In this work, we introduce CryptNyx, a Password Hardening (PH) framework that enhances the security of stored password records through collaboration between the authentication server and an external server, also known as rater. PH mitigates offline password brute force attacks on stolen databases by involving the rater in the password verification process, enabling it to impose limits on password decryption attempts. However, this means that the remote server can track user login requests, raising concerns about potential compromises to user privacy. Consequently, achieving effective rate-limiting while preserving user anonymity has remained an unresolved challenge. CryptNyx ensures anonymity without sacrificing rate-limiting. Essentially, the user pseudonym, which allows the rater to track login requests, can be refreshed any number of times in a controlled but unlinkable manner, offering complete anonymity while still mitigating offline guessing attempts. Furthermore, CryptNyx allows for password-hardened encryption capabilities, which enable users to securely encrypt sensitive data using their strengthened password records. Additional features include an “Opt-out” protocol that facilitates client withdrawal, and an “Anonymous Opt-in” protocol designed for efficient batch registration. Experimental results demonstrate the effectiveness and practicality of our approach, highlighting the balance between user privacy, security, and system functionality.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

CryptNyx: Password-Hardened Encryption with Strong Anonymity Guarantees

  • Tassos Dimitriou,
  • Shahad Alshaher

摘要

In this work, we introduce CryptNyx, a Password Hardening (PH) framework that enhances the security of stored password records through collaboration between the authentication server and an external server, also known as rater. PH mitigates offline password brute force attacks on stolen databases by involving the rater in the password verification process, enabling it to impose limits on password decryption attempts. However, this means that the remote server can track user login requests, raising concerns about potential compromises to user privacy. Consequently, achieving effective rate-limiting while preserving user anonymity has remained an unresolved challenge. CryptNyx ensures anonymity without sacrificing rate-limiting. Essentially, the user pseudonym, which allows the rater to track login requests, can be refreshed any number of times in a controlled but unlinkable manner, offering complete anonymity while still mitigating offline guessing attempts. Furthermore, CryptNyx allows for password-hardened encryption capabilities, which enable users to securely encrypt sensitive data using their strengthened password records. Additional features include an “Opt-out” protocol that facilitates client withdrawal, and an “Anonymous Opt-in” protocol designed for efficient batch registration. Experimental results demonstrate the effectiveness and practicality of our approach, highlighting the balance between user privacy, security, and system functionality.