The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Smartphone Ownership and Location Checking Scheme for Fixing the Vulnerabilities of SMS-Based Authentication

SMS 기반 인증의 보안 취약점을 개선한 스마트폰 소유 및 위치 확인 기법

  • Received : 2016.12.27
  • Accepted : 2017.02.08
  • Published : 2017.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

Many Web sites adopt SMS(Short Message Service)-based user authentication when a user loses her password or approves an online payment. In SMS-based authentication, the authentication server sends a text in plaintext to a user's phone, and it allows an attacker who eavesdrops or intercepts the text to impersonate a valid user(victim). We propose a challenge-response scheme to prove to the authentication server that a user is in a certain place at the moment with her smartphone beside her. The proposed scheme generates a response using a challenge by the server, user's current location, and a secret on the user's smartphone all together. Consequently, the scheme is much more secure than SMS-based authentication that simply asks a user to send the same text arrived on her phone back to the server. In addition to entering the response, which substitutes the SMS text, the scheme also requests a user to input a passphrase to get the authentication process started. We believe, however, the additional typing should be tolerable to most users considering the enhanced security level of the scheme.

많은 웹 사이트들이 사용자가 패스워드를 분실하거나 온라인 결제를 진행하는 등의 상황에서 SMS(Short Message Service) 기반의 사용자 인증을 채택하고 있다. SMS 기반 인증에서 인증 서버는 텍스트를 평문으로 전송하기 때문에 공격자가 그 텍스트를 도청하거나 가로채면 다른 사람(피해자)인 것처럼 인증을 받을 수 있다. 본 논문에서는 사용자가 스마트폰을 지금, 어느 위치에서 소유하고 있는지를 인증하는 챌린지-응답(challenge-response) 형태의 인증 방식을 제안한다. 제안 방식은 서버가 보낸 챌린지, 사용자의 현재 위치정보, 스마트폰에 저장된 비밀 값을 모두 사용하여 응답을 생성한다. 그 결과로, 단순히 사용자가 받은 SMS 메시지를 어떤 가공도 없이 그대로 서버로 되돌리는 SMS 기반 인증에 비해, 제안 방식은 훨씬 더 안전하다. 제안 방식은 기존 SMS 기반 인증의 텍스트에 해당하는 응답의 입력과 더불어, 인증 과정의 시작을 위해 추가로 패스프레이즈(passphrase)의 입력을 요구하나, 추가 입력의 부담은 향상되는 보안성을 고려할 때 대부분의 사용자들이 감내할 수 있는 수준이라 판단한다.

Keywords

References

  1. B. Schneier, "Two-Factor Authentication: Too Little, Too Late," Commun. ACM, vol. 48, no. 4, p. 136, Apr. 2005. https://doi.org/10.1145/1053291.1053327
  2. AhnLab, Alert Smartphone malware to small sum settlement(2013), Retrieved January 11, 2013, from http://blog.ahnlab.com/ahnlab/1680.
  3. BBC, Telegram denies Iranian mass breach(2016), Retrieved August 3, 2016, from http://www.bbc.com/news/36964075.
  4. D. J. Seo and T. S. Kim, "Influence of personal information security vulnerabilities and perceived usefulness on bank customers' willingness to stay," J. KICS, vol. 40, no. 8, pp. 1577-1587, Aug. 2015. https://doi.org/10.7840/kics.2015.40.8.1577
  5. NIST(National Institute of Standards and Technology), DRAFT NIST Special Publication 800-63B Digital Authentication Guideline(2016), Retrieved May 18, 2016, from https://pages.nist.gov/800-63-3/sp800-63b.html.
  6. D. Strobel, "IMSI Catcher," Chair for Commun. Secur., Jul. 2007.
  7. R. Bott and J. Frick, Method for identifying the user of a mobile telephone or for eavesdropping on outgoing calls, Patent EP1051053 A3, 2001.
  8. D. W. Park and J. M. Seo, "A study of information leakage prevention through certified authentication in phishing, vishing, SMiShing attacks," J. The Korea Soc. Comput. Inf., vol. 12, no. 2, pp. 171-180, Jun. 2007.
  9. H. H. Kim and M. J. Choi, "Android malware detection using auto-regressive movingaverage model," J. KICS, vol. 40, no. 8, pp. 1551-1559, Aug. 2015. https://doi.org/10.7840/kics.2015.40.8.1551
  10. A. Varghese and D. Mathews, "Securing SMS-based approach for two factor authentication," J. Comput. and Commun. Technol., vol. 3, no. 3, pp. 25-28, Mar. 2014.
  11. S. S. Ji, "The improved scheme of two factor authentication using SMS," J. Korea Ind. Inf. Syst. Res., vol. 17, no. 6, pp. 25-30, Dec. 2012. https://doi.org/10.9723/jksiis.2012.17.6.025
  12. S. T. Ahmed and L. E. George, "Secure messaging system over GSM based on third party support," IJEIT, vol. 4, no. 2, pp. 27-32, 2014.
  13. S. T. Ahmed and L. E. George, "Secure SMS based on internet service," Int. J. Comput. Sci. Mob. Comput., vol. 3, no. 10, pp. 164-171, 2014.
  14. M. AiZomai, A. Josang, A. McCullagh, and E. Foo, "Strengthening SMS-Based authentication through usability," Int. Symp. Parall. and Distrib. Process. with Appl., pp. 683-688, 2008.
  15. J. Y. Park, J. I. Kim, M. S. Shin, and N. H. Kang, "QR-code based mutual authentication system for web service," J. KICS, vol. 39B, no. 04, pp. 207-215, Apr. 2014. https://doi.org/10.7840/kics.2014.39B.4.207
  16. S. H. Lee, H. Kim, and D. H. Lee, "Two-factor authentication scheme based on mobile messenger with improved usability," J. Secur. Eng., vol. 10, no. 5, pp. 549-566, Oct. 2013. https://doi.org/10.14257/jse.2013.10.5.02
  17. U. A. Abdurrahman, M. Kaiiali, and J. Muhammad, "A new mobile-based multifactor authentication scheme using pre-shared number, GPS location and time stamp," ICECCO, pp. 293-296, 2013.
  18. KISA, 2015 Survey on the Mobile Internet Usage Executive Report, p. 138, 2016.
  19. H. Wu, "A new stream cipher HC-256," Int. Wksp Fast Softw. Encryption, pp. 226-244, 2004.
  20. F. Mohsen and M. Shehab, "Android keylogging threat," 9th IEEE Int. Conf. Collaborative Computing: Netw., Appl. and Worksharing, pp. 545-552, 2013.