Annual Computer Security Applications Conference 2009

On the Security of PAS (Predicate-based Authentication Service)

Shujun Li
University Konstanz
Germany

Hassan Jameel
Macquarie University
Australia

Josef Pieprzyk
Macquarie University
Australia

Ahmad-Reza Sadeghi
Ruhr-University Bochum
Germany

Roland Schmitz
Stuttgart Media University
Germany

Huaxiong Wang
Nanyang Technological University
Singapore

Abstract:
Recently, a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is that it resists passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we give a detailed security analysis of PAS and show that PAS is insecure against both a brute-force attack and a probabilistic attack. In particular, we show that the security of PAS against the brute-force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack that breaks part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

 
