Hash Range Queries
luke crouch
December 18, 2018
For simple, privacy-preserving data-sharing.
Transcript
Hash Range Queries
For simple, privacy-preserving data-sharing

Not my original idea
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

https://api.pwnedpasswords.com/pwnedpassword/password
A request for a single password reveals who is interested in this password. Maybe not that interesting for a widely-used value …

https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13
But how many people would use their favorite My Little Pony character with vowels replaced with numbers?

Do you trust the person operating the service?
• Are they doing something else with the data?
• Are they securing the data?

How can a client get a single record from a server without revealing the record identifier to the server?

The Easiest Way: Hashed Identifiers

But rainbow tables exist

The Hard Way: Private Set Intersection

The Middle Way: k-Anonymity

Every record is unique
https://en.wikipedia.org/wiki/K-anonymity

k-Anonymity: 2
https://en.wikipedia.org/wiki/K-anonymity
For any combination of Age + Gender + State found in any row of the table, there are always at least 2 rows with those exact attributes.
[Table annotations on the slide: Suppression, Suppression, Generalization]

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
By using this property, we are able to separate hashes into anonymized "buckets".

A client is able to anonymize the user-supplied hash …

… and then download all hashes in the same anonymized "bucket" as that hash …

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
5baa61f4c0b12f0a6691121c7de9420c8ff12c1f
5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
5baa61cccccccccccccccccccccccccccccccccc

… then do an offline check to see if the user-supplied hash is in that breached bucket.
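
The range-query flow from the last slides, as an added example that is not code from the deck or from the services it cites. The RangeServer class, the check_secret function and the 6-character prefix length are assumptions made for illustration; the server is an in-memory stand-in seeded with the five sample hashes shown on the slide.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 6  # assumption: hex chars revealed; matches the "5baa61" bucket on the slide


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


class RangeServer:
    """Constructed in-memory stand-in for a breach-lookup service."""

    def __init__(self, breached_hashes):
        self.buckets = defaultdict(set)
        self.query_log = []  # everything the operator ever sees from clients
        for h in breached_hashes:
            h = h.lower()
            self.buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def range_query(self, prefix: str):
        prefix = prefix.lower()
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789abcdef" for c in prefix):
            raise ValueError("prefix must be exactly PREFIX_LEN hex characters")
        self.query_log.append(prefix)
        # Return suffixes only: the client already knows the prefix.
        return sorted(self.buckets.get(prefix, ()))


def check_secret(server: RangeServer, secret: str):
    """Return (found, bucket_size); only the hash prefix leaves the client."""
    digest = sha1_hex(secret)
    suffixes = server.range_query(digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in suffixes, len(suffixes)  # offline comparison


# Constructed sample data: the five same-prefix hashes shown on the slide.
SLIDE_BUCKET = [
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # SHA-1 of "password"
    "5baa61f4c0b12f0a6691121c7de9420c8ff12c1f",
    "5baa61" + "a" * 34,
    "5baa61" + "b" * 34,
    "5baa61" + "c" * 34,
]

if __name__ == "__main__":
    server = RangeServer(SLIDE_BUCKET)
    print(check_secret(server, "password"))   # breached value in the sample bucket
    print(check_secret(server, "p1nkyp13"))   # not in the constructed data set
    print(server.query_log)                   # prefixes only, never a full hash
```

The bucket size returned alongside the result is the "k" a client can inspect: the operator cannot tell which of those entries, if any, the client was checking.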