Cryptanalysis of the convex hull click human identification protocol

• Published in: International journal of information security Vol. 12; no. 2; pp. 83 - 96
• Main Authors: Asghar, Hassan Jameel, Li, Shujun, Pieprzyk, Josef, Wang, Huaxiong
• Format: Journal Article
• Language: English
• Published: Berlin/Heidelberg Springer-Verlag 01.04.2013; Springer; Springer Nature B.V
• Subjects: Access methods and protocols, osi model; Algorithmics. Computability. Computer arithmetics; Applied sciences; Authentication; Coding and Information Theory; Communications Engineering; Computer Communication Networks; Computer information security; Computer Science; Computer science; control theory; systems; Computer systems and distributed systems. User interface; Computer terminals; Cryptography; Cryptology; Cybersecurity; Exact sciences and technology; Hackers; Hulls; Hulls (structures); Human; Icons; Identification systems; Management of Computing and Information Systems; Memory and file management (including protection and security); Memory organisation. Data processing; Networks; Operating Systems; Passwords; Protocol; Regular Contribution; Science; Security; Software; Studies; Telecommunications; Telecommunications and information theory; Teleprocessing networks. Isdn; Theoretical computing; Usability; Graphical passwords; Human-computer cryptography; User authentication; Observer attack; Human identification protocols; Biometrics; Probabilistic approach; Transmission protocol; Click; Modeling; Space complexity; Convex hull; Authentication; Graphical interface; Observer; Cryptanalysis; Cryptography; Time complexity; Computer security; Usability; Password
• ISSN: 1615-5262; 1615-5270
• DOI: 10.1007/s10207-012-0161-x

Recently, a convex hull-based human identification protocol was proposed by Sobrado and Birget, whose steps can be performed by humans without additional aid. The main part of the protocol involves the user mentally forming a convex hull of secret icons in a set of graphical icons and then clicking randomly within this convex hull. While some rudimentary security issues of this protocol have been discussed, a comprehensive security analysis has been lacking. In this paper, we analyze the security of this convex hull-based protocol. In particular, we show two probabilistic attacks that reveal the user’s secret after the observation of only a handful of authentication sessions. These attacks can be efficiently implemented as their time and space complexities are considerably less than brute force attack. We show that while the first attack can be mitigated through appropriately chosen values of system parameters, the second attack succeeds with a non-negligible probability even with large system parameter values that cross the threshold of usability.