University of Surrey


Does Counting Still Count? Revisiting the Security of Counting based User Authentication Protocols against Statistical Attacks

Asghar, HJ, Li, S, Steinfeld, R and Pieprzyk, J (2013) Does Counting Still Count? Revisiting the Security of Counting based User Authentication Protocols against Statistical Attacks. In: 20th Annual Network & Distributed System Security Symposium (NDSS 2013), 2013-02-24 - 2013-02-27, San Diego, CA, USA.


Abstract

At NDSS 2012, Yan et al. analyzed the security of several challenge-response type user authentication protocols against passive observers, and proposed a generic counting based statistical attack to recover the secret of some counting based protocols given a number of observed authentication sessions. Roughly speaking, the attack is based on the fact that secret (pass) objects appear in challenges with a different probability from non-secret (decoy) objects when the responses are taken into account. Although they mentioned that a protocol susceptible to this attack should minimize this difference, they did not give details as to how this can be achieved barring a few suggestions. In this paper, we attempt to fill this gap by generalizing the attack with a much more comprehensive theoretical analysis. Our treatment is more quantitative, which enables us to describe a method to theoretically estimate a lower bound on the number of sessions a protocol can be safely used against the attack. Our results include 1) two proposed fixes to make counting protocols practically safe against the attack at the cost of usability, 2) the observation that the attack can be used on non-counting based protocols too as long as challenge generation is contrived, and 3) two main design principles for user authentication protocols which can be considered as extensions of the principles from Yan et al. This detailed theoretical treatment can be used as a guideline during the design of counting based protocols to determine their susceptibility to this attack. The Foxtail protocol, one of the protocols analyzed by Yan et al., is used as a representative to illustrate our theoretical and experimental results.

Item Type: Conference or Workshop Item (UNSPECIFIED)
Authors :
Authors | Email | ORCID
Asghar, HJ | UNSPECIFIED | UNSPECIFIED
Li, S | UNSPECIFIED | UNSPECIFIED
Steinfeld, R | UNSPECIFIED | UNSPECIFIED
Pieprzyk, J | UNSPECIFIED | UNSPECIFIED
Date : 2013
Contributors :
Contribution | Name | Email | ORCID
Publisher | Internet Society, | UNSPECIFIED | UNSPECIFIED
Related URLs :
Depositing User : Symplectic Elements
Date Deposited : 28 Mar 2017 13:24
Last Modified : 28 Mar 2017 13:24
URI: http://epubs.surrey.ac.uk/id/eprint/804109
