
Improved Security Analysis and Alternative Solutions



  1. Improved Security Analysis and Alternative Solutions
     Alexandra Boldyreva (Georgia Tech), Nathan Chenette (Georgia Tech), Adam O’Neill (UT Austin)
     8/22/2011 9:26:56 PM, Order-Preserving Encryption Revisited


  3. A symmetric encryption scheme is order-preserving if encryption is deterministic and strictly increasing.
     Example OPE function for : (figure labels: ciphertexts, plaintexts)


  5. [AKSX04] suggested OPE as a protocol to support efficient range queries for outsourced databases.
     Client to Server (encrypted database): “I’d like records of people with salaries between $60k and $80k…”

  6. - [BCLO09] defined a secure OPE to be a pseudorandom order-preserving function (POPF)
     - Experiment: A queries “OPE with random key” or “Random OPF” (ideal object)?
     - They designed a POPF-secure scheme

  7. - Practitioners want to implement the OPE scheme right away as it has been proven POPF-secure and is in any case better than no encryption
     - But, as emphasized by [BCLO09], we must first establish security guarantees of the ideal object, a random OPF
       - What information is necessarily leaked?
       - What information is secure?
     - To elaborate…

  8. - The security properties of a random OPF are unclear
     - Compare to the case of PRF/random function:
       - Random function: GUARANTEE: output leaks only equality
       - Random OPF: output leaks… order, approx. location, approx. distance, more?


  10. - We suggest several notions of one-wayness to analyze OPE security
      - We analyze the one-wayness of a random OPF (and thus by extension the POPF-secure scheme of [BCLO09])
      - We introduce two generalizations/modifications of the OPE primitive that support range queries in (only) particular circumstances with improved one-wayness
        - Modular order-preserving encryption (modular range queries)
        - Committed order-preserving encryption (static database)


  12. - Central concern: what do ROPF ciphertexts reveal/hide about…
        - location of plaintexts?
        - distance between plaintexts?
      - We propose several varieties of one-wayness

  13. - = window size
      - = challenge set size
      - Adversary’s advantage is the probability of the event that

  14. - = distance window size
      - = challenge set size
      - Adversary’s advantage is the probability of the event that


  16. Small window vs. large window (axis label: Size of message space)
      - Window One-wayness: small window “Secure” (upper bound on any adversary’s advantage); large window “Insecure” (lower bound on constructed adversary’s advantage)
      - Distance Window One-wayness: small window “Secure” (upper bound on any adversary’s advantage); large window “Insecure” (lower bound on constructed adversary’s advantage)

  17. - We prove an upper bound on -WOW advantage against ROPF
      - = Size of message space, = Size of ciphertext space
      - Theorem: If for ,
      - Interpretation:
        - Any adversary’s probability of inverting one of encryptions of random plaintexts is bounded by (approx) a constant times
        - For reasonable , this is small.

  18. - Reduce to problem of bounding -WOW-advantage
      - Each ciphertext has a most likely plaintext (m.l.p.) given that encryption is a random OPF
      - Given , adversary’s best option is to output m.l.p.
      - Upper bound on advantage: the average m.l.p. probability
        - = (area under curve) / (#ciphertexts)
      - (figure label: probabilities)

  19. Let
      1. Start with for , small and fixed
      2. For general , , write as a function of
      3. For , write as a function of
      4. Integrate this function over the ciphertext range and divide by to find the approx. avg. m.l.p. prob.

  20. - We prove a lower bound on an adversary’s -WOW advantage against ROPF
      - = Size of message space, = Size of ciphertext space
      - Theorem: For any there exists an adversary such that for ,
      - Interpretation:
        - Given encryptions of random plaintexts, adversary can (with high probability) invert one of them to within a size window, where is a medium-sized constant (say, 8)

  21. - Analogous to the WOW case, we show:
        - Upper bound on -DWOW advantage of any adversary
        - Lower bound on an adversary’s -DWOW advantage for
      - Interpretation:
        - Guessing the exact distance between encryptions of two random plaintexts is hard.
        - Guessing the approximate distance is easy.

  22. - If some plaintext/ciphertext pairs are known, the adversary’s view (and our analysis) applies to the subspaces between these points
      - Choosing ciphertext space size : should be sufficient for analysis to hold
      - Assumption alert!
        - Our analysis is limited to uniformly random challenge messages
        - Open problem to extend otherwise
      - (figure label: known plaintext/ciphertext pairs)


  24. - Generalization of OPE in which “modular order” is preserved, supports modular range queries
      - The OPE scheme of [BCLO09] can be extended to an MOPE scheme by prepending a random (secret) shift
      - Now optimally -WOW secure
      - -DWOW security is equivalent to that of the OPE scheme
      - Knowledge of a single plaintext/ciphertext pair essentially reduces the MOPE to an OPE

  25. - Past results [AKSZ04] have implemented schemes for range queries on predetermined static databases
        - Key generation takes database as input, all ciphertexts revealed
        - OP version of secure searchable index schemes ([CGKO06], etc.)
      - We straightforwardly construct an optimally-secure OPE tagging scheme using monotone minimal perfect hash functions (MMPHFs) [BBPV09]
        - = message space (static database)
        - Outputs a key corresponding to the MMPHF sending the i-th element of to i


  27. - We made significant progress in addressing the [BCLO09] open question of analyzing the security of a random OPF
        - Introduced new security models using one-wayness notions
        - Analyzed ROPF under those models
      - We introduced two variations of OPE that could be useful in some settings
      - Taken with certain precautions, we hope our results will help practitioners determine whether the security vs. functionality tradeoff of OPE is acceptable for their applications

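Added example, not from the presentation: the most-likely-plaintext argument of slides 17 and 18, computed exactly for a toy random OPF from [1..M] to [1..N]. The sizes M = 32 and N = 128, the single-challenge setting and the non-wrapping windows are assumptions made here to keep the computation small.

```python
from math import comb

def posterior(c, M, N):
    """P(plaintext = m | ciphertext = c), m = 1..M, for a uniformly random
    plaintext encrypted under a random OPF from [1..M] to [1..N]."""
    # A random OPF is a uniformly random M-subset of [1..N], listed in order:
    # m maps to c when m-1 image points lie below c and M-m lie above it.
    total = comb(N - 1, M - 1)
    return [comb(c - 1, m - 1) * comb(N - c, M - m) / total
            for m in range(1, M + 1)]

def most_likely_plaintext(c, M, N):
    """The m.l.p. of ciphertext c and its probability."""
    p = posterior(c, M, N)
    m = max(range(M), key=p.__getitem__)
    return m + 1, p[m]

def window_advantage(r, M, N):
    """Best possible success rate, given one ciphertext, at naming a window of
    r consecutive plaintexts that contains the challenge (r = 1: exact inversion)."""
    adv = 0.0
    for c in range(1, N + 1):
        p = posterior(c, M, N)
        best = max(sum(p[i:i + r]) for i in range(M - r + 1))
        adv += best / N   # the ciphertext of a random plaintext is uniform on [1..N]
    return adv

if __name__ == "__main__":
    M, N = 32, 128        # constructed toy sizes, far smaller than a real deployment
    print("m.l.p. of c=64:", most_likely_plaintext(64, M, N))
    for r in (1, 2, 4, 8, 16):
        print(f"window r={r:2d}: advantage {window_advantage(r, M, N):.3f}")
```

For r = 1 the result is the average m.l.p. probability of slide 18; widening the window shows how quickly approximate location becomes recoverable.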
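Added example, not from the presentation: the MOPE idea of slide 24, with a random lookup table standing in for the [BCLO09] OPE. Function names, sizes and salary records are constructed; it shows a wrap-around range query answered from ciphertext comparisons alone, and the slide's caveat that one known plaintext/ciphertext pair turns the MOPE back into an OPE.

```python
import random

def keygen(M, N, rng):
    """Toy MOPE key: a random order-preserving table [0..M-1] -> [0..N-1]
    (stand-in for a real OPE, not the [BCLO09] construction) and a secret shift."""
    return sorted(rng.sample(range(N), M)), rng.randrange(M)

def encrypt(key, m):
    table, shift = key
    return table[(m + shift) % len(table)]      # shift first, then the OPE

def decrypt(key, c):
    table, shift = key
    return (table.index(c) - shift) % len(table)

def client_query(key, lo, hi):
    """Client side: a modular range [lo, hi] becomes two ciphertext endpoints."""
    return encrypt(key, lo), encrypt(key, hi)

def server_range(ciphertexts, c_lo, c_hi):
    """Server side: compare ciphertexts only; the interval wraps if c_lo > c_hi."""
    if c_lo <= c_hi:
        return [c for c in ciphertexts if c_lo <= c <= c_hi]
    return [c for c in ciphertexts if c >= c_lo or c <= c_hi]

def rebase(c, c0, N):
    """What one known pair (m0, c0) gives an observer: ciphertexts re-measured
    from c0 are strictly increasing in (m - m0) mod M, i.e. plain OPE again."""
    return (c - c0) % N

def demo(seed=2011):
    rng = random.Random(seed)
    M, N = 200, 1 << 16                           # constructed sizes; salaries in $k
    key = keygen(M, N, rng)
    salaries = [45, 61, 72, 80, 95, 150, 199, 3]  # constructed records
    stored = [encrypt(key, s) for s in salaries]
    hits = server_range(stored, *client_query(key, 60, 80))
    wrap = server_range(stored, *client_query(key, 190, 10))   # wraps past M-1
    return key, sorted(decrypt(key, c) for c in hits), sorted(decrypt(key, c) for c in wrap)

if __name__ == "__main__":
    print(demo()[1:])
```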
