Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hash Range Queries
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
luke crouch
December 18, 2018
Technology
130
0
Share
Hash Range Queries
For simple, privacy-preserving data-sharing.
luke crouch
December 18, 2018
More Decks by luke crouch
See All by luke crouch
Mr. Brokebot: Lethal language attacks against AI agents
groovecoder
0
40
Pigeons to Padlocks: 5000 years of Network Security
groovecoder
0
96
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
79
Cryptography: 500 BC to https
groovecoder
0
190
Mozilla Observatory First Draft
groovecoder
0
140
VPNs
groovecoder
0
150
Digital Privacy & Security
groovecoder
0
270
Cryptography: 500 BC to Quantum Computing
groovecoder
0
1k
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
120
Other Decks in Technology
See All in Technology
サイボウズフロントエンドの活動から考える探究と発信
mugi_uno
0
110
AI時代に新卒採用、はじめました/junior-engineer-never-die
dmnlk
0
120
Podcast配信で広がったアウトプットの輪~70人と音声発信してきた7年間~/outputconf_01
fortegp05
0
230
すごいぞManaged Kubernetes
harukasakihara
1
320
機能・非機能の学びを一つに!Agent Skillsで月間レポート作成始めてみた / Unifying Bug & Infra Insights — Building Monthly Quality Reports with Agent Skills
bun913
5
2.9k
TanStack Start エコシステムの現在地 / TanStack Start Ecosystem 2026
iktakahiro
1
290
主催・運営として"場をつくる” というアウトプットのススメ
_mossann_t
0
110
Cortex Code君、今日から内製化支援担当ね。
coco_se
0
270
Kubernetes基盤における開発者体験 とセキュリティの両⽴ / Balancing developer experience and security in a Kubernetes-based environment
chmikata
0
170
OCI技術資料 : ロード・バランサ 概要 - FLB・NLB共通
ocise
4
27k
Goビルドを理解し、 CI/CDの高速化に挑む
satoshin
0
130
AIドリブン開発の実践知 ― AI-DLC Unicorn Gym実施から見えた可能性と課題
mixi_engineers
PRO
0
110
Featured
See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
470
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
3.8k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.4k
Scaling GitHub
holman
464
140k
Discover your Explorer Soul
emna__ayadi
2
1.1k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
53k
A Soul's Torment
seathinner
5
2.6k
Amusing Abliteration
ianozsvald
1
150
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Evolving SEO for Evolving Search Engines
ryanjones
0
170
Transcript
Hash Range Queries For simple, privacy-preserving data-sharing
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea
https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is
interested in this password. Maybe not that interesting for a widely-used value …
https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my
little pony character with vowels replaced with numbers?
Do you trust the person operating the service? • Are
they doing something else with the data? • Are they securing the data?
None
How can a client get a single record from a
server without revealing the record identifier to the server?
The Easiest Way: Hashed Identifiers
None
None
But rainbow tables exist
None
The Hard Way: Private Set Intersection
None
None
The Middle Way: k-Anonymity
https://en.wikipedia.org/wiki/K-anonymity Every record is unique
https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender
+ State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate
hashes into anonymized "buckets".
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash
…
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same
anonymized "bucket" as that hash … {
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.
groovecoder
mugi_uno
dmnlk
fortegp05
harukasakihara
bun913
iktakahiro
_mossann_t
coco_se
chmikata
ocise
satoshin
mixi_engineers
aki_iinuma
marktimemedia
raygrieselhuber
wjessup
rmw
holman
emna__ayadi
madoxten
seathinner
ianozsvald
caitiem20
ryanjones
