security and privacy of hash based software applications
play

Security and Privacy of Hash-Based Software Applications This work - PowerPoint PPT Presentation

Security and Privacy of Hash-Based Software Applications This work has been partially supported by the LabEx PERSYVAL-Lab (ANR-11-LABX-0025-01) funded by the French program Investissement davenir. Amrit Kumar January 6, 2017 Privatics team,


  1. Security and Privacy of Hash-Based Software Applications This work has been partially supported by the LabEx PERSYVAL-Lab (ANR-11-LABX-0025-01) funded by the French program Investissement d’avenir. Amrit Kumar January 6, 2017 Privatics team, Inria Université Grenoble Alpes

  2. Hashing • A function h : { 0 , 1 } ∗ → { 0 , 1 } ℓ , where ℓ is the digest size. • Cryptographic: (second) pre-image and collision resistant. 2

  3. Hashing • A function h : { 0 , 1 } ∗ → { 0 , 1 } ℓ , where ℓ is the digest size. • Cryptographic: (second) pre-image and collision resistant. 2 nd pre-image pre-image collision resistance resistance resistance � = � = ? x ? ? ? h h h h h h ( x ) h ( x ) = h ( x ′ ) h ( x ) = h ( x ′ ) Best generic 2 ℓ 2 ℓ 2 ℓ/ 2 attack 2

  4. Are collisions always bad? (I) A simple use case: • Instead of storing n (large) data items, store their digests. • If ℓ is large, collisions are hard to find ⇒ space required = n × ℓ bits. 3

  5. Are collisions always bad? (I) A simple use case: • Instead of storing n (large) data items, store their digests. • If ℓ is large, collisions are hard to find ⇒ space required = n × ℓ bits. Collisions for further space savings: x 1 x 2 d 1 x 3 d i x n d m Data Digests • d i now substitutes both x 1 and x 2 ⇒ space required < n × ℓ bits. • Caveat: May introduce some unexpected behavior. 3

  6. Are collisions always bad? (I) A simple use case: • Instead of storing n (large) data items, store their digests. • If ℓ is large, collisions are hard to find ⇒ space required = n × ℓ bits. Collisions for further space savings: x 1 x 2 d 1 x 3 d i x n d m Data Digests • d i now substitutes both x 1 and x 2 ⇒ space required < n × ℓ bits. • Caveat: May introduce some unexpected behavior. • Core of several efficient (probabilistic) data structures: • Bloom filters for membership testing 3 • Sketches for data stream analysis

  7. Are collisions always bad? (II) Use case in privacy: • Hashing as a pseudonymization technique. • If ℓ is large, but #identifiers n is enumerable (in reasonable time) • Exhaustive search breaks pseudonymization. ℓ is large d 1 h h d 2 4

  8. Are collisions always bad? (II) Use case in privacy: • Hashing as a pseudonymization technique. • If ℓ is large, but #identifiers n is enumerable (in reasonable time) • Exhaustive search breaks pseudonymization. ℓ is large ℓ is small d 1 h h d h h d 2 • If ℓ is sufficiently small: • On average n / 2 ℓ identifiers share the same pseudonym. • Notion of anonymity-set. • Caveat: Provides weak anonymity guarantees. 4 • Employed in Google Safe Browsing: a malicious URL detection tool.

  9. Contrasting perspectives and outline Contrasting perspectives • Collisions have to be absolutely avoided in cryptography. • Somewhat welcome in algorithms and data structures. • Useful to some extent in the context of privacy. 5

  10. Contrasting perspectives and outline Contrasting perspectives • Collisions have to be absolutely avoided in cryptography. • Somewhat welcome in algorithms and data structures. • Useful to some extent in the context of privacy. Goal: Investigate the security and privacy implications of hash collisions. Focus for today: • Security: Bloom Filters 1. The Power of Evil Choices in Bloom Filters. DSN’15 Joint work with T. Gerbet and C. Lauradoux 2. Bloom Filters in Adversarial Settings. Under submission Joint work with C. Lauradoux and P. Lafourcade • Privacy: Safe Browsing 1. A Privacy Analysis of Google and Yandex Safe Browsing. DSN’16 Joint work with T. Gerbet and C. Lauradoux 5

  11. Security: Bloom Filters

  12. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 0 0 0 0 0 0 0 7

  13. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 0 0 0 0 0 0 7

  14. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 0 0 1 0 0 0 7

  15. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 7

  16. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 1 • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  17. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 1 • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  18. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 1 / ∈ S • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  19. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 2 = x 2 y 1 / ∈ S • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  20. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 2 = x 2 y 1 / ∈ S • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  21. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 2 = x 2 y 1 / ∈ S y 3 / ∈ S • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  22. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 2 = x 2 y 1 / ∈ S y 3 / ∈ S • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

  23. Bloom filters [Bloom 1970] Setup( m , n , k ): • A binary vector � z of size m compressing a set of n items. • k uniform and independent hash functions: h i : { 0 , 1 } ∗ → [ 0 , m − 1 ] z initialized to � • � 0. Operations: • Insert( x ) : Set bits of � z at h 1 ( x ) , . . . , h k ( x ) to 1. S = { x 1 , x 2 , x 3 } k = 2 0 0 0 1 1 0 1 1 0 1 y 2 = x 2 y 1 / ∈ S y 3 / ∈ S ( false positive ) • Query( y ) : Return True if bits of � z at h 1 ( y ) , . . . , h k ( y ) are all 1. 7

Recommend


More recommend