Abstract
In this paper we demonstrate effective attacks on the Human Identification Protocol with Human-Computable Passwords (HIPHCP) presented at ISPEC’22. The protocol, which was designed to allow fast user identification, is vulnerable to both active and passive attacks, in which the adversary can learn a significant amount of the secret key. This subsequently allows the full secret key to be compromised by brute-forcing the remaining secret bits.
Acknowledgment
The research was partially financed from the internal funds of the Department of Fundamentals of Computer Science of the Wrocław University of Science and Technology for conducting research.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Grześkowiak, M., Krzywiecki, Ł., Niczyj, K. (2023). Cryptanalysis of Human Identification Protocol with Human-Computable Passwords. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_21
DOI: https://doi.org/10.1007/978-981-99-7032-2_21
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7031-5
Online ISBN: 978-981-99-7032-2
eBook Packages: Computer Science, Computer Science (R0)