Design and Implementation of Pinpad using Secure Technology from Shoulder Surfing Attack

Design and Implementation of a PIN Pad with Built-in Technology Secure against Shoulder Surfing

  • 강문설 (Department of Computer Engineering, Gwangju University)
  • 김용일 (Department of Internet Software, Honam University)
  • Received : 2009.12.09
  • Accepted : 2010.03.28
  • Published : 2010.04.30

Abstract

When entering a PIN (personal identification number), the greatest security threat is the shoulder surfing attack. A shoulder surfing attack consists of watching the PIN being entered from over the user's shoulder in order to obtain the number; it is the most common and at the same time the most powerful threat for stealing a PIN. In this paper, a psychology-based PINpad technology referred to as DAS (Dynamic Authentication System), which safeguards against shoulder surfing attacks, is proposed. The safety of the proposed DAS against shoulder surfing was also tested and verified from an intuitive viewpoint, through a shoulder surfing test, and through theoretical analysis. A PINpad with a built-in DAS, certified for its safety against shoulder surfing attacks, was then designed and produced. Because the designed PINpad significantly decreases a shoulder surfer's chances of stealing the PIN compared to an ordinary PINpad, it was determined to be suitable for use at ATMs (automated teller machines) operated by banks, and it has been introduced and is being used by many financial institutions.

The greatest security threat in the process of entering a PIN is shoulder surfing. Shoulder surfing is the act of watching the PIN entry from beside the user in order to obtain the PIN; it is the most traditional way of obtaining a PIN and a powerful security threat. This paper proposes a PIN-entry technology called the Dynamic Authentication System (DAS), a technology secure against shoulder surfing that is grounded in cognitive psychology. The security of the proposed DAS against shoulder surfing was verified from three angles: an intuitive viewpoint, a shoulder-surfing experiment, and theoretical analysis. A PINpad with a built-in DAS, whose security against shoulder surfing had thus been demonstrated, was designed and implemented. Because the implemented PINpad can significantly lower a shoulder-surfing attacker's probability of obtaining the PIN compared to the ordinary password-entry method, it was evaluated as suitable for deployment and operation on ATMs run by banks, and it has been adopted and is in use at financial institutions.

Cited by

  1. Advanced Password Input Method in Automated Teller Machines/Cash Dispenser vol.18C, pp.2, 2011, https://doi.org/10.3745/KIPSTC.2011.18C.2.071