In this paper we evaluate the security of a two-factor Graphical Password scheme proposed in [1]. As in the original paper, we model the attack of a passive adversary as a boolean formula whose truth assignment corresponds to the user secret. We show that there exist a small number of secrets that a passive adversary cannot extract, independently from the amount information she manages to eavesdrop. We then experimentally evaluate the security of the scheme. Our tests show that the number of sessions the adversary needs to gather in order to be able to extract the users secret is relatively small. However, the amount of time needed to actually extract the user secret from the collected information grows exponentially in the system parameters, making the secret extraction unfeasible. Finally we observe that the graphical password scheme can be easily restated in as a device-device authentication mechanism.


  1. 1.
    Catuogno, L., Galdi, C.: A graphical pin authentication mechanism for smart cards and low-cost devices. In: Onieva, J.A., Sauveron, D., Chaumette, S., Gollmann, D., Markantonakis, K. (eds.) WISTP 2008. LNCS, vol. 5019, pp. 16–35. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: a survey. In: Proceedings of 21st Annual Computer Security Application Conference (ACSAC 2005), Tucson AZ, US, December 5-9, pp. 463–472 (2005)Google Scholar
  3. 3.
    Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme (extended abstract). In: IEEE Symposium on Security and Privacy, pp. 66–70. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  4. 4.
    Thiffault, C., Bacchus, F., Walsh, T.: Solving non-clausal formulas with dpll search. In: Wallace, M. (ed.) CP 2004. LNCS, vol. 3258, pp. 663–678. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Jain, H., Bartzis, C., Clarke, E.M.: Satisfiability checking of non-clausal formulas using general matings. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 75–89. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Juels, A., Weis, S.A.: Authenticating pervasive devices with human protocols. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 293–308. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2010

Authors and Affiliations

  • Luigi Catuogno
    • 1
  • Clemente Galdi
    • 2
  1. 1.Dipartimento di Informatica ed ApplicazioniUniversità di SalernoFiscianoItaly
  2. 2.Dipartimento di Scienze FisicheUniversità di Napoli “Federico II” Compl. Univ. Monte S.AngeloNapoliItaly

Personalised recommendations