-
Archive :
Spring 1401 issue
-
Acceptance code :
1396
-
Subject :
Computer Engineering
-
Author(s) :
Somayeh Nasiri (سمیه نصیری)
-
Language :
Persian
-
Article type :
Review
-
Abstract (Persian) :
Phishing attacks are a group of attacks that endanger users' security and their critical information, including their passwords, and many solutions, including one-time passwords, have so far been proposed to counter the existing threats. Despite efforts to use one-time passwords to prevent phishing attacks, this remains a major challenge and further research is needed. Most attacks lure users (using social engineering techniques) to carefully designed phishing websites that resemble the websites of the targeted organizations, in order to obtain users' personal information by having them fill in forms. Phishing, including spear phishing, has become a serious problem because of its unpredictability. This in turn motivates researchers and practitioners to find solutions to defend against it, or at least to make users aware of the danger of this phenomenon. The efficiency of the proposed method is computed analytically through scenario definition, modelling and simulation, and is measured by the prevention-rate criterion as well as by the complexity coefficient of the proposed method, which indicates that it is unlikely to be guessed by attackers.
-
Keywords (Persian) :
Phishing, one-time password.
-
Abstract (English) :
Phishing attacks are a group of attacks that compromise users' security and sensitive information, including their passwords, and many solutions, including one-time passwords, have been proposed to prevent the existing threats. Despite efforts to use one-time passwords to prevent phishing attacks, this remains a major challenge and requires further investigation. Most attacks lure users (using social engineering techniques) to carefully designed phishing websites that look just like the websites of the targeted organizations, so that users fill out forms that hand over their personal information. Phishing, including spear phishing, has become a serious problem due to its unpredictability. This motivates researchers and practitioners to find solutions that protect against the danger of this phenomenon, or at least warn users of it. The efficiency of the proposed method is calculated analytically using scenario definition, modeling and simulation, and is measured by the prevention-rate criterion as well as the complexity coefficient of the proposed method, which indicates that it is unlikely to be guessed by attackers.
-
Keywords (English) :
One-time password, Phishing
-
Pages :
1-17