In this paper, we attempt to fill this gap by generalizing the attack with a much more comprehensive theoretical analysis. Our treatment is more quantitative, which enables us to describe a method to theoretically estimate a lower bound on the number of sessions for which a protocol can be safely used in the presence of the attack. Our results include 1) two proposed fixes to make counting protocols practically safe against the attack at the cost of usability, 2) the observation that the attack can be used on non-counting-based protocols too, as long as challenge generation is contrived, and 3) two main design principles for user authentication protocols, which can be considered extensions of the principles from Yan et al. This detailed theoretical treatment can be used as a guideline during the design of counting-based protocols to determine their susceptibility to this attack. The Foxtail protocol, one of the protocols analyzed by Yan et al., is used as a representative to illustrate our theoretical and experimental results.
Category / Keywords: cryptographic protocols / Identification protocols, observer attack, human-computer cryptography

Publication Info: This is the full version of the paper with the same title which is to appear in the proceedings of the Network & Distributed System Security Symposium (NDSS) 2013.

Date: received 19 Nov 2012

Contact author: hassan jameel at gmail com

Version: 20121126:013024

Short URL: ia.cr/2012/659