Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
98

Hash Range Queries

For simple, privacy-preserving data-sharing.
Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
56
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
53
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
150
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
110
VPNs
Avatar for luke crouch groovecoder
0
110
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
240
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
660
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
88
Can we protect Privacy without breaking the web
Avatar for luke crouch groovecoder
0
150

Other Decks in Technology

See All in Technology
GigaViewerにおけるMackerel APM導入の裏側
Avatar for koudenpa 7474
0
460
Contract One Dev Group 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
6k
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
240
ソフトウェアテストのAI活用_ver1.10
Avatar for fumisuke fumisuke
0
240
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
5
38k
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
6
360k
JNation 2025 - Quarkus for Spring Developers
Avatar for Eric Deandrea edeandrea
PRO
0
110
テストを実施する前に考えるべきテストの話 / Thinking About Testing Before You Test
Avatar for nihonbuson nihonbuson
PRO
14
2.1k
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
4
12k
令和最新版TypeScriptでのnpmパッケージ開発
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
110
DevOpsDays Taipei 2025 -- Creating Awesome Change in SmartNews!
Avatar for Ikuo Suyama martin_lover
0
160
What's Next in OpenShift Q2 CY2025
Avatar for Red Hat Livestreaming redhatlivestreaming
1
830

Featured

See All Featured
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
123
52k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
35
2.7k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
32
5.8k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
7
590
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
349
20k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
52
2.8k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.6k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
70k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
22
3.5k

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.