Generation and Management of Strong Passwords using an Ownership Verified Smartphone

  • 박준철 (Department of Computer Engineering, Hongik University)
  • Received : 2020.02.05
  • Accepted : 2020.03.03
  • Published : 2020.03.31

Abstract

Enforcing additional authentication on top of password-based authentication, alongside efforts to increase the security of the password itself, helps to improve the security of a password authentication scheme. For the well-known problem of using a different strong password for every site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested, without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership-verified smartphone. Hence, even for sites that do not enforce or support two-factor authentication, the logon process can benefit from the scheme's assurance of enhanced security with its two-factor-equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for the password retrieval service or of the user's smartphone is leaked.

Alongside attempts to raise the security of the password itself, enforcing additional authentication on top of password-based authentication helps improve the security of password authentication schemes. For the well-known problem of using a different strong password for every site, this paper proposes a password generation and management scheme with built-in supplementary authentication using a smartphone. Like the technique known as a password manager, the proposed scheme generates and presents a strong site-specific password to the user whenever requested, without requiring the user to remember many passwords. What differs from existing techniques is that the proposed scheme allows the password retrieval process to proceed only through a user smartphone authenticated by smartphone ownership verification. Therefore, even for sites that do not enforce or support two-factor authentication, applying the proposed scheme yields a security improvement equivalent to logging on with two-factor authentication. In addition, the proposed scheme prevents an attacker from impersonating the user or stealing secret information even if the stored information of the server providing the password retrieval service or of the user's smartphone is leaked.
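The abstract states three properties (site-specific strong passwords, retrieval gated by smartphone ownership verification, and no secret recovery from a leak of the server's or the phone's stored data alone) without giving the protocol. The following is an added, constructed illustration of one design with those properties, not the paper's scheme: the master secret is XOR-split between server and phone, the site password is an HMAC of the site name under the reassembled secret, and the server releases its share only after a single-use challenge answered with a device key assumed to live in the phone's hardware keystore. All names and the sample values are assumptions.

```python
import hashlib
import hmac
import os
import string

# 64 symbols, so "byte % 64" picks a character without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "!@"

def split_secret(master):
    """XOR-split the master secret into a server share and a phone share (assumed design)."""
    phone_share = os.urandom(len(master))
    return bytes(a ^ b for a, b in zip(master, phone_share)), phone_share

def combine(server_share, phone_share):
    return bytes(a ^ b for a, b in zip(server_share, phone_share))

def site_password(master, site, length=16):
    """Derive a strong, site-specific password from the reassembled master secret."""
    digest = hmac.new(master, site.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

class Server:
    """Stores one share; releases it only to a phone that answers a fresh challenge."""
    def __init__(self, server_share, device_key):
        self.server_share, self.device_key, self.pending = server_share, device_key, {}

    def challenge(self, user):
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def release_share(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: an old answer cannot be replayed
        if nonce is None:
            return None
        expected = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        return self.server_share if hmac.compare_digest(expected, response) else None

class Phone:
    """Stores the other share and a device key (assumed to live in the hardware keystore)."""
    def __init__(self, phone_share, device_key):
        self.phone_share, self.device_key = phone_share, device_key

    def retrieve(self, server, user, site):
        nonce = server.challenge(user)
        answer = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        share = server.release_share(user, answer)
        if share is None:
            raise PermissionError("smartphone ownership verification failed")
        return site_password(combine(share, self.phone_share), site)
```

Either share on its own derives a different password than the true one, and a phone whose device key does not match the enrolled one never receives the server share.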

Keywords
