On the security of PAS (Predicate-based Authentication Service)

Shujun Li*, Hassan Jameel Asghar, Josef Pieprzyk, Ahmad Reza Sadeghi, Roland Schmitz, Huaxiong Wang

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

18 Citations (Scopus)
53 Downloads (Pure)


Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Original languageEnglish
Title of host publication25th Annual Computer Conference Security Applications, ACSAC 2009
EditorsSilvia Ceballos
Place of PublicationPistacaway, NJ
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages10
ISBN (Electronic)9780769539195
ISBN (Print)9781424453276
Publication statusPublished - 2009
Event25th Annual Computer Conference Security Applications, ACSAC 2009 - Honolulu, HI, United States
Duration: 7 Dec 200911 Dec 2009


Other25th Annual Computer Conference Security Applications, ACSAC 2009
Country/TerritoryUnited States
CityHonolulu, HI

Bibliographical note

Copyright 2009 IEEE. Reprinted from 25th Annual Computer Security Applications Conference : proceedings : Honolulu, Hawaii, 7-11 December 2009. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie University’s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to [email protected]. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.


Dive into the research topics of 'On the security of PAS (Predicate-based Authentication Service)'. Together they form a unique fingerprint.

Cite this