reducing metadata leakage from encrypted files and
play

Reducing Metadata Leakage from Encrypted Files and Communication - PowerPoint PPT Presentation

Dec 01, 2023 •319 likes •992 views

Reducing Metadata Leakage from Encrypted Files and Communication with PURBs Kirill Nikitin * , Ludovic Barman * , Wouter Lueks, Matthew Underwood, Jean-Pierre Hubaux, and Bryan Ford cole polytechnique fdrale de Lausanne (EPFL) @ni_kirill

  1. Reducing Metadata Leakage from Encrypted Files and Communication with PURBs Kirill Nikitin * , Ludovic Barman * , Wouter Lueks, Matthew Underwood, Jean-Pierre Hubaux, and Bryan Ford École polytechnique fédérale de Lausanne (EPFL) @ni_kirill *Shared first authorship @lbarman_ch

  2. ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 [Dog video] Kirill Nikitin ! 2

  3. ! 3 Ciphertexts Expose Metadata in Clear Kirill Nikitin ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Ciphertext To whom Message size Metadata " Algorithms used ⚙ … ⚙ Encrypted Payload !

  4. ! 5 OpenPGP Packet Format Kirill Nikitin Packet Type Format version Recipient Key ID Public-Key Algorithm ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Session Key Part 8502 0c01 9497 608d d051 8f79 010f ff46 bd7f 1821 27a9 42c4 01b4 7ecd 433e 7f90 . . . . . 74b8 139c a802 6678 ba0d 1abd d264 014b 6a5a f586 e3fa b98e 92d1 6759 Data Part 7186 2ccc ac50 3db7 fa03 4f31 dcd7 fa40 Encrypted Data . . . . . 4b09 d9b4 1654 972d 5c22 47db Credit for the picture of the attacker here and graphics afterwards is to Vecteezy.com

  5. ! 5 OpenPGP Packet Format Kirill Nikitin Packet Type Format version Recipient Key ID Public-Key Algorithm ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Session Key Part 8502 0c01 9497 608d d051 8f79 010f ff46 bd7f 1821 27a9 42c4 01b4 7ecd 433e 7f90 . . . . . 74b8 139c a802 6678 ba0d 1abd d264 014b 6a5a f586 e3fa b98e 92d1 6759 Data Part 7186 2ccc ac50 3db7 fa03 4f31 dcd7 fa40 Encrypted Data . . . . . 4b09 d9b4 1654 972d 5c22 47db A message to the King of Sweden encrypted with RSA-512 using an outdated OpenPGP format?? Small key? Outdated format? I might crack it! Credit for the picture of the attacker here and graphics afterwards is to Vecteezy.com

  6. ! 5 OpenPGP Packet Format Kirill Nikitin Packet Type Format version Recipient Key ID Public-Key Algorithm ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Session Key Part 8502 0c01 9497 608d d051 8f79 010f ff46 bd7f 1821 27a9 42c4 01b4 7ecd 433e 7f90 . . . . . 74b8 139c a802 6678 ba0d 1abd Is exposing metadata necessary? d264 014b 6a5a f586 e3fa b98e 92d1 6759 Data Part 7186 2ccc ac50 3db7 fa03 4f31 dcd7 fa40 Encrypted Data . . . . . 4b09 d9b4 1654 972d 5c22 47db A message to the King of Sweden encrypted with RSA-512 using an outdated OpenPGP format?? Small key? Outdated format? I might crack it! Credit for the picture of the attacker here and graphics afterwards is to Vecteezy.com

  7. ! 6 What If We Stripped Off All the Metadata? Kirill Nikitin ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 “Black Square”, 1915, by Kazimir Malevich

  8. ! 7 It Is Possible But Challenging Kirill Nikitin 1. Efficient decoding ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 $ 2. When addressing multiple recipients & 3. Using different cryptographic algorithms $ %

  9. ! 8 Padded Uniform Random Blobs (PURBs) Kirill Nikitin • A novel format for encrypted data without any metadata in clear. ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 • The properties (informally): Content Metadata — PURB — 1001…01 PURB PURB ?! PURB PURB PURB PURB PURB PURB — PURB — Content and metadata protection Indistinguishability from random bits Minimized length leakage

  10. ! 9 Padded Uniform Random Blobs (PURBs) Kirill Nikitin • Two core components ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 - Encoding scheme ( Multi-Suite PURB or MsPURB) - Padding scheme (Padmé)

  11. ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Encoding scheme (MsPURB) Kirill Nikitin ! 10

  12. ! 11 Roadmap to MsPURB Kirill Nikitin ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Multiple Single Recipient Multiple Suites Non-malleability Recipients

  13. ! 12 Single Recipient: Model Kirill Nikitin Honest Sender Honest Recipient ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 — PURB — Insecure channel Is it a PURB or a random bit string?! Active Adversary Non- Single Multiple Multiple malleability Recipient Recipients Suites

  14. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] Non- Single Multiple Multiple malleability Recipient Recipients Suites

  15. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] Sender: 1. Generates an ephemeral key pair x, G x ; Non- Single Multiple Multiple malleability Recipient Recipients Suites

  16. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] Sender: 1. Generates an ephemeral key pair x, G x ; 2. Computes a shared secret G yx ; Non- Single Multiple Multiple malleability Recipient Recipients Suites

  17. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] Enc K (data) Payload Sender: 1. Generates an ephemeral key pair x, G x ; 2. Computes a shared secret G yx ; 3. Encrypts the data with one-time session key K; Non- Single Multiple Multiple malleability Recipient Recipients Suites

  18. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] AE Gyx ( K || meta ) Enc K (data) Entry point Payload Sender: 1. Generates an ephemeral key pair x, G x ; 2. Computes a shared secret G yx ; 3. Encrypts the data with one-time session key K; 4. Creates an entry point with K and other metadata, encrypted with G yx ; Non- Single Multiple Multiple malleability Recipient Recipients Suites

  19. ! 13 Single Recipient Kirill Nikitin Recipient – public key G y ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Similar to the Integrated Encryption Scheme (IES) [ABR01] Hide(G x ) AE Gyx ( K || meta ) Enc K (data) Encoded public key Entry point Payload Sender: 1. Generates an ephemeral key pair x, G x ; 2. Computes a shared secret G yx ; 3. Encrypts the data with one-time session key K; 4. Creates an entry point with K and other metadata, encrypted with G yx ; 5. Encodes G x as a uniform bit string, e.g. , with Elligator [BHKL13]. Non- Single Multiple Multiple malleability Recipient Recipients Suites

  20. ! 14 Multiple Recipients Kirill Nikitin ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 — PURB — Non- Single Multiple Multiple malleability Recipient Recipients Suites

  21. ! 15 Multiple Recipients Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 We create an entry point per recipient, each with K and metadata but encrypted with G y1x , G y2x , G y3x respectively. AE Gy3x (K||meta) AE Gy1x (K||meta) AE Gy2x (K||meta) Non- Single Multiple Multiple malleability Recipient Recipients Suites

  22. ! 15 Multiple Recipients Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 We create an entry point per recipient, each with K and metadata but encrypted with G y1x , G y2x , G y3x respectively. AE Gy3x (K||meta) AE Gy1x (K||meta) AE Gy2x (K||meta) But how do we organize these entry points in the PURB? Non- Single Multiple Multiple malleability Recipient Recipients Suites

  23. ! 16 Linear Approach Strawman Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Hide(G x ) Enc K (data) We create an entry point per recipient, each with K and metadata but encrypted with G y1x , G y2x , G y3x respectively. Non- Single Multiple Multiple malleability Recipient Recipients Suites

  24. ! 16 Linear Approach Strawman Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Hide(G x ) AE Gy1x (K||meta) AE Gy2x (K||meta) AE Gy3x (K||meta) Enc K (data) We create an entry point per recipient, each with K and metadata but encrypted with G y1x , G y2x , G y3x respectively. Non- Single Multiple Multiple malleability Recipient Recipients Suites

  25. ! 16 Linear Approach Strawman Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Inefficient to decode Hide(G x ) AE Gy1x (K||meta) AE Gy2x (K||meta) AE Gy3x (K||meta) Enc K (data) We create an entry point per recipient, each with K and metadata but encrypted with G y1x , G y2x , G y3x respectively. Non- Single Multiple Multiple malleability Recipient Recipients Suites

  26. ! 17 Single Hash-Table Strawman Kirill Nikitin Recipients – public keys G y1 , G y2 , G y3 . ❖ Reducing Metadata Leakage with PURBs @ PETS 2019 Hide(G x ) Enc K (data) Entry points are placed in a hash table, indexed by G yx Hash Table Non- Single Multiple Multiple malleability Recipient Recipients Suites

Recommend

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

SAC Summer School 2019 Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1: ORAM simulation Store and simulate data structure with ORAM General-purpose Zero-leakage (if data is transformed

1.29k views • 60 slides
AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson @kennyog based on joint work with Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud Information Security Group SuRI EPFL June 18, 2018

859 views • 49 slides
Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno Key k i was queried. Privacy-Preserving Storage Protocols Key k i

1.11k views • 81 slides
Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson ePrint 2017/701, to appear S&P 2018. Information Security Group Workshop IoT+Cloud, Bochum, 7 Nov 2017. Outsourcing Data to the

699 views • 22 slides
Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe Persiano Universit` a di Salerno June, 2019 Describing joint work with: Sarvar Patel and Kevin Yeo (Google LLC) Giuseppe Persiano (UNISA) June

1.15k views • 87 slides
Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS Encrypted Search Trusted client Untrusted server Cat Fish Cat Dog Dog 2 Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted

983 views • 60 slides
Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel Why? There is no open source implementation Source Code available for PkCrack by

837 views • 19 slides
DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST

DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST

DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 WITH 300 k-NEAREST NEIGHBOR 250 QUERY LEAKAGE 200 EVGENIOS M. KORNAROPOULOS 150 CHARALAMPOS PAPAMANTHOU ROBERTO TAMASSIA 100 50 0 0 100 200 300 400 Full

777 views • 52 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Metal A Metadata-Hiding File-Sharing System Weikeng Chen Raluca Ada Popa UC Berkeley

Metal A Metadata-Hiding File-Sharing System Weikeng Chen Raluca Ada Popa UC Berkeley

Metal A Metadata-Hiding File-Sharing System Weikeng Chen Raluca Ada Popa UC Berkeley End-to-end encrypted file sharing Academia: DepSky, M-Aegis, Mylar, Plutus, ShadowCrypt, Sieve, SiRiUS Industry: Encryption is not enough: Metadata still

1.17k views • 45 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Yodel: Strong Metadata Security for Real-Time Voice Calls David Lazar , Yossi Gilad, Nickolai

Yodel: Strong Metadata Security for Real-Time Voice Calls David Lazar , Yossi Gilad, Nickolai

Yodel: Strong Metadata Security for Real-Time Voice Calls David Lazar , Yossi Gilad, Nickolai Zeldovich MIT CSAIL 1 Metadata is data that cant be encrypted src/dst msg size Chat Service sent time 2 What can you learn from

689 views • 19 slides
M-Files OCR Presented By: Syed Raza What is OCR? OCR - Optical Character Recognition

M-Files OCR Presented By: Syed Raza What is OCR? OCR - Optical Character Recognition

M-Files OCR Presented By: Syed Raza What is OCR? OCR - Optical Character Recognition Method of recognizing text in image METADATA-POWERED INFORMATION MANAGEMENT Key features Conversion to Searchable PDF For existing image files

641 views • 16 slides
Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan

Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan

Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan Tyagi Paul Grubbs Julia Len Ian Miers Tom Ristenpart CRYPTO 2019 1 Setting: End-to-end encrypted messaging Hello From: Alice To: Bob

1k views • 75 slides
m e t a d a t a how much of a difference does metadata really make to your bottom line?

m e t a d a t a how much of a difference does metadata really make to your bottom line?

it might be the giant in the room, but it doesnt ha ve t o be scary l e t s t a l k a b o u t What is metadata? What differentiates great metadata from merely good? Do you really need to worry about it? As a publisher, m

253 views • 6 slides
File Systems: Fundamentals File operations Files Create, Open, Read, Write, Seek, Delete,

File Systems: Fundamentals File operations Files Create, Open, Read, Write, Seek, Delete,

Files Fundamental Ontology of File Systems What is a file? Metadata A named collection of related information recorded on secondary The index node (inode) is the fundamental data structure storage (e.g., disks) The superblock also has

448 views • 5 slides
The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water leakage can occur . To prevent leakage-related damages it sends an alert whenever water is detected. The device also visualizes its status on the online

234 views • 10 slides
From SDTM to displays, through ADaM & Analyses Results Metadata, a flight on board METADATA

From SDTM to displays, through ADaM & Analyses Results Metadata, a flight on board METADATA

From SDTM to displays, through ADaM & Analyses Results Metadata, a flight on board METADATA Airlines Omar SEFIANI - Stphane BOUGET, Boehringer Ingelheim DH13, PhUSE Barcelona 2016, October, 12 th Outline Background Metadata Driven

683 views • 19 slides
Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for

Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for

Esri International User Conference | San Diego, CA Technical Workshops | 2011-07-12 Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for Multiple Standards New Tools and Workflows Metadata Editor

332 views • 22 slides
UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized

UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized

UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized metadata improves usability and comparability Metadata (and data) that follow specific standardized patterns: are easier for users to interpret

991 views • 19 slides
Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24 and December 3, 2015 Vivid Economics Overview Definition Theory Evidence Addressing leakage Why? Which sectors? How? 2

408 views • 29 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides

More recommend