Our Publications
Here you will find our publications.
2018
Le Bouder, Hélène; Thomas, Gaël; Bourget, Edwin; Graa, Mariem; Cuppens, Nora; Lanet, Jean Louis
Theoretical security evaluation of the human semantic authentication protocol Journal Article
In: ICETE 2018 - Proceedings of the 15th International Joint Conference on e-Business and Telecommunications, vol. 2, pp. 332–339, 2018, ISBN: 9789897583193.
Tags: Authentication, Dynamic Password, Graphical Password, Human Semantic Authentication Protocol, PIN Code, Shoulder Surfing Attack
@article{LeBouder2018,
title = {Theoretical security evaluation of the human semantic authentication protocol},
author = {H\'{e}l\`{e}ne Le Bouder and Ga\"{e}l Thomas and Edwin Bourget and Mariem Graa and Nora Cuppens and Jean Louis Lanet},
doi = {10.5220/0006841703320339},
isbn = {9789897583193},
year = {2018},
date = {2018-01-01},
journal = {ICETE 2018 - Proceedings of the 15th International Joint Conference on e-Business and Telecommunications},
volume = {2},
pages = {332--339},
abstract = {Using a secret password or a PIN (Personal Identification Number) code is a common way to authenticate a user. Unfortunately this protection does not resist an attacker that can eavesdrop on the user (shoulder surfing attack). The Human Semantic Authentication (HSA) protocol proposes a solution against this attack. The main idea is to have concept passwords and to propose images that the user must correctly select in order to authenticate. A concept can be represented by different pictures, so one observation is not enough to retrieve the secret. In this paper, the security/efficiency trade-off in the HSA protocol is evaluated. A probabilistic approach is used. Under the assumption that the picture/concept database is known to the attacker, we show that HSA is barely more resistant to shoulder surfing attacks than a PIN code. More precisely we show that the probability to retrieve the secret concept password increases rapidly with the number of observations. Moreover the constraints on the size of the picture/concept database are very difficult to satisfy in practice.},
keywords = {Authentication, Dynamic Password, Graphical Password, Human Semantic Authentication Protocol, PIN Code, Shoulder Surfing Attack},
pubstate = {published},
tppubtype = {article}
}