{"title":"Attack on the GridCode one-time password","authors":"Ian Molloy, Ninghui Li","doi":"10.1145/1966913.1966953","DOIUrl":null,"url":null,"abstract":"SyferLock presents a one-time password system, GridCode, that allows an unaided human to authenticate, reducing the cost of deployment. The one-time password system is a human computable challenge-response protocol which they claim defends against key-logging, replay, and brute force attacks, among others. We evaluate the security of the Grid-Code one-time password system and challenge these claims. We identify weak preimage resistance and character independence as key weaknesses of the GridCode system, leading to a variety of attacks. Our analysis indicates their scheme is akin to providing an adversary the ability to perform a brute force attack on a user's password in parallel without significant effort, lowering the effort required to recover a strong user password. Given a small number of challenge-response pairs, an adversary can recover a user's password (e.g., 2--4 pairs), and additional secret (e.g., 1 pair).","PeriodicalId":72308,"journal":{"name":"Asia CCS '22 : proceedings of the 2022 ACM Asia Conference on Computer and Communications Security : May 30-June 3, 2022, Nagasaki, Japan. ACM Asia Conference on Computer and Communications Security (17th : 2022 : Nagasaki-shi, Japan ; ...","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2011-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Asia CCS '22 : proceedings of the 2022 ACM Asia Conference on Computer and Communications Security : May 30-June 3, 2022, Nagasaki, Japan. ACM Asia Conference on Computer and Communications Security (17th : 2022 : Nagasaki-shi, Japan ; ...","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1966913.1966953","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 13
Abstract
SyferLock presents a one-time password system, GridCode, that allows an unaided human to authenticate, reducing the cost of deployment. The one-time password system is a human computable challenge-response protocol which they claim defends against key-logging, replay, and brute force attacks, among others. We evaluate the security of the Grid-Code one-time password system and challenge these claims. We identify weak preimage resistance and character independence as key weaknesses of the GridCode system, leading to a variety of attacks. Our analysis indicates their scheme is akin to providing an adversary the ability to perform a brute force attack on a user's password in parallel without significant effort, lowering the effort required to recover a strong user password. Given a small number of challenge-response pairs, an adversary can recover a user's password (e.g., 2--4 pairs), and additional secret (e.g., 1 pair).