Hidden Credential Retrieval, Revisited

  • SHIN SeongHan
    Research Institute for Secure Systems (RISEC), National Institute of Industrial Science and Technology (AIST)
  • KOBARA Kazukuni
    Research Institute for Secure Systems (RISEC), National Institute of Industrial Science and Technology (AIST)

Abstract

Hidden Credential Retrieval (HCR) protocols are designed for access credential management, where a user who remembers a short password can retrieve his/her various credentials (access keys and tokens) with the help of a remote storage server over insecure networks (e.g., the Internet). In this paper, we revisit two HCR protocols, both of which are based on blind signature schemes: one (we call it B-HCR) was proposed in ASIACCS 2009 and the other (we call it MRS-HCR) in WISA 2010. In particular, we show that the B-HCR protocol is insecure against an outside attacker who impersonates server S. Specifically, the attacker can find out the user's password pw with off-line dictionary attacks by eavesdropping on the communications between the user and a third-party online service provider. We also show that the MRS-HCR protocol itself does not work correctly. In other words, user U cannot retrieve the plaintext Msg (i.e., credentials) even if he/she has knowledge of the password.
