Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services

Dario Pasquini, Danilo Francati, Giuseppe Ateniese, Evgenios M. Evgenios M. Kornaropoulos

Publikation: Bidrag til bog/antologi/rapport/proceedingKonferencebidrag i proceedingsForskningpeer review

Abstract

Credential tweaking attacks use breached passwords to generate semantically similar passwords and gain access to victims' services. These attacks sidestep the first generation of compromised credential checking (C3) services. The second generation of compromised credential checking services, called 'Might I Get Pwned' (MIGP), is a privacy-preserving protocol that defends against credential tweaking attacks by allowing clients to query whether a password or a semantically similar variation is present in the server's compromised credentials dataset. The desired privacy requirements include not revealing the user's entered password to the server and ensuring that no compromised credentials are disclosed to the client.In this work, we formalize the cryptographic leakage of the MIGP protocol and perform a security analysis to assess its impact on the credentials held by the server. We focus on how this leakage aids breach extraction attacks, where an honest-but-curious client interacts with the server to extract information about the stored credentials. Furthermore, we discover additional leakage that arises from the implementation of Cloudflare's deployment of MIGP. We evaluate how the discovered leakage affects the guessing capability of an attacker in relation to breach extraction attacks. Finally, we propose MIGP 2.0, a new iteration of the MIGP protocol designed to minimize data leakage and prevent the introduced attacks.

OriginalsprogEngelsk
Titel2024 IEEE Symposium on Security and Privacy (SP) : Proceedings
Antal sider19
ForlagIEEE
Publikationsdato2024
Sider1405-1423
ISBN (Trykt)979-8-3503-3130-1
ISBN (Elektronisk)9798350331301
DOI
StatusUdgivet - 2024
Begivenhed45th IEEE Symposium on Security and Privacy - San Francisco, USA
Varighed: 19 maj 202423 nov. 2024

Konference

Konference45th IEEE Symposium on Security and Privacy
Land/OmrådeUSA
BySan Francisco
Periode19/05/202423/11/2024

Fingeraftryk

Dyk ned i forskningsemnerne om 'Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services'. Sammen danner de et unikt fingeraftryk.

Citationsformater