• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.12
• /
• pp.4987-5014
• /
• 2015

The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.

• Convergence Security Journal
• /
• v.22 no.4
• /
• pp.179-188
• /
• 2022

Password authentication schemes (PAS) are the most common mechanisms used to ensure secure communication in open networks. Mathematical-based cryptographic authentication schemes such as factorization and discrete logarithms have been proposed and provided strong security features, but they have the disadvantage of high computational and message transmission costs required to construct passwords. Fairuz et al. therefore argued for an improved cryptographic authentication scheme based on two difficult fixed issues related to session key consent using the smart card scheme. However, in this paper, we have made clear through security analysis that Fairuz et al.'s protocol has security holes for Privileged Insider Attack, Lack of Perfect Forward Secrecy, Lack of User Anonymity, DoS Attack, Off-line Password Guessing Attack.

• Journal of information and communication convergence engineering
• /
• v.5 no.4
• /
• pp.346-350
• /
• 2007

Almost all network systems provide an authentication mechanism based on user ID and password. In such system, it is easy to obtain the user password using a sniffer program with illegal eavesdropping. The one-time password and challenge-response method are useful authentication schemes that protect the user passwords against eavesdropping. In client/server environments, the one-time password scheme using time is especially useful because it solves the synchronization problem. It is the stability that is based on Square Root Problem, and we would like to suggest PBSI(Password Based Secure Identification), enhancing the stability, for all of the well-known attacks by now including Off-line dictionary attack, password file compromise, Server and so on. The PBSI is also excellent in the aspect of the performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.27 no.11C
• /
• pp.1074-1080
• /
• 2002

In clients/server environments, the one-time password scheme using time is especially useful because it solves the synchronization problem. However, it has the problem that is time-slippage, and causes the authentication to fail. In this paper, we propose an effective one-time password algorithm, which solves the time-slippage problem through the use of 1-bit information, which denotes the duration in which the authentication could be failed because of time-slippage. This algorithm is added easily and quickly to current one-time password systems using time without requiring any change of protocols: the proposed algorithm can be implemented by adding only 1-bit information to the user authentication information, not by modifying the one-time password authentication system protocol. And we propose also the algorithm of time correction, which can be implemented by adding 2-bit information on the proposed one-time password.

• Journal of Korea Multimedia Society
• /
• v.19 no.1
• /
• pp.41-50
• /
• 2016

Moblie device based financial services are vulnerable to social engineering attacks because of the display screen of mobile devices. In other words, in the case of shoulder surfing, attackers can easily look over a user's shoulder and expose his/her password. To resolve this problem, a colour-based secure keyboard solution has been proposed. However, it is inconvenient for genuine users to verify their password using this method. Furthermore, password colours can be exposed because of fixed keyboard colours. Therefore, we propose a secure mobile authentication method to provide advanced functionality and strong privacy. Our authentication method is robust to social engineering attacks, especially keylogger and shoulder surfing attacks. According to the evaluation results, our method offers increased security and improved usability compared with existing methods.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2001.10a
• /
• pp.510-513
• /
• 2001

OTP(One-time Password) had been used much by method to do user certification so far. Because aspect that user certification that use OTP is efficient and economical fairly is much, it is one of method that can use easily. This treatise would apply OTP in message authentication and wishes to show that OTP is available for inter-authentication. First, examine about OTP's characteristic and overview in introduction, and explain about user certification method to use OTP in main discourse and method of message certification. And finally. wish to examine how OTP offers inter-authentication function.

• Journal of the Korea Convergence Society
• /
• v.9 no.9
• /
• pp.15-22
• /
• 2018

As smart devices become popular, users can use authentication services in various methods. Authentication services include authentication using an ID and a password, authentication using a sms, and authentication using an OTP(One Time Password). This paper proposed an authentication system that solves the security problem of knowledge-based authentication using optical character recognition and can easily and quickly authenticate users. The proposed authentication system extracts a character from an uploaded image by a user and authenticates the user using the extracted character information. The proposed authentication system has the advantage of not using a password or an OTP that are easily exposed or lost, and can not be authenticated without using accurate photographs. The proposed authentication system is platform independent and can be used for user authentication, file encryption and decryption.

• Journal of information and communication convergence engineering
• /
• v.3 no.4
• /
• pp.213-216
• /
• 2005

Almost all network systems provide an authentication mechanism based on user ID and password. In such system, it is easy to obtain the user password using a sniffer program with illegal eavesdropping. The one-time password and challenge-response method are useful authentication schemes that protect the user passwords against eavesdropping. In client/server environments, the one-time password scheme using time is especially useful because it solves the synchronization problem. It is the stability that is based on Square Root Problem, and we would like to suggest PBI(password Based Identification), enhancing the stability, for all of the well-known attacks by now including Off-line dictionary attack, password file compromise, Server and so on. The PBI is also excellent in the aspect of the performance.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.7 no.4
• /
• pp.23-30
• /
• 2011

Recently, Tsai proposed a remote user authentication scheme suited for multi-server environments, in which users can be authenticated using a single password shared with the registration center. Our analysis shows that Tsai et al's scheme does not achieve its fundamental goal of password security. We demonstrate this by mounting an undetectable on-line password guessing attack on Tsai et al.'s scheme.

• Journal of information and communication convergence engineering
• /
• v.9 no.4
• /
• pp.431-434
• /
• 2011

Password-based user-authentication schemes have been widely used when users access a server to avail internet services. Multiserver password-authentication schemes enable remote users to obtain service from multiple servers without separately registering with each server. In 2008, Jia-Lun Tsai proposed an improved and efficient password-authenticated key agreement scheme for a multiserver architecture based on Chang-Lee's scheme proposed in 2004. However, we found that Tsai's scheme does not provide forward secrecy and is weak to insider impersonation and denial of service attacks. In this article, we describe the drawbacks of Tsai's scheme and provide a countermeasure to satisfy the forward secrecy property.