When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack

When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack

Cryptographic identification protocols enable a prover to prove its identity to a verifier. A subclass of such protocols are shared-secret challenge-response identification protocols in which the prover and the verifier share the same secret and the prover has to respond to a series of challenges fr...

Full description

Bibliographic Details
Main Authors: Asghar Hassan Jameel, Kaafar Mohamed Ali
Format: Article
Language:English
Published: De Gruyter 2017-10-01
Series:Journal of Mathematical Cryptology
Subjects:
identification protocols
human identification protocols
cryptography
information security
information theory
94a60
62b10
94a62
Online Access:https://doi.org/10.1515/jmc-2015-0059
id doaj-9ffae6cf6af04c0b8d4bbf4e01444c91
record_format Article
spelling doaj-9ffae6cf6af04c0b8d4bbf4e01444c912021-09-06T19:40:44ZengDe GruyterJournal of Mathematical Cryptology1862-29761862-29842017-10-0111317719410.1515/jmc-2015-0059When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attackAsghar Hassan Jameel0Kaafar Mohamed Ali1Data Privacy Team, Data61, CSIRO, 13 Garden Street, Eveleigh, NSW 2015, Sydney, AustraliaData Privacy Team, Data61, CSIRO, 13 Garden Street, Eveleigh, NSW 2015, Sydney, AustraliaCryptographic identification protocols enable a prover to prove its identity to a verifier. A subclass of such protocols are shared-secret challenge-response identification protocols in which the prover and the verifier share the same secret and the prover has to respond to a series of challenges from the verifier. When the prover is a human, as opposed to a machine, such protocols are called human identification protocols. To make human identification protocols usable, protocol designers have proposed different techniques in the literature. One such technique is to make the challenges sparse, in the sense that only a subset of the shared secret is used to compute the response to each challenge. Coskun and Herley demonstrated a generic attack on shared-secret challenge-response type identification protocols which use sparse challenges. They showed that if the subset of the secret used is too small, an eavesdropper can learn the secret after observing a small number of challenge-response pairs. Unfortunately, from their results, it is not possible to find the safe number of challenge-response pairs a sparse-challenge protocol can be used for, without actually implementing the attack on the protocol and weeding out unsafe parameter sizes. Such a task can be time-consuming and computationally infeasible if the subset of the secret used is not small enough. In this work, we show an analytical estimate of the number of challenge-response pairs required by an eavesdropper to find the secret through the Coskun and Herley attack. Against this number, we also give an analytical estimate of the time complexity of the attack. Our results will help protocol designers to choose safe parameter sizes for identification protocols that employ sparse challenges.https://doi.org/10.1515/jmc-2015-0059identification protocolshuman identification protocolscryptographyinformation securityinformation theory94a60 62b10 94a62
collection DOAJ
language English
format Article
sources DOAJ
author Asghar Hassan Jameel
Kaafar Mohamed Ali
spellingShingle Asghar Hassan Jameel
Kaafar Mohamed Ali
When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
Journal of Mathematical Cryptology
identification protocols
human identification protocols
cryptography
information security
information theory
94a60
62b10
94a62
author_facet Asghar Hassan Jameel
Kaafar Mohamed Ali
author_sort Asghar Hassan Jameel
title When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
title_short When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
title_full When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
title_fullStr When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
title_full_unstemmed When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
title_sort when are identification protocols with sparse challenges safe? the case of the coskun and herley attack
publisher De Gruyter
series Journal of Mathematical Cryptology
issn 1862-2976
1862-2984
publishDate 2017-10-01
description Cryptographic identification protocols enable a prover to prove its identity to a verifier. A subclass of such protocols are shared-secret challenge-response identification protocols in which the prover and the verifier share the same secret and the prover has to respond to a series of challenges from the verifier. When the prover is a human, as opposed to a machine, such protocols are called human identification protocols. To make human identification protocols usable, protocol designers have proposed different techniques in the literature. One such technique is to make the challenges sparse, in the sense that only a subset of the shared secret is used to compute the response to each challenge. Coskun and Herley demonstrated a generic attack on shared-secret challenge-response type identification protocols which use sparse challenges. They showed that if the subset of the secret used is too small, an eavesdropper can learn the secret after observing a small number of challenge-response pairs. Unfortunately, from their results, it is not possible to find the safe number of challenge-response pairs a sparse-challenge protocol can be used for, without actually implementing the attack on the protocol and weeding out unsafe parameter sizes. Such a task can be time-consuming and computationally infeasible if the subset of the secret used is not small enough. In this work, we show an analytical estimate of the number of challenge-response pairs required by an eavesdropper to find the secret through the Coskun and Herley attack. Against this number, we also give an analytical estimate of the time complexity of the attack. Our results will help protocol designers to choose safe parameter sizes for identification protocols that employ sparse challenges.
topic identification protocols
human identification protocols
cryptography
information security
information theory
94a60
62b10
94a62
url https://doi.org/10.1515/jmc-2015-0059
work_keys_str_mv AT asgharhassanjameel whenareidentificationprotocolswithsparsechallengessafethecaseofthecoskunandherleyattack
AT kaafarmohamedali whenareidentificationprotocolswithsparsechallengessafethecaseofthecoskunandherleyattack
_version_ 1717767931704639488

Similar Items