Title: Attack on the GridCode one-time password
Authors: Ian Molloy, Ninghui Li
DOI: 10.1145/1966913.1966953 (https://doi.org/10.1145/1966913.1966953)
Venue (as recorded): Asia CCS '22 : proceedings of the 2022 ACM Asia Conference on Computer and Communications Security : May 30-June 3, 2022, Nagasaki, Japan. ACM Asia Conference on Computer and Communications Security (17th : 2022 : Nagasaki-shi, Japan ; ...
Publication date: 2011-03-22
Publication type: Journal Article
Citation count: 13
Source platform: Semanticscholar

Abstract:
SyferLock presents a one-time password system, GridCode, that allows an unaided human to authenticate, reducing the cost of deployment. The one-time password system is a human-computable challenge-response protocol which they claim defends against key-logging, replay, and brute-force attacks, among others. We evaluate the security of the GridCode one-time password system and challenge these claims. We identify weak preimage resistance and character independence as key weaknesses of the GridCode system, leading to a variety of attacks. Our analysis indicates their scheme is akin to providing an adversary the ability to perform a brute-force attack on a user's password in parallel without significant effort, lowering the effort required to recover a strong user password. Given a small number of challenge-response pairs, an adversary can recover a user's password (e.g., 2--4 pairs) and an additional secret (e.g., 1 pair).