• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.1
• /
• pp.119-131
• /
• 2013

With the explosive growth of computer networks, many remote service providing servers and multi-server network architecture are provided and it is extremely inconvenient for users to remember numerous different identities and passwords. Therefore, it is important to provide a mechanism for a remote user to use single identity and password to access multi-server network architecture without repetitive registration and various multi-server authentication schemes have been proposed in recent years. Recently, Tsaur et al. proposed an efficient and secure smart card based user authentication and key agreement scheme for multi-server environments. They claimed that their scheme satisfies all of the requirements needed for achieving secure password authentication in multi-server environments and gives the formal proof on the execution of the proposed authenticated key agreement scheme. However, we find that Tsaur et al.'s scheme is still vulnerable to impersonation attack and many logged-in users' attack. We propose an extended scheme that not only removes the aforementioned weaknesses on their scheme but also achieves user anonymity for hiding login user's real identity. Compared with other previous related schemes, our proposed scheme keeps the efficiency and security and is more suitable for the practical applications.

• The Journal of Information Technology
• /
• v.7 no.2
• /
• pp.77-92
• /
• 2004

Global Electronic Trading means that trading partners trade each other via Global Electronic Trading Network, that is, global business to business electronic commerce. Electronic payment systems are how to make payment electronically in manner that is efficient, reliable, and secure. I suggest the Electronic payment systems such as TradeCard and SWIFT enable seller and buyer to conduct and settle international B2B electronic commerce in case of solving the above problems. And, where the cargo arrives ahead of the B/L, the importer cannot take delivery of the cargo without the B/L. This situation is referred to as the B/L dilemma. But the BOLERO system will resolve this B/L dilemma. Bolero Project is developing a cross industry utility platform for the secure, electronic transfer of commercial trade information world wide.

• Journal of KIISE:Computing Practices and Letters
• /
• v.16 no.6
• /
• pp.693-697
• /
• 2010

In current e-commerce system, it happens that client's confidential information such as credit card numbers, pin numbers, or digital certificate may pass through a web proxy server or an altered proxy server without client's awareness. Even though the confidential information is encrypted and sent through SSL(Secure Sockets Layer) or TLS(Transport Layer Security) protocol, it can be exposed to the risk of sniffing by the digital certificate forgery at the proxy server, which is called the SSL MITM(Man-In-The-Middle) Proxy attack. In this paper, current credit card web-payment systems, which is weak at proxy information alternation attack, are analyzed. A resolution with certificate proxy server is also proposed to prevent the MITM attack.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.2
• /
• pp.924-944
• /
• 2017

Telecare Medical Information System (TMIS) helps the patients to gain the health monitoring information at home and access medical services over the mobile Internet. In 2015, Das et al proposed a secure and robust user AKA scheme for hierarchical multi-medical server environment in TMIS, referred to as DAKA protocol, and claimed that their protocol is against all possible attacks. In this paper, we first analyze and show DAKA protocol is vulnerable to internal attacks, impersonation attacks and stolen smart card attack. Furthermore, DAKA protocol also cannot provide confidentiality. We then propose a lightweight pseudonym AKA protocol for multi-medical server architecture in TMIS (short for PAKA). Our PAKA protocol not only keeps good security features declared by DAKA protocol, but also truly provides patient's anonymity by using pseudonym to protect sensitive information from illegal interception. Besides, our PAKA protocol can realize authentication and key agreement with energy-saving, extremely low computation cost, communication cost and fewer storage resources in smart card, medical servers and physical servers. What's more, the PAKA protocol is proved secure against known possible attacks by using Burrows-Abadi-Needham (BAN) logic. As a result, these features make PAKA protocol is very suitable for computation-limited mobile device.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38B no.3
• /
• pp.190-198
• /
• 2013

Since the facilities for the remote users tend to be deployed in distributed manner, authentication schemes for multi-server communication settings, which provide various web services, are required for real-world applications. A typical way to authenticate a remote user relies on password authentication mostly. However, this method is vulnerable to attacks and inconvenient as the system requires users to maintain different identities and corresponding passwords. On the other hand, the user can make use of a single password for all servers, but she may be exposed to variants of malicious attacks. In this paper, we propose an efficient and secure authentication scheme based on a brokered authentication along with smart-cards in multi-server environment. Further we show that our scheme is secure against possible attacks and analyze its performance with respect to communication and computational cost.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.763-768
• /
• 2003

In this paper, we propose a S/KEY based authentication protocol using smart cards to address the vulnerebilities of both the S/KEY authentication protocol and the secure one-time password protpcol which YEH, SHEN and HWANG proposed [1]. Because out protpcel is based on public key, it can authenticate the server and distribute a session key without any pre-shared secret. Also, it can prevent off-line dictionary attacks by using the randomly generated user is stored in the users smart card. More importantly, it can truly achieve the strength of the S/KEY scheme that no secret information need be stored on the server.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.6
• /
• pp.161-174
• /
• 2009

IPTV provides their services only for their subscribers who have a eligibility to watch it by using Conditional Access System(CAS). CAS has been servicing their contents for subscribers by using set-top box or cable card so far, but these days, to solve the compatibility between kinds of devices, linkage with other services as DRM and confirming stability, the research of Downloadable CAS(DCAS) is being advanced steadily. On this paper, we analyse the vulnerability of DCAS based on the OpenCable and make up for the vulnerability in DCAS, then proposes to use secure DCAS system for IPTV. Also we show the result of the research and analyse the satisfaction of requirements.

• Journal of Digital Contents Society
• /
• v.12 no.2
• /
• pp.165-176
• /
• 2011

Recently, digital rights management (DRM) related researches are widely spreading with prosperity of IT industries. The DRM technology protects proprietor of copyright by preventing mischanneling and illegal copy. In this paper, we propose a new DRM model that has an enhanced and efficient protocol based on certificate using smart card. The proposed model overcomes weaknesses of WCDRM model and has following additional advantages: first, copy protection is enhanced by hiding user's specific information from attacker by storing the information within smart card; second, server load for contents encryption is reduced by making clear protocols among author, distributer, certificate authority, and users; third, offline user authentication is guaranteed by combining partial secret values in media players and smart card. Exposure of core information also is minimized by storing them in smart card. In addition, we show that the proposed system is more secure than WCDRM model by comparing various factors of anonymous attackers.

• Journal of Broadcast Engineering
• /
• v.13 no.1
• /
• pp.62-68
• /
• 2008

Remote user authentication scheme is a cryptographic tool which permits a server to identify a remote user. In 2007, Wang et al. pointed out that Ku's remote user authentication scheme is vulnerable to a dictionary attack by obtaining some secret information in a smart card using side channel attacks. They also proposed a remote user authentication scheme which is secure against dictionary attack. In this paper, we analyze the protocol proposed by Wang et al. In the paper, it is claimed that the protocol is secure even though some values, which is stored in a smart card, are revealed to an adversary, However, we show that their protocol is insecure if the values are disclosed to an adversary.

• Journal of the Korea Society of Computer and Information
• /
• v.29 no.6
• /
• pp.53-60
• /
• 2024

In this paper, we analyze the authentication scheme of Hwang et al. proposed in 2023 and propose a new authentication scheme that improves its problems. Hwang et al. claimed that their authentication scheme was practical and secure, but as a result of analysis in this paper, it is possible to attack the password/ID guessing attack and session key disclosure attack due to insider attack and stolen smart card attack. In addition, Hwang et al.'s authentication scheme, which provides user anonymity, does not provide user untraceability due to its unstable design. The proposed authentication scheme, which improves these problems, not only provides user untraceability, but also is secure for stolen smart card attack, insider attack, session key disclosure attack, and replay attack. In addition, except for one fuzzy extraction operation, it shows the same complexity or very similar one as related authentication schemes. Therefore, the proposed authentication scheme can be said to be an authentication scheme with safety and practicality.