Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
100

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
62
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
53
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
160
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
120
VPNs
Avatar for luke crouch groovecoder
0
110
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
250
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
670
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
94
Can we protect Privacy without breaking the web
Avatar for luke crouch groovecoder
0
150

Other Decks in Technology

See All in Technology
Microsoft Fabric ガバナンス設計の一歩目を考える
Avatar for Ryoma Nagata ryomaru0825
1
160
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.2k
LLM拡張解体新書/llm-extension-deep-dive
Avatar for oracle4engineer oracle4engineer
PRO
27
7.6k
複数のGemini CLIが同時開発する狂気 - Jujutsuが実現するAIエージェント協調の新世界
Avatar for Gunther Brunner gunta
5
1.3k
PHPでResult型やってみよう
Avatar for higaki higaki_program
0
170
RapidPen: AIエージェントによる高度なペネトレーションテスト自動化の研究開発
Avatar for Sho Nakatani laysakura
1
340
AIコードアシスタントとiOS開発
Avatar for jollyjoester jollyjoester
1
210
セキュアなAI活用のためのLiteLLMの可能性
Avatar for Hiroki Takatsuka tk3fftk
1
530
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
6.9k
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
0
610
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
18k
公開初日に Gemini CLI を試した話や FFmpeg と組み合わせてみた話など / Gemini CLI 初学者勉強会(#AI道場)
Avatar for you(@youtoy) you
PRO
0
1.6k

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.7k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.9k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.5k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
278
23k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.6k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.