TY - GEN
T1 - On the security of PAS (Predicate-based Authentication Service)
AU - Li, Shujun
AU - Asghar, Hassan Jameel
AU - Pieprzyk, Josef
AU - Sadeghi, Ahmad Reza
AU - Schmitz, Roland
AU - Wang, Huaxiong
N1 - Copyright 2009 IEEE. Reprinted from 25th Annual Computer Security Applications Conference : proceedings : Honolulu, Hawaii, 7-11 December 2009. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie University’s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.
PY - 2009
Y1 - 2009
N2 - Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both a brute-force attack and a probabilistic attack. In particular, we show that its security against brute-force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.
AB - Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both a brute-force attack and a probabilistic attack. In particular, we show that its security against brute-force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.
UR - http://www.scopus.com/inward/record.url?scp=77950838084&partnerID=8YFLogxK
U2 - 10.1109/ACSAC.2009.27
DO - 10.1109/ACSAC.2009.27
M3 - Conference proceeding contribution
AN - SCOPUS:77950838084
SN - 9781424453276
SP - 209
EP - 218
BT - 25th Annual Computer Conference Security Applications, ACSAC 2009
A2 - Ceballos, Silvia
PB - Institute of Electrical and Electronics Engineers (IEEE)
CY - Piscataway, NJ
T2 - 25th Annual Computer Conference Security Applications, ACSAC 2009
Y2 - 7 December 2009 through 11 December 2009
ER -