Paper 2023/1848
Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services
Abstract
Credential tweaking attacks use breached passwords to generate semantically similar passwords and gain access to victims' services. These attacks sidestep the first generation of compromised credential checking (C3) services. The second generation of compromised credential checking services, called "Might I Get Pwned" (MIGP), is a privacy-preserving protocol that defends against credential tweaking attacks by allowing clients to query whether a password or a semantically similar variation is present in the server's compromised credentials dataset. The desired privacy requirements include not revealing the user's entered password to the server and ensuring that no compromised credentials are disclosed to the client. In this work, we formalize the cryptographic leakage of the MIGP protocol and perform a security analysis to assess its impact on the credentials held by the server. We focus on how this leakage aids breach extraction attacks, where an honest-but-curious client interacts with the server to extract information about the stored credentials. Furthermore, we discover additional leakage that arises from the implementation of Cloudflare's deployment of MIGP. We evaluate how the discovered leakage affects the guessing capability of an attacker in relation to breach extraction attacks. Finally, we propose MIGP 2.0, a new iteration of the MIGP protocol designed to minimize data leakage and prevent the introduced attacks.
Note: Appearing in the proceedings of the 45th IEEE Symposium on Security and Privacy S&P 2024.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. Minor revision. 45th IEEE Symposium on Security and Privacy
- Keywords
- Compromised Credential Checking ServicesExtraction AttackPasswords
- Contact author(s)
-
dario pasquini @ epfl ch
dfrancati @ cs au dk
ateniese @ gmu edu
evgenios @ gmu edu - History
- 2023-12-01: revised
- 2023-11-30: received
- See all versions
- Short URL
- https://ia.cr/2023/1848
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1848, author = {Dario Pasquini and Danilo Francati and Giuseppe Ateniese and Evgenios M. Kornaropoulos}, title = {Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/1848}, year = {2023}, url = {https://eprint.iacr.org/2023/1848} }