• Title/Summary/Keyword: password authentication

Search Result 551, Processing Time 0.021 seconds

Cryptanalysis and Enhancement of the An's Remote User Authentication Scheme using the Smart Cards (스마트카드를 이용한 An의 원격 사용자 인증 스킴의 안전성 분석 및 개선)

  • Shin, Seung-Soo;Han, Kun-Hee
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.12 no.10
    • /
    • pp.4612-4617
    • /
    • 2011
  • Hsiang-Shin proposed a user authentication scheme which was created by improving Yoon's scheme. Afterwards, An showed the failure to meet security requirements which are considered in user authentication using password-based smart card in Hsiang-Shih-suggested scheme. In other words, it was found that an attacker can steal a user's card, and detect a user's password by temporarily accessing it and extracting the information stored in it. However, An-proposed scheme also showed its vulnerability to password-guessing attack and forgery/impersonation attack, etc. and thus, this paper proposed the improved user authentication scheme. The proposed authentication scheme can thwart the password-guessing attack completely and this paper proposed scheme also includes an efficient mutual authentication method that can make it possible for users and authentication server to certify the other party.

Formal Analysis of Authentication System based on Password using Smart Card (스마트카드를 이용한 패스워드 기반 인증시스템 정형분석)

  • Kim, Hyun-Seok;Kim, Ju-Bae;Jeong, Yeon-Oh;Han, Keun-Hee;Chai, Jin-Young
    • Journal of KIISE:Computer Systems and Theory
    • /
    • v.36 no.4
    • /
    • pp.304-310
    • /
    • 2009
  • Due to widely use of internet, a lot of users frequently access into remote server in distributed computing environment. However, transmitting the information using vulnerable channel without authentication security system can be exposed to replay attack, offline password attack, and impersonation attack. According to this possibility, there is research about authentication protocol to prevent these hostile attacks using smart card. In this paper, we analyze vulnerability of user authentication system based on password and propose modified user authentication system.

An Unproved Optimal Strong-Password Authentication (I-OSPA) Protocol Secure Against Stolen-Verifier Attack and Impersonation Attack (Stolen-Verifier 공격과 Impersonation 공격에 안전한 개선된 OSPA 프로토콜)

  • Kwak, Jin;Oh, Soo-Hyun;Yang, Hyung-Kyu;Won, Dong-Ho
    • The KIPS Transactions:PartC
    • /
    • v.11C no.4
    • /
    • pp.439-446
    • /
    • 2004
  • In the Internet, user authentication is the most important service in secure communications. Although password-based mechanism is the most widely used method of the user authentication in the network, people are used to choose easy-to-remember passwords, and thus suffers from some Innate weaknesses. Therefore, using a memorable password it vulnerable to the dictionary attacks. The techniques used to prevent dictionary attacks bring about a heavy computational workload. In this paper, we describe a recent solution, the Optimal Strong-Password Authentication (OSPA) protocol, and that it is vulnerable to the stolen-verifier attack and an impersonation attack. Then, we propose an Improved Optimal Strong-Password Authentication (I-OSPA) protocol, which is secure against stolen-verifier attack and impersonation attack. Also, since the cryptographic operations are computed by the processor in the smart card, the proposed I-OSPA needs relatively low computational workload and communicational workload for user.

A new password authentication scheme using two-way password in Smartphone Banking (이중 패스워드 방식을 이용한 스마트폰 뱅킹 관리)

  • Song, Jong-Gun;Kim, Tae-Yong;Lee, Hoon-Jae;Jang, Won-Tae
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.12 no.3
    • /
    • pp.195-200
    • /
    • 2012
  • Smart Phone devices offer convenience for users, but present a new set of security issues due to loss or malicious code. In this paper, a mobile cloud system environment is used with existing smart phones in an attempt to solve the problems in a banking environment. In order to prevent financial damages due to loss or personal information leakage by malicious code, a mobile cloud computing service that provides control and protection of personal information in environment that ensures individual authentication is used. Existing ID / Password with certificate, with the way smart phone dual password authentication scheme using the gyro sensors proposed.

Password Authenticated Joux's Key Exchange Protocol (패스워드 인증된 Joux의 키 교환 프로토콜)

  • Lee Sang-gon;Hitcock Yvonne;Park Young-ho;Moon Sang-jae
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.15 no.5
    • /
    • pp.73-92
    • /
    • 2005
  • Joux's tripartite key agreement protocol is one of the most prominent developments in the area of key agreement. Although certificate-based and ID-based authentication schemes have been proposed to provide authentication for Joux's protocol, no provably secure password-based one round tripartite key agreement protocol has been proposed yet. We propose a secure one round password-based tripartite key agreement protocol that builds on Joux's protocol and adapts PAK-EC scheme for password-based authentication, and present a proof of its security.

Efficient and Secure Sound-Based Hybrid Authentication Factor with High Usability

  • Mohinder Singh B;Jaisankar N.
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.17 no.10
    • /
    • pp.2844-2861
    • /
    • 2023
  • Internet is the most prevailing word being used nowadays. Over the years, people are becoming more dependent on the internet as it makes their job easier. This became a part of everyone's life as a means of communication in almost every area like financial transactions, education, and personal-health operations. A lot of data is being converted to digital and made online. Many researchers have proposed different authentication factors - biometric and/or non-biometric authentication factors - as the first line of defense to secure online data. Among all those factors, passwords and passphrases are being used by many users around the world. However, the usability of these factors is low. Also, the passwords are easily susceptible to brute force and dictionary attacks. This paper proposes the generation of a novel passcode from the hybrid authentication factor - sound. The proposed passcode is evaluated for its strength to resist brute-force and dictionary attacks using the Shannon entropy and Passcode (or password) entropy formulae. Also, the passcode is evaluated for its usability. The entropy value of the proposed is 658.2. This is higher than that of other authentication factors. Like, for a 6-digit pin - the entropy value was 13.2, 101.4 for Password with Passphrase combined with Keystroke dynamics and 193 for fingerprint, and 30 for voice biometrics. The proposed novel passcode is far much better than other authentication factors when compared with their corresponding strength and usability values.

Ad-hoc Security Authentication Technique based on Verifier (검증자 기반 Ad-hoc 보안 인증기법)

  • Lee, Cheol-Seung;Hong, Seong-Pyo;Lee, Ho-Young;Lee, Joon
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2007.10a
    • /
    • pp.713-716
    • /
    • 2007
  • This paper suggests One-time Password key exchange authentication technique for a strong authentication based on Ad-hoc Networks and through identify wireless environment security vulnerabilities, analyzes current authentication techniques. The suggested authentication technique consists of 3 steps: Routing, Registration, and Running. The Routing step sets a safe route using AODV protocol. The Registration and Running step apply the One-time password S/key and the DH-EKE based on the password, for source node authentication. In setting the Session key for safe packet transmission and data encryption, the suggested authentication technique encrypts message as H(pwd) verifiers, performs key exchange and utilizes One time password for the password possession verification and the efficiency enhancement. EKE sets end to end session key using the DH-EKE in which it expounds the identifier to hash function with the modula exponent. A safe session key exchange is possible through encryption of the H(pwd) verifier.

  • PDF

Practical Password-Authenticated Three-Party Key Exchange

  • Kwon, Jeong-Ok;Jeong, Ik-Rae;Lee, Dong-Hoon
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.2 no.6
    • /
    • pp.312-332
    • /
    • 2008
  • Password-based authentication key exchange (PAKE) protocols in the literature typically assume a password that is shared between a client and a server. PAKE has been applied in various environments, especially in the “client-server” applications of remotely accessed systems, such as e-banking. With the rapid developments in modern communication environments, such as ad-hoc networks and ubiquitous computing, it is customary to construct a secure peer-to-peer channel, which is quite a different paradigm from existing paradigms. In such a peer-to-peer channel, it would be much more common for users to not share a password with others. In this paper, we consider password-based authentication key exchange in the three-party setting, where two users do not share a password between themselves but only with one server. The users make a session-key by using their different passwords with the help of the server. We propose an efficient password-based authentication key exchange protocol with different passwords that achieves forward secrecy in the standard model. The protocol requires parties to only memorize human-memorable passwords; all other information that is necessary to run the protocol is made public. The protocol is also light-weighted, i.e., it requires only three rounds and four modular exponentiations per user. In fact, this amount of computation and the number of rounds are comparable to the most efficient password-based authentication key exchange protocol in the random-oracle model. The dispensation of random oracles in the protocol does not require the security of any expensive signature schemes or zero-knowlegde proofs.

An Analysis of Password Meters for Domestic Web Sites (국내 웹 사이트 패스워드 미터 분석)

  • Kim, KyoungHoon;Kwon, Taekyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.3
    • /
    • pp.757-767
    • /
    • 2016
  • Password authentication is the representative user authentication method and particularly text-based passwords are most widely used. Unfortunately, most users select weak passwords and so many web sites provide a password meter that measures password strength to derive the users to select strong passwords. However, some metering results are not consistent and incorrect strength feedbacks are made. In this paper, we tackle these problems regarding password meters and present an improvement direction.