2009 Annual Computer Security Applications Conference
On the Security of PAS (Predicate-Based Authentication Service)
Honolulu, Hawaii
December 07-December 11
ISBN: 978-0-7695-3919-5
BibTeX:
@article{10.1109/ACSAC.2009.27,
  author = {Shujun Li and Hassan Jameel Asghar and Josef Pieprzyk and Ahmad-Reza Sadeghi and Roland Schmitz and Huaxiong Wang},
  title = {On the Security of PAS (Predicate-Based Authentication Service)},
  journal = {Computer Security Applications Conference, Annual},
  volume = {0},
  year = {2009},
  issn = {1063-9527},
  pages = {209-218},
  doi = {http://doi.ieeecomputersociety.org/10.1109/ACSAC.2009.27},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2009.27
Recently, a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is that it resists passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper, we show that PAS is insecure against both a brute-force attack and a probabilistic attack. In particular, we show that its security against brute-force attacks was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.
Index Terms:
PAS, authentication, Matsumoto-Imai threat model, attack, security, usability, OTP (one-time password)
Citation:
Shujun Li, Hassan Jameel Asghar, Josef Pieprzyk, Ahmad-Reza Sadeghi, Roland Schmitz, Huaxiong Wang, "On the Security of PAS (Predicate-Based Authentication Service)," acsac, pp. 209-218, 2009 Annual Computer Security Applications Conference, 2009.
