revisiting leakage abuse attacks
play

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara - PowerPoint PPT Presentation

Nov 15, 2023 •367 likes •983 views

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS Encrypted Search Trusted client Untrusted server Cat Fish Cat Dog Dog 2 Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted

  1. Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI 
 SYSTEMS

  2. Encrypted Search Trusted client Untrusted server Cat Fish Cat Dog Dog 2

  3. Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Secret key 3

  4. Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Cat Secret key 3

  5. Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Cat Secret key Cat Cat Dog 3

  6. Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Cat Secret key Cat Cat Dog 4

  7. Encrypted Search Setup Leakage 
 L S Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Cat Secret key Cat Cat Dog 4

  8. Encrypted Search Setup Leakage 
 L S Cat Fish Encrypted Trusted client Cat Untrusted server Index Dog Dog Cat Secret key Query Leakage 
 Cat Cat L Q Dog 4

  9. Query Leakage Terminology • Query equality pattern (qeq) • If and when the search is the same (search pattern) • Response identity pattern (rid) • The file identifiers matching the query (access pattern) • Co-occurrence pattern (co-occ) • The number of files shared by any two queries • Response length pattern (rlen) • The number of files matching a query • Volume pattern (vol) / Total volume pattern (tvol) • The number of bits of each file / the sum of file sizes in bits 5

  10. Q : do we leak all of these patterns “at once”? 6

  11. Encrypted Search Primitives Property-Preserving Functional Structured Encryption Encryption (PPE) Encryption (STE) Oblivious RAM Fully-Homomorphic (ORAM) Encryption (FHE) 7

  12. Encrypted Search Primitives Property-Preserving Functional Structured Encryption Encryption (PPE) Encryption (STE) Oblivious RAM Fully-Homomorphic (ORAM) Encryption (FHE) 7

  13. Encrypted Search STE- & ORAM- based schemes co-occ qeq vol rid rlen tvol 8

  14. Encrypted Search Baseline STE STE- & ORAM- based schemes co-occ qeq vol rid rlen tvol 8

  15. Encrypted Search Baseline STE STE- & ORAM- based schemes Semi-ORAM co-occ qeq vol rid rlen tvol 8

  16. Encrypted Search Baseline STE STE- & ORAM- based schemes Semi-ORAM co-occ qeq OPQ STE [this work] vol rid rlen tvol 8

  17. Encrypted Search Baseline STE STE- & ORAM- based schemes Semi-ORAM co-occ qeq OPQ STE [this work] vol rid rlen Full ORAM tvol 8

  18. Q : can we use the disclosed leakage to recover user’s data? 9

  19. Leakage Attacks Input Output Leakage Attack One or more User’s query or leakage pattern data recovery • Type of adversary Assumptions • Type of auxiliary data • Type of actions • … 10

  20. Leakage Attacks Assumptions 11

  21. Leakage Attacks Assumptions • Adversarial model • persistent: needs encrypted index, documents and queries • snapshot: needs encrypted index and documents 11

  22. Leakage Attacks Assumptions • Adversarial model • persistent: needs encrypted index, documents and queries • snapshot: needs encrypted index and documents • Auxiliary information • known sample: needs sample from same distribution • known data: needs actual data or/and user queries • δ : fraction of adversarially-known data 11

  23. Leakage Attacks Assumptions • Adversarial model • persistent: needs encrypted index, documents and queries • snapshot: needs encrypted index and documents • Auxiliary information • known sample: needs sample from same distribution • known data: needs actual data or/and user queries • δ : fraction of adversarially-known data • Passive vs. active • injection (chosen-data): needs to inject data 11

  24. Leakage Attacks IKK Attack [Islam-Kuzu-Kantarcioglu12] Input Output IKK Attack Query recovery co-occ 12

  25. Leakage Attacks IKK Attack [Islam-Kuzu-Kantarcioglu12] Input Output IKK Attack Query recovery co-occ • Persistent adversary Assumptions • Passive • Known sample * • Known queries 12

  26. Leakage Attacks IKK Attack [Islam-Kuzu-Kantarcioglu12] Input Output IKK Attack Query recovery co-occ Vulnerable • Persistent adversary Assumptions schemes • Passive • Baseline STE • Known sample * • Semi-ORAM • Known queries 12

  27. Leakage Attacks Count Attack [Cash-Grubbs-Perry-Ristenpart15] Input Output Count Attack Query recovery co-occ + rlen 13

  28. Leakage Attacks Count Attack [Cash-Grubbs-Perry-Ristenpart15] Input Output Count Attack Query recovery co-occ + rlen Assumptions • Persistent adversary • Passive • Known data 13

  29. Leakage Attacks Count Attack [Cash-Grubbs-Perry-Ristenpart15] Input Output Count Attack Query recovery co-occ + rlen Vulnerable Assumptions • Persistent adversary schemes • Baseline STE • Passive • Semi-ORAM • Known data 13

  30. Impact of IKK & Count • “For example, IKK demonstrated that by observing accesses to an encrypted email repository, an adversary can infer as much as 80% of the search queries” • “It is known that access patterns, to even encrypted data, can leak sensitive information such as encryption keys [IKK]” • “A recent line of attacks […,Count,…] has demonstrated that such access pattern leakage can be used to recover significant information about data in encrypted indices. For example, some attacks can recover all search queries [Count,…] …” 14

  31. A closer look at IKK & Count attacks 15

  32. Non-trivial limitations 0.2 • High known-data rates 0.15 • Count v1 requires more than 80% and 5% of the queries Frequency • IKK requires more than 95% and 5% of the queries 0.1 SU dataset • Count v2 requires more than 60% M-MU dataset L-MU dataset • Practical vs. Theoretical? 0.05 • Low-vs. high selectivity keywords • Experiments all run on high-selectivity keywords 0 0 2000 4000 6000 8000 10000 • Keywords that are frequent in the user’s data Keywords rank • Re-ran on low-selectivity keywords and failed High- Pseudo-low Low • Both exploit co-occurrence selectivity selectivity selectivity ( ≥ 13) • relatively easy to hide (using OPQ SSE) (10-13) (1-2) 16

  33. Q : can we de better than IKK & Count? 17

  34. Summary of our Attacks Known-Data attacks 18

  35. Summary of our Attacks Known-Data attacks Subgrap ID rid Query recovery Attack 18

  36. Summary of our Attacks Vulnerable schemes Known-Data attacks • Baseline STE • Semi-ORAM Subgrap ID rid Query recovery Attack 18

  37. Summary of our Attacks Vulnerable schemes Known-Data attacks • Baseline STE • Semi-ORAM Subgrap ID rid Query recovery Attack • Baseline STE • Semi-ORAM Subgraph VL vol Query recovery Attack 18

  38. Summary of our Attacks Vulnerable schemes Known-Data attacks • Baseline STE • Semi-ORAM Subgrap ID rid Query recovery Attack • Baseline STE • Semi-ORAM Subgraph VL vol Query recovery Attack • Baseline STE • Semi-ORAM VolAn & • OPQ STE tvol Query recovery SelVolAn • Full ORAM Attacks 18

  39. Summary of our Attacks Injection attacks Vulnerable schemes • Baseline STE • Semi-ORAM Decoding & • OPQ STE tvol Query recovery Binary • Full ORAM attacks First injection attack was by [Zhang-Katz-Papamanthou16] and 
 works against Baseline STE and Semi-ORAM 19

  40. The Subgraph VL Attack 20

  41. The Subgraph VL Attack • Let K ⊆ D be set of known documents • K = (K 2 , K 4 ) and D = (D 1 , …, D 4 ) 21

  42. The Subgraph VL Attack • Let K ⊆ D be set of known documents • K = (K 2 , K 4 ) and D = (D 1 , …, D 4 ) Known Graph vol(K 4 ) vol(K 2 ) w 1 w 4 w 5 21

  43. The Subgraph VL Attack • Let K ⊆ D be set of known documents • K = (K 2 , K 4 ) and D = (D 1 , …, D 4 ) Observed Graph Known Graph vol(K 4 ) vol(D 1 ) vol(D 2 ) vol(D 3 ) vol(D 4 ) vol(K 2 ) w 1 w 4 q 1 q 4 w 5 q 2 q 3 q 5 21

  44. The Subgraph VL Attack • We need to match q i to some w j • The volumes are the ground of truth Observed Graph Known Graph vol(D 1 ) vol(D 2 ) vol(D 3 ) vol(D 4 ) vol(K 4 ) vol(K 2 ) q 1 q 4 w 1 w 4 q 2 q 3 q 5 w 5 22

  45. The Subgraph VL Attack • Observations : if q i = w j then • N(w j ) ⊆ N(q i ) and #N(w j ) ≈ δ . #N(q i ) Observed Graph Known Graph vol(D 1 ) vol(D 2 ) vol(D 3 ) vol(D 4 ) vol(K 4 ) vol(K 2 ) q 1 q 4 w 1 w 4 q 2 q 3 q 5 w 5 23

  46. The Subgraph VL Attack • Each query q starts with a candidate set C q = 𝕏 remove all words s.t. either N(w j ) ⊈ N(q i ) or #N(w j ) ≉ δ . N(q i ) • N(q 1 ) = C(q 1 ) ={w 4 ,w 5 ,w 1 } N(w 4 ) = N(q 2 ) = N(w 5 ) = N(q 3 ) = C(q 4 ) = {w 4 ,w 5 ,w 1 } N(w 1 ) = N(q 4 ) = C(q 5 ) ={w 4 ,w 5 ,w 1 } N(q 5 ) = Known Graph 24 Candidate Sets Observed Graph

  47. The Subgraph VL Attack • Each query q starts with a candidate set C q = 𝕏 remove all words s.t. either N(w j ) ⊈ N(q i ) or #N(w j ) ≉ δ . N(q i ) • N(q 1 ) = C(q 1 ) ={w 4 ,w 5 ,w 1 } C(q 1 ) ={w 1 } N(w 4 ) = N(q 2 ) = N(w 5 ) = N(q 3 ) = C(q 4 ) = {w 4 ,w 5 ,w 1 } N(w 1 ) = N(q 4 ) = C(q 5 ) ={w 4 ,w 5 ,w 1 } N(q 5 ) = Known Graph 24 Candidate Sets Observed Graph

Recommend

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &

836 views • 45 slides
Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs,

Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs,

Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson eprint 2019/011 and IEEE S&P 2019. (also eprint 2018/965, CCS 2018.) AriC crypto seminar, ENS

651 views • 48 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Universit de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring Attack 3.

697 views • 40 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp,

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp,

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp, Adam Lackorzynski * , Jrmie Decouchant, Vincent Rahli, Francisco Rocha, and Paulo Esteves-Verssimo * Kernkonzept GmbH and University of

289 views • 28 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

939 views • 66 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

615 views • 59 slides
How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research Silicon Valley Protecting Sensitive Computations from Leakage/Side-Channel Attacks Sensitive computations: Cryptographic Algorithms Secret Key

232 views • 20 slides
Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

1.03k views • 72 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

547 views • 30 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

SAC Summer School 2019 Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1: ORAM simulation Store and simulate data structure with ORAM General-purpose Zero-leakage (if data is transformed

1.29k views • 60 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water leakage can occur . To prevent leakage-related damages it sends an alert whenever water is detected. The device also visualizes its status on the online

234 views • 10 slides
Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24 and December 3, 2015 Vivid Economics Overview Definition Theory Evidence Addressing leakage Why? Which sectors? How? 2

408 views • 29 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Friday, September 11 th , 2015 Motivation Physical Attacks & Countermeasures input output input output Timing, Power, EM,

746 views • 47 slides
Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

GLSVLSI 2007 17th edition of ACM Great Lakes Symposium on VLSI Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank Sill, Jiaxi You, Dirk Timmermann Institute of Applied Microelectronics and Computer

738 views • 32 slides

More recommend