practical solutions for format preserving encryption
play

Practical Solutions for Format- Preserving Encryption Mor Weiss - PowerPoint PPT Presentation

Nov 13, 2023 •263 likes •653 views

Practical Solutions for Format- Preserving Encryption Mor Weiss Joint work with Boris Rozenberg and Muhammad Barham Research conducted while all authors were at IBM Research Labs, Haifa Why Format Preserving Encryption? Why Format Preserving

  1. Practical Solutions for Format- Preserving Encryption Mor Weiss Joint work with Boris Rozenberg and Muhammad Barham Research conducted while all authors were at IBM Research Labs, Haifa

  2. Why Format Preserving Encryption?

  3. Why Format Preserving Encryption?

  4. Why Format Preserving Encryption? Problem (1): encrypted entry incompatible with database entry structure Non-solution (1): generate new tables

  5. Why Format Preserving Encryption?

  6. Why Format Preserving Encryption?

  7. Why Format Preserving Encryption? Problem (2): encrypted entry incompatible with applications using data Non-solution (2): re-write applications

  8. Talk Outline • Definitions • Methodology for format-preserving encryption of general formats • Analysis of known constructions • GFPE • Optimizations for large formats

  9. Format-Preserving Encryption: Definition • A deterministic private-key Encryption Scheme Π : – Message space ℳ – Randomized 𝐿𝑓𝑧𝐻𝑓𝑜: ℕ → 𝒧 – Deterministic 𝐹𝑜𝑑: 𝒧 × ℳ → 𝒟 – Deterministic 𝐸𝑓𝑑: 𝒧 × 𝒟 → ℳ • Notation: 𝐹𝑜𝑑 𝑙 = 𝐹𝑜𝑑 𝑙,⋅ , 𝐸𝑓𝑑 𝑙 = 𝐸𝑓𝑑 𝑙,⋅ • Encryption key random and secret ⇒ encryption “ hides ” plaintext • Standard encryption: ciphertexts usually “ look like garbage ” , possibly causing – Applications using data to crash – Tables designed to store data unsuitable for storing encrypted data • ⇒ Sometimes plaintext properties should be preserved • Format-Preserving Encryption (FPE): ℳ = 𝒟 – 𝐹𝑜𝑑 𝑙 is a permutation over plaintext space ℳ – Ciphertexts have same format as plaintexts!

  10. FPE: Definition (cont.) • Correctness: for every 𝑙 ∈ 𝒧 and every 𝑛 ∈ ℳ 𝐸𝑓𝑑 𝑙 𝐹𝑜𝑑 𝑙 𝑛 = 𝑛 • Secrecy: – For secret and random 𝑙 ∈ 𝒧 – Hierarchy of security notions [BRRS`09] – Strongest: random 𝑙 ⇒ 𝐹𝑜𝑑 𝑙 close to pseudorandom permutation • An “ overkill ” for many typical applications – Guaranteed security against (improbable) attacks incurs expensive overhead – Weakest: Message Recovery • Only require that adversary cannot completely recover message – Even given advantageous distribution over ℳ • Very weak: adversary may learn some message properties

  11. What We Know About FPE • Term coined by Terence Spies, Voltage Security ’ s CTO • First formal definitions due to [BRRS`09] • Constructions for specific formats – Social Security Numbers (SSNs) [Hoo`11] – Credit Card Numbers (CCNs) – Dates [LJLC`10] – … • Drawbacks: – Designed for specific formats (different scheme for every format) – New encryption techniques, little (if any) security analysis Useful for • Integral domains 1, … , 𝑁 [BR`02,BRRS`09] general- • “ Almost integral ” domains ℳ = 1, … , 𝑛 𝑜 for 𝑜, 𝑛 ∈ ℕ format FPE – Methods described as early as 1981 – FFX [BRS`10], BPS [BPS`10] submitted to NIST for consideration

  12. Format-Preserving Encryption for General (Complex) Formats

  13. Techniques for General-Format FPE (Part 2) • Rank-then-Encipher (RtE) [BRRS`09]: general-format FPEs from int -FPE – Order ℳ arbitrarily: 𝐬𝐛𝐨𝐥: ℳ → 1, . . , 𝑁

  14. Techniques for General-Format FPE (Part 2) • Rank-then-Encipher (RtE) [BRRS`09]: general-format FPEs from int -FPE – Order ℳ arbitrarily: 𝐬𝐛𝐨𝐥: ℳ → 1, . . , 𝑁 1 2 3 4 5 6 7 8

  15. Techniques for General-Format FPE (Part 2) • Rank-then-Encipher (RtE) [BRRS`09]: general-format FPEs from int -FPE – Order ℳ arbitrarily: 𝐬𝐛𝐨𝐥: ℳ → 1, . . , 𝑁 – To encrypt message 𝑛 : • Rank 𝒏 : 𝑗 = rank 𝑛 • Encipher 𝒋 : 𝑘 = 𝑗𝑜𝑢𝐹 𝐿, 𝑗 • Unrank 𝒌 : 𝑑 = rank −1 𝑘 1 2 3 4 5 6 7 8

  16. Techniques for General-Format FPE (Part 2) • Rank-then-Encipher (RtE) [BRRS`09]: general-format FPEs from int -FPE – Order ℳ arbitrarily: 𝐬𝐛𝐨𝐥: ℳ → 1, . . , 𝑁 – To encrypt message 𝑛 : • Rank 𝒏 : 𝑗 = rank 𝑛 • Encipher 𝒋 : 𝑘 = 𝑗𝑜𝑢𝐹 𝐿, 𝑗 • Unrank 𝒌 : 𝑑 = rank −1 𝑘 1 2 3 4 5 6 7 8

  17. Techniques for General-Format FPE • Rank-then-Encipher (RtE) [BRRS`09]: general-format FPE from integer -FPE – Order ℳ arbitrarily: 𝐬𝐛𝐨𝐥: ℳ → 1, . . , 𝑁 – To encrypt plaintext 𝑛 : • Rank 𝒏 : 𝑗 = rank 𝑛 • Encipher 𝒋 : 𝑘 = 𝑗𝑜𝑢𝑓𝑕𝑓𝑠𝐹𝑜𝑑 𝑙 𝑗 • Unrank 𝒌 : 𝑑 = rank −1 𝑘 • Security: from security of integer-FPE – rank not meant to, and does not, add security • Efficiency: only if rank, unrank are efficient • Main challenge (1): design efficient rank procedure – “ Meta ” ranking technique for regular languages [BRRS`09] • Main challenge (2): representing formats

  18. FPEs for General Formats: Previous solutions

  19. Simplification-Based FPE [MYHC`11,MSP`11] • Represent formats as union of simpler sub-formats – Plaintexts interpreted as strings – ℳ divided into subsets ℳ 1 , … , ℳ 𝑙 defined by • Length • Index-specific character sets • Encrypt each ℳ 𝑗 separately using Rank-then-Encipher – Ranking computed using generalized lexicographic ordering ℱ 𝑜𝑏𝑛𝑓 : format of valid names Name: 1-4 space-separated words Word: upper case letter followed by 1-15 lower case letters Subsets: ℳ 1 contains Al ℳ 2 contains Tal … ℳ 15 contains Muthuramakrishna ℳ 16 contains El Al

  20. Simplification-Based FPE: Security Concerns • The problem: encryption preserves plaintext-specific properties – Reason: each sub-format ℳ 𝑗 encrypted separately – “ John Doe ” can encrypt “ Jane Roe ” but not “ Johnnie Dee ” – If only one of them is possible, adversary knows plaintext for sure • Simplification-based FPE is Message-Recovery insecure [WRB`15] – MR (message recovery) is the weakest notion – Implies insecurity according to other FPE security notions • Reason: ciphertext length reveals plaintext length, can be used to recover message

  21. Simplification-Based FPE: Experimental Results • Our experiments performed on 1M records of the Federal Election Commission (FEC) reports of 2008-2012 – Regulates campaign finance legislation in the US – Report lists all donors over $200: • Name • Town • Employer • Job title • Attack model reflects typical threat – Data stored at remote server – Attacker has access to all or part of database – No access to secret encryption key – 𝒝 may have prior knowledge

  22. Simplification-Based FPE: Experimental Results (Cont.) When 𝓑 recovers only name column 2% 𝑶 ≤ 𝟐𝟏 5% 𝟐𝟏 < 𝑶 ≤ 𝟐𝟏𝟏 93% 𝟐𝟏𝟏 < 𝑶 < 𝟑𝟐, 𝟘𝟒𝟏 • If we ’ re lucky – Bar in 7% of donors whose encryptions match only 100 entries

  23. Simplification-Based FPE: Experimental Results (Cont.) When 𝓑 recovers name and town columns 𝟐 ≤ 𝑶 ≤ 𝟑 7% 9% 𝟑 < 𝑶 ≤ 𝟐𝟏 56% 𝟐𝟏𝟏 < 𝑶 ≤ 𝟒𝟒𝟒𝟓 28% 𝟐𝟏 < 𝑶 ≤ 𝟐𝟏𝟏 • If we ’ re lucky, Bar in 7% of donors whose encryptions match only 2 entries • Pretty likely that Bar in 44% of donors whose encryptions match only 100 entries

  24. Simplification-Based FPE: Experimental Results (Cont.) When 𝓑 recovers entire database 𝑶 = 𝟐 3% 𝟐𝟏 < 𝑶 ≤ 𝟑𝟔𝟏 14% 15% 𝟑 < 𝑶 ≤ 𝟐𝟏 68% 𝑶 = 𝟑 • For all donors: encryptions match ≤ 250 entries! • Most likely Bar in 71% of donors whose encryption matches only 2 entries!

  25. GFPE

  26. GFPE [WRB`15] FPE “ Wish List ” • Functionality, efficiency: – Simple method of representing formats – Efficient rank, unrank procedures • Security: preserve only format-specific properties – Hide all plaintext-specific properties The Scheme: • Encryption\decryption using Rank-then-Encipher – Support integer-FPEs for integral and almost integral domains • Main challenge: user-friendly format representation – Scheme is user-oriented • Structure: formats represented using bottom-up framework – “ Basic ” building-blocks (primitives) • Usually “ rigid ” formats (e.g., SSNs, CCNs, dates, fixed-length strings … ) • Also “ less rigid ” formats (e.g., variable-length strings) – Operations used to construct complex formats

  27. GFPE: Representing Formats • “ Basic ” building-blocks (primitives): – ℱ 𝑣𝑞𝑞𝑓𝑠 = {A,B, … ,Z} – ℱ 𝑚𝑝𝑥𝑓𝑠 = length- 𝑙 lower-case letter strings, 1 ≤ 𝑙 ≤ 15 – ℱ 𝑡𝑡𝑜 = social-security numbers (SSNs) • Operations: – Concatenation: • ℱ = ℱ 1 ⋅ … ⋅ ℱ 𝑙 – Words: ℱ 𝑥𝑝𝑠𝑒 = ℱ 𝑣𝑞𝑞𝑓𝑠 ⋅ ℱ 𝑚𝑝𝑥𝑓𝑠 • ℱ = ℱ 1 ⋅ 𝑒 1 ⋅ ℱ 2 ⋅ … ⋅ 𝑒 𝑜−1 ⋅ ℱ 𝑜 ( 𝑒 1 , … , 𝑒 𝑜−1 are delimiters) – Range: ℱ = ℱ 1 ⋅ 𝑒 𝑙 , 𝑛𝑗𝑜 ≤ 𝑙 ≤ 𝑛𝑏𝑦 𝑜𝑏𝑛𝑓 = ℱ 𝑥𝑝𝑠𝑒 ⋅ 𝑡𝑞𝑏𝑑𝑓 𝑙 for 1 ≤ 𝑙 ≤ 4 • Names: ℱ – Union: ℱ = ℱ 1 ∪ ⋯ ∪ ℱ 𝑙 • “ Names or SSNs ” : ℱ = ℱ 𝑜𝑏𝑛𝑓 ∪ ℱ 𝑡𝑡𝑜

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption Changhyun Lee, Yeonju Choi, Hyeongmin Park, Kangbin Yim, and Sun-Young Lee Soonchunhyang University IMIS 2019 Presenter: Brandon Falk (

645 views • 21 slides
Format-Preserving Encryption Somitra Kumar Sanadhya Indian Institute of Technology Ropar August

Format-Preserving Encryption Somitra Kumar Sanadhya Indian Institute of Technology Ropar August

Format-Preserving Encryption Somitra Kumar Sanadhya Indian Institute of Technology Ropar August 27, 2020 Somitra Format-Preserving Encryption 1 / 68 Credits Credits for the work described: Co-authors (Designs): Donghoon Chang, Mohona Ghosh,

838 views • 68 slides
The Curse of Small Domains New Attacks on Format-Preserving Encryption Viet Tung Hoang Stefano

The Curse of Small Domains New Attacks on Format-Preserving Encryption Viet Tung Hoang Stefano

The Curse of Small Domains New Attacks on Format-Preserving Encryption Viet Tung Hoang Stefano Tessaro Ni Trieu Florida State University UC Santa Barbara Oregon State University CRYPTO 2018 August 20, 2018 1 Format-Preserving Encryption

373 views • 24 slides
Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak

Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak

Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak Serge Vaudenay 1 Block Ciphers {0,1} 128 0x149E00A50F0F00D6 K AES {0,1} 128 0xA4F22C1B78HE90A9 2 Block Ciphers {0,1} 128

1.32k views • 91 slides
Secure storage in the cloud using property preserving encryption Kenny Paterson Information

Secure storage in the cloud using property preserving encryption Kenny Paterson Information

Secure storage in the cloud using property preserving encryption Kenny Paterson Information Security Group Overview 1. Application scenarios. 2. Deterministic encryption and search. 3. OPE/ORE and range queries. 4. Analysing access pattern

877 views • 48 slides
Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for

981 views • 50 slides
Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on

Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on

Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on Florida Institute for Cybersecurity Research University of Florida Monday In-place encryption of CC database Encrypt 4417 1234 5678 9112 1234 5678

805 views • 51 slides
Frequency-hiding Dependency-preserving Encryption for Outsourced Databases ICDE17 Boxiang

Frequency-hiding Dependency-preserving Encryption for Outsourced Databases ICDE17 Boxiang

Frequency-hiding Dependency-preserving Encryption for Outsourced Databases ICDE17 Boxiang Dong 1 Wendy Wang 2 1 Montclair State University Montclair, NJ 2 Stevens Institute of Technology Hoboken, NJ April 20, 2017

1.01k views • 47 slides
Improved Security Analysis and Alternative Solutions Alexandra Boldyreva Nathan Chenette Adam

Improved Security Analysis and Alternative Solutions Alexandra Boldyreva Nathan Chenette Adam

Improved Security Analysis and Alternative Solutions Alexandra Boldyreva Nathan Chenette Adam ONeill Georgia Tech Georgia Tech UT Austin 8/22/2011 9:26:56 PM Order-Preserving Encryption Revisited 1 8/22/2011 9:26:58 PM Order-Preserving

456 views • 28 slides
MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing

MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing

MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing Chang, Fengwei Zhang, Bo Chen, Yingjiu Li, Wen- Tao Zhu, Yangguang Tian, Zhan Wang and Albert Ching OVERVIEW 1. What is Plausibly Deniable Encryption

657 views • 28 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
PROPERTY-PRESERVING ENCRYPTION GRAD SEC NOV 07 2017 TODAYS PAPERS CRYPTDB BUILDING

PROPERTY-PRESERVING ENCRYPTION GRAD SEC NOV 07 2017 TODAYS PAPERS CRYPTDB BUILDING

PROPERTY-PRESERVING ENCRYPTION GRAD SEC NOV 07 2017 TODAYS PAPERS CRYPTDB BUILDING BLOCKS RND AES+CBC+random IV DET AES+CBC+fixed IV OPE x &lt; y OPE K (x) &lt; OPE K (y) HOM HOM K (x) * HOM K (y) = HOM K (x+y) Fully

793 views • 24 slides
Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers

Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers

Adiantum: length-preserving encryption for entry-level processors Paul Crowley and Eric Biggers Google LLC March 28, 2019 Overview The problem The solution Section 1 The problem The problem Hardware (eg ARM CE) makes AES fast

801 views • 24 slides
Your Partner for: Practical solutions for training programs Business development solutions

Your Partner for: Practical solutions for training programs Business development solutions

Your Partner for: Practical solutions for training programs Business development solutions Cross-cultural communication International mindset and experiences Based in Brazil, but working worldwide! www.occasioias.com Mr. Rafael

659 views • 11 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
Investor Presentation November 2014 Disclaimer The information in this presentation has been

Investor Presentation November 2014 Disclaimer The information in this presentation has been

Investor Presentation November 2014 Disclaimer The information in this presentation has been prepared by CEAT Limited (the Company) and has not been independently verified. No representation or warranty expressed or implied is made as to,

366 views • 18 slides
Londons Road Network Garrett Emmerson Chief Operating Officer: London Streets TfLs Traffic

Londons Road Network Garrett Emmerson Chief Operating Officer: London Streets TfLs Traffic

Getting More From Londons Road Network Garrett Emmerson Chief Operating Officer: London Streets TfLs Traffic Responsibilities Full operational responsibility for the Transport For London Road Network (TLRN the Red Routes),

567 views • 21 slides
1 Minister Minister As it relates to the planning for the electrical needs of the Northwest we

1 Minister Minister As it relates to the planning for the electrical needs of the Northwest we

1 Minister Minister As it relates to the planning for the electrical needs of the Northwest we have identified three separate ti tiers in the current level of service i th t l l f i The first tier represents the area with the greatest level

694 views • 30 slides
Benchmark gas distribution network for cross-sectoral applications Christian Brosig M.Sc. Prof.

Benchmark gas distribution network for cross-sectoral applications Christian Brosig M.Sc. Prof.

Benchmark gas distribution network for cross-sectoral applications Christian Brosig M.Sc. Prof. Dr. Eberhard Waffenschmidt Silvan Fassbender M.Sc. Dr. Bernhard Klaassen ES-FLEX-INFRA [1] Benchmark systems General validity for

319 views • 18 slides
CHEROKEE HIGH SCHOOL SENIOR PARENT COLLEGE APPLICATION NIGHT S E P T E M B E R 1 8 , 2 0 1 4

CHEROKEE HIGH SCHOOL SENIOR PARENT COLLEGE APPLICATION NIGHT S E P T E M B E R 1 8 , 2 0 1 4

CHEROKEE HIGH SCHOOL SENIOR PARENT COLLEGE APPLICATION NIGHT S E P T E M B E R 1 8 , 2 0 1 4 PURPOSE RPOSE OF F SENI NIOR R PARENT RENT COLLEGE EGE APPLICA PLICATION TION NI NIGHT HT Assist you and your senior with the application

284 views • 27 slides
JOHNSON COUNSELING STAFF Courtney Tarbox (Lead Counselor) A-BL Becky Hudkins BN-EC Patti

JOHNSON COUNSELING STAFF Courtney Tarbox (Lead Counselor) A-BL Becky Hudkins BN-EC Patti

JOHNSON COUNSELING STAFF Courtney Tarbox (Lead Counselor) A-BL Becky Hudkins BN-EC Patti Snider ED-HEP Julie Metcalf HER-MAK Richard Boeger MAL-PAS Mary Solis-Martinez PAT-SM Desi Meza SN-Z Lisa Williams STAN-Intervention Counselor

835 views • 44 slides
Class of 2019 CSF Academic Letter Filing Periods: October 1 st 31 st March 1 st 31 st

Class of 2019 CSF Academic Letter Filing Periods: October 1 st 31 st March 1 st 31 st

W2019 Seniors 2019 Class of 2019 CSF Academic Letter Filing Periods: October 1 st 31 st March 1 st 31 st Criteria: 3.4 GPA or above in specific classes (see application) $3.00 application fee Reading Your Transcript

476 views • 32 slides
Forum post classification to support forensic investigations of illegal trade on the Dark Web

Forum post classification to support forensic investigations of illegal trade on the Dark Web

Forum post classification to support forensic investigations of illegal trade on the Dark Web System &amp; Network Engineering (MSc) Research Project 2 Supervisors: Diana Rusu Martijn Spitters diana.rusu@os3.nl Stefan Verbruggen Motivation

378 views • 19 slides

More recommend