Privacy-preserving compromised credential checking protocol for account protection

Abstract

Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has $10\sim 20\times$ and $17.8\sim 20.7\text{\%}$ improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by $17\sim 33\times$ while maintaining the same communication cost of server-to-client.