Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
120

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Mr. Brokebot: Lethal language attacks against AI agents
Avatar for luke crouch groovecoder
0
22
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
86
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
67
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
180
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
140
VPNs
Avatar for luke crouch groovecoder
0
140
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
270
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
970
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
110

Other Decks in Technology

See All in Technology
re:Inventで見つけた「運用を捨てる」技術。
Avatar for shinji ezaki ezaki
1
130
かわいい身体と声を持つ そういうものに私はなりたい
Avatar for よしむら@データマネジメント担当 yoshimura_datam
0
340
ドキュメントからはじめる未来のソフトウェア
Avatar for PKSHA Technology pkshadeck
1
570
Agentic Coding 実践ワークショップ
Avatar for watany watany
36
25k
Zephyr RTOS の発表をOpen Source Summit Japan 2025で行った件
Avatar for misoji engineer iotengineer22
0
200
AI アクセラレータチップ AWS Trainium/Inferentia に 今こそ入門
Avatar for yoshimi0227 yoshimi0227
1
310
スクラムを一度諦めたチームにアジャイルコーチが入ってどう変化したか / A Team's Second Try at Scrum with an Agile Coach
Avatar for 株式会社カオナビ kaonavi
0
280
持続可能な開発のためのミニマリズム
Avatar for SansanTech sansantech
PRO
3
520
人はいかにして 確率的な挙動を 受け入れていくのか
Avatar for vaaaaanquish vaaaaanquish
4
2.3k
【Oracle Cloud ウェビナー】ランサムウェアが突く「侵入の隙」とバックアップの「死角」 ~ 過去の教訓に学ぶ — 侵入前提の防御とデータ保護 ~
Avatar for oracle4engineer oracle4engineer
PRO
2
190
Git Training GitHub
Avatar for Yuki Hattori yuhattor
1
260
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
64k

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.1k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
100
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
3k
The SEO identity crisis: Don't let AI make you average
Avatar for Varn varn
0
55
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
71k
The Curious Case for Waylosing
Avatar for Cassini Nazir cassininazir
0
220
Side Projects
Avatar for Sacha Greif sachag
455
43k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.2k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
Avatar for Sara Fernández Carmona sarafernandez
0
110
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
WCS-LA-2024
Avatar for Leonardo Collado-Torres lcolladotor
0
420

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.