SyferLock presents a one-time password system, GridCode, that allows an unaided human to authenticate, reducing the cost of deployment. The one-time password system is a human-computable challenge-response protocol which they claim defends against key-logging, replay, and brute-force attacks, among others. We evaluate the security of the GridCode one-time password system and challenge these claims. We identify weak preimage resistance and character independence as key weaknesses of the GridCode system, leading to a variety of attacks. Our analysis indicates that their scheme is akin to giving an adversary the ability to brute-force a user's password in parallel without significant effort, lowering the effort required to recover a strong user password. Given a small number of challenge-response pairs, an adversary can recover a user's password (e.g., from 2--4 pairs) and the additional secret (e.g., from 1 pair).