Welcome to the resource topic for 2023/1848
Title:
Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services
Authors: Dario Pasquini, Danilo Francati, Giuseppe Ateniese, Evgenios M. Kornaropoulos
Abstract:Credential tweaking attacks use breached passwords to generate semantically similar passwords and gain access to victims’ services.
These attacks sidestep the first generation of compromised credential checking (C3) services.
The second generation of compromised credential checking services, called “Might I Get Pwned” (MIGP), is a privacy-preserving protocol that defends against credential tweaking attacks by allowing clients to query whether a password or a semantically similar variation is present in the server’s compromised credentials dataset.
The desired privacy requirements include not revealing the user’s entered password to the server and ensuring that no compromised credentials are disclosed to the client.
In this work, we formalize the cryptographic leakage of the MIGP protocol and perform a security analysis to assess its impact on the credentials held by the server.
We focus on how this leakage aids breach extraction attacks, where an honest-but-curious client interacts with the server to extract information about the stored credentials.
Furthermore, we discover additional leakage that arises from the implementation of Cloudflare’s deployment of MIGP.
We evaluate how the discovered leakage affects the guessing capability of an attacker in relation to breach extraction attacks. Finally, we propose MIGP 2.0, a new iteration of the MIGP protocol designed to minimize data leakage and prevent the introduced attacks.
ePrint: https://eprint.iacr.org/2023/1848
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .