On the security of PAS (Predicate-based Authentication Service)

Shujun Li; Hassan Jameel Asghar; Josef Pieprzyk; Ahmad Reza Sadeghi; Roland Schmitz; Huaxiong Wang

doi:10.1109/ACSAC.2009.27

On the security of PAS (Predicate-based Authentication Service)

Shujun Li^*, Hassan Jameel Asghar, Josef Pieprzyk, Ahmad Reza Sadeghi, Roland Schmitz, Huaxiong Wang

^*Corresponding author for this work

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

16 Citations (Scopus)

29 Downloads (Pure)

Abstract

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Original language	English
Title of host publication	25th Annual Computer Conference Security Applications, ACSAC 2009
Editors	Silvia Ceballos
Place of Publication	Pistacaway, NJ
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	209-218
Number of pages	10
ISBN (Electronic)	9780769539195
ISBN (Print)	9781424453276
DOIs	https://doi.org/10.1109/ACSAC.2009.27
Publication status	Published - 2009
Event	25th Annual Computer Conference Security Applications, ACSAC 2009 - Honolulu, HI, United States Duration: 7 Dec 2009 → 11 Dec 2009

Other

Other	25th Annual Computer Conference Security Applications, ACSAC 2009
Country/Territory	United States
City	Honolulu, HI
Period	7/12/09 → 11/12/09

Bibliographical note

Copyright 2009 IEEE. Reprinted from 25th Annual Computer Security Applications Conference : proceedings : Honolulu, Hawaii, 7-11 December 2009. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie Universityâ€™s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.

Access to Document

10.1109/ACSAC.2009.27

Publisher version (open access).pdfFinal published version, 379 KB

Cite this

@inproceedings{367f380a2f8149c9aca8a14358265d2a,

title = "On the security of PAS (Predicate-based Authentication Service)",

abstract = "Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.",

author = "Shujun Li and Asghar, {Hassan Jameel} and Josef Pieprzyk and Sadeghi, {Ahmad Reza} and Roland Schmitz and Huaxiong Wang",

note = "Copyright 2009 IEEE. Reprinted from 25th Annual Computer Security Applications Conference : proceedings : Honolulu, Hawaii, 7-11 December 2009. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie University{\^a}€{\texttrademark}s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.; 25th Annual Computer Conference Security Applications, ACSAC 2009 ; Conference date: 07-12-2009 Through 11-12-2009",

year = "2009",

doi = "10.1109/ACSAC.2009.27",

language = "English",

isbn = "9781424453276",

pages = "209--218",

editor = "Silvia Ceballos",

booktitle = "25th Annual Computer Conference Security Applications, ACSAC 2009",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

address = "United States",

}

Li, S, Asghar, HJ , Pieprzyk, J, Sadeghi, AR, Schmitz, R & Wang, H 2009, On the security of PAS (Predicate-based Authentication Service). in S Ceballos (ed.), 25th Annual Computer Conference Security Applications, ACSAC 2009., 5380509, Institute of Electrical and Electronics Engineers (IEEE), Pistacaway, NJ, pp. 209-218, 25th Annual Computer Conference Security Applications, ACSAC 2009, Honolulu, HI, United States, 7/12/09. https://doi.org/10.1109/ACSAC.2009.27

On the security of PAS (Predicate-based Authentication Service). / Li, Shujun; Asghar, Hassan Jameel ; Pieprzyk, Josef et al.

25th Annual Computer Conference Security Applications, ACSAC 2009. ed. / Silvia Ceballos. Pistacaway, NJ : Institute of Electrical and Electronics Engineers (IEEE), 2009. p. 209-218 5380509.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - On the security of PAS (Predicate-based Authentication Service)

AU - Li, Shujun

AU - Asghar, Hassan Jameel

AU - Pieprzyk, Josef

AU - Sadeghi, Ahmad Reza

AU - Schmitz, Roland

AU - Wang, Huaxiong

N1 - Copyright 2009 IEEE. Reprinted from 25th Annual Computer Security Applications Conference : proceedings : Honolulu, Hawaii, 7-11 December 2009. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie Universityâ€™s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.

PY - 2009

Y1 - 2009

N2 - Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

AB - Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

UR - http://www.scopus.com/inward/record.url?scp=77950838084&partnerID=8YFLogxK

U2 - 10.1109/ACSAC.2009.27

DO - 10.1109/ACSAC.2009.27

M3 - Conference proceeding contribution

AN - SCOPUS:77950838084

SN - 9781424453276

SP - 209

EP - 218

BT - 25th Annual Computer Conference Security Applications, ACSAC 2009

A2 - Ceballos, Silvia

PB - Institute of Electrical and Electronics Engineers (IEEE)

CY - Pistacaway, NJ

T2 - 25th Annual Computer Conference Security Applications, ACSAC 2009

Y2 - 7 December 2009 through 11 December 2009

ER -

On the security of PAS (Predicate-based Authentication Service)

Abstract

Other

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this