Security and privacy for outsourced computations.

Abstract : Hashing and hash-based data structures are ubiquitous. Apart from their role inthe design of efficient algorithms, they particularly form the core to manycritical software applications. Whether it be in authentication on theInternet, integrity/identification of files, payment using Bitcoins, webproxies, or anti-viruses, the use of hashing algorithms might only be internalbut yet very pervasive.This dissertation studies the pitfalls of employing hashing and hash-based datastructures in software applications, with a focus on their security and privacyimplications. The mainstay of this dissertation is the security and privacyanalysis of software solutions built atop Bloom filters --- a popularhash-based data structure, and Safe Browsing --- a malicious websitedetection tool developed by Google that uses hash functions. The softwaresolutions studied in this dissertation have billions of clients, which includesoftware developers and end users.For Bloom filters and their privacy, we study a novel use case, where they forman essential tool to privately query leaked databases of personal data. Whilefor security, we study Bloom filters in adversarial settings. The studyencompasses both theory and practice. From a theoretical standpoint, we defineadversary models that capture the different access privileges of an adversary onBloom filters. We put the theory into practice by identifying several securityrelated software solutions (employing Bloom filters) that are vulnerable to ourattacks. This includes: a web crawler, a web proxy, a malware filter, forensictools and an intrusion detection system. Our attacks are similar to traditionaldenial-of-service attacks capable of bringing the concerned infrastructures toknees.As for Safe Browsing, we study vulnerabilities in the architecture that anadversary can exploit. We show several attacks that can simultaneouslyincrease traffic towards both the Safe Browsing server and the client. Ourattacks are highly feasible as they essentially require inverting hash digestsof 32 bits. We also study the privacy achieved by the service by analyzing thepossibility of re-identifying websites visited by a client. Our analysis andexperimental results show that Safe Browsing can potentially be used as a toolto track specific classes of individuals.This dissertation highlights the misunderstandings related to the use of hashingand hash-based data structures in a security and privacy context. Thesemisunderstandings are the geneses of several malpractices that include the useof insecure hash functions, digest truncation among others. Motivated by ourfindings, we further explore several countermeasures to mitigate the ensuingsecurity and privacy risks.
Document type :
Theses
Liste complète des métadonnées

Cited literature [171 references]  Display  Hide  Download

https://tel.archives-ouvertes.fr/tel-01687732
Contributor : Abes Star <>
Submitted on : Thursday, January 18, 2018 - 4:52:06 PM
Last modification on : Wednesday, October 3, 2018 - 1:17:23 AM
Document(s) archivé(s) le : Thursday, May 24, 2018 - 1:58:08 AM

File

KUMAR_2016_archivage.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01687732, version 1

Collections

Citation

Amrit Kumar. Security and privacy for outsourced computations.. Cryptography and Security [cs.CR]. Université Grenoble Alpes, 2016. English. ⟨NNT : 2016GREAM093⟩. ⟨tel-01687732⟩

Share

Metrics

Record views

281

Files downloads

629