{"title":"保护隐私的加密账户凭证检查协议","authors":"Xiaopeng Yu , Dianhua Tang , Zhen Zhao , Wei Zhao","doi":"10.1016/j.csi.2023.103823","DOIUrl":null,"url":null,"abstract":"<div><p>Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has <span><math><mrow><mn>10</mn><mo>∼</mo><mn>20</mn><mo>×</mo></mrow></math></span> and <span><math><mrow><mn>17</mn><mo>.</mo><mn>8</mn><mo>∼</mo><mn>20</mn><mo>.</mo><mn>7</mn><mtext>%</mtext></mrow></math></span><span> improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by </span><span><math><mrow><mn>17</mn><mo>∼</mo><mn>33</mn><mo>×</mo></mrow></math></span> while maintaining the same communication cost of server-to-client.</p></div>","PeriodicalId":50635,"journal":{"name":"Computer Standards & Interfaces","volume":"89 ","pages":"Article 103823"},"PeriodicalIF":4.1000,"publicationDate":"2023-12-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Privacy-preserving compromised credential checking protocol for account protection\",\"authors\":\"Xiaopeng Yu , Dianhua Tang , Zhen Zhao , Wei Zhao\",\"doi\":\"10.1016/j.csi.2023.103823\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has <span><math><mrow><mn>10</mn><mo>∼</mo><mn>20</mn><mo>×</mo></mrow></math></span> and <span><math><mrow><mn>17</mn><mo>.</mo><mn>8</mn><mo>∼</mo><mn>20</mn><mo>.</mo><mn>7</mn><mtext>%</mtext></mrow></math></span><span> improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by </span><span><math><mrow><mn>17</mn><mo>∼</mo><mn>33</mn><mo>×</mo></mrow></math></span> while maintaining the same communication cost of server-to-client.</p></div>\",\"PeriodicalId\":50635,\"journal\":{\"name\":\"Computer Standards & Interfaces\",\"volume\":\"89 \",\"pages\":\"Article 103823\"},\"PeriodicalIF\":4.1000,\"publicationDate\":\"2023-12-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Standards & Interfaces\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0920548923001046\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Standards & Interfaces","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0920548923001046","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
Privacy-preserving compromised credential checking protocol for account protection
Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has and improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by while maintaining the same communication cost of server-to-client.
期刊介绍:
The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking.
Computer Standards & Interfaces is an international journal dealing specifically with these topics.
The journal
• Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels
• Publishes critical comments on standards and standards activities
• Disseminates user''s experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods
• Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts
• Stimulates relevant research by providing a specialised refereed medium.