This description generally relates to online cryptography, and more particularly to securing online account creation and verifying account logins.
User accounts maintained by online computer servers are generally vulnerable to passive and active attacks by third parties. If such a server is breached, information associated with an account may be accessible to a malicious actor. To prevent breaches, account creation and login systems have grown more secure over time. One tool in breach prevention is using one or more cryptographic primitives to securely store passwords. Cryptographic primitives include salts, one-way functions (e.g., hash functions), cryptographic operations (e.g., encryption, decryption), symmetric cryptography schemes, and asymmetric (or public key) cryptography schemes. Another major tool in breach prevention is using physically distinct security hardware modules to perform various parts of the account creation and login verification processes, including applying cryptographic primitives as mentioned above. For example, the term hardware security module (HSM) specifically refers to a specially designed server that securely stores digital keys and performs cryptographic processing.
However, despite advances in cryptographic primitives and security hardware, many account and login servers are still vulnerable to breach. For example, an account login system may include a login server where passwords are stored in a password database, and where cryptographic processing is performed on a separate HSM remotely coupled to the login server. In this system, it is possible for a malicious actor to obtain a data dump of the password database and, synchronously or asynchronously, to temporarily obtain the ability to make encryption/decryption calls to the HSM. In this instance, despite having only temporary access to the HSM, it is possible for the malicious actor to use brute force to crack the password database offline based on the decryptions performed during the temporary access to the HSM.