保护隐私的加密账户凭证检查协议

IF 4.1 2区 计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE Computer Standards & Interfaces Pub Date : 2023-12-16 DOI:10.1016/j.csi.2023.103823
Xiaopeng Yu , Dianhua Tang , Zhen Zhao , Wei Zhao
{"title":"保护隐私的加密账户凭证检查协议","authors":"Xiaopeng Yu ,&nbsp;Dianhua Tang ,&nbsp;Zhen Zhao ,&nbsp;Wei Zhao","doi":"10.1016/j.csi.2023.103823","DOIUrl":null,"url":null,"abstract":"<div><p>Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has <span><math><mrow><mn>10</mn><mo>∼</mo><mn>20</mn><mo>×</mo></mrow></math></span> and <span><math><mrow><mn>17</mn><mo>.</mo><mn>8</mn><mo>∼</mo><mn>20</mn><mo>.</mo><mn>7</mn><mtext>%</mtext></mrow></math></span><span> improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by </span><span><math><mrow><mn>17</mn><mo>∼</mo><mn>33</mn><mo>×</mo></mrow></math></span> while maintaining the same communication cost of server-to-client.</p></div>","PeriodicalId":50635,"journal":{"name":"Computer Standards & Interfaces","volume":"89 ","pages":"Article 103823"},"PeriodicalIF":4.1000,"publicationDate":"2023-12-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Privacy-preserving compromised credential checking protocol for account protection\",\"authors\":\"Xiaopeng Yu ,&nbsp;Dianhua Tang ,&nbsp;Zhen Zhao ,&nbsp;Wei Zhao\",\"doi\":\"10.1016/j.csi.2023.103823\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has <span><math><mrow><mn>10</mn><mo>∼</mo><mn>20</mn><mo>×</mo></mrow></math></span> and <span><math><mrow><mn>17</mn><mo>.</mo><mn>8</mn><mo>∼</mo><mn>20</mn><mo>.</mo><mn>7</mn><mtext>%</mtext></mrow></math></span><span> improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by </span><span><math><mrow><mn>17</mn><mo>∼</mo><mn>33</mn><mo>×</mo></mrow></math></span> while maintaining the same communication cost of server-to-client.</p></div>\",\"PeriodicalId\":50635,\"journal\":{\"name\":\"Computer Standards & Interfaces\",\"volume\":\"89 \",\"pages\":\"Article 103823\"},\"PeriodicalIF\":4.1000,\"publicationDate\":\"2023-12-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Standards & Interfaces\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0920548923001046\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Standards & Interfaces","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0920548923001046","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0

摘要

由于黑客攻击,数以亿计的账户在暗网上被出售。这些被盗账户可用于恶意登录受害者的应用程序,也就是所谓的凭证填充攻击。最近,为了抵御这些攻击,人们部署了几种被泄露的凭据检查(C3)服务,为用户提供应用程序接口,以检查他们的账户是否已被暴露。然而,这些 C3 服务在提供安全性的同时也付出了高延迟和高带宽的代价。此外,还有一个问题是隐式信任服务器会正确处理包含密码的哈希前缀。为了解决这些问题,我们提出了一种用于账户保护的高效 C3 协议,它能让客户端检查其账户是否出现在存储被泄露凭据的数据库中,而无需向服务器披露所查询的账户。与现有的 C3 服务相比,所提出的 C3 协议在联机阶段对客户端和服务器的计算时间分别有 10∼20 倍和 17.8∼20.7% 的改进,而在预处理阶段对服务器的计算时间保持不变。同时,拟议的 C3 协议将客户端到服务器的通信成本提高了 17∼33 倍,而服务器到客户端的通信成本保持不变。
本文章由计算机程序翻译,如有差异,请以英文原文为准。

摘要图片

摘要图片

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Privacy-preserving compromised credential checking protocol for account protection

Hundreds of millions of accounts are sold on the Dark Web as a result of hacking. These stolen accounts can be used to maliciously log into the victim’s application, which is also known as credential stuffing attacks. Recently, to resist these attacks, several compromised credential checking (C3) services have been deployed to provide users with APIs to check whether their accounts have been exposed. However, these C3 services provide the security at the cost of high latency and bandwidth. There is also the problem implicitly trusting the server to properly handle the hash prefixes containing passwords. To solve these problems, we present an efficient C3 protocol for account protection, which enables a client to check whether its account appears in a database storing the compromised credentials, without disclosing the queried account to the server. Compared to existing C3 services, the proposed C3 protocol has 1020× and 17.820.7% improvement in computational time for both the client and server during the online phase, respectively, while maintaining the same computational time for server during the preprocessing phase. Meanwhile, the proposed C3 protocol improves the communication cost of client-to-server by 1733× while maintaining the same communication cost of server-to-client.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computer Standards & Interfaces
Computer Standards & Interfaces 工程技术-计算机:软件工程
CiteScore
11.90
自引率
16.00%
发文量
67
审稿时长
6 months
期刊介绍: The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal • Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels • Publishes critical comments on standards and standards activities • Disseminates user''s experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods • Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts • Stimulates relevant research by providing a specialised refereed medium.
期刊最新文献
Grammar-obeying program synthesis: A novel approach using large language models and many-objective genetic programming LAMB: An open-source software framework to create artificial intelligence assistants deployed and integrated into learning management systems A lightweight finger multimodal recognition model based on detail optimization and perceptual compensation embedding Developing a behavioural cybersecurity strategy: A five-step approach for organisations A traceable and revocable decentralized attribute-based encryption scheme with fully hidden access policy for cloud-based smart healthcare
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1