New Identity Management Scheme and its Formal Analysis

Jeonghoon Han, Hanjae Jeong, Dongho Won, and Seungjoo Kim

World Academy of Science, Engineering and Technology 49 2009 617

Abstract— As Internet technology has developed rapidly, the number of identities (IDs) that each person manages has increased, and various ID management technologies have been developed to assist users. However, most of these technologies are vulnerable to existing hacking methods such as phishing attacks and key-logging. If the administrator's password is exposed, an attacker can access the entire contents of the user's stolen data file from other devices. To solve these problems, we propose a new ID management scheme based on a Single Password Protocol. The paper presents the details of the new scheme as well as a formal analysis of the method using BAN Logic.

Keywords—Anti-phishing, BAN Logic, ID management.

I. INTRODUCTION

As Internet technology has developed, the number of Internet users has increased rapidly. Most users use a simple, identical password to access different websites. Thus, the exposure of a password registered at a single website affects many other websites. To solve this problem, various ID management technologies have been developed, such as CardSpace, AlPass, OpenID, Sxipper, KeePass, and RoboForm. However, these technologies are still vulnerable to existing hacking methods such as phishing attacks and key-logging [1]. Furthermore, if the administrator's password is compromised, an attacker can access the entire contents of the stolen user data file from other devices [2]. To solve these problems, we propose a new ID management scheme in this paper.

This paper is organized as follows: Section II explains the related work that forms the base technologies for our ID management scheme. Section III proposes a new ID management scheme based on the Single Password Protocol. Section IV introduces BAN Logic and presents a formal analysis of the proposed scheme, and finally, Section V concludes the paper.

"This research was supported by the Ministry of Knowledge Economy, Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Advancement)" (IITA-2008-C1090-0801-0016). J. Han, D. Won and S. Kim are with the Information Security Group, Sungkyunkwan University, 300 Cheoncheon-dong, Jangan-gu, Suwon-si, Gyeonggi-do, 440-746, Korea (phone: 82-31-290-7213; fax: 82-31-290-7686; e-mail: {jhhan, dhwon, skim}@security.re.kr). Corresponding author: Seungjoo Kim.

II. RELATED WORKS

In this section, we summarize the results of our previous related research [2] to set the scene for the current work. In addition, we introduce the Single Password Protocol (SPP) and two authentication methods that use a device's unique information [3, 4, 5].

A. Previous Research

In our previous research, we performed a vulnerability analysis of the ID management technologies; Table 1 describes the results for each technology (where O means that the technology is vulnerable to the form of hacking indicated and X means it is resistant). Fig. 1 describes the general behavior of the ID management technologies.

Fig. 1 Behavior of General ID Management Technologies

In the previous research, we examined whether an administrator's password and a user data file are exposed by using hacking tools in the section of and . We used "SKIn2000" and "NetBus" as the hacking tools [6, 7]. "SKIn2000" is a key-logging tool that provides not only "Static Text" information but also "Edit Controls" information. "NetBus" is used for stealing the user data file.