Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for luke crouch luke crouch
December 18, 2018
Technology
140
0

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018

More Decks by luke crouch

See All by luke crouch
Mr. Brokebot: Lethal language attacks against AI agents
Avatar for luke crouch groovecoder
0
120
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
110
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
83
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
200
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
140
VPNs
Avatar for luke crouch groovecoder
0
160
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
280
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
1k
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
120

Other Decks in Technology

See All in Technology
先取りMaven4 ~16年ぶりのメジャーアップデート、その進化とは?~
Avatar for 荻原利雄 ogiwarat
0
130
TROCCOで始めるクラウドコストを民主化するためのFinOps
Avatar for tk3fftk tk3fftk
3
550
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.8k
Gradle×GitHub_ActionsでCI時間を約50%短縮 ジョブ分割の設計と落とし穴 / Cutting CI Time by ~50% with Gradle and GitHub Actions: Job-Splitting Design and Pitfalls
Avatar for 冨澤宝斗 takatty
0
600
個人AIからチームAIへ:開発における品質と生産性の再設計
Avatar for Atsushi Nakatsugawa moongift
PRO
0
360
電子辞書Brainをネットに繋げてみた(自力編)
Avatar for らすぴー raspython3
0
420
Java正規表現エンジン(NFA)の仕組みと パフォーマンスを維持するための最適化手法
Avatar for 竹内 雅和 takeuchi_132917
0
170
Chart.js が簡単に使えるようになっていたので OGP 画像生成に使った話
Avatar for すずとも kamekyame
0
130
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
Avatar for nrs nrslib
4
2.3k
Platform Engineering as a Product: Criteria for Improvement and Multi-Tenant Design
Avatar for Kumo Ishikawa kumorn5s
0
470
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.8k
Ruby::Boxでできること、Refinementsでできること
Avatar for Tomohiro Hashidate joker1007
3
370

Featured

See All Featured
Navigating Algorithm Shifts & AI Overviews - #SMXNext
Avatar for Aleyda Solis aleyda
1
1.3k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
930
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.5k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.2k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
860
A Soul's Torment
Avatar for Nat Ma seathinner
6
2.9k
Designing for Performance
Avatar for Lara Hogan lara
611
70k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1033
470k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.2k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.9k
The Impact of AI in SEO - AI Overviews June 2024 Edition
Avatar for Aleyda Solis aleyda
5
1.1k

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.