Cryptanalysis and Enhancement of a Remote User Authentication Scheme Using Smart Cards

  • Youngsook Lee (Division of Cyber Investigation Police, Howon University) ;
  • Dongho Won (School of Electrical, Electronic and Computer Engineering, Sungkyunkwan University)
  • Received : 2009.11.23
  • Reviewed : 2010.01.26
  • Published : 2010.01.31

Abstract

A remote user authentication scheme is a two-party protocol by which an authentication server in a distributed system confirms the identity of a remote user logging in to the server over an untrusted, open network. In 2005, Liao et al. proposed a remote user authentication scheme using a smart card in which users are authenticated anonymously. Recently, Yoon et al. found security flaws in Liao et al.'s scheme and proposed an improved version to fix them. In this article, we review Yoon et al.'s improved scheme and analyze its security. Our analysis shows that the scheme provides neither server-to-user nor user-to-server authentication, and that it also fails to protect the user's password. We demonstrate this by mounting three attacks on Yoon et al.'s scheme: a server impersonation attack, a user impersonation attack, and an off-line dictionary attack. We then propose an enhanced authentication scheme that removes these vulnerabilities.

References

  1. L. Lamport, "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  2. C.-C. Chang, T.-C. Wu, "Remote password authentication with smart cards," IEE Proceedings E - Computers and Digital Techniques, Vol. 138, No. 3, pp. 165-168, 1991. https://doi.org/10.1049/ip-e.1991.0022
  3. W.-H. Yang, S.-P. Shieh, "Password authentication schemes with smart card," Computers & Security, Vol. 18, No. 8, pp. 727-733, 1999. https://doi.org/10.1016/S0167-4048(99)80136-9
  4. M.-S. Hwang, L.-H. Li, "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000. https://doi.org/10.1109/30.826377
  5. H.-M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000. https://doi.org/10.1109/30.920446
  6. H.-Y. Chien, J.-K. Jan, Y.-M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, Vol. 21, No. 4, pp. 372-375, 2002. https://doi.org/10.1016/S0167-4048(02)00415-7
  7. E.-J. Yoon, E.-K. Ryu, K.-Y. Yoo, "An improvement of Hwang-Lee-Tang's simple remote user authentication scheme," Computers & Security, Vol. 24, No. 1, pp. 50-56, 2005. https://doi.org/10.1016/j.cose.2004.06.004
  8. Anti-Phishing Working Group (http://www.antiphishing.org).
  9. 최병훈, 김상근, 배제민, "A study on secure access to critical systems using multi-factor authentication," Journal of the Korea Society of Computer and Information, Vol. 14, No. 7, July 2009.
  10. W. Diffie, P. C. van Oorschot, M. J. Wiener, "Authentication and authenticated key exchange," Designs, Codes and Cryptography, Vol. 2, No. 2, pp. 107-125, 1992. https://doi.org/10.1007/BF00124891
  11. R. Bird, I. Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Molva, M. Yung, "Systematic design of a family of attack-resistant authentication protocols," IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, pp. 679-693, 1993. https://doi.org/10.1109/49.223869
  12. U. Carlsen, "Cryptographic protocol flaws: know your enemy," Proceedings of the 7th IEEE Computer Security Foundations Workshop, pp. 192-200, 1994.
  13. G. Lowe, "An attack on the Needham-Schroeder public-key authentication protocol," Information Processing Letters, Vol. 56, No. 3, pp. 131-133, 1995. https://doi.org/10.1016/0020-0190(95)00144-2
  14. C.-L. Hsu, "Security of Chien et al.'s remote user authentication scheme using smart cards," Computer Standards and Interfaces, Vol. 26, No. 3, pp. 167-169, 2004. https://doi.org/10.1016/S0920-5489(03)00094-1
  15. E.-J. Yoon, W.-H. Kim, K.-Y. Yoo, "Security enhancement for password authentication schemes with smart cards," Proceedings of the 2nd International Conference on Trust, Privacy, and Security in Digital Business (TrustBus 2005), Lecture Notes in Computer Science, Vol. 3592, pp. 90-99, 2005.
  16. W.-C. Ku, S.-T. Chang, M.-H. Chiang, "Weaknesses of a remote user authentication scheme using smart cards for multi-server architecture," IEICE Transactions on Communications, Vol. E88-B, No. 8, pp. 3451-3454, 2005. https://doi.org/10.1093/ietcom/e88-b.8.3451
  17. P. Kocher, J. Jaffe, B. Jun, "Differential power analysis," Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science, Vol. 1666, pp. 388-397, 1999.
  18. T. S. Messerges, E. A. Dabbish, R. H. Sloan, "Examining smart card security under the threat of power analysis attacks," IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593
  19. M. L. Das, A. Saxena, V. P. Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004. https://doi.org/10.1109/TCE.2004.1309441
  20. I.-E. Liao, C.-C. Lee, M.-S. Hwang, "Security enhancement for a dynamic ID-based remote user authentication scheme," Proceedings of the IEEE International Conference on Next Generation Web Services Practices (NWeSP'05), pp. 437-440, 2005.
  21. E.-J. Yoon, K.-Y. Yoo, "Improving the dynamic ID-based remote mutual authentication scheme," Proceedings of the OTM 2006 Confederated International Workshops (OTM 2006), Lecture Notes in Computer Science, Vol. 4277, pp. 499-507, 2006.