
A Design Secure QR-Login User Authentication Protocol and Assurance Methods for the Safety of Critical Data Using Smart Device

Design of a Secure QR-Login User Authentication Protocol Using Smart Devices and a Method for Assuring the Safety of Critical Information

  • Received : 2012.06.30
  • Accepted : 2012.09.07
  • Published : 2012.10.30

Abstract

Today's PCs are under constant threat from malicious code and viruses. As new kinds of cyber attack, such as zero-day attacks, keep being developed, no one's PC is guaranteed to be safe from them. When a user runs an existing authentication protocol on an unsecured PC, the user's authentication information may well be exposed to sniffing or a man-in-the-middle attack. Particularly damaging attacks such as memory hacking make it hard for users even to notice any symptom of infection. This paper therefore designs a secure QR-Login user authentication protocol for smart devices that can read QR codes and communicate over a network, and proposes a way to keep critical data safe while using the Internet. In this way, users can safeguard their critical data even when the PC is under unknown attacks, and can safely carry out extremely sensitive tasks, such as financial transactions, on the device.

Recently, user PCs have been threatened by malicious code and viruses. In particular, previously unknown attacks such as zero-day attacks keep emerging, so it has become difficult to be confident that a user's PC is still safe. Therefore, when a user on a PC whose safety is not assured authenticates with an existing authentication protocol while using Internet services, the user can be exposed to various threats, such as theft of authentication information and man-in-the-middle attacks. Moreover, when subjected to attacks such as memory hacking, the user is placed in a situation where it is difficult even to recognize that the PC has been infected. This paper therefore designs a secure QR-Login user authentication protocol using smart devices that have QR-Code and communication capabilities, and proposes a method for assuring the safety of critical information when using Internet services. With the proposed method, the user can protect critical information even when the PC is threatened by unknown attacks, and can transact safely even in sensitive transactions such as financial trading.
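As an added illustrative example (not code from the paper, whose protocol details are not given on this page), the following Python sketch of a two-channel QR login shows the property the abstract argues for: the PC browser only ever displays a random challenge, the smart device proves possession of a secret the PC never holds, and the server rejects replayed, stale or forged approvals. The session lifetime, the JSON QR payload and the HMAC construction are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

SESSION_TTL = 60  # seconds a displayed QR challenge stays valid (assumed value)


class QrLoginServer:
    """Service side of a two-channel QR login (illustrative, not the paper's protocol)."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # user -> secret shared only with that user's smart device
        self.sessions = {}              # session id -> challenge state

    def start_session(self, now):
        """Called by the (possibly infected) PC browser; returns the QR payload to display.
        The payload carries only a random session id and nonce, never a credential."""
        sid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = {"nonce": nonce, "created": now, "user": None}
        return sid, json.dumps({"sid": sid, "nonce": nonce})

    def verify_device(self, msg, now):
        """Called over the smart device's own channel with the scanned challenge and its MAC."""
        s = self.sessions.get(msg["sid"])
        key = self.device_keys.get(msg["user"])
        if s is None or key is None or s["user"] is not None:  # unknown, or already consumed (replay)
            return False
        if now - s["created"] > SESSION_TTL:                    # stale QR code
            return False
        expected = hmac.new(key, (msg["sid"] + s["nonce"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):       # wrong or missing device secret
            return False
        s["user"] = msg["user"]                                 # bind the PC session to the user
        return True

    def session_user(self, sid):
        """Identity the PC session is logged in as (None until the device approved it)."""
        return self.sessions.get(sid, {}).get("user")


def device_scan(qr_payload, user, device_key):
    """Smart device side: parse the scanned QR and MAC the challenge with the device secret."""
    d = json.loads(qr_payload)
    tag = hmac.new(device_key, (d["sid"] + d["nonce"]).encode(), hashlib.sha256).hexdigest()
    return {"user": user, "sid": d["sid"], "tag": tag}
```

Malware on the PC sees only the QR payload and the resulting logged-in session; without the device secret it cannot produce a valid approval, and a captured approval cannot be replayed.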

