• Title/Summary/Keyword: Password Based Authentication

Search Result 353, Processing Time 0.024 seconds

Password Authenticated Joux's Key Exchange Protocol (패스워드 인증된 Joux의 키 교환 프로토콜)

  • Lee Sang-gon;Hitcock Yvonne;Park Young-ho;Moon Sang-jae
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.15 no.5
    • /
    • pp.73-92
    • /
    • 2005
  • Joux's tripartite key agreement protocol is one of the most prominent developments in the area of key agreement. Although certificate-based and ID-based authentication schemes have been proposed to provide authentication for Joux's protocol, no provably secure password-based one round tripartite key agreement protocol has been proposed yet. We propose a secure one round password-based tripartite key agreement protocol that builds on Joux's protocol and adapts PAK-EC scheme for password-based authentication, and present a proof of its security.

A Study On Enterprise Password Management Recommendations (대규모 조직에서의 패스워드 관리에 관한 권고 고찰)

  • Park, Jin-Sub
    • Journal of National Security and Military Science
    • /
    • s.8
    • /
    • pp.421-465
    • /
    • 2010
  • Passwords are used in many ways to protect data, systems, and networks. Passwords are also used to protect files and other stored information. In addition, passwords are often used in less visible ways for authentication. In this article, We provides recommendations for password management, which is the process of defining, implementing, and maintaining password policies throughout an enterprise. Effective password management reduces the risk of compromise of password-based authentication systems. Organizations need to protect the confidentiality, integrity, and availability of passwords so that all authorized users - and no unauthorized users - can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and having secured backups of password files. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves.

  • PDF

Password-Based Mutual Authentication Protocol Against Phishing Attacks (피싱 공격에 대응하기 위한 패스워드 기반의 상호 인증 프로토콜)

  • Kim, Iksu;Choi, Jongmyung
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.7 no.2
    • /
    • pp.41-48
    • /
    • 2018
  • Until now, various studies on anti-phishing have been conducted. The most typical anti-phishing method is a method of collecting URL information of a phishing site in advance and then detecting phishing by comparing the URL of the visited site with the previously stored information. However, this blacklist-based anti-phishing method can not detect new phishing sites. For this reason, various anti-phishing authentication protocols have been proposed. but these protocols require a public key and a private key. In this paper, we propose a password-based mutual authentication protocol that is safe for phishing attacks. In the proposed protocol, the mutual authentication between the client and the server is performed through the authentication message including the password information. The proposed protocol is safe to eavesdropping attack because the authentication message uses the hash value of the password, not the original password, And it is safe to replay attack because different messages are used every time of authentication. In addition, since mutual authentication is performed, it is safe for man-in-the-middle attack. Finally, the proposed protocol does not require a key issuance process for authentication.

A Brokered Authentication Scheme Based on Smart-Card for Multi-Server Authentication (다중서버 인증을 위한 스마트카드 기반 중재 인증 기법 연구)

  • Kim, Myungsun
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.38B no.3
    • /
    • pp.190-198
    • /
    • 2013
  • Since the facilities for the remote users tend to be deployed in distributed manner, authentication schemes for multi-server communication settings, which provide various web services, are required for real-world applications. A typical way to authenticate a remote user relies on password authentication mostly. However, this method is vulnerable to attacks and inconvenient as the system requires users to maintain different identities and corresponding passwords. On the other hand, the user can make use of a single password for all servers, but she may be exposed to variants of malicious attacks. In this paper, we propose an efficient and secure authentication scheme based on a brokered authentication along with smart-cards in multi-server environment. Further we show that our scheme is secure against possible attacks and analyze its performance with respect to communication and computational cost.

A Study on Secure Remote User Authentication Scheme using Smart Card (스마트카드를 이용한 안전한 원격 사용자 인증기법에 관한 연구)

  • Go, Sung Jong;Lee, Im Yeong
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.2 no.11
    • /
    • pp.503-510
    • /
    • 2013
  • Recently, the rapid development of network technology has enabled people to use various services on the internet. However, the existing password-based user authentication system used in the internet environment requires a password table, which is a potential security threat as it could be leaked by an insider. To solve this issue, remote user authentication methods that do not require a user password table have been proposed. Regarding remote user authentication using a smart card in particular, various methods have been suggested to reduce expenses and to improve stability and efficiency, but the possibility of impersonation attacks and password-guessing attacks using information saved in a user's smart card still exist. Therefore, this study proposes a remote user authentication method that can safeguard against impersonation attacks and password guessing attacks, by analyzing weak points of conventional methods and creating a smart card's ID and password that are based on the user's ID and password.

Generation and Management of Strong Passwords using an Ownership Verified Smartphone (소유권 확인된 스마트폰을 이용한 강력한 패스워드 생성 및 관리)

  • Park, Jun-Cheol
    • Smart Media Journal
    • /
    • v.9 no.1
    • /
    • pp.30-37
    • /
    • 2020
  • Enforcing additional authentication to password-based authentication, in addition to attempting to increase the security of the password itself, helps to improve the security of the password authentication scheme. For a well-known problem of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership verified smartphone. Hence, even for sites not enforcing or supporting two-factor authentication, the logon process can benefit from the scheme's assurance of enhanced security with its two-factor equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for password retrieval service or the user's smartphone is leaked.

Remote Login Authentication Scheme based on Bilinear Pairing and Fingerprint

  • Kumari, Shipra;Om, Hari
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.9 no.12
    • /
    • pp.4987-5014
    • /
    • 2015
  • The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.

Vulnerability Attack for Mutual Password Authentication Scheme with Session Key agreement (세션 키 동의를 제공하는 상호인증 패스워드 인증 스킴에 대한 취약점 공격)

  • Seo Han Na;Choi Youn Sung
    • Convergence Security Journal
    • /
    • v.22 no.4
    • /
    • pp.179-188
    • /
    • 2022
  • Password authentication schemes (PAS) are the most common mechanisms used to ensure secure communication in open networks. Mathematical-based cryptographic authentication schemes such as factorization and discrete logarithms have been proposed and provided strong security features, but they have the disadvantage of high computational and message transmission costs required to construct passwords. Fairuz et al. therefore argued for an improved cryptographic authentication scheme based on two difficult fixed issues related to session key consent using the smart card scheme. However, in this paper, we have made clear through security analysis that Fairuz et al.'s protocol has security holes for Privileged Insider Attack, Lack of Perfect Forward Secrecy, Lack of User Anonymity, DoS Attack, Off-line Password Guessing Attack.

Cryptanalysis of Multiple-Server Password-Authenticated Key Agreement Schemes Using Smart Cards

  • Lee, Sang-Gon
    • Journal of information and communication convergence engineering
    • /
    • v.9 no.4
    • /
    • pp.431-434
    • /
    • 2011
  • Password-based user-authentication schemes have been widely used when users access a server to avail internet services. Multiserver password-authentication schemes enable remote users to obtain service from multiple servers without separately registering with each server. In 2008, Jia-Lun Tsai proposed an improved and efficient password-authenticated key agreement scheme for a multiserver architecture based on Chang-Lee's scheme proposed in 2004. However, we found that Tsai's scheme does not provide forward secrecy and is weak to insider impersonation and denial of service attacks. In this article, we describe the drawbacks of Tsai's scheme and provide a countermeasure to satisfy the forward secrecy property.

Practical Password-Authenticated Three-Party Key Exchange

  • Kwon, Jeong-Ok;Jeong, Ik-Rae;Lee, Dong-Hoon
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.2 no.6
    • /
    • pp.312-332
    • /
    • 2008
  • Password-based authentication key exchange (PAKE) protocols in the literature typically assume a password that is shared between a client and a server. PAKE has been applied in various environments, especially in the “client-server” applications of remotely accessed systems, such as e-banking. With the rapid developments in modern communication environments, such as ad-hoc networks and ubiquitous computing, it is customary to construct a secure peer-to-peer channel, which is quite a different paradigm from existing paradigms. In such a peer-to-peer channel, it would be much more common for users to not share a password with others. In this paper, we consider password-based authentication key exchange in the three-party setting, where two users do not share a password between themselves but only with one server. The users make a session-key by using their different passwords with the help of the server. We propose an efficient password-based authentication key exchange protocol with different passwords that achieves forward secrecy in the standard model. The protocol requires parties to only memorize human-memorable passwords; all other information that is necessary to run the protocol is made public. The protocol is also light-weighted, i.e., it requires only three rounds and four modular exponentiations per user. In fact, this amount of computation and the number of rounds are comparable to the most efficient password-based authentication key exchange protocol in the random-oracle model. The dispensation of random oracles in the protocol does not require the security of any expensive signature schemes or zero-knowlegde proofs.