Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
110

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
68
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
54
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
160
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
120
VPNs
Avatar for luke crouch groovecoder
0
120
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
250
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
690
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
98
Can we protect Privacy without breaking the web
Avatar for luke crouch groovecoder
0
160

Other Decks in Technology

See All in Technology
生成AIでセキュリティ運用を効率化する話
Avatar for Tkay sakaitakeshi
0
580
新アイテムをどう使っていくか?みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo
Avatar for Akira Ouchi akkiesoft
0
180
react-callを使ってダイヤログをいろんなとこで再利用しよう!
Avatar for shinaps shinaps
1
230
下手な強制、ダメ!絶対! 「ガードレール」を「檻」にさせない"ガバナンス"の取り方とは?
Avatar for Masataka Tsukamoto tsukaman
2
420
DevIO2025_継続的なサービス開発のための技術的意思決定のポイント / how-to-tech-decision-makaing-devio2025
Avatar for Logy nologyance
1
380
サラリーマンの小遣いで作るtoCサービス - Cloudflare Workersでスケールする開発戦略
Avatar for shinaps shinaps
2
410
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
Avatar for daitasu daitasu
0
140
Django's GeneratedField by example - DjangoCon US 2025
Avatar for Paolo Melchiorre pauloxnet
0
120
【初心者向け】ローカルLLMの色々な動かし方まとめ
Avatar for Aratako aratako
7
3.4k
JTCにおける内製×スクラム開発への挑戦〜内製化率95%達成の舞台裏/JTC's challenge of in-house development with Scrum
Avatar for AEON aeonpeople
0
200
サンドボックス技術でAI利活用を促進する
Avatar for k-nagase koh_naga
0
200
企業の生成AIガバナンスにおけるエージェントとセキュリティ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
2
160

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
19k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
190
11k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.1k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
431
66k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
580
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
46
7.6k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
1
33

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.