• DocumentCode
    2908756
  • Title
    Breaking Randomized Linear Generation Functions Based Virtual Password System
  • Author
    Li, Shujun ; Khayam, Syed Ali ; Sadeghi, Ahmad-Reza ; Schmitz, Roland
  • Author_Institution
    Dept. of Comput. & Inf. Sci., Univ. of Konstanz, Konstanz, Germany
  • fYear
    2010
  • fDate
    23-27 May 2010
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    In ICC2008 and subsequent work, Lei et al. proposed a user authentication system (virtual password system), which is claimed to be secure against identity theft attacks, including phishing, keylogging and shoulder surfing. Their authentication system is a challenge-response protocol based on a randomized linear generation function, which uses a random integer in the responses of each login session to offer security against assorted attacks. In this paper we show that their virtual password system is insecure and vulnerable to multiple attacks. We show that with high probability an attacker can recover an equivalent password with only two (or a few more) observed login sessions. We also give a brief survey of the related work and discuss the main challenges in designing user authentication methods secure against identity theft.
  • Keywords
    probability; security of data; user interfaces; attacker probability; challenge-response protocol; identity theft attacks; keylogging attack; phishing attack; random integer; randomized linear generation functions; shoulder surfing attack; user authentication system; virtual password system; Authentication; Communications Society; Computer science; Computer security; Information science; Information security; Peer to peer computing; Pins; Protocols; Random media;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Communications (ICC), 2010 IEEE International Conference on
  • Conference_Location
    Cape Town
  • ISSN
    1550-3607
  • Print_ISBN
    978-1-4244-6402-9
  • Type
    conf
  • DOI
    10.1109/ICC.2010.5502416
  • Filename
    5502416