Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hash Range Queries
Search
luke crouch
December 18, 2018
Technology
0
87
Hash Range Queries
For simple, privacy-preserving data-sharing.
luke crouch
December 18, 2018
Tweet
Share
More Decks by luke crouch
See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
groovecoder
0
41
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
44
Cryptography: 500 BC to https
groovecoder
0
120
Mozilla Observatory First Draft
groovecoder
0
98
VPNs
groovecoder
0
97
Digital Privacy & Security
groovecoder
0
220
Cryptography: 500 BC to Quantum Computing
groovecoder
0
540
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
68
Can we protect Privacy without breaking the web
groovecoder
0
120
Other Decks in Technology
See All in Technology
デジタルアイデンティティ人材育成推進ワーキンググループ 翻訳サブワーキンググループ 活動報告 / 20250114-OIDF-J-EduWG-TranslationSWG
oidfj
0
530
Accessibility Inspectorを活用した アプリのアクセシビリティ向上方法
hinakko
0
180
Unsafe.BitCast のすゝめ。
nenonaninu
0
200
[IBM TechXchange Dojo]Watson Discoveryとwatsonx.aiでRAGを実現!事例のご紹介+座学②
siyuanzh09
0
110
FODにおけるホーム画面編成のレコメンド
watarukudo
PRO
2
270
Formal Development of Operating Systems in Rust
riru
1
420
Amazon Route 53, 待ちに待った TLSAレコードのサポート開始
kenichinakamura
0
170
Kotlin Multiplatformのポテンシャル
recruitengineers
PRO
2
150
東京Ruby会議12 Ruby と Rust と私 / Tokyo RubyKaigi 12 Ruby, Rust and me
eagletmt
3
870
【JAWS-UG大阪 reInvent reCap LT大会 サンバが始まったら強制終了】“1分”で初めてのソロ参戦reInventを数字で振り返りながら反省する
ttelltte
0
140
コロプラのオンボーディングを採用から語りたい
colopl
5
1.2k
.NET AspireでAzure Functionsやクラウドリソースを統合する
tsubakimoto_s
0
190
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.6k
Statistics for Hackers
jakevdp
797
220k
Raft: Consensus for Rubyists
vanstee
137
6.7k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
The Cost Of JavaScript in 2023
addyosmani
46
7.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
3
180
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
3
240
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.2k
Transcript
Hash Range Queries For simple, privacy-preserving data-sharing
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea
https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is
interested in this password. Maybe not that interesting for a widely-used value …
https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my
little pony character with vowels replaced with numbers?
Do you trust the person operating the service? • Are
they doing something else with the data? • Are they securing the data?
None
How can a client get a single record from a
server without revealing the record identifier to the server?
The Easiest Way: Hashed Identifiers
None
None
But rainbow tables exist
None
The Hard Way: Private Set Intersection
None
None
The Middle Way: k-Anonymity
https://en.wikipedia.org/wiki/K-anonymity Every record is unique
https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender
+ State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate
hashes into anonymized "buckets".
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash
…
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same
anonymized "bucket" as that hash … {
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.
groovecoder
oidfj
hinakko
nenonaninu
siyuanzh09
watarukudo
riru
kenichinakamura
recruitengineers
eagletmt
ttelltte
colopl
tsubakimoto_s
kastner
jakevdp
vanstee
tammyeverts
marcduiker
addyosmani
sstephenson
sergeychernyshev
eileencodes
lauravandoore
