You are looking at a specific version 20090929:053234 of this paper. See the latest version.

Paper 2009/476

On the Security of PAS (Predicate-based Authentication Service)

Shujun Li, Hassan Jameel Asghar, Josef Pieprzyk, Ahmad-Reza Sadeghi, Roland Schmitz and Huaxiong Wang

Abstract

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we give a detailed security analysis of PAS and show that PAS is insecure against both brute force attack and a probabilistic attack. In particular we show that the security of PAS against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Note: This is a full edition of a paper (to-be-)published in the proceedings of ACSAC2009. A preprint of the published edition is available at http://www.hooklee.com/Papers/ACSAC2009.pdf.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Full edition of a paper (to-be-)published in the Proceedings of 25th Annual Computer Security Applications Conference (ACSAC 2009).
Keywords
PASauthenticationMatsumoto-Imai threat modelattacksecurityusabilityOTP (one-time password)
Contact author(s)
hooklee @ gmail com
History
2009-09-29: received
Short URL
https://ia.cr/2009/476
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.