Journal of Internet Computing and Services (인터넷정보학회논문지)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Study on Elliptic Curve Diffie-Hellman based Verification Token Authentication Implementation

타원곡선 디피헬만 기반 검증 토큰인증방식 구현 연구

  • Received : 2018.02.20
  • Accepted : 2018.08.29
  • Published : 2018.10.31
Download PDF
⟨ Previous Next ⟩

Abstract

Since existing server-based authentications use vulnerable password-based authentication, illegal leak of personal data occurs frequently. Since this can cause illegal ID compromise, alternative authentications have been studied. Recently token-based authentications like OAuth 2.0 or JWT have been used in web sites, however, they have a weakness that if a hacker steals JWT token in the middle, they can obtain plain authentication data from the token, So we suggest a new authentication method using the verification token of authentic code to encrypt authentication data with effective time. The verification is to compare an authentication code from decryption of the verification-token with its own code. Its crypto-method is based on do XOR with ECDH session key, which is so fast and efficient without overhead of key agreement. Our method is outstanding in preventing the personal data leakage.

기존 서버기반 인증방식은 취약한 패스워드 기반 인증을 사용함으로 개인정보유출사고가 빈번했다. 이는 불법적 아이디 도용의 문제를 야기함으로 대체할 새로운 인증방안이 연구되었다. 최근 OAuth 2.0 및 JWT 토큰기반 인증을 웹사이트 인증에 사용하고 있지만 토큰 도청만으로 인증정보가 유출되는 취약점이 있어 보완책이 강구되고 있다. 이를 위해 본 논문은 유효시간이 포함된 암호화 인증코드를 담은 검증토큰을 사용한 인증방식을 제안한다. 이 방안의 검증은 검증토큰을 복호화 하여 나온 인증코드를 자신의 계산과 비교하면 된다. 본 토큰 암복호화 방식은 타원곡선 그룹연산 기반 DH(디피헬만)의 세션키 방식과 빠른 XOR 암호방식을 사용하므로 세션키 합의 오버헤드가 없고 암호화 계산이 빠르다. 본 논문의 인증은 기존 토큰인증의 장점, 빠른 XOR 암호화의 장점, 그리고 안전한 DH 세션키 방식을 사용하여 인증 취약점으로 인한 개인정보 유출위협에 대응하는 탁월한 인증방식이다.

Keywords

References

  1. "Leakage of 1,230 Personal Info. in KT LGU+ SKT," Moneytoday, MARCH 11, 2014. http://news.mt.co.kr/mtview.php?no=2014031111001655436&type=1
  2. "Leakage of 20 millin personal info. of drivers in Administrative Portal of Automotive Complaints," MBCnews, March 26, 2014, http://imnews.imbc.com/replay/2014/nwdesk/article/3436559_18451.html
  3. Sun-Jae Sung, "Personal Information Protection Act," Seoul Economy and Management Pub., 2014. ISBN 9788997937172
  4. "Personal Information Leakage Accident 'Nonghyup, KB Card, Lotte Card' Penalty," http://news.jtbc.joins. com/article/ArticlePrint.aspx?news_id=NB11273154, [JTBC] input 2016-07-15 17:16:05 modified
  5. Tae-Myung Jung, 2, "A study on the prevention of a privacy exposure and the protection of privacy information on the Internet," Korea Information Security Agency, Technical Report KISA-WP-2007-0042, Dec. 2007, https://www.kisa.or.kr/jsp/common/libraryDown.jsp?folder=012271
  6. Kyung-Ae Kim, "The First cause of Personal Information is External Attack! Frequent 4 Hacking method is:," Security News, http://www.boannews.com/media/view.asp?idx=56616, Aug-2, 2017. http://dx.doi.org/10.14257/jse.2017.04.02
  7. S.R,Cho, O.S. Choi, S.H, Jin and H.H. Lee, "Passwordless Authentication Technology-FIDO," Electronics and Telecommunications Trends, Vol. 29, Issue 4, Aug. 2014. https://doi.org/10.22648/ETRI.2014.J.290411
  8. Byung-Rae Cha, Nam-Ho Kim, Jong-Won Kim, "Design of OTP based on Mobile Device using Voice Characteristic Parameter," The journal of Korea Navigation Institute, Vol 14 Issue 4, Aug. 2010. http://kiss.kstudy.com/thesis/thesis-view.asp?key=2867972
  9. Woo Chan Hong, Kwang Woo Lee, Seung Joo Kim, Dong Ho Won, "Vulnerabilities Analysis of the OTP Implemented on a PC," The KIPS Transactionsty C, Vol. 17, No. 4, pp. 361-370, 2010. https://doi.org/ 10.3745/KIPSTC.2010.17C.4.361
  10. Nam Ho Kim, Bu Hyun Hwang, "Fingerprint overlay technique of mobile OTP to extent seed of password," The journal of Korea Navigation Institute, Vol. 16, No. 2, pp. 375-385, 2012. https://doi.org/10.12673/jkoni.2012.16.2.375
  11. Seo Il Kang, Im Yeong Lee, "A Study on PIN-based Authentication and ID Registration by Transfer in AAA System," The KIPS transactions : Part C, Vol. 13, No. 3, 2006. http://www.riss.kr/link? id=A101859859
  12. Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, Oct. 2012. https://doi.org/10.17487/RFC6749
  13. velopert, "[JWT] Introduction on Token based Authentication," Dec. 4 2016. https://velopert.com/2350
  14. Byoungcheon Lee, “Strengthening of Token Authentication Using Time-based Randomization,” Journal of Security Engineering, Vol. 14, No. 2, pp. 103-114, 2017. http://dx.doi.org/10.14257/jse.2017.04.02
  15. Namho Kim, ChoongSeon Hong, "OAuth-Based Authentication with Kerberos for IoT Network," 2016 Proceedings of the Korean Information Science Society Conference, 2016. https://www.dbpia.co.kr/Journal/ArticleDetail/NODE07017547
  16. Jin-Tak Choi, "A Study on Authentication Management Technique Used of SSO," J. KSIAM IT series, Vol. 7, No. 2, pp. 1-9, 2003. https://www.dbpia.co.kr/Journal/ArticleDetail/NODE00992033
  17. I. Liusvaara, "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)," Request for Comments: 8037, January 2017. http://dx.doi.org/10.17487/RFC8037, https://tools.ietf.org/html/rfc8037
  18. Song, Bo-Yeon, Kim, Kwang-Jo, "Key Agreement Protocol based on Diffie-Hellman Problem Over Elliptic Curve ," Proceedings of the Korea Information Processing Society Conference (1), pp.785-788, Oct. 13 2000. http://caislab.kaist.ac.kr/publication/paper_files/2000/bysong/kips14_song.pdf
  19. Kyoungsook Jung, TaeChoong Chung, "Hybrid Cryptosystem based on Diffie-Hellman over Elliptic Curve," Journal of the Korea Society of Computer and Information, Vol. 8, No. 4, pp. 104-110, Dec. 2003. http://insight.dbpia.co.kr/article/related.do?nodeId=NODE06535740
  20. Cheong H. Choi, "IBE based Mobile IP Security", Proceedings for ICONI & APIC-IST 2010, Mactan Island, Philippines, pp115-118, 2010-12-17.
  21. Hyun-Wook You, "Design of a XOR encryption based file sharing system that provides efficient in cloud server environments ", Thesis of MS, Hanyang Univ., Feb 2017. http://www.riss.kr/link?id=T14385365