DOI: 10.1145/1966913.1966953

Attack on the GridCode one-time password

Published: 22 March 2011

Abstract

SyferLock presents a one-time password system, GridCode, that allows an unaided human to authenticate, reducing the cost of deployment. The one-time password system is a human-computable challenge-response protocol which they claim defends against key-logging, replay, and brute force attacks, among others. We evaluate the security of the GridCode one-time password system and challenge these claims. We identify weak preimage resistance and character independence as key weaknesses of the GridCode system, leading to a variety of attacks. Our analysis indicates their scheme is akin to providing an adversary the ability to perform a brute force attack on a user's password in parallel without significant effort, lowering the effort required to recover a strong user password. Given a small number of challenge-response pairs, an adversary can recover a user's password (e.g., from 2--4 pairs) and the additional secret (e.g., from 1 pair).




Published In

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
March 2011
527 pages
ISBN:9781450305648
DOI:10.1145/1966913
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. attack
  2. human authentication
  3. one-time password

Qualifiers

  • Research-article

Conference

ASIA CCS '11

Acceptance Rates

ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 6
  • Downloads (last 6 weeks): 1
Reflects downloads up to 17 Feb 2025


Cited By

  • (2021) Analyzing the Security of OTP 2FA in the Face of Malicious Terminals. Information and Communications Security, pp. 97-115. DOI: 10.1007/978-3-030-86890-1_6. Online publication date: 17 Sep 2021.
  • (2016) On the Security and Usability of Segment-based Visual Cryptographic Authentication Protocols. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 603-615. DOI: 10.1145/2976749.2978417. Online publication date: 24 Oct 2016.
  • (2014) Dynamic combination of authentication factors based on quantified risk and benefit. Security and Communication Networks, 7(2):385-396. DOI: 10.1002/sec.729. Online publication date: 1 Feb 2014.
  • (2012) Phishing counter measures and their effectiveness – literature review. Information Management & Computer Security, 20(5):382-420. DOI: 10.1108/09685221211286548. Online publication date: 23 Nov 2012.
