Cryptanalysis of Human Identification Protocol with Human-Computable Passwords

  • Conference paper
Information Security Practice and Experience (ISPEC 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14341)

Abstract

In this paper we demonstrate effective attacks on the Human Identification Protocol with Human-Computable Passwords (HIPHCP) presented at ISPEC'22. The protocol, which was designed to allow fast user identification, is vulnerable to both active and passive attacks, in which a significant amount of the secret key can be learned by the adversary. This subsequently allows the full secret key to be compromised by brute-forcing the remaining secret bits.

Acknowledgment

The research was partially financed from the internal funds of the Department of Fundamentals of Computer Science of the Wrocław University of Science and Technology for conducting research.

Author information

Corresponding author

Correspondence to Łukasz Krzywiecki.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Grześkowiak, M., Krzywiecki, Ł., Niczyj, K. (2023). Cryptanalysis of Human Identification Protocol with Human-Computable Passwords. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_21

  • DOI: https://doi.org/10.1007/978-981-99-7032-2_21

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7031-5

  • Online ISBN: 978-981-99-7032-2

  • eBook Packages: Computer Science (R0)
