Continuous authentication has been proposed as a complementary security mechanism to password-based authentication for computing devices that are handled directly by humans, such as smartphones. Continuous authentication raises privacy concerns, because certain user features and actions are revealed to the authentication server, which is not assumed to be trusted. In 2021, Wei et al. proposed a privacy-preserving protocol for behavioral authentication that relies on homomorphic encryption; the encryption is intended to prevent the server from learning the sampled user features. In this paper, we show that the Wei et al. scheme is insecure against both an honest-but-curious server and an active eavesdropper. We present two attacks. The first attack enables the authentication server to recover the secret user key, the plaintext behavior template, and the plaintext authentication behavior data from the encrypted data it receives. The second attack enables an active eavesdropper to recover the plaintext authentication behavior data from the transmitted encrypted data.