• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.39B no.4
• /
• pp.207-215
• /
• 2014

Password based authentication systems are most widely used for user convenience in web services. However such authentication systems are known to be vulnerable to various attacks such as password guessing attack, dictionary attack and key logging attack. Besides, many of the web systems just provide user authentication in a one-way fashion such that web clients cannot verify the authenticity of the web server to which they set access and give passwords. Therefore, it is too difficult to protect against DNS spoofing, phishing and pharming attacks. To cope with the security threats, web system adopts several enhanced schemes utilizing one time password (OTP) or long and strong passwords including special characters. However there are still practical issues. Users are required to buy OTP devices and strong passwords are less convenient to use. Above all, one-way authentication schemes generate several vulnerabilities. To solve the problems, we propose a multi-channel, multi-factor authentication scheme by utilizing QR-Code. The proposed scheme supports both user and server authentications mutually, thereby protecting against attacks such as phishing and pharming attacks. Also, the proposed scheme makes use of a portable smart device as a OTP generator so that the system is convenient and secure against traditional password attacks.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.11
• /
• pp.503-510
• /
• 2013

Recently, the rapid development of network technology has enabled people to use various services on the internet. However, the existing password-based user authentication system used in the internet environment requires a password table, which is a potential security threat as it could be leaked by an insider. To solve this issue, remote user authentication methods that do not require a user password table have been proposed. Regarding remote user authentication using a smart card in particular, various methods have been suggested to reduce expenses and to improve stability and efficiency, but the possibility of impersonation attacks and password-guessing attacks using information saved in a user's smart card still exist. Therefore, this study proposes a remote user authentication method that can safeguard against impersonation attacks and password guessing attacks, by analyzing weak points of conventional methods and creating a smart card's ID and password that are based on the user's ID and password.

• Review of KIISC
• /
• v.19 no.4
• /
• pp.53-58
• /
• 2009

초고속 인터넷이 널리 보급되면서 오프라인에서만 가능했던 많은 서비스들을 이제 온라인에서도 사용할 수 있게 되었다. 온라인 서비스는 상대방을 대면하지 않기 때문에 적절한 사용자 인증과정이 반드시 필요하다. 현재 사용자 인증은 패스워드를 비롯하여 공인인증서, 보안토큰 등 다양한 방법을 사용하여 구현되고 있다. 그러나 공격방법이 다양화되고 지능화되면서 인증과정 역시 많은 취약점을 드러내고 있으며, 이를 극복하기 위한 개선방안에 대한 연구가 현재까지 활발하게 진행되고 있다. 따라서 본 고에서는 성균관대학교 정보보호 인증기술 연구센터가 지난 2008년 12월 종료된 ITRC 과제를 수행하면서 발표한 다양한 인증 프로토콜 취약점과, 취약점 발표 이후 대응 결과에 대해 서술한다. 본 고에서 다루어진 모든 취약점들은 발표 후 모두 패치되어 해결되었다.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.12
• /
• pp.5895-5901
• /
• 2011

This paper shows that a scheme provided by An[7] is not enough to satisfy security requirements for a user certification using a password-based smart card. In order to compensate this weakness, this study provides an improved user scheme with a hash function and ElGamal signature. This new scheme has some advantages protecting password guessing attack, masquerade, and replay attack as well as providing forward secrecy. Compared to An's certification scheme, this scheme suggests that the effect of computational complexity is similar but the efficiency of safety is better.

• Journal of Practical Engineering Education
• /
• v.15 no.3
• /
• pp.641-647
• /
• 2023

In the fintech environment, ensuring secure financial transactions with smartphones requires authenticating the device owner. Smartphone authentication techniques encompass a variety of approaches, such as passwords, biometrics, SMS authentication, and more. Among these, password-based authentication is commonly used and highly convenient for user authentication. Although it is a simple authentication mechanism, it is susceptible to eavesdropping and keylogging attacks, alongside other threats. Security keypads have been proposed to address vulnerabilities in password input on smartphones. One such innovation is a group keypad, resistant to attacks that guess characters based on touch location. However, improvements are needed for user convenience. In this study, we aim to propose a method that enhances convenience while being resistant to eavesdropping and recording attacks on the existing group keypad. The proposed method uses new signs to allow users to verify instead of the last character confirmation easily and employs dragging-to-touch for blocking recording attacks. We suggest diverse positioning methods tailored for domestic users, improving efficiency and security in password input compared to existing methods.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.1 s.45
• /
• pp.107-116
• /
• 2007

Is need Remote Access through internet for business of Ubiquitous Computing age, and apply OTP for confidentiality about inputed ID and Password, network security of integrity. Current OTP must be possessing hardware of Token, and there is limitation in security. Install a Snooping tool to OTP network in this treatise, and because using Cain, enforce ARP Cache poisoning attack and confirm limitation by Snooping about user password. Wish to propose new system that can apply Tokenless OTP by new security way, and secure confidentiality and integrity. Do test for access control inflecting Tokenless OTP at Remote Access from outside, and could worm and do interface control with certification system in hundred. Even if encounter hacking at certification process, thing that connection is impossible without pin number that only user knows confirmed. Because becoming defense about outward flow and misuse and hacking of password when apply this result Tokenless OTP, solidify security, and evaluated by security system that heighten safety.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.471-473
• /
• 2015

앞으로 IoT가 활성화 됨에 따라 IoT 디바이스(TV, 냉장고, 차트 등)에서 결제가 가능한 시스템이 보편화 될 것이다. IoT에 핀테크 결제 시스템이 융합되어 결제 시스템이 간소화 되면서 인증 시스템 또한 간소화 되고 있다. 편리성을 추구하는 핀테크 결제 시스템은 보안에 더욱 취약해질 것으로 예상된다. 현재의 핀테크 결제 시스템을 대상으로 패스워드 인증방법의 취약점과 지문 인증방법의 취약점을 도출하여 공격 시나리오를 제안한다. 본 논문에서는 지문 패턴 인증을 통하여 편리성을 유지하면서 보안을 강화하는 대응방안을 제안한다.

• KSCI Review
• /
• v.14 no.2
• /
• pp.205-214
• /
• 2006

Is need Remote Access through internet for business of Ubiquitous Computing age, and apply OTP for confidentiality about inputed ID and Password, network security of integrity. Current OTP must be possessing hardware or Token, and there is limitation in security. Install a Snooping tool to OTP network in this treatise, and because using Cain, enforce ARP Cache Poisoning attack and confirm limitation by Snooping about user password. Wish to propose new system that can apply Tokenless OTP by new security way, and secure confidentiality and integrity. Do test for access control inflecting Tokenless OTP at Remote Access from outside. and could worm and do interface control with certification system in hundred. Even if encounter hacking at certification process, thing that connection is impossible without pin number that only user knows confirmed. Because becoming defense about outward flow and misuse and hacking of password when apply this result Tokenless OTP, solidify security, and evaluated by security system that heighten safety.

• Journal of the Korea Society of Computer and Information
• /
• v.15 no.3
• /
• pp.91-97
• /
• 2010

Recently Hu-Niu-Yang proposed the user authentication scheme to improve Liu et al's scheme. But the Hu-Niu-Yang's scheme has not been satisfied security requirements considering in the user authentication scheme using the password based smart card. In this paper, we proved that Hu-Niu-Yang's scheme is vulnerable to the off-line password guessing attack in case that the attacker steals the user's smart card and extracts the information in the smart card. Also, the improved user authentication scheme solving the security vulnerability was introduced, thus preventing the attacks, such as password guessing attack, forgery attack impersonation attack, and replay attack. For preventing those attacks, the our proposed scheme need more hash functions and exclusive-OR operations than Hu-Niu-Yang's scheme.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2002.11b
• /
• pp.1115-1118
• /
• 2002

최근 해킹 기술이 다양화되고, 사용하기 손쉬운 해킹 툴들이 개발되고 확산되면서, 라우팅 프로토콜의 취약점을 이용한 해킹 사례 또한 급증하고 있다. 이는 RIP, OSPF, BGP 등의 초기 인터넷 라우팅 프로토콜이 보안에 대한 고려 없이 설계되어서, 이에 대한 간단한 패스워드 및 MD5 인증 등의 보완책으로 등장한 RIPv2, OSPFv2 BGPv4 등도 그 취약성을 계승하고 있기 때문이다. 따라서 현재의 전반적인 라우팅 프로토콜에 문제점을 파악하고, 이를 해결하기 위한 연구가 필요하다. 본 논문에서는 이러한 취약사항들을 이용한 위협 모델들을 분석하고, 이들 위협으로부터 미리 방비할 수 있도록 진단할 수 있는 시스템을 설계 및 구현에 대한 방법을 제시한다.