• Title/Summary/Keyword: Password Vulnerability

Search Result 79, Processing Time 0.026 seconds

Formal Specification and Verification for S/KEY Against Dictionary Attack (사전공격 방지를 위한 S/KEY의 정형 명세 및 검증)

  • Kim Il-Gon;Choi Jin-Young
    • Journal of KIISE:Software and Applications
    • /
    • v.31 no.9
    • /
    • pp.1218-1225
    • /
    • 2004
  • S/KEY system was proposed to guard against intruder's password replay attack. But S/KEY system has vulnerability that if an attacker derive passphrase from his dictionary file, he can acquire one-time password required for user authentication. In this paper, we propose a correct S/KEY system mixed with EKE to solve the problem. Also, we specify a new S/KEY system with Casper and CSP, verify its secrecy and authentication requirements using FDR model checking tool.

Expanding the User Authentication Scheme in SIP (SIP에서의 강화된 사용자 인증 방식)

  • Go, Yun-Mi;Kwon, Kyung-Hee
    • The Journal of the Korea Contents Association
    • /
    • v.11 no.12
    • /
    • pp.88-93
    • /
    • 2011
  • Due to vulnerable authentication scheme of SIP, intruders can easily impersonate legitimate user. HTTP Digest authentication scheme or private key issued by trust third parties has been used to prevent impersonation attack. However, these methods have suffered security vulnerability or service delay due to computation overhead. In this paper, we propose new authentication method to generate automatically one-time password using the pre-shared password and time information of messages exchanged between SIP UA(User Agent) and SIP Registrar. This method protects against impersonation attack without significant modification of exiting SIP authentication procedure to build securer SIP environment.

Enhanced Transaction Signing-based Authentication Scheme for Secure Internet Banking (안전한 인터넷 뱅킹을 위한 트랜잭션 서명기법에 관한 연구)

  • Lim, Hyung-Jin;Lee, Jeong-Gun;Kim, Moon-Seong
    • Journal of Internet Computing and Services
    • /
    • v.9 no.6
    • /
    • pp.73-79
    • /
    • 2008
  • Nowadays, all over the world's banks use internet banking through various authentication methods. Although there are strong authentication methods using OTP (One Time Password), there still has vulnerability from sophisticated attacks such as MITM (Man In The Middle). This letter proposes signing-based authentication protocol that copes with attacks, such as MITB (Man In The Browser), and provides non-repudiation function. The protocol shows generic method to prevent the sophisticated attacks through connecting advantages from OTP and PKI (Public Key Infrastructure) certificate, and that can be deployed to various extended form in internet banking.

  • PDF

Implementation of the OTP Based Smart Locks Using Personal Information (개인 정보를 이용한 OTP 기반의 스마트 잠금장치구현)

  • Seong, Ki-Taek
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2016.05a
    • /
    • pp.766-768
    • /
    • 2016
  • Conventional locking device has a disadvantage such as a security vulnerability caused by using avoid traces of the keypad that are frequently used due to the complex password application. In this study, we proposed a OTP based locks by using user identical informations that overcomes the disadvantages of the conventional apparatus. We implemented and validated the proposed algorithm through simulations.

  • PDF

Security Vulnerability Analysis for Yang's Strong Password Authentication Scheme (Yang의 강력한 패스워드 인증 스킴에 대한 보안 취약점 분석)

  • Kim, Jun-Sub;Kwak, Jin
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2011.04a
    • /
    • pp.797-799
    • /
    • 2011
  • 현재까지 많은 강력한 패스워드 인증 프로토콜들이 제안되고 있으나 이 프로토콜들은 여러 보안 취약점이 존재한다. 2010년 Yang 등은 Ku가 제안한 프로토콜이 훔친 검증자 공격에 취약하다는 것을 지적하며 SPAS를 제안하였다. 하지만 SPAS는 Ku의 프로토콜과 마찬가지로 훔친 검증자 공격에 대한 취약성을 가지고 있다. 따라서 본 논문에서는 SPAS를 분석하고 SPAS가 훔친 검증자 공격에 안전하지 못함을 증명한다.

Analysis on Vulnerability of ID/PW Management Solution and Proposal of the Evaluation Criteria (아이디/패스워드 통합 관리 제품의 취약성 분석 및 평가기준 제안)

  • Han, Jeong-Hoon;Lee, Byung-Hee;Hong, Su-Min;Kim, Seung-Hyun;Won, Dong-Ho;Kim, Seung-Joo
    • The KIPS Transactions:PartC
    • /
    • v.15C no.2
    • /
    • pp.125-132
    • /
    • 2008
  • As the development of Internet technology, the number of IDs managed by each individuals has been increased. And many software development institutes have developed ID/PW management solutions to facilitate secure and convenient management of ID/PW. However, these solutions also can be vulnerable in case of administrator's password exposure. Thus, we need to derive security requirements from the vulnerability analysis of these solutions, also we need evaluation criteria for secure ID/PW management solution development. In this paper, we analyze the vulnerability of ID/PW management solution and propose the evaluation criteria for secure ID/PW management solution.

Yi et al.'s Group Key Exchange Protocol : A Security Vulnerability and its Remediation (Yi등이 제안한 그룹 키 교환 프로토콜의 보안 취약성 및 개선 방법)

  • Lee, Young-Sook;Kim, Jee-Yeon;Won, Dong-Ho
    • Journal of the Korea Society of Computer and Information
    • /
    • v.17 no.4
    • /
    • pp.91-98
    • /
    • 2012
  • A group key exchange (GKE) protocol is designed to allow a group of parties communicating over a public network to establish a common secret key. As group-oriented applications gain popularity over the Internet, a number of GKE protocols have been suggested to provide those applications with a secure multicast channel. Among the many protocols is Yi et al.'s password-based GKE protocol in which each participant is assumed to hold their individual password registered with a trusted server. A fundamental requirement for password-based key exchange is security against off-line dictionary attacks. However, Yi et al.'s protocol fails to meet the requirement. In this paper, we report this security problem with Yi et al.'s protocol and show how to solve it.

Security Improvements on the Remote User Authentication Scheme Using Smart Cards (스마트카드를 사용한 원격 사용자 인증 스킴의 시큐리티 개선에 관한 연구)

  • Seo, Jeong-Man;An, Young-Hwa
    • Journal of the Korea Society of Computer and Information
    • /
    • v.15 no.3
    • /
    • pp.91-97
    • /
    • 2010
  • Recently Hu-Niu-Yang proposed the user authentication scheme to improve Liu et al's scheme. But the Hu-Niu-Yang's scheme has not been satisfied security requirements considering in the user authentication scheme using the password based smart card. In this paper, we proved that Hu-Niu-Yang's scheme is vulnerable to the off-line password guessing attack in case that the attacker steals the user's smart card and extracts the information in the smart card. Also, the improved user authentication scheme solving the security vulnerability was introduced, thus preventing the attacks, such as password guessing attack, forgery attack impersonation attack, and replay attack. For preventing those attacks, the our proposed scheme need more hash functions and exclusive-OR operations than Hu-Niu-Yang's scheme.

Design for Position Protection Secure Keypads based on Double-Touch using Grouping in the Fintech (핀테크 환경에서 그룹핑을 이용한 이중 터치 기반의 위치 차단이 가능한 보안 키패드 설계)

  • Mun, Hyung-Jin
    • Journal of Convergence for Information Technology
    • /
    • v.12 no.3
    • /
    • pp.38-45
    • /
    • 2022
  • Due to the development of fintech technology, financial transactions using smart phones are being activated. The password for user authentication during financial transactions is entered through the virtual keypad displayed on the screen of the smart phone. When the password is entered, the attacker can find out the password by capturing it with a high-resolution camera or spying over the shoulder. A virtual keypad with security applied to prevent such an attack is difficult to input on a small touch-screen, and there is still a vulnerability in peeping attacks. In this paper, the entire keypad is divided into several groups and displayed on a small screen, touching the group to which the character to be input belongs, and then touching the corresponding character within the group. The proposed method selects the group to which the character to be input belongs, and displays the keypad in the group on a small screen with no more than 10 keypads, so that the size of the keypad can be enlarged more than twice compared to the existing method, and the location is randomly placed, hence location of the touch attacks can be blocked.

Vulnerability Analysis and Improvement in Man-in-the-Middle Attack for Remote User Authentication Scheme of Shieh and Wang's using Smart Card (Shieh and Wang's의 스마트카드 상호인증 스킴에 대한 중간자공격 개선)

  • Shin, Kwang-Cheul
    • The Journal of Society for e-Business Studies
    • /
    • v.17 no.4
    • /
    • pp.1-16
    • /
    • 2012
  • Shieh and Wang [10] recently proposed an efficient mutual authentication scheme that combined the cost-effectiveness of operations of Lee et al. [6]. scheme and the security and key agreement of Chen and Yeh scheme. Shieh and Wang [10] scheme, however, does not satisfy the security requirements against a third party (the man-in the middle, attacker) that have to be considered in remote user authentication scheme using password-based smart cards. Shieh and Wang weaknesses are the inappropriateness that it cannot verify the forged message in 3-way handshaking mutual authentication, and the vulnerability that the system (server) secret key can easily be exposed. This paper investigates the problems of Shieh and Wang scheme in the verification procedure of the forged messages intercepted by the eavesdrop. An enhanced two-way remote user authentication scheme is proposed that is safe and strong against multiple attacks by adding the ability to perform integrity check on the server and proposed scheme is not expose user password information and the system's confidential information.