Hidden Credential Retrieval (HCR) protocols are designed for access credentials management where users who remember short passwords can retrieve his/her various credentials (access keys and tokens) with the help of remote storage server over insecure networks (e.g., the Internet). In this paper, we revisit a HCR protocol (we call it B-HCR) based on Boldyreva's blind signature scheme. In particular, we show that the B-HCR protocol is insecure against an outside attacker who impersonates server S. Specifically, the attacker can find out the user's password pw with off-line dictionary attacks by eavesdropping the communications between the user and a third-party online service provider. And we discuss why Boyen's security model does not capture the attacks.
展开▼