and change scheme in the cyberspace. For a givne user and a web-site, the Pseudopia automatically generates a user name and a password that can be used to establish an anonvous account at the web-site. In the proposed scheme, a user can protect his password using " the personal etropy" which relates to his own life experiences, that identified only by himself. The proposed scheme can be applied to the broad tools for the internet related applications such as electronic commerce and Internet banking system.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.12
• /
• pp.5135-5149
• /
• 2015

Communications among multi-party must be fast, cost effective and secure. Today's computing environments such as internet conference, multi-user games and many more applications involve multi-party. All participants together establish a common session key to enable multi-party and secure exchange of messages. Multi-party password-based authenticated key exchange scheme allows users to communicate securely over an insecure network by using easy-to-remember password. Kwon et al. proposed a practical three-party password-based authenticated key exchange (3-PAKE) scheme to allow two users to establish a session key through a server without pre-sharing a password between users. However, Kwon et al.'s scheme cannot meet the security requirements of key authentication, key confirmation and anonymity. In this paper, we present a novel, simple and efficient multi-party password-based authenticated key exchange (M-PAKE) scheme based on the elliptic curve cryptography for mobile environment. Our proposed scheme only requires two round-messages. Furthermore, the proposed scheme not only satisfies security requirements for PAKE scheme but also achieves efficient computation and communication.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.4 no.1
• /
• pp.261-266
• /
• 2000

The password is the first step for computer security. If security of password is unimportant even constructing of fire-wall, it is useless. But end-user is not able to manage a high-difficulty password. So complement for password management is needed. In this paper, algorithm which produces one time password by using random number in client is used. Not oかy this is easy for end-user to manage password, but also this can eliminate insecurity for server hacking.

• Smart Media Journal
• /
• v.9 no.1
• /
• pp.30-37
• /
• 2020

Enforcing additional authentication to password-based authentication, in addition to attempting to increase the security of the password itself, helps to improve the security of the password authentication scheme. For a well-known problem of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership verified smartphone. Hence, even for sites not enforcing or supporting two-factor authentication, the logon process can benefit from the scheme's assurance of enhanced security with its two-factor equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for password retrieval service or the user's smartphone is leaked.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.4 no.2
• /
• pp.21-28
• /
• 2008

There are some problems on the system that uses a password comprising a digital signature to identify the secret key owner under the public key infrastructure. For example, the password can be difficult to remember or easy to be disclosure, and users should make more complex password to protect it. A number of studies have been proceeded in order to overcome these defects using the fingerprint identification technologies, but they need to change the current standard of public key infrastructure. On the suggested private key escrow system, the private key can be withdrawn only through the enrollment and identification of a fingerprint template after it is saved to a reliable third system. Therefore, this new private key escrow system can remove previous inconveniences of managingthe private key on current public key infrastructure, and it exhibited superior results in terms of the evaluation items when compared with the integrated method of the existing fingerprint identification and public key infrastructure.

• Journal of Digital Convergence
• /
• v.11 no.12
• /
• pp.423-430
• /
• 2013

With the active Internet e-commerce and the financial sector, mutual authentication between users and service providers has become very important. Because ID- and password-based authentication is of low security, one-time password authentication methods are widely used. The existing one-time password authentication scheme of S/Key authentication method is fraught with a number of issues in addition to plain text transmission, and the method of Kim Gong-ki et al. does not offer suggestions for session key generation and distribution method. Proposed in this paper is a protocol that solves these problems.