QR-Code Based Mutual Authentication System for Web Service

Password based authentication systems are most widely used for user convenience in web services. However such authentication systems are known to be vulnerable to various attacks such as password guessing attack, dictionary attack and key logging attack. Besides, many of the web systems just provide user authentication in a one-way fashion such that web clients cannot verify the authenticity of the web server to which they set access and give passwords. Therefore, it is too difficult to protect against DNS spoofing, phishing and pharming attacks. To cope with the security threats, web system adopts several enhanced schemes utilizing one time password (OTP) or long and strong passwords including special characters. However there are still practical issues. Users are required to buy OTP devices and strong passwords are less convenient to use. Above all, one-way authentication schemes generate several vulnerabilities. To solve the problems, we propose a multi-channel, multi-factor authentication scheme by utilizing QR-Code. The proposed scheme supports both user and server authentications mutually, thereby protecting against attacks such as phishing and pharming attacks. Also, the proposed scheme makes use of a portable smart device as a OTP generator so that the system is convenient and secure against traditional password attacks. 논문 14-39B-04-03 The Journal of Korea Information and Communications Society '14-04 Vol.39B No.04 http://dx.doi.org/10.7840/kics.2014.39B.4.207 207 ※ 본 연구는 미래창조과학부 및 정보통신산업진흥원의 대학 IT연구센터 지원사업의 연구결과로 수행되었음 (NIPA-2014-H0301-14-1010) First Author : Department of Information and Communication, Duksung women‘s university, jiyepark@duksung.ac.kr, 학생회원 ° Corresponding Author :Departtment of Digital media, Duksung women‘s university , kang@duksung.ac.kr, 정회원 * 덕성여자대학교 네트워크 보안 연구실 sny14@naver.com, minssu17@gmail.com 논문번호 : KICS2013-11-504, Received November 23, 2013; Revised January 21, 2014; Accepted April 11, 2014 The Journal of Korea Information and Communications Society '14-04 Vol.39B No.04