스마트카드를 이용한 패스워드 기반 인증시스템 정형분석

Formal Analysis of Authentication System based on Password using Smart Card

  • 김현석 (고려대학교 컴퓨터학과) ;
  • 김주배 (고려대학교 컴퓨터학과) ;
  • 정연오 (고려대학교 컴퓨터학과) ;
  • 한근희 (행정안전부 정보보호정책과) ;
  • 최진영 (고려대학교 컴퓨터학과)
  • 발행 : 2009.08.15

초록

인터넷의 범용적인 사용으로 많은 사용자들이 분산된 컴퓨팅 환경에서 원격 서버에 접속하는 일이 빈번해 지고 있다. 하지만 인증된 보호시스템 없이 안전하지 않은 채널을 통한 데이터의 전송은 재생공격이나 오프라인 패스워드 공격 및 가장공격등과 같은 문제점들에 노출되어 있다. 이에 따라 악의적인 공격들을 막기 위해 스마트카드를 이용한 인증프로토콜들에 대해 활발히 연구되고 있다. 본 논문은 패스워드 기반 사용자 인증시스템의 취약성을 분석하고 이에 대해 개선된 사용자 인증 시스템을 제안한다.

Due to widely use of internet, a lot of users frequently access into remote server in distributed computing environment. However, transmitting the information using vulnerable channel without authentication security system can be exposed to replay attack, offline password attack, and impersonation attack. According to this possibility, there is research about authentication protocol to prevent these hostile attacks using smart card. In this paper, we analyze vulnerability of user authentication system based on password and propose modified user authentication system.

키워드

참고문헌

  1. Chien, H.Y. and Chen, C.H., "A Remote Authentication Scheme Preserving User Anonymity," IEEE AINA'05, Vol.2, pp. 245-248, 2005.
  2. Das, M.L., Saxena, A., and Gulati, V.P., "A dynamic ID-based remote user authentication Scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No.2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  3. MacKenzie, P., Shrimpton, T., and Jakobsson, M., "Threshold Password Authenticated Key Exchange (extended abstract)," Advances in Cryptology Proc. of CRYPTO 2002, pp. 385-400, 2002.
  4. MacKenzie, P., "More Efficient Password Authenticated Key Exchange," RSA Conference, Cryptographer's Track, pp. 361-377, 2001.
  5. Boyko, V., MacKenzie, P. and Patel, S., "Provably Secure Password Authentication and key Exchange Using Diffie-Hellman(extended abstract)," EuroCrypt 2000, pp. 156-171, 2000.
  6. Munilla, J. and Peinado, A., "Off-line password guessing attack to Peyravian-Jeffries's remote user authentication protocol," A Computer Communications 30, pp. 52-54, 2006. https://doi.org/10.1016/j.comcom.2006.07.012
  7. Bellovin, S. M. and Merritt. M., "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," In Proc. of IEEE Security and Privacy, pp. 72-84, 1992.
  8. Bellovin, S.M. and Merritt, M., "Augmented encrypted key exchange : a password-based protocol secure against dictionary attacks and password file compromise," Technical report, AT&T Bell Laboratories, 1994.
  9. Kwon, T. and Song, J., "Secure agreement scheme for gxy via password authen-tication," Electronics Letters Vol.35, No.11, pp. 892-893, 1999. https://doi.org/10.1049/el:19990623
  10. Chen, T.H. and Lee, W.B., "A new method for using hash functions to solve remote user authentication," Computers and Electrical Engineering 34, pp. 53-62, 2008. https://doi.org/10.1016/j.compeleceng.2007.01.001
  11. Lowe, G., "Casper: A compiler for the analysis of Security Protocols," In Proc. of the 1997 IEEE Computer Security Foundations Workshop X, IEEE Computer Society, Silver Spring, MD, pp. 18-30, 1997.
  12. Hoare, C.A.R., Communicating Sequential Processes, Prentice-Hall, 1985.
  13. Formal Systems Ltd. FDR2 User Manual, Aug. 1999.
  14. Lin, C.L., Wen, H.A., Hwang, T. and Sun, H.M. "Provably secure three-party password-authenticated key exchange," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E87-A (11), pp. 2990-3000, 2004.
  15. Ku, W.C. and Chen, S.M., "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics 50 (1), pp. 204-207, 2004. https://doi.org/10.1109/TCE.2004.1277863
  16. Hwang, T. and Ku, W.C., "Reparable key distribution protocols for Internet environ- ments," IEEE Trans.Commun., Vol.43, No.5, pp. 1947-1949, May, 1995. https://doi.org/10.1109/26.387429
  17. Kocher, P., Jaffe, J. and Jun, B., "Differential power analysis," In Proc.of Advances in Cryptology (CRYPTO'99), pp. 388-397, 1999.
  18. Messerges, T.S., Dabbish, E.A. and Sloan, R.H., "Examining smart card security under the threat of power analysis attacks," IEEE Transactions on Computers 51(5), pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593