Breaking Encrypted Databases: Generic Attacks on Range Queries

Video Link: https://www.youtube.com/watch?v=1DL7Lx5kuXQ



Duration: 44:04


Marie-Sarah Lacharite | PhD Candidate, Royal Holloway, University of London
Location: Lagoon GHI
Date: Thursday, August 8 | 11:00am-11:50am
Format: 50-Minute Briefings
Track: Cryptography

Security researchers and practitioners have proposed many techniques for securely storing and querying outsourced data. I'll start this talk with an overview of common building blocks and the latest commercial and academic solutions, focusing on those that support range queries (e.g., selecting all records where the age attribute is between 18 and 65). These techniques are tailored to specific threat models. For example, if the database server is trusted but not the network, connections can be encrypted with TLS. If the database server is trusted but there is a risk of disk theft, full-disk encryption or page-level encryption of database files and logs (e.g., Transparent Data Encryption) can be enabled. If the database server isn't trusted at all, a system that encrypts all data before uploading it (e.g., via a CipherCloud gateway or CryptDB proxy server) could be employed.

All of these solutions, however, leak some information when a query is processed -- like the set of records matching the query, or the size of this set. This information leaks even to an observer who doesn't have any cryptographic keys. The source of the leakage can vary; it could be network traffic, observed memory accesses, or database logs recovered by forensic analysis. I'll explain how this leakage can be exploited by an attacker to break the encryption and recover values in the database. These attacks are entirely generic and don't depend on the database implementation. They have connections to graph theory, Golomb rulers, and machine learning. I'll discuss proposed countermeasures, and finish by offering guidelines that practitioners can use when assessing the security claims of the latest and greatest database encryption solutions.




Black Hat - USA - 2019 Hacking conference






