On the Security of PAS (Predicate-Based Authentication Service)

Author

Li, Shujun ; Asghar, Hassan Jameel ; Pieprzyk, Josef ; Sadeghi, Ahmad-Reza ; Schmitz, Roland ; Wang, Huaxiong

Author_Institution

Dept. of Comput. & Inf. Sci., Univ. Konstanz, Konstanz, Germany

fYear

2009

fDate

7-11 Dec. 2009

Firstpage

209

Lastpage

218

Abstract

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Keywords

authorisation; computer network security; probability; PAS security; brute force attack; human authentication scheme; one time password system; predicate based authentication service; probabilistic attack; Application software; Authentication; Computer security; Cryptography; Hardware; Humans; Information security; Protocols; Resists; Usability; Matsumoto-Imai threat model; OTP (one-time password); PAS; attack; authentication; security; usability;

fLanguage

English

Publisher

ieee

Conference_Titel

Computer Security Applications Conference, 2009. ACSAC '09. Annual

Conference_Location

Honolulu, HI

ISSN

1063-9527

Print_ISBN

978-0-7695-3919-5

Type

conf

DOI

10.1109/ACSAC.2009.27

Filename

5380509