On the Security of PAS (Predicate-Based Authentication Service)

Thumbnail Image
Files
Li.1pdf.pdf(350.26 KB)
Date
2009
Authors
Asghar, Hassan Jameel
Pieprzyk, Josef
Sadeghi, Ahmad-Reza
Schmitz, Roland
Wang, Huaxiong
Editors
Contact
Journal ISSN
Electronic ISSN
ISBN
Bibliographical data
Publisher
Series
URI (citable link)
urn:nbn:de:bsz:352-opus-127202
DOI (citable link)
10.1109/ACSAC.2009.27
ArXiv-ID
International patent number
Link to the license
In Copyright
EU project number
Project
Open Access publication
Collections
Informatik und Informationswissenschaft
Zukunftskolleg
Restricted until
Title in another language
Research Projects
Organizational Units
Journal Issue
Publication type
Contribution to a conference collection
Publication status
Published in
2009 Annual Computer Security Applications Conference. - IEEE, 2009. - pp. 209-218. - ISBN 978-0-7695-3919-5
Abstract
Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.
Summary in another language
Subject (DDC)
004 Computer Science
Keywords
authentication,Matsumoto-Imai threat model,attack,security,usability,OTP (one-time password)
Conference
2009 Annual Computer Security Applications Conference (ACSAC), Dec 7, 2009 - Dec 11, 2009, Honolulu, Hawaii, USA
Review
undefined / . - undefined, undefined. - (undefined; undefined)
Cite This
ISO 690LI, Shujun, Hassan Jameel ASGHAR, Josef PIEPRZYK, Ahmad-Reza SADEGHI, Roland SCHMITZ, Huaxiong WANG, 2009. On the Security of PAS (Predicate-Based Authentication Service). 2009 Annual Computer Security Applications Conference (ACSAC). Honolulu, Hawaii, USA, Dec 7, 2009 - Dec 11, 2009. In: 2009 Annual Computer Security Applications Conference. IEEE, pp. 209-218. ISBN 978-0-7695-3919-5. Available under: doi: 10.1109/ACSAC.2009.27
BibTex
@inproceedings{Li2009-12Secur-5986,
  year={2009},
  doi={10.1109/ACSAC.2009.27},
  title={On the Security of PAS (Predicate-Based Authentication Service)},
  isbn={978-0-7695-3919-5},
  publisher={IEEE},
  booktitle={2009 Annual Computer Security Applications Conference},
  pages={209--218},
  author={Li, Shujun and Asghar, Hassan Jameel and Pieprzyk, Josef and Sadeghi, Ahmad-Reza and Schmitz, Roland and Wang, Huaxiong}
}
RDF
<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:bibo="http://purl.org/ontology/bibo/"
    xmlns:dspace="http://digital-repositories.org/ontologies/dspace/0.1.0#"
    xmlns:foaf="http://xmlns.com/foaf/0.1/"
    xmlns:void="http://rdfs.org/ns/void#"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema#" > 
  <rdf:Description rdf:about="https://kops.uni-konstanz.de/server/rdf/resource/123456789/5986">
    <bibo:uri rdf:resource="http://kops.uni-konstanz.de/handle/123456789/5986"/>
    <dc:creator>Pieprzyk, Josef</dc:creator>
    <dcterms:bibliographicCitation>First publ in: Proceedings : 25th Annual Computer Security Applications Conference, Honolulu, Hawaii, 7-11 December, 2009. Los Alamitos, Calif. : IEEE Computer Society, 2009. pp. 209 - 218</dcterms:bibliographicCitation>
    <dc:contributor>Li, Shujun</dc:contributor>
    <dc:creator>Sadeghi, Ahmad-Reza</dc:creator>
    <dc:contributor>Wang, Huaxiong</dc:contributor>
    <dspace:hasBitstream rdf:resource="https://kops.uni-konstanz.de/bitstream/123456789/5986/1/Li.1pdf.pdf"/>
    <dc:contributor>Sadeghi, Ahmad-Reza</dc:contributor>
    <dc:rights>terms-of-use</dc:rights>
    <dcterms:hasPart rdf:resource="https://kops.uni-konstanz.de/bitstream/123456789/5986/1/Li.1pdf.pdf"/>
    <dcterms:issued>2009-12</dcterms:issued>
    <dc:creator>Asghar, Hassan Jameel</dc:creator>
    <dc:creator>Wang, Huaxiong</dc:creator>
    <dc:creator>Schmitz, Roland</dc:creator>
    <dc:contributor>Pieprzyk, Josef</dc:contributor>
    <dcterms:title>On the Security of PAS (Predicate-Based Authentication Service)</dcterms:title>
    <dc:language>eng</dc:language>
    <dspace:isPartOfCollection rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/52"/>
    <dspace:isPartOfCollection rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <dcterms:isPartOf rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/52"/>
    <dc:date rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2011-03-24T16:08:34Z</dc:date>
    <dc:contributor>Asghar, Hassan Jameel</dc:contributor>
    <dc:format>application/pdf</dc:format>
    <foaf:homepage rdf:resource="http://localhost:8080/"/>
    <dcterms:rights rdf:resource="https://rightsstatements.org/page/InC/1.0/"/>
    <dcterms:isPartOf rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <void:sparqlEndpoint rdf:resource="http://localhost/fuseki/dspace/sparql"/>
    <dc:creator>Li, Shujun</dc:creator>
    <dc:contributor>Schmitz, Roland</dc:contributor>
    <dcterms:available rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2011-03-24T16:08:34Z</dcterms:available>
    <dcterms:abstract xml:lang="eng">Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.</dcterms:abstract>
  </rdf:Description>
</rdf:RDF>
Internal note
xmlui.Submission.submit.DescribeStep.inputForms.label.kops_note_fromSubmitter
Contact
URL of original publication
Test date of URL
Examination date of dissertation
Method of financing
Comment on publication
Alliance license
Corresponding Authors der Uni Konstanz vorhanden
International Co-Authors
Bibliography of Konstanz
Yes
Refereed