Papers
Topics
Authors
Recent
2000 character limit reached

Privacy-Preserving Password Cracking: How a Third Party Can Crack Our Password Hash Without Learning the Hash Value or the Cleartext (2306.08740v1)

Published 14 Jun 2023 in cs.CR, cs.IT, and math.IT

Abstract: Using the computational resources of an untrusted third party to crack a password hash can pose a high number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password, and the data controller who stores the hash digest. This paper solves this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC), that prevents the third party cracking server from learning any useful information about the hash digest, or the recovered cleartext. This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function, to evaluate the output of a one way hash function. The protocol allows the client to maintain plausible deniability where the real choice of hash digest cannot be proved, even by the client itself. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level. While in theory cracking a larger set of hashes would decrease computational speed, the 3PC protocol provides constant-time lookup on an arbitrary list size, bounded by the input/output operation per second (IOPS) capabilities of the third party server, thereby allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (51)
  1. L. O’Gorman, “Comparing passwords, tokens, and biometrics for user authentication,” Proceedings of the IEEE, vol. 91, no. 12, pp. 2021–2040, Dec. 2003. [Online]. Available: http://ieeexplore.ieee.org/document/1246384/
  2. S. Srinivas, “One step closer to a passwordless future,” May 2022. [Online]. Available: https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/
  3. J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” in 2012 IEEE Symposium on Security and Privacy, May 2012, pp. 553–567, iSSN: 2375-1207.
  4. K. Siddique, Z. Akhtar, and Y. Kim, “Biometrics vs passwords: a modern version of the tortoise and the hare,” Computer Fraud & Security, vol. 2017, no. 1, pp. 13–17, Jan. 2017. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1361372317300076
  5. P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, J. P. Richer, N. B. Lefkovitz, J. M. Danker, Y.-Y. Choong, K. K. Greene, and M. F. Theofanos, “Digital identity guidelines: authentication and lifecycle management,” National Institute of Standards and Technology, Tech. Rep., Jun. 2017. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
  6. N. Tihanyi, A. Kovacs, G. Vargha, and A. Lenart, “Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords,” in Technology and Practice of Passwords, ser. Lecture Notes in Computer Science, S. F. Mjolsnes, Ed.   Cham: Springer International Publishing, 2015, pp. 89–101.
  7. P. Kamal, “Security of Password Hashing in Cloud,” Journal of Information Security, vol. 10, no. 2, pp. 45–68, Feb. 2019, number: 2 Publisher: Scientific Research Publishing. [Online]. Available: http://www.scirp.org/Journal/Paperabs.aspx?paperid=90861
  8. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “Passwords and the evolution of imperfect authentication,” Communications of the ACM, vol. 58, no. 7, pp. 78–87, Jun. 2015. [Online]. Available: https://dl.acm.org/doi/10.1145/2699390
  9. M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password Strength: An Empirical Analysis,” in 2010 Proceedings IEEE INFOCOM, Mar. 2010, pp. 1–9, iSSN: 0743-166X.
  10. M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing metrics for password creation policies by attacking large sets of revealed passwords,” in Proceedings of the 17th ACM conference on Computer and communications security - CCS ’10.   Chicago, Illinois, USA: ACM Press, 2010, p. 162. [Online]. Available: http://portal.acm.org/citation.cfm?doid=1866307.1866327
  11. S. M. Egelman, S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor, “Of Passwords and People: Measuring the Effect of Password-Composition Policies,” NIST, May 2011, last Modified: 2017-02-19T20:02-05:00 Publisher: Serge M. Egelman, Saranga Komanduri, Richard Shay, Patrick G. Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie F. Cranor. [Online]. Available: https://www.nist.gov/publications/passwords-and-people-measuring-effect-password-composition-policies
  12. Y.-Y. Choong, M. F. Theofanos, and H.-K. Liu, “United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study,” NIST, Apr. 2014, last Modified: 2018-11-10T10:11-05:00 Publisher: Yee-Yin Choong, Mary F. Theofanos, Hung-Kung Liu. [Online]. Available: https://www.nist.gov/publications
  13. B. Ewaida, “Pass-the-hash attacks: Tools and Mitigation,” 2010. [Online]. Available: https://www.sans.org/white-papers/33283/
  14. Y. Li, H. Wang, and K. Sun, “Personal Information in Passwords and Its Security Implications,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2320–2333, Oct. 2017. [Online]. Available: http://ieeexplore.ieee.org/document/7931642/
  15. D. Wang, P. Wang, D. He, and Y. Tian, “Birthday, name and bifacial-security: understanding passwords of Chinese web users,” in Proceedings of the 28th USENIX Conference on Security Symposium, ser. SEC’19.   USA: USENIX Association, Aug. 2019, pp. 1537–1554.
  16. R. Veras, C. Collins, and J. Thorpe, “On the Semantic Patterns of Passwords and their Security Impact,” in Proceedings 2014 Network and Distributed System Security Symposium.   San Diego, CA: Internet Society, 2014. [Online]. Available: https://www.ndss-symposium.org/ndss2014/programme/semantic-patterns-passwords-and-their-security-impact/
  17. R. L. Rivest, L. Adelmann, and M. L. Dertouzos, “On DataBanks And Privacy Homomorphisms,” Foundations of Secure Computation, 1987. [Online]. Available: http://people.csail.mit.edu/rivest/RivestAdlemanDertouzos-OnDataBanksAndPrivacyHomomorphisms.pdf
  18. M. Alloghani, M. M. Alani, D. Al-Jumeily, T. Baker, J. Mustafina, A. Hussain, and A. J. Aljaaf, “A systematic review on the status and progress of homomorphic encryption technologies,” Journal of Information Security and Applications, vol. 48, p. 102362, Oct. 2019. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212618306057
  19. P. Parmar, S. Padhar, S. Patel, N. Bhatt, and R. Jhaveri, “Survey of Various Homomorphic Encryption algorithms and Schemes,” International Journal of Computer Applications, vol. 91, Mar. 2014.
  20. A. Acar, H. Aksu, A. S. Uluagac, and M. Conti, “A Survey on Homomorphic Encryption Schemes: Theory and Implementation,” ACM Computing Surveys, vol. 51, no. 4, pp. 79:1–79:35, Jul. 2018. [Online]. Available: https://doi.org/10.1145/3214303
  21. D. Hoover and B. Kausik, “Software smart cards via cryptographic camouflage,” in Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).   Oakland, CA, USA: IEEE Comput. Soc, 1999, pp. 208–215. [Online]. Available: http://ieeexplore.ieee.org/document/766915/
  22. H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss-Resistant Password Management,” in Computer Security – ESORICS 2010, ser. Lecture Notes in Computer Science, D. Gritzalis, B. Preneel, and M. Theoharidou, Eds.   Berlin, Heidelberg: Springer, 2010, pp. 286–302.
  23. A. Juels and T. Ristenpart, “Honey Encryption: Security Beyond the Brute-Force Bound,” May 2014.
  24. A. Juels and R. L. Rivest, “Honeywords: making password-cracking detectable,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS ’13.   Berlin, Germany: ACM Press, 2013, pp. 145–160. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2508859.2516671
  25. Jennifer Pullman, Kurt Thomas, and Elie Bursztein, “Protect your accounts from data breaches with Password Checkup,” 2019. [Online]. Available: https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html
  26. K. Thomas, J. Pullman, K. Yeo, A. Raghunathan, P. G. Kelley, L. Invernizzi, B. Benko, T. Pietraszek, S. Patel, D. Boneh, and E. Bursztein, “Protecting accounts from credential stuffing with password breach alerting,” 2019, pp. 1556–1571. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19/presentation/thomas
  27. L. Li, B. Pal, J. Ali, N. Sullivan, R. Chatterjee, and T. Ristenpart, “Protocols for Checking Compromised Credentials,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.   London United Kingdom: ACM, Nov. 2019, pp. 1387–1403. [Online]. Available: https://dl.acm.org/doi/10.1145/3319535.3354229
  28. Z. Hou and D. Wang, “New Observations on Zipf’s Law in Passwords,” IEEE Transactions on Information Forensics and Security, pp. 1–1, 2022. [Online]. Available: https://ieeexplore.ieee.org/document/9777714/
  29. J. Bonneau, “The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords,” in 2012 IEEE Symposium on Security and Privacy, May 2012, pp. 538–552, iSSN: 2375-1207.
  30. J. Blocki, A. Datta, and J. Bonneau, “Differentially Private Password Frequency Lists,” in Proceedings 2016 Network and Distributed System Security Symposium.   San Diego, CA: Internet Society, 2016. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2017/09/differentially-private-password-frequency-lists.pdf
  31. D. Malone and K. Maher, “Investigating the Distribution of Password Choices,” Computing Research Repository - CORR, Apr. 2011.
  32. S. Aggarwal, S. Houshmand, and M. Weir, “New Technologies in Password Cracking Techniques,” in Cyber Security: Power and Technology, ser. Intelligent Systems, Control and Automation: Science and Engineering, M. Lehto and P. Neittaanmäki, Eds.   Cham: Springer International Publishing, 2018, pp. 179–198. [Online]. Available: https://doi.org/10.1007/978-3-319-75307-2_11
  33. M. Weir, S. Aggarwal, B. d. Medeiros, and B. Glodek, “Password Cracking Using Probabilistic Context-Free Grammars,” in 2009 30th IEEE Symposium on Security and Privacy, May 2009, pp. 391–405, iSSN: 2375-1207.
  34. A. Kanta, I. Coisel, and M. Scanlon, “PCWQ: A Framework for Evaluating Password Cracking Wordlist Quality,” The 12th EAI International Conference on Digital Forensics and Cyber Crime, Dec. 2021, publisher: Springer. [Online]. Available: https://markscanlon.co/papers/PasswordCrackingWordlistQuality.php
  35. A. Kanta, S. Coray, I. Coisel, and M. Scanlon, “How viable is password cracking in digital forensic investigation? Analyzing the guessability of over 3.9 billion real-world accounts,” Digit. Investig., 2021.
  36. J. Galbally, I. Coisel, and I. Sanchez, “A New Multimodal Approach for Password Strength Estimation Part I: Theory and Algorithms,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 12, pp. 2829–2844, Dec. 2017. [Online]. Available: https://ieeexplore.ieee.org/document/7776908/
  37. D. Wang, D. He, H. Cheng, and P. Wang, “fuzzyPSM: A New Password Strength Meter Using Fuzzy Probabilistic Context-Free Grammars,” in 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).   Toulouse, France: IEEE, Jun. 2016, pp. 595–606. [Online]. Available: http://ieeexplore.ieee.org/document/7579775/
  38. S. Oesch and S. Ruoti, “That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Thirteen Password Managers,” Dec. 2019, arXiv:1908.03296 [cs]. [Online]. Available: http://arxiv.org/abs/1908.03296
  39. J. Galbally, I. Coisel, and I. Sanchez, “A New Multimodal Approach for Password Strength Estimation. Part II: Experimental Evaluation,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 12, pp. 2845–2860, Dec. 2017, conference Name: IEEE Transactions on Information Forensics and Security.
  40. S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Predicate Encryption for Circuits from LWE,” in Advances in Cryptology – CRYPTO 2015, R. Gennaro and M. Robshaw, Eds.   Berlin, Heidelberg: Springer Berlin Heidelberg, 2015, vol. 9216, pp. 503–523, series Title: Lecture Notes in Computer Science. [Online]. Available: http://link.springer.com/10.1007/978-3-662-48000-7_25
  41. A. K. Lenstra, H. W. Lenstra, and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische Annalen, vol. 261, no. 4, pp. 515–534, Dec. 1982. [Online]. Available: https://doi.org/10.1007/BF01457454
  42. L. Sweeney, “k-ANONYMITY: A MODEL FOR PROTECTING PRIVACY,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 05, pp. 557–570, Oct. 2002. [Online]. Available: https://www.worldscientific.com/doi/abs/10.1142/S0218488502001648
  43. R. Bayardo and R. Agrawal, “Data privacy through optimal k-anonymization,” in 21st International Conference on Data Engineering (ICDE’05), Apr. 2005, pp. 217–228, iSSN: 2375-026X.
  44. A. Pfitzmann, T. Dresden, M. Hansen, and U. Kiel, “Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology,” Citeseer, 2008. [Online]. Available: http://dud.inf.tu-dresden.de/Anon_Terminology.shtml
  45. P. Markert, D. V. Bailey, M. Golla, M. Dürmuth, and A. J. Aviv, “This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs,” in 2020 IEEE Symposium on Security and Privacy (SP), May 2020, pp. 286–303, iSSN: 2375-1207.
  46. D. Wang, Q. Gu, X. Huang, and P. Wang, “Understanding Human-Chosen PINs: Characteristics, Distribution and Security,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security.   Abu Dhabi United Arab Emirates: ACM, Apr. 2017, pp. 372–385. [Online]. Available: https://dl.acm.org/doi/10.1145/3052973.3053031
  47. W. Li and J. Zeng, “Leet Usage and Its Effect on Password Security,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 2130–2143, 2021. [Online]. Available: https://ieeexplore.ieee.org/document/9316928/
  48. D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s Law in Passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, Nov. 2017. [Online]. Available: http://ieeexplore.ieee.org/document/7961213/
  49. N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, “A Cross-Stack Approach Towards Defending Against Cryptojacking,” IEEE Computer Architecture Letters, vol. 19, no. 2, pp. 126–129, Jul. 2020, conference Name: IEEE Computer Architecture Letters.
  50. S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, and M. Schimmler, “Breaking Ciphers with COPACOBANA –A Cost-Optimized Parallel Code Breaker,” in Cryptographic Hardware and Embedded Systems - CHES 2006, ser. Lecture Notes in Computer Science, L. Goubin and M. Matsui, Eds.   Berlin, Heidelberg: Springer, 2006, pp. 101–118.
  51. RIVYERA, “RIVYERA_s6_lx150_rev431_datasheet.” [Online]. Available: https://www.sciengines.com/wp-content/uploads/RIVYERA_S6_LX150_REV431_DATASHEET_4HU.pdf
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Slide Deck Streamline Icon: https://streamlinehq.com

Whiteboard

Dice Question Streamline Icon: https://streamlinehq.com

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
Lightbulb Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

Sign up for free to view the 1 tweet with 15 likes about this paper.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up for Free