what is off-line keyword guessing attack?

1Secure Data Management 2006, COEX, Korea

Off-line Keyword Guessing Attacks on Recent keyword Search Schemes Over Encrypted Data

Authors : Jin Wook Byun, Hyun Suk Rhee, Hyun-A Park, and Dong Hoon Lee

Center for Information Security Technologies (CIST)

Graduate School of Information Security (GSIS)

Korea University, Korea

Sep. 11. 2006PM 17:00 – 17:30


Organization

BackgroundWhat is Off-line keyword guessing attack?

Attack Scenario Reviews of two schemes

Security Vulnerability of two schemes

Conclusion


Background

Sensitive dataSensitive data to be stored on database is rapidly increased !!

How to prevent it from outsider/insider attacker

Information HighwayInformation Highway

PCPC TVTV PhonePhoness

MerchantMerchant

KiosksKiosks

HealthHealthCareCare

ApplicationApplicationSererSerer

Financial Financial InstituteInstitute

PublicPublicServiceService

…

Server platformServer platform


Background

Simple Solution ?Encryption of sensitive data

Secure management of encryption/decryption keysBut, it makes data be random and unreadable to anyone other than the users holding the encrypted keys.

Q : How can original documents be efficiently searched includingthe user specific keywords over the encrypted documents ?

Love, Bob, Alice

Encrypted results


Background

Web-based Personal Storage System : Web-hard

….

Encrypted Data

Uploading Phase

Love, Bob, AliceSearch Phase

Searcher

(= user)

server

Encrypted resultsTest Phase


Background

E-mail based Public Storage System : E-mail Storage system

Server (e-mail)

Encrypted results

Uploading Phase

uploader Searcher(=user)

Title, To, From, Date, Contents

Encrypted Results

Test Phase

Love, Bob, Alice, 7/6, 7/7, I love you

Search Phase


Motivation & Contributions

What user wants to search keywords might be guessed by anyone in an off-line manner

From : supervisor, lover, boss ..To : lover, professor, acquaintance ..Title : exam, urgent meeting, love ..

For example, in case of title, users usually use simple representative sentences to make receivers easily grasp of mail contents

Keyword guessing attacks where an malicious attacker can guess some candidates, and verify his guess is correct or not in an off-line manner !!


Motivation & Contributions

Keywords vs Passwords

keywords passwords

Merriam-Webster’s dictionary

225000 = 216

628 = 248

Passwords : 8 characters

A ~ Z, a ~ z : 52

0 ~9 : 10


Protocols

Email-based storage systemsThree entities are involved

Data supplier uploads encrypted data, then server searches data containing keywords, and sent the corresponding results.

Boneh et al. [13]In 2002, they first suggest efficient and provably secure keyword search scheme by public key cryptography

Park [8]In 2004, Park extends the Boneh’s scheme to conjunctive keyword search scheme


Attack Scenario

Email-based storage systemsGuess, and just verify in search phase

Server (e-mail)

Uploading

Encrypted data

E(m) || S

Uploading Phase

Trapdoor Q

Search Phase


Security vulnerability !!

Trapdoor Q = Q’

Encrypted Results

Test Phase


Boneh et al.’s Protocol and It’s Security Vulnerability

Single Keyword Search

Server (e-mail)uploader Searcher(=user)

[ , ],pub privA g h g Aα α= = =

Uploading

Encrypted data

E(m) || S

Uploading Phase

2

1

[ , ] [ , ( )]

( ( ), )

r

r

S A B g H t

t e H w h

= =

=Test Phase

2 ( ( , ))wH e T A B=

Encrypted Results

Search Phase

1( )wT H W α=

Security vulnerability !!

1 1( , ( ')) ( , ( ) )e y H W e g H W α=

( , ) ( , ) ( , )a b b a abe g g e g g e g g= =


Park et al.’s Protocol and It’s Security Vulnerability

Conjunctive keyword search

Server (e-mail)

Encrypted Results


Search Phase

1 2,T T

dateBirthAddressNameuT

WHWHWHus

sT

,,

))()()()((

2

3,12,11,12

11

=

+++

=Test Phase

1

1 2

,...,

( , )fA A

e T B T C

× ×

= +

Uploading

Encrypted data

E(m) || S

Uploading Phase

1

2 ,1 1 , 1

, , ,..,, , ( ( ), ),.., ( ( ), )

m

i i m

B C A ArY rP e rH W Y e rH W Y

1 1 2 2 1 2[ , , ], [ , ]pub privA y s P y s P P A s s= = = =


Park et al.’s Protocol and It’s Security Vulnerability

Security Vulnerability

Captures

Guesses

Computes

Checks the equality as

11 2

2

( )( ( )),sT H W T us u

= =+

( ')H W

2 2 1( ) , ( , ( '))y uP s u P e y H Wλ⋅ = + =

12 1 2

2

1

1

1

(( ) , ) ( ( ) , ( ) ( ))

( , ( ))( , ( ))( , ( ))

se s u P T e s u P H Ws u

e P s H We s P H We y H Wλ

+ = ++

===≈


Countermeasure

Strengthen the keywords by symmetric keyUsing keyed hash function FK

FK (W) : key K strengthen “weak keywords”– It is not suitable for the environments of e-mail

» It requires pre-shared key K for both uploader and user (If so, the setting would be personal storage system)

Other ways ?Remains future work !!

BasicSecurity

(indistinguishabilitybetween keywords)

Unlinkability

Off-line keywordguessing

attack

Ongoing ..


Concluding Remarks

ConclusionVulnerability against off-line keyword guessing attacks

Future WorksEfficient design of keyword search scheme secure against off-line keyword guessing attacks

Security ModelHow to formalize behavior of off-line guessing attackFormal security Proof


Thank you very much !!

Q & A

E-mail address : [email protected] : http://cist.korea.ac.kr/~byunstar

what is off-line keyword guessing attack?

Documents