• Title/Summary/Keyword: Password Vulnerability

Search Result 79, Processing Time 0.022 seconds

A Multi-Channel Security Card based on Cryptographically Secure Pseudo-Random Number Generator (난수생성기를 이용한 멀티채널 보안카드 설계)

  • Seo, Hwa-jeong;Seok, Seon-hee;Kim, Kyoung-hoon;Kim, Ho-won
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.3
    • /
    • pp.501-507
    • /
    • 2015
  • The online banking service handles a banking business over the internet, it is necessary to ensure that all financial transactions are processed securely. So, there are various authentication technique for e-banking service : a certificate, a personal identification number(PIN), a security card and a one-time password(OTP). Especially, the security card is most important means including secret information. If the secret information of card is leaked, it means not only loss of security but also easy to attack because security card is a difficult method to get. In this paper, we propose that a multi-channel security card saves an secret information in distributed channel. Proposed multi-channel security card reduces vulnerability of the exposed and has a function to prevent phishing attacks through decreasing the amount of information displayed and generating secret number randomly.

A Remote Authentication Protocol Using Smartcard to Guarantee User Anonymity (사용자 익명성을 제공하는 스마트카드 기반 원격 인증 프로토콜)

  • Baek, Yi-Roo;Gil, Kwang-Eun;Ha, Jae-Cheol
    • Journal of Internet Computing and Services
    • /
    • v.10 no.6
    • /
    • pp.229-239
    • /
    • 2009
  • To solve user authentication problem, many remote user authentication schemes using password and smart card at the same time have been proposed. Due to the increasing of interest in personal privacy, there were some recent researches to provide user anonymity. In 2004, Das et al. firstly proposed an authentication scheme that guarantees user anonymity using a dynamic ID. In 2005, Chien et al. pointed out that Das et al.'s scheme has a vulnerability for guaranteing user anonymity and proposed an improved scheme. However their authentication scheme was found some weaknesses about insider attack, DoS attack, and restricted replay attack. In this paper, we propose an enhanced scheme which can remove vulnerabilities of Chien et al.'s scheme. The proposed authentication protocol prevented insider attack by using user's Nonce value and removed the restricted replay attack by replacing time stamp with random number. Furthermore, we improved computational efficiency by eliminating the exponentiation operation.

  • PDF

Unlocking Shared Bike System by Exploiting an Application Log (애플리케이션 로그를 이용한 공유 자전거 시스템의 잠금장치 해제 방법)

  • Cho, Junwan;Lee, Jeeun;Kim, Kwangjo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.4
    • /
    • pp.719-728
    • /
    • 2019
  • Recently, there has been a growing market for shared mobility businesses that share 'transport' such as cars and bikes, and many operators offer a variety of services. However, if the fare can not be charged normally because of security vulnerability, the operator can not continue the business. So there should be no security loopholes. However, there is a lack of awareness and research on shared mobility security. In this paper, we analyzed security vulnerabilities exposed in application log of shared bike service in Korea. We could easily obtain the password of the bike lock and the encryption key of the AES-128 algorithm through the log, and confirmed the data generation process for unlocking using software reverse engineering. It is shown that the service can be used without charge with a success rate of 100%. This implies that the importance of security in shared mobility business and new security measures are needed.

A Proposal for Matrix Shape Security Keypad for the Nintendo Switch (향상된 보안의 닌텐도 스위치 행렬 형태 보안 키패드 제안)

  • Kwon, Hyeok-dong;Kwon, Yong-bin;Choi, Seung-ju;Seo, Hwa-jeong
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.23 no.9
    • /
    • pp.1152-1159
    • /
    • 2019
  • The Nintendo Switch(NSW), which appeared as an 8th generation console, has succeeded worldwide as a hybrid gaming console. The NSW has E-shop itself, users can sign in to their account and purchase games. The keypad built in the NSW is similar to QWERTY keyboard. In the password input field the input information is hidden, but it's possible to get the value entered from the keypad with shoulder surfing attack. Because of the NSW with many party or family games, there is a high probability that someone else is watching the screen nearby, which acts as a vulnerability in account security. Thus we designed the new keypad which improve from this issue. In this paper, we check the problem about the keypad which built in the NSW, we present the proposed keypad and the compared to the built in keypad by showing the test result of unspecified individuals use.

A Study on Key Protection Method based on WhiteBox Cipher in Block Chain Environment (블록체인 환경에서 화이트박스 암호기반 키 보호 기법에 관한 연구)

  • Choi, Do-Hyeon;Hong, Chan-Ki
    • Journal of Convergence for Information Technology
    • /
    • v.9 no.10
    • /
    • pp.9-15
    • /
    • 2019
  • Recently, in the field of next-generation e-commerce and finance, interest in blockchain-based technologies such as Bitcoin and Ethereum is great. Although the security of blockchain technology is known to be secure, hacking incidents / accidents related to cryptocurrencies are being issued. The main causes were vulnerabilities in the external environment, such as taking over login sessions on cryptocurrency wallets, exposing private keys due to malware infection, and using simple passwords. However, private key management recommends general methods such as utilizing a dedicated application or local backup and physical archiving through document printing. In this paper, we propose a white box password-based private key protection scheme. As a result of safety and performance analysis, we strengthened the security against vulnerability of private key exposure and proved the processing efficiency of existing protocol.

Efficient and Secure User Authentication and SDP Encryption Method in SIP (일회성 암호를 이용한 효율적이고 안전한 SIP 사용자 인증 및 SDP 암호화 기법)

  • Kim, Jung-Je;Chung, Man-Hyun;Cho, Jae-Ik;Shon, Tae-Shik;Moon, Jong-Sub
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.3
    • /
    • pp.463-472
    • /
    • 2012
  • This paper propose a security method that performs mutual authentication between the SIP UA and the server, check for integrity of the signaling channel and protection of SDP information for VoIP using a One-Time Password. To solve the vulnerability of existing HTTP Digest authentication scheme in SIP, Various SIP Authentication schemes have been proposed. But, these schemes can't meet security requirements of SIP or require expensive cryptographic operations. Proposed method uses OTP that only uses hash function and is updated each authentication. So Proposed method do not require expensive cryptographic operations but performs user authentication efficiently and safely than existing methods. In addition, Proposed method verifies the integrity of the SIP messages and performs SDP encryption/decryption through OTP that used for user authentication. So Proposed method can reduce communication overhead when applying S/MIME or TLS.

A Study on Privacy Violation Vulnerability Through E-Mail Sent to Expired Domains (만료된 도메인의 전자우편을 통한 개인정보 유출에 관한 연구)

  • Kim, DongHyun;Hong, YunSeok
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2022.10a
    • /
    • pp.146-149
    • /
    • 2022
  • With internet development, many peoples use their email to exchange documents, register for web services, and much more. Some individuals/organizations (including educational institutions) use their own domain name for email instead of a domain provided by commercial email services. However, suppose the domain used for custom email expires. In that case, other individuals/organizations can reuse the domain, and the new domain owner can send and receive all emails incoming to the domain. It makes us concerned about Privacy violations. Email that new domain owners can look into also contains sensitive emails like password reset notifications, credit card statements, order history, and more. In this research, we would like to describe the privacy violations caused by the expired domain used for email that did not remove all dependencies of email users and propose a solution.

  • PDF

Vulnerability Analysis for Industrial Control System Cyber Security (산업제어시스템의 사이버보안을 위한 취약점 분석)

  • Kim, Do-Yeon
    • The Journal of the Korea institute of electronic communication sciences
    • /
    • v.9 no.1
    • /
    • pp.137-142
    • /
    • 2014
  • Industrial control system (ICS) is a computer based system which are typically used in nation-wide critical infra-structure facilities such as electrical, gas, water, wastewater, oil and transportation. In addition, ICS is essentially used in industrial application domain to effectively monitor and control the remotely scattered systems. The highly developed information technology (IT) and related network techniques are continually adapted into domains of industrial control system. However, industrial control system is confronted significant side-effects, which ICS is exposed to prevalent cyber threats typically found in IT environments. Therefore, cyber security vulnerabilities and possibilities of cyber incidents are dramatically increased in industrial control system. The vulnerabilities that may be found in typical ICS are grouped into Policy and Procedure, Platform, and Network categories to assist in determining optimal mitigation strategies. The order of these vulnerabilities does not necessarily reflect any priority in terms of likelihood of occurrence or severity of impact. Firstly, corporate security policy can reduce vulnerabilities by mandating conduct such as password usage and maintenance or requirements for connecting modems to ICS. Secondly, platfom vulnerabilities can be mitigated through various security controls, such as OS and application patching, physical access control, and security software. Thirdly, network vulnerabilities can be eliminated or mitigated through various security controls, such as defense-in-depth network design, encrypting network communication, restricting network traffic flows, and providing physical access control for network components.

Shoulder Surfing Attack Modeling and Security Analysis on Commercial Keypad Schemes (어깨너머공격 모델링 및 보안 키패드 취약점 분석)

  • Kim, Sung-Hwan;Park, Min-Su;Kim, Seung-Joo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.6
    • /
    • pp.1159-1174
    • /
    • 2014
  • As the use of smartphones and tablet PCs has exploded in recent years, there are many occasions where such devices are used for treating sensitive data such as financial transactions. Naturally, many types of attacks have evolved that target these devices. An attacker can capture a password by direct observation without using any skills in cracking. This is referred to as shoulder surfing and is one of the most effective methods. There has been only a crude definition of shoulder surfing. For example, the Common Evaluation Methodology(CEM) attack potential of Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method supplements CC. Risk is calculated first by checking vulnerability conditions one by one and the method of the CC attack potential is applied for quantitative expression. We present a case study for security-enhanced QWERTY keyboard and numeric keypad input methods, and the commercially used mobile banking applications are analyzed for shoulder surfing risks.