http://dx.doi.org/10.13089/JKIISC.2011.21.1.77

On the Security of S3PAS against Intersection Attack  

Shin, Dong-Oh (Inha University)
Kang, Jeon-Il (Inha University)
Nyang, Dae-Hun (Inha University)
Lee, Kyung-Hee (University of Suwon)
Abstract
While passwords that combine characters and numbers are easy to memorize and use, they have low complexity. They can therefore easily be revealed by a shoulder-surfing attack when they are entered through input devices such as a keyboard. To overcome these problems, many new authentication schemes have been suggested that change the form of the user's secret or have users enter their secrets in more complex ways, but it is still hard to find the balance between usability and security. S3PAS is one of the well-known schemes that offers both usability and security against shoulder-surfing attacks. However, the scheme did not consider the intersection attack, in which the attacker tries to pass the authentication system after observing several authentication sessions. In this paper, we consider the security problem of S3PAS: what the attacker can do when he can observe several authentication sessions. We confirm it through a user study and experiments. We also consider an alternative that overcomes the problem.
Keywords
Password Authentication; Alternative Password; Shoulder-surfing Resistance
Citations & Related Records
Times Cited By KSCI: 1