Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hash Range Queries

Avatar for luke crouch luke crouch
December 18, 2018
Technology
0
100

Hash Range Queries

For simple, privacy-preserving data-sharing.

Avatar for luke crouch

luke crouch

December 18, 2018
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
Avatar for luke crouch groovecoder
0
62
cryptory-up-to-https-atlas-2024.pdf
Avatar for luke crouch groovecoder
0
53
Cryptography: 500 BC to https
Avatar for luke crouch groovecoder
0
160
Mozilla Observatory First Draft
Avatar for luke crouch groovecoder
0
120
VPNs
Avatar for luke crouch groovecoder
0
110
Digital Privacy & Security
Avatar for luke crouch groovecoder
0
250
Cryptography: 500 BC to Quantum Computing
Avatar for luke crouch groovecoder
0
680
Just enough bitcoing to go cryptojacking with JavaScript
Avatar for luke crouch groovecoder
0
94
Can we protect Privacy without breaking the web
Avatar for luke crouch groovecoder
0
150

Other Decks in Technology

See All in Technology
メモ整理が苦手な者による頑張らないObsidian活用術
Avatar for OPTiM optim
1
190
Power Automate のパフォーマンス改善レシピ / Power Automate Performance Improvement Recipes
Avatar for Takashi Shinohara karamem0
0
280
専門分化が進む分業下でもユーザーが本当に欲しかったものを追求するプロダクトマネジメント/Focus on real user needs despite deep specialization and division of labor
Avatar for moriyuya moriyuya
0
350
TypeScript 上達の道
Avatar for Kanon ysknsid25
23
5.2k
【CEDEC2025】『ウマ娘 プリティーダービー』における映像制作のさらなる高品質化へ!~ 豊富な素材出力と制作フローの改善を実現するツールについて~
Avatar for Cygames cygames
PRO
0
210
Mambaで物体検出 完全に理解した
Avatar for Reiki Shirasawa shirarei24
2
200
AI人生苦節10年で会得したAIがやること_人間がやること.pdf
Avatar for shibuiwilliam shibuiwilliam
1
260
クマ×共生 HACKATHON - 熊対策を『特別な行動」から「生活の一部」に -
Avatar for ふぁらお加藤 pharaohkj
0
280
経理出身PdMがAIプロダクト開発を_ハンズオンで学んだ話.pdf
Avatar for Shunsuke Narita shunsukenarita
1
300
多様なニーズに応える Movable Type ラインナップ 全紹介
Avatar for hayase masakah
0
120
猫でもわかるQ_CLI(CDK開発編)+ちょっとだけKiro
Avatar for Hiroo Katoh kentapapa
0
2.6k
GMOペパボのデータ基盤とデータ活用の現在地 / Current State of GMO Pepabo's Data Infrastructure and Data Utilization
Avatar for Hiroka Zaitsu zaimy
3
180

Featured

See All Featured
Visualization
Avatar for Eitan Lees eitanlees
146
16k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
96
6.1k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
Adopting Sorbet at Scale
Avatar for Ufuk Kayserilioglu ufuk
77
9.5k

Transcript

  1. Hash Range Queries For simple, privacy-preserving data-sharing

  2. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ Not my original idea

  3. https://api.pwnedpasswords.com/pwnedpassword/password A request for a single password reveals who is

    interested in this password. Maybe not that interesting for a widely-used value …

  4. https://api.pwnedpasswords.com/pwnedpassword/p1nkyp13 But how many people would use their favorite my

    little pony character with vowels replaced with numbers?

  5. Do you trust the person operating the service? • Are

    they doing something else with the data? • Are they securing the data?
  6. None

  7. How can a client get a single record from a

    server without revealing the record identifier to the server?

  8. The Easiest Way: Hashed Identifiers

  9. None
  10. None

  11. But rainbow tables exist

  12. None

  13. The Hard Way: Private Set Intersection

  14. None
  15. None

  16. The Middle Way: k-Anonymity

  17. https://en.wikipedia.org/wiki/K-anonymity Every record is unique

  18. https://en.wikipedia.org/wiki/K-anonymity k-Anonymity: 2 for any combination of Age + Gender

    + State found in any row of the table there are always at least 2 rows with those exact attributes Suppression Suppression Generalization

  19. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ By using this property, we are able to seperate

    hashes into anonymized "buckets".

  20. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ A client is able to anonymize the user-supplied hash

  21. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ … and then download all hashes in the same

    anonymized "bucket" as that hash … {

  22. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ { 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 5baa61f4c0b12f0a6691121c7de9420c8ff12c1f 5baa61aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    5baa61bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 5baa61cccccccccccccccccccccccccccccccccc … then do an offline check to see if the user- supplied hash is in that breached bucket.