On the security of PAS (predicate-based authentication service)

Li, Shujun, Asghar, Hassan Jameel, Pieprzyk, Josef, Sadeghi, Ahmad-Reza, Schmitz, Roland, & Wang, Huaxiong (2009) On the security of PAS (predicate-based authentication service). In Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC '09), IEEE, Honolulu, Hawaii, pp. 209-218.


Recently, a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server.

In this paper we show that PAS is insecure against both a brute-force attack and a probabilistic attack. In particular, we show that its security against brute-force attacks was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

Impact and interest:

11 citations in Scopus
7 citations in Web of Science®

ID Code: 70170
Item Type: Conference Paper
Refereed: Yes
Keywords: PAS, Authentication, Matsumoto-Imai threat model, Attack, Security, Usability, OTP (one-time password)
DOI: 10.1109/ACSAC.2009.27
ISBN: 9780769539195
Divisions: Current > Schools > School of Electrical Engineering & Computer Science
Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright 2009 IEEE
Deposited On: 15 Apr 2014 04:31
Last Modified: 21 Nov 2014 03:49
