University of Surrey


On the Security of PAS (Predicate-based Authentication Service)

Li, SJ, Asghar, HJ, Pieprzyk, J, Sadeghi, AR, Schmitz, R and Wang, HX (2009) On the Security of PAS (Predicate-based Authentication Service). In: 25th Annual Computer Security Applications Conference (ACSAC 2009), 2009-12-07 - 2009-12-11, Honolulu, HI, USA.

PDF: ACSAC2009.pdf (358kB)
Available under License : See the attached licence file.

PDF (licence): SRI_deposit_agreement.pdf (33kB)

Abstract

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we give a detailed security analysis of PAS and show that PAS is insecure against both brute force attack and a probabilistic attack. In particular we show that PAS security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which breaks part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Item Type: Conference or Workshop Item (Conference Paper)
Divisions : Faculty of Engineering and Physical Sciences > Computing Science
Authors :
Authors | Email | ORCID
Li, SJ | UNSPECIFIED | UNSPECIFIED
Asghar, HJ | UNSPECIFIED | UNSPECIFIED
Pieprzyk, J | UNSPECIFIED | UNSPECIFIED
Sadeghi, AR | UNSPECIFIED | UNSPECIFIED
Schmitz, R | UNSPECIFIED | UNSPECIFIED
Wang, HX | UNSPECIFIED | UNSPECIFIED
Date : 2009
Identification Number : 10.1109/ACSAC.2009.27
Contributors :
Contribution | Name | Email | ORCID
Publisher | IEEE Computer Society | UNSPECIFIED | UNSPECIFIED
Uncontrolled Keywords : PAS, authentication, Matsumoto-Imai threat model, attack, security, usability, OTP (one-time password), HUMAN IDENTIFICATION
Related URLs :
Additional Information : © 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Depositing User : Symplectic Elements
Date Deposited : 24 Sep 2014 13:54
Last Modified : 25 Sep 2014 01:33
URI: http://epubs.surrey.ac.uk/id/eprint/532447


© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800