Attacks on Human Identification Schemes

• Main Authors: Peng ,Maujy, 彭懋芝
• Other Authors: Tzonelih Hwang
• Format: Others
• Language: zh-TW
• Published: 1995
• Online Access: http://ndltd.ncl.edu.tw/handle/54659590209837200105

碩士 === 國立成功大學 === 資訊及電子工程研究所 === 83 === The security of a system often depends on identifying correctly the person at a terminal. There are many authentication mechanisms which support the security problem for computer systems. Among them, password authentication schemes are the most popular and inexpensive mechanisms used in many systems. In password authentication scheme, each user owns his/her identity and password. When he/she wants to login the computer system, he/she keys in his/her identity and password by himself/herself. This method, however, suffers both the peeping attacks where an intruder stands behind the login user to peep the typed password and the replay attacks where the intruder intercepts the password from the network and then impersonates the same user by replaying the intercepted password. A challenge-response type human identification scheme, withstands both the peeping and replay attacks, was proposed by Matsumoto and Imai in 1991. Each user and the host are assumed to share a common key. Knowing the common key shared with the user, the host can decide whether an answer replied from the user is correct or not. In their scheme, what the user has to do are simply to memorize a short secret and perform very simple operation based on the secret. In this thesis, three types of attacks, referred to here as the chosen challenge attack, the chosen response attack and the chosen challenge-response attack, on the human identification schemes are proposed. By these attacks, a malicious user first impersonates the host to send a forged challenge to the login user or impersonates the login user to send a modify response to the host, and then performs the intercepting or peeping attack to reveal the login user's secret password.