What is an off-line keyword guessing attack?
Secure Data Management 2006, COEX, Korea
Off-line Keyword Guessing Attacks on Recent Keyword Search Schemes Over Encrypted Data
Authors : Jin Wook Byun, Hyun Suk Rhee, Hyun-A Park, and Dong Hoon Lee
Center for Information Security Technologies (CIST)
Graduate School of Information Security (GSIS)
Korea University, Korea
Sep. 11, 2006, PM 17:00 – 17:30
Organization
Background
What is an off-line keyword guessing attack?
Attack Scenario
Reviews of two schemes
Security Vulnerability of two schemes
Conclusion
Background
Sensitive data to be stored in databases is rapidly increasing!!
How to protect it from outsider/insider attackers
[Figure: Information Highway linking PC, TV, Phones, Merchant, Kiosks, Health Care, Application Server, Financial Institute, Public Service, … and the Server platform]
Background
Simple solution? Encryption of sensitive data
Secure management of encryption/decryption keys
But encryption makes the data random and unreadable to anyone other than the users holding the encryption keys.
Q: How can the original documents that include user-specified keywords be searched efficiently over the encrypted documents?
[Figure: keywords Love, Bob, Alice; encrypted results]
Background
Web-based Personal Storage System : Web-hard
[Figure: searcher (= user) and server. Uploading Phase: encrypted data. Search Phase: keywords Love, Bob, Alice. Test Phase: encrypted results]
Background
E-mail based Public Storage System : E-mail Storage system
[Figure: uploader, server (e-mail) and searcher (= user). Uploading Phase: Title, To, From, Date, Contents; encrypted results. Search Phase: keywords Love, Bob, Alice, 7/6, 7/7, I love you. Test Phase: encrypted results]
Motivation & Contributions
The keywords a user wants to search for might be guessed by anyone in an off-line manner
From: supervisor, lover, boss ..
To: lover, professor, acquaintance ..
Title: exam, urgent meeting, love ..
For example, in the case of the title, users usually use simple representative sentences so that receivers can easily grasp the mail contents
Keyword guessing attacks: a malicious attacker can guess some candidates and verify whether each guess is correct in an off-line manner!!
Motivation & Contributions
Keywords vs Passwords
Keywords: Merriam-Webster’s dictionary, $225000 = 2^{16}$
Passwords: 8 characters, $62^{8} = 2^{48}$
A ~ Z, a ~ z : 52
0 ~ 9 : 10
Protocols
Email-based storage systems
Three entities are involved
The data supplier uploads encrypted data, then the server searches for data containing the keywords and sends the corresponding results.
Boneh et al. [13]
In 2002, they first suggested an efficient and provably secure keyword search scheme using public key cryptography
Park [8]
In 2004, Park extended Boneh’s scheme to a conjunctive keyword search scheme
Attack Scenario
Email-based storage systems
Guess, and just verify in search phase
[Figure: uploader, server (e-mail) and searcher (= user). Uploading Phase: encrypted data E(m) || S. Search Phase: Trapdoor Q. Test Phase: encrypted results. Security vulnerability!! Trapdoor Q = Q’]
Boneh et al.’s Protocol and Its Security Vulnerability
Single Keyword Search
[Figure: uploader, server (e-mail) and searcher (= user)]
$A_{pub} = [g,\ h = g^{\alpha}]$, $A_{priv} = \alpha$
Uploading Phase
Uploading encrypted data E(m) || S
$S = [A, B] = [g^{r}, H_2(t)]$
$t = e(H_1(w), h^{r})$
Search Phase
$T_w = H_1(W)^{\alpha}$
Test Phase
$H_2(e(T_w, A)) = B$
Encrypted Results
Security vulnerability!!
$e(y, H_1(W')) = e(g, H_1(W)^{\alpha})$
$e(g^{a}, g^{b}) = e(g^{b}, g^{a}) = e(g, g)^{ab}$
Park et al.’s Protocol and Its Security Vulnerability
Conjunctive keyword search
[Figure: uploader, server (e-mail) and searcher (= user)]
$A_{pub} = [y_1 = s_1 P,\ y_2 = s_2 P,\ P]$, $A_{priv} = [s_1, s_2]$
Uploading Phase
Uploading encrypted data E(m) || S
$B, C, A_1, \ldots, A_m$: $rY_2,\ rP,\ e(rH(W_{i,1}), Y_1), \ldots, e(rH(W_{i,m}), Y_1)$
Search Phase
$T_1, T_2$
Name, Address, Birth date
$T_1 = \frac{s_1}{s_2 + u}\,(H(W_{1,1}) + H(W_{1,2}) + H(W_{1,3}))$, $T_2 = u$
Test Phase
$A_1 \times \cdots \times A_f = e(T_1, B + T_2 C)$
Encrypted Results
Park et al.’s Protocol and Its Security Vulnerability
Security Vulnerability
Captures $T_1 = \left(\frac{s_1}{s_2 + u}\right)(H(W)),\ T_2 = u$
Guesses $H(W')$
Computes $y_2 \cdot uP = (s_2 + u)P,\ \lambda = e(y_1, H(W'))$
Checks the equality as
$e((s_2 + u)P, T_1) = e((s_2 + u)P, (\frac{s_1}{s_2 + u})H(W))$
$= e(P, s_1 H(W)) = e(s_1 P, H(W)) = e(y_1, H(W)) \approx \lambda$
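Added example (not from the slides or the authors): the conjunctive scheme and the equality check above, run end to end in Python. It assumes an insecure toy bilinear map in which the point xP is stored as the scalar x, so the slide's y_2 · uP is the sum y2 + uP; the function names and the sample dictionary are constructed for illustration.

```python
import hashlib, secrets

# Toy bilinear map (assumption, insecure by construction): the point xP is
# stored as the scalar x mod Q, so e(aP, bP) = e(P, P)^(ab) becomes a*b mod Q
# and a product in the target group becomes a sum.
Q = 2**127 - 1                        # prime group order (Mersenne prime)
P = 1                                 # generator P

def e(x, y):
    return (x * y) % Q

def H(word):
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % Q

def keygen():
    s1, s2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (s1, s2), (s1 * P % Q, s2 * P % Q)       # A_priv, (y1, y2)

def peck(pub, words):                 # uploader: A_i = e(rH(W_i), Y1), B = rY2, C = rP
    y1, y2 = pub
    r = secrets.randbelow(Q - 1) + 1
    return [e(r * H(w) % Q, y1) for w in words], r * y2 % Q, r * P % Q

def trapdoor(priv, words):            # searcher: T1 = s1/(s2+u) * sum H(W), T2 = u
    s1, s2 = priv
    u = secrets.randbelow(Q)
    while (s2 + u) % Q == 0:          # keep s2 + u invertible
        u = secrets.randbelow(Q)
    return s1 * pow(s2 + u, -1, Q) * sum(H(w) for w in words) % Q, u

def server_check(S, T, fields):       # server: A_I1 x ... x A_If == e(T1, B + T2*C)
    A, B, C = S
    return sum(A[i] for i in fields) % Q == e(T[0], (B + T[1] * C) % Q)

def guess_keyword(pub, T, dictionary):
    """Slide check: e((s2+u)P, T1) == e(y1, H(W')), where (s2+u)P = y2 + uP."""
    y1, y2 = pub
    T1, u = T
    lhs = e((y2 + u * P) % Q, T1)     # uses only public values and the trapdoor
    for cand in dictionary:
        if lhs == e(y1, H(cand)):
            return cand
    return None

# Constructed sample dictionary for the Name field.
NAMES = ["Bob", "Alice", "Carol"]
```

The check needs neither s1 nor s2, which is why a captured single-keyword trapdoor is enough to confirm a guess off-line.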
Countermeasure
Strengthen the keywords by symmetric key
Using keyed hash function $F_K$
$F_K(W)$ : key K strengthens “weak keywords”
– It is not suitable for the environments of e-mail
» It requires pre-shared key K for both uploader and user (If so, the setting would be personal storage system)
Other ways?
Remains future work!!
[Figure: Basic Security (indistinguishability between keywords), Unlinkability, Off-line keyword guessing attack; Ongoing ..]
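Added example (not from the slides or the authors): the off-line check on Boneh et al.'s single keyword scheme and the keyed-hash countermeasure above, run end to end in Python. It assumes an insecure toy bilinear map in which g^x is stored as the exponent x, writes h for the public value that the vulnerability equation calls y, and uses hypothetical function names with a constructed dictionary and key.

```python
import hashlib, hmac, secrets

# Toy bilinear map (assumption, insecure by construction): the element g^x is
# stored as the exponent x mod Q, so e(g^x, g^y) = e(g, g)^(xy) becomes x*y.
Q = 2**127 - 1                        # prime group order (Mersenne prime)
G = 1                                 # generator g

def e(x, y):
    return (x * y) % Q

def H1(word, key=None):
    """Hash a keyword into the group; with `key` this is the keyed hash F_K."""
    data = word.encode()
    digest = (hmac.new(key, data, hashlib.sha256) if key
              else hashlib.sha256(data)).digest()
    return int.from_bytes(digest, "big") % Q

def H2(t):
    return hashlib.sha256(str(t).encode()).hexdigest()

def keygen():
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, alpha * G % Q       # A_priv = alpha, h = g^alpha

def peks(h, word, key=None):          # uploader: S = [g^r, H2(e(H1(w), h^r))]
    r = secrets.randbelow(Q - 1) + 1
    return r * G % Q, H2(e(H1(word, key), r * h % Q))

def trapdoor(alpha, word, key=None):  # searcher: T_w = H1(W)^alpha
    return alpha * H1(word, key) % Q

def server_check(S, T):               # server: H2(e(T_w, A)) == B
    A, B = S
    return H2(e(T, A)) == B

def guess_keyword(h, T, dictionary):
    """Off-line check from the slide: e(h, H1(W')) == e(g, T_w)."""
    for cand in dictionary:           # unkeyed H1: anyone can evaluate it
        if e(h, H1(cand)) == e(G, T):
            return cand
    return None

# Constructed sample dictionary of likely e-mail title keywords.
DICTIONARY = ["exam", "urgent meeting", "love", "invoice"]
```

With a pre-shared key K passed to `peks` and `trapdoor`, search still works but the dictionary loop finds nothing, at the cost the slide notes: uploader and user must already share K.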
Concluding Remarks
Conclusion
Vulnerability against off-line keyword guessing attacks
Future Works
Efficient design of keyword search scheme secure against off-line keyword guessing attacks
Security Model
How to formalize behavior of off-line guessing attack
Formal security proof
Thank you very much !!
Q & A
E-mail address : [email protected]
http://cist.korea.ac.kr/~byunstar