An efficient privacy-preserving scheme for weak password collection in Internet of Things against perpetual leakage
Publication Type: Journal Article
Publication Date: 1-2025
Abstract
Password-based authentication is widely applied in the Internet of Things (IoT): it allows IoT devices to identify users by their passwords and resist unauthorized access. However, the choice of weak passwords, especially popular ones, can violate users' privacy and lead to large-scale network attacks. Collecting popular passwords from IoT devices via a service provider to establish blocklists can prevent the use of weak passwords. To protect unpopular passwords during collection, existing privacy-preserving schemes rely on expensive cryptographic primitives (e.g., garbled circuits and zero-knowledge proofs), which impose heavy communication and computation burdens on constrained devices and hinder wide deployment of these schemes. In this paper, we propose EAGER+, an efficient privacy-preserving scheme for weak password collection in IoT that resists perpetual leakage. EAGER+ is built mainly on secret sharing and symmetric encryption, so computation and communication on IoT devices remain lightweight. In EAGER+, we design a password-locked encryption with conditional decryption to efficiently identify popular passwords: a password is locked under itself in the encryption to guarantee its security, and the service provider can recover the password from the ciphertext only if a sufficient number of devices use it. This mechanism is integrated with a server-aided password-hardening mechanism to resist offline dictionary-guessing attacks. Moreover, EAGER+ uses a key-renewal mechanism that periodically updates the password-hardening secrets held by the key servers, thwarting perpetual leakage of those secrets. We formally analyze the security of EAGER+ and conduct experimental evaluations showing that EAGER+ is more efficient than existing schemes.
Discipline: Information Security
Publication: IEEE Transactions on Information Forensics and Security
Volume: 20
First Page: 1405
Last Page: 1420
ISSN: 1556-6013
Identifier (DOI): 10.1109/TIFS.2024.3523202
Publisher: Institute of Electrical and Electronics Engineers
Citation:
JIANG, Changsong; XU, Chunxiang; DONG, Xinfeng; CHEN, Kefei; and YANG, Guomin. An efficient privacy-preserving scheme for weak password collection in Internet of Things against perpetual leakage. (2025). IEEE Transactions on Information Forensics and Security. 20, 1405-1420.
Available at: https://ink.library.smu.edu.sg/sis_research/10813
Additional URL: https://doi.org/10.1109/TIFS.2024.3523202