Paper 2023/1848

Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services

Dario Pasquini, SPRING lab, EPFL
Danilo Francati, Aarhus University
Giuseppe Ateniese, George Mason University
Evgenios M. Kornaropoulos, George Mason University
Abstract

Credential tweaking attacks use breached passwords to generate semantically similar passwords and gain access to victims' services. These attacks sidestep the first generation of compromised credential checking (C3) services. The second generation of compromised credential checking services, called "Might I Get Pwned" (MIGP), is a privacy-preserving protocol that defends against credential tweaking attacks by allowing clients to query whether a password or a semantically similar variation is present in the server's compromised credentials dataset. The desired privacy requirements include not revealing the user's entered password to the server and ensuring that no compromised credentials are disclosed to the client. In this work, we formalize the cryptographic leakage of the MIGP protocol and perform a security analysis to assess its impact on the credentials held by the server. We focus on how this leakage aids breach extraction attacks, where an honest-but-curious client interacts with the server to extract information about the stored credentials. Furthermore, we discover additional leakage that arises from the implementation of Cloudflare's deployment of MIGP. We evaluate how the discovered leakage affects the guessing capability of an attacker in relation to breach extraction attacks. Finally, we propose MIGP 2.0, a new iteration of the MIGP protocol designed to minimize data leakage and prevent the introduced attacks.

Note: Appearing in the proceedings of the 45th IEEE Symposium on Security and Privacy S&P 2024.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. 45th IEEE Symposium on Security and Privacy
Keywords
Compromised Credential Checking ServicesExtraction AttackPasswords
Contact author(s)
dario pasquini @ epfl ch
dfrancati @ cs au dk
ateniese @ gmu edu
evgenios @ gmu edu
History
2023-12-01: revised
2023-11-30: received
See all versions
Short URL
https://ia.cr/2023/1848
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1848,
      author = {Dario Pasquini and Danilo Francati and Giuseppe Ateniese and Evgenios M. Kornaropoulos},
      title = {Breach Extraction Attacks: Exposing and Addressing the Leakage in Second Generation Compromised Credential Checking Services},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1848},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1848}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.