A New Distribution-Sensitive Secure Sketch and Popularity-Proportional Hashing

Woodage, Joanne; Chatterjee, Rahul; Dodis, Yevgeniy; Juels, Ari; Ristenpart, Thomas

doi:10.1007/978-3-319-63697-9_23

Cited by 15 publications

(7 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our FSB protocol uses an estimate of the distribution of human chosen passwords, making it an example of distribution-sensitive cryptography, in which constructions use contextual information about distributions in order to improve security. Previous distribution-sensitive approaches include Woodage et al [48], who introduced a new type of secure sketch [25] for password typos, and Lacharite et al 's [32] frequencysmoothing encryption. While similar in that they use distributional knowledge, their constructions do not apply in our setting.…”

Section: Related Workmentioning

confidence: 99%

Protocols for Checking Compromised Credentials

Pal

Ali³

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches. Recently, some web services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), have started providing APIs to check for breached passwords. We refer to such services as compromised credential checking (C3) services. We give the first formal description of C3 services, detailing different settings and operational requirements, and we give relevant threat models.One key security requirement is the secrecy of a user's passwords that are being checked. Current widely deployed C3 services have the user share a small prefix of a hash computed over the user's password. We provide a framework for empirically analyzing the leakage of such protocols, showing that in some contexts knowing the hash prefixes leads to a 12x increase in the efficacy of remote guessing attacks. We propose two new protocols that provide stronger protection for users' passwords, implement them, and show experimentally that they remain practical to deploy.

show abstract

Section: Related Workmentioning

confidence: 99%

Protocols for Checking Compromised Credentials

Pal

Ali³

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Existing secure sketch constructions have shown limitation in providing security for sources with low entropy, i.e., lower than half of its input size. To overcome such limitation, recent approaches [9], [10] suggested to construct a secure sketch where its security property only holds for computationally bounded attacker. Such computational construction relies on fuzzy min-entropy measurement, accompanies with stringent requirement s.t.…”

Section: Discussionmentioning

confidence: 99%

“…∈ W rather than single distribution. Viewed this way, H fuzz t,∞ (W ) measurement is only sufficient for computational secure sketch construction [9], [10], which means that the security property of such construction only hold for computationally bounded attacker (i.e., polynomial time bounded) accompanies with strong assumption on the user has a precise knowledge over W. However, it is unrealistic to assume every sources distribution can be modelled precisely, especially for high entropy sources like human biometric.…”

Section: Issues In Existing Secure Sketch Constructionmentioning

confidence: 99%

Secure Sketch for All Noisy Sources (Noisy)

Lai

2019

Preprint

View full text Add to dashboard Cite

Secure sketch produces public information of its input w without revealing it, yet, allows the exact recovery of w given another value w ′ that is close to w. Therefore, it can be used to reliably reproduce any error-prone secret (i.e., biometrics) stored in secret storage. However, some sources have lower entropy compared to the error itself, formally called "more error than entropy", a standard secure sketch cannot show its security promise perfectly to this kind of sources. This paper focuses on secure sketch. We propose an explicit construction for secure sketch. We show correctness and security to all sources with meaningful min-entropy at least a single bit. Besides, our construction comes with efficient recovery algorithm operates in polynomial time in the sketch size, which can tolerate high number of error rate arbitrary close to 1/2 for random error. The above result offers polynomial time solution to two NP-complete coding problems, suggesting P=NP.

show abstract

“…Using a different approach, Blanchard also proposed a simple theoretical method based on homomorphic encryption that is too computationally expensive to be usable in practice [23]. Finally, Woodage and some of the original authors created a new distribution-sensitive scheme that adjusted the error rate and hashing time, improving the resistance to certain attacks and providing better time/security trade-offs [24].…”

Section: Introductionmentioning

confidence: 99%

Making More Extensive and Efficient Typo-Tolerant Password Checkers

Blanchard

2020

2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)

View full text Add to dashboard Cite

As passwords remain the main online authentication method, focus has shifted from naive entropy to how usability improvements can increase security. Chatterjee et al. recently introduced the first two typo-tolerant password checkers, their second being usable in practice while being able to correct up to 32% of typos, with no real security cost. We propose an alternative framework which corrects up to 57% of typos without affecting user experience, at no computational cost to the server.

show abstract

A New Distribution-Sensitive Secure Sketch and Popularity-Proportional Hashing

Cited by 15 publications

References 22 publications

Protocols for Checking Compromised Credentials

Protocols for Checking Compromised Credentials

Secure Sketch for All Noisy Sources (Noisy)

Making More Extensive and Efficient Typo-Tolerant Password Checkers

Contact Info

Product

Resources

About