QR Code Based Mobile Dual Transmission OTP System

Mobile Dual Transmission OTP System Using QR Codes

  • 서세현 (Computer, Information and Communications Engineering, Kangwon National University) ;
  • 최창열 (Computer, Information and Communications Engineering, Kangwon National University) ;
  • 이구연 (Computer, Information and Communications Engineering, Kangwon National University) ;
  • 최황규 (Computer, Information and Communications Engineering, Kangwon National University)
  • Received : 2013.01.31
  • Accepted : 2013.04.19
  • Published : 2013.05.31

Abstract

Password-based user authentication reuses the same password, which weakens its security, and the OTP (One-Time Password) system was introduced to improve it. In existing OTP systems, however, the user types the OTP value generated by a mobile device synchronized with the server directly into the PC, so if the PC is infected with malicious code, the user account information and the OTP value can be stolen. In this paper, we propose a new method, DTOTP (Dual Transmission OTP), to solve this security problem. DTOTP is an improved two-factor authentication method based on dual transmission: the user performs server authentication by entering the account and password on the PC, and for the OTP authentication the mobile device scans the QR code displayed on the PC and sends the OTP value directly to the server. The proposed system provides stronger security than the existing OTP system and can adopt the existing OTP algorithm without any modification. As a result, it can be safely applied to security services such as banking, portal, and game services.

Password-based user authentication reuses the same password and is therefore weak, so OTP (One-Time Password) was introduced. However, when a security-enhanced OTP is generated on a mobile device synchronized with the server and entered into a PC, a hacker can steal the user's account, password and OTP value if the PC is infected with malicious code. To remove the vulnerability caused by leakage of the OTP value, this paper proposes DTOTP, a new two-factor authentication scheme in which the user enters the account and password on the PC to perform server authentication, and the mobile device scans the QR code displayed on the PC screen and sends the OTP value directly to the server; this prevents attacks based on leaked information and removes the inconvenience of typing the OTP value into the PC. Through dual transmission the system offers better security than PC-entered OTP schemes while using the existing OTP algorithm unchanged, so it is easy to implement and can be safely used in banking, portal and game services.
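
An added simulation of the DTOTP flow described in the abstract, written for this page and not taken from the paper: the QR payload is assumed to be a random session id carrying no secret, HOTP (RFC 4226) stands in for the "existing OTP algorithm" the abstract says can be reused unchanged, and the 60-second session lifetime, the single-attempt-per-session rule and the PBKDF2 password storage are assumptions of this example.

```python
import hashlib, hmac, secrets, struct, time

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP, reused unchanged: DTOTP changes the OTP transport, not the algorithm
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DTOTPServer:
    SESSION_TTL = 60  # seconds a displayed QR code stays valid (assumed value)

    def __init__(self):
        self.users = {}     # user -> [salt, pw_hash, otp_seed, hotp_counter]
        self.sessions = {}  # QR session id -> {"user", "state", "expires"}
    def register(self, user, password, otp_seed):
        salt = secrets.token_bytes(16)
        self.users[user] = [salt, pw_hash(password, salt), otp_seed, 0]
    def login_pc(self, user, password, now=None):
        # Step 1 (PC): account + password. The QR payload is a random session id that
        # carries no secret, so malware on the PC never sees an OTP value.
        rec = self.users.get(user)
        if not rec or not hmac.compare_digest(rec[1], pw_hash(password, rec[0])):
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "state": "pending",
                              "expires": (time.time() if now is None else now) + self.SESSION_TTL}
        return sid
    def submit_otp_mobile(self, sid, otp, now=None):
        # Step 2 (mobile -> server directly): exactly one OTP attempt per scanned session
        s = self.sessions.get(sid)
        if not s or s["state"] != "pending" or (time.time() if now is None else now) > s["expires"]:
            return False
        rec = self.users[s["user"]]
        if hmac.compare_digest(hotp(rec[2], rec[3]), otp):
            rec[3] += 1                  # advance the server-side counter only on success
            s["state"] = "authenticated"
        else:
            s["state"] = "rejected"      # the session is consumed either way
        return s["state"] == "authenticated"
    def pc_poll(self, sid):  # Step 3 (PC): the PC learns only the outcome, never the OTP
        return self.sessions[sid]["state"] if sid in self.sessions else "unknown"

def mobile_scan_and_send(server, seed, counter, qr_payload):
    # The phone derives the OTP from its synchronised seed/counter and posts it to the server.
    return server.submit_otp_mobile(qr_payload, hotp(seed, counter))
```

The RFC 4226 resynchronisation window for a phone counter that runs ahead of the server is left out; a deployment would add it alongside rate limiting on the submit endpoint.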


Cited by

  1. Design and Implementation of Medical Information System using QR Code, vol. 16, no. 2, 2015, https://doi.org/10.7472/jksii.2015.16.2.109