Does counting still count? Revisiting the security of counting based user authentication protocols against statistical attacks


Autoria(s): Asghar, Hassan Jameel; Li, Shujun; Steinfeld, Ron; Pieprzyk, Josef
Contribuinte(s)

Hutton, Thomas

Data(s)

2013

Resumo

At NDSS 2012, Yan et al. analyzed the security of several challenge-response type user authentication protocols against passive observers, and proposed a generic counting based statistical attack to recover the secret of some counting based protocols given a number of observed authentication sessions. Roughly speaking, the attack is based on the fact that secret (pass) objects appear in challenges with a different probability from non-secret (decoy) objects when the responses are taken into account. Although they mentioned that a protocol susceptible to this attack should minimize this difference, they did not give details as to how this can be achieved barring a few suggestions. In this paper, we attempt to fill this gap by generalizing the attack with a much more comprehensive theoretical analysis. Our treatment is more quantitative which enables us to describe a method to theoretically estimate a lower bound on the number of sessions a protocol can be safely used against the attack. Our results include 1) two proposed fixes to make counting protocols practically safe against the attack at the cost of usability, 2) the observation that the attack can be used on non-counting based protocols too as long as challenge generation is contrived, 3) and two main design principles for user authentication protocols which can be considered as extensions of the principles from Yan et al. This detailed theoretical treatment can be used as a guideline during the design of counting based protocols to determine their susceptibility to this attack. The Foxtail protocol, one of the protocols analyzed by Yan et al., is used as a representative to illustrate our theoretical and experimental results.

Formato

application/pdf

Identificador

http://eprints.qut.edu.au/69680/

Publicador

The Internet Society 2013

Relação

http://eprints.qut.edu.au/69680/1/Authors_draft_Pieprzyk.pdf

https://www.internetsociety.org/sites/default/files/10_5.pdf

Asghar, Hassan Jameel, Li, Shujun, Steinfeld, Ron, & Pieprzyk, Josef (2013) Does counting still count? Revisiting the security of counting based user authentication protocols against statistical attacks. In Hutton, Thomas (Ed.) Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS 2013), The Internet Society 2013, San Diego, California, pp. 1-18.

Direitos

Copyright 2013 Internet Society

Fonte

School of Electrical Engineering & Computer Science; Science & Engineering Faculty

Tipo

Conference Paper