Scheduled System Maintenance:
Some services will be unavailable Sunday, March 29th through Monday, March 30th. We apologize for the inconvenience.
By Topic

On the Security of PAS (Predicate-Based Authentication Service)

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

The purchase and pricing options are temporarily unavailable. Please try again later.
6 Author(s)
Shujun Li ; Dept. of Comput. & Inf. Sci., Univ. Konstanz, Konstanz, Germany ; Asghar, H.J. ; Pieprzyk, J. ; Sadeghi, A.
more authors

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Published in:

Computer Security Applications Conference, 2009. ACSAC '09. Annual

Date of Conference:

7-11 Dec. 2009