Protocols for Checking Compromised Credentials Lucy Li Bijeeta Pal - - PowerPoint PPT Presentation

protocols for checking compromised credentials
SMART_READER_LITE
LIVE PREVIEW

Protocols for Checking Compromised Credentials Lucy Li Bijeeta Pal - - PowerPoint PPT Presentation

Jul 19, 2023 209 likes •440 views

Protocols for Checking Compromised Credentials Lucy Li Bijeeta Pal Junade Ali Nick Sullivan Cornell Tech Cloudflare Inc. Cornell Tech Cloudflare Inc. Rahul Chatterjee Thomas Ristenpart University of WisconsinMadison Cornell T ech

slide-1
SLIDE 1

Protocols for Checking Compromised Credentials

Lucy Li

Cornell Tech

Bijeeta Pal

Cornell Tech

Thomas Ristenpart

Cornell T ech

Rahul Chatterjee

University of Wisconsin—Madison Cornell Tech

Junade Ali

Cloudflare Inc.

Nick Sullivan

Cloudflare Inc.

slide-2
SLIDE 2

Password breaches à Credential Stuffing

2

lucy@email.com myPassword123

website.com

Leaked Credentials Username Passwords … … lucy@email.com myPassword123 alice@yahoo.com Star246, p4ssw0rd1 … …

Around 40% of users reuse passwords across different websites!

[Das et al. 2014, Pearman et al. 2017]

slide-3
SLIDE 3

Compromised Credential Checking Services

3

Leaked Credentials Username Passwords … … lucy@email.com myPassword123 alice@yahoo.com Star246, p4ssw0rd1 … …

website.com

Cl Client C3 C3 Server pw pw OR (u (u, pw) OR

Credential Entity

Client finds out if their credential is in the server’s database

slide-4
SLIDE 4

Compromised Credential Checking Services

4

Leaked Credentials Username Passwords … … lucy@email.com myPassword123 alice@yahoo.com Star246, p4ssw0rd1 … …

website.com

Cl Client C3 C3 Server pw pw OR (u (u, pw) OR

Credential Entity

Can we use a third party checker and still preserve privacy of user credentials? Two big initial deployments: Password only: Username-password:

slide-5
SLIDE 5
  • 1. Formalization of compromised credential checking (C3) protocols

and threat model

  • 2. Show formally and empirically that HIBP and Google Password

Checkup (GPC v1) leak information about passwords

  • 3. New C3 protocols that leak less
  • Username-password: ID-based bucketization (now GPC v2)
  • Password only: Frequency-smoothing bucketization

Our contributions [Li et al. CCS 2019]

5

slide-6
SLIDE 6
  • Empirical results that motivate the move from GPC v1

to ID-based bucketization, and hopefully from HIBP to frequency-smoothing bucketization

  • Overview of frequency-smoothing bucketization, our

new password-only C3 protocol

Today

6

slide-7
SLIDE 7
  • Protect client’s password against malicious server

Threat model

7

C3 server

myPassword123

Client

myPassword123

alice@email.com

********

website.com

alice@email.com passwordGuess1

Ideally, no information about password leaked Partial information speeds up online guessing attacks

alice@email.com passwordGuessQ

slide-8
SLIDE 8
  • A C3 server stores hundreds of millions of passwords,
  • r billions of username-password pairs
  • Need to handle client requests efficiently

Efficiency

8

slide-9
SLIDE 9

Efficiency through bucketization

9

C3 server Client

myPassword123

Passwords … dog456 myPassword123 …

Combine bucketization with some private set membership protocol

slide-10
SLIDE 10

Efficiency through bucketization

10

C3 server

HIBP: prefix of H(pw) GPC v1: prefix of H(user || pw) Ke Key y secu curity y question: How much does knowing the bucket queried help an adversary guess a client’s password?

Client

myPassword123 Combine bucketization with some private set membership protocol

slide-11
SLIDE 11
  • How easily can an attacker guess passwords given the bucket

identifiers?

  • Breach dataset of 1.4 billion username-password pairs
  • Split into test set and leaked password set
  • Measure the percentage of passwords an attacker can guess in Q

queries, with access to usernames

Empirical security evaluation

11

github.com/lucy7li/compromised-credential-checking

slide-12
SLIDE 12

Results

12

10 20 30 40 50 60 70 80 1 10 100 1000

Attacker success rate (%) Number of queries given to the attacker

Baseline Hash Prefix (20 bits) Hash Prefix (16 bits) Frequency-smoothing (q'=100)

HIBP FSB (new)

Baseline / IDB / GPC v2

GPC v1

slide-13
SLIDE 13
  • Check for an exact us

user erna name me-pas password d pai pair match with a C3 server

  • Google Password Checkup (GPC v1) init

initia ially lly implemented a protocol that uses the prefix of H(user || pw) as the bucket identifier

  • As we saw in empirical evaluation, this protocol has poor security, if

if us user erna name is me is k kno nown t n to a attacker er

  • ID-based bucketization:

: use prefix of H(user) as the bucket identifier

ID-password C3 setting

13

slide-14
SLIDE 14
  • Checks if a password is in breach data
  • Avoids risk of C3 server storing username-password pairs
  • Have I Been Pwned leaks information about

passwords that speeds up remote guessing attacks

  • Frequency-smoothing bucketization leaks less

Password-only C3 setting

14

slide-15
SLIDE 15

Have I Been Pwned (HIBP)

15

password123

Hash of password123 = 15a56bd4dd…

15a56

15a56

Have I Been Pwned

Contains all password hashes with the same prefix 20-bit hash prefix

slide-16
SLIDE 16

Issue with HIBP

16

Password Probability Easy to guess the password if you know the bucket

Buckets

Colors in buckets correspond to probabilities of passwords given the bucket

slide-17
SLIDE 17

Frequency-smoothing bucketization (FSB)

17

Password Probability Go Goal: : Given a bucket, the probability of each password in the bucket is the same

Buckets

We propose FSB as a more secure bucketization algorithm

slide-18
SLIDE 18

FSB implementation details (Q = 1)

18

Password Probability

B: # buckets

Buckets: 1 B 𝑗

Start bucket: H(◼) Proportional to probability of password Range for password ◼ [ H(◼) , H(◼) + f(Pr(◼)) ] To check a password with the server: Client computes range, picks a bucket randomly

slide-19
SLIDE 19
  • Parameter Q reflects expected online guessing budget
  • Include the top Q passwords in every bucket, and

distribute the rest proportionally relative to probability

  • f the Qth most popular password

FSB: what about Q > 1?

19

slide-20
SLIDE 20
  • Theorem: If an attacker has ≤ Q guesses,

access to the FSB bucket will give no no ad advan antag age over baseline guessing

  • Bounds for > Q guesses shown in our paper
  • Higher Q → smaller security loss
  • But also larger bucket sizes

Security of FSB

20

slide-21
SLIDE 21

Performance

21

Setting Protocol Bandwidth (KB) Total time (ms) Password-

  • nly

HIBP 32 220 FSB 558 527 ID-password GPC 1,066 489 IDB 1,066 517

To Total tal ti time includes client-server communication and client- and server-side computations github.com/lucy7li/compromised-credential-checking

slide-22
SLIDE 22
  • Some deployed C3 protocols leak a lot of information

about a user’s password to the C3 server

  • To leak less information, we recommend using:
  • Password-only: Frequency-smoothing bucketization
  • Username-password: ID-based bucketization
  • Questions?

Conclusion

22

cs.cornell.edu/~lucy