12 research outputs found
Leakage-Abuse Attacks Against Forward and Backward Private Searchable Symmetric Encryption
Dynamic searchable symmetric encryption (DSSE) enables a server to
efficiently search and update over encrypted files. To minimize the leakage
during updates, a security notion named forward and backward privacy is
expected for newly proposed DSSE schemes. Those schemes are generally
constructed in a way to break the linkability across search and update queries
to a given keyword. However, it remains underexplored whether forward and
backward private DSSE is resilient against practical leakage-abuse attacks
(LAAs), where an attacker attempts to recover query keywords from the leakage
passively collected during queries.
In this paper, we aim to be the first to answer this question firmly through
two non-trivial efforts. First, we revisit the spectrum of forward and backward
private DSSE schemes over the past few years, and unveil some inherent
constructional limitations in most schemes. Those limitations allow attackers
to exploit query equality and establish a guaranteed linkage among different
(refreshed) query tokens surjective to a candidate keyword. Second, we refine
volumetric leakage profiles of updates and queries by associating each with a
specific operation. By further exploiting update volume and query response
volume, we demonstrate that all forward and backward private DSSE schemes can
leak the same volumetric information (e.g., insertion volume, deletion volume)
as those without such security guarantees. To testify our findings, we realize
two generic LAAs, i.e., frequency matching attack and volumetric inference
attack, and we evaluate them over various experimental settings in the dynamic
context. Finally, we call for new efficient schemes to protect query equality
and volumetric information across search and update queries.Comment: A short version of this paper has been accepted to the 30th ACM
Conference on Computer and Communications Security (CCS'23
Interpreting and Mitigating Leakage-abuse Attacks in Searchable Symmetric Encryption
Searchable symmetric encryption (SSE) enables users to make confidential queries over always encrypted data while confining information disclosure to pre-defined leakage profiles. Despite the well-understood performance and potentially broad applications of SSE, recent leakage-abuse attacks (LAAs) are questioning its real-world security implications. They show that a passive adversary with certain prior information of a database can recover queries by exploiting the legitimately admitted leakage. While several countermeasures have been proposed, they are insufficient for either security, i.e., handling only specific leakage like query volume, or efficiency, i.e., incurring large storage and bandwidth overhead.
We aim to fill this gap by advancing the understanding of LAAs from a fundamental algebraic perspective. Our investigation starts by revealing that the index matrices of a plaintext database and its encrypted image can be linked by linear transformation. The invariant characteristics preserved under the transformation encompass and surpass the information exploited by previous LAAs. They allow one to unambiguously link encrypted queries with corresponding keywords, even with only partial knowledge of the database. Accordingly, we devise a new powerful attack and conduct a series of experiments to show its effectiveness. In response, we propose a new security notion to thwart LAAs in general, inspired by the principle of local differential privacy (LDP). Under the notion, we further develop a practical countermeasure with tunable privacy and efficiency guarantee. Experiment results on representative real-world datasets show that our countermeasure can reduce the query recovery rate of LAAs, including our own
GraphSE: An Encrypted Graph Database for Privacy-Preserving Social Search
In this paper, we propose GraphSE, an encrypted graph database for online
social network services to address massive data breaches. GraphSE preserves
the functionality of social search, a key enabler for quality social network
services, where social search queries are conducted on a large-scale social
graph and meanwhile perform set and computational operations on user-generated
contents. To enable efficient privacy-preserving social search, GraphSE
provides an encrypted structural data model to facilitate parallel and
encrypted graph data access. It is also designed to decompose complex social
search queries into atomic operations and realise them via interchangeable
protocols in a fast and scalable manner. We build GraphSE with various
queries supported in the Facebook graph search engine and implement a
full-fledged prototype. Extensive evaluations on Azure Cloud demonstrate that
GraphSE is practical for querying a social graph with a million of users.Comment: This is the full version of our AsiaCCS paper "GraphSE: An
Encrypted Graph Database for Privacy-Preserving Social Search". It includes
the security proof of the proposed scheme. If you want to cite our work,
please cite the conference version of i
A Highly Accurate Query-Recovery Attack against Searchable Encryption using Non-Indexed Documents
Cloud data storage solutions offer customers cost-effective and reduced data
management. While attractive, data security issues remain to be a core concern.
Traditional encryption protects stored documents, but hinders simple
functionalities such as keyword search. Therefore, searchable encryption
schemes have been proposed to allow for the search on encrypted data. Efficient
schemes leak at least the access pattern (the accessed documents per keyword
search), which is known to be exploitable in query recovery attacks assuming
the attacker has a significant amount of background knowledge on the stored
documents. Existing attacks can only achieve decent results with strong
adversary models (e.g. at least 20% of previously known documents or require
additional knowledge such as on query frequencies) and they give no metric to
evaluate the certainty of recovered queries. This hampers their practical
utility and questions their relevance in the real-world.
We propose a refined score attack which achieves query recovery rates of
around 85% without requiring exact background knowledge on stored documents; a
distributionally similar, but otherwise different (i.e., non-indexed), dataset
suffices. The attack starts with very few known queries (around 10 known
queries in our experiments over different datasets of varying size) and then
iteratively recovers further queries with confidence scores by adding
previously recovered queries that had high confidence scores to the set of
known queries. Additional to high recovery rates, our approach yields
interpretable results in terms of confidence scores.Comment: Published in USENIX 2021. Full version with extended appendices and
removed some typo
Toward Full Accounting for Leakage Exploitation and Mitigation in Dynamic Encrypted Databases
Encrypted database draws much attention as it provides privacy-protection services for sensitive data outsourced to a third party. Recent studies show that the security guarantee of encrypted databases are challenged by several leakage-abuse attacks on its search module, and corresponding countermeasures are also proposed. Most of these studies focus on static databases, yet the case for dynamic has not been well investigated. To fill this gap, in this paper, we focus on exploring privacy risks in dynamic encrypted databases and devising effective mitigation techniques. To begin with, we systematically study the exploitable information disclosed during the database querying process, and consider two types of attacks that can recover encrypted queries. The first active attack works by injecting encoded files and correlating file volume information. The second passive attack works by identifying queries’ unique relational characteristics across updates, assuming certain background knowledge of plaintext databases. To mitigate these attacks, we propose a two-layer encrypted database hardening approach, which obfuscates both search indexes and files in a continuous way. As a result, the unique characteristics emerging after data updates can be eliminated constantly. We conduct a series of experiments to confirm the severity of our attacks and the effectiveness of our countermeasures
Revisiting Leakage Abuse Attacks
Encrypted search algorithms (ESA) are cryptographic algorithms that support search over encrypted data. ESAs can be designed with various primitives including searchable/structured symmetric encryption (SSE/STE) and oblivious RAM (ORAM). Leakage abuse attacks attempt to recover client queries using knowledge of the client’s data. An important parameter for any leakage-abuse attack is its known-data rate; that is, the fraction of client data that must be known to the adversary.
In this work, we revisit leakage abuse attacks in several ways. We first highlight some practical limitations and assumptions underlying the well-known IKK (Islam et al. NDSS ’12) and Count (Cash et al., CCS ’15) attacks. We then design four new leakage-abuse attacks that rely on much weaker assumptions. Three of these attacks are volumetric in the sense that they only exploit leakage related to document sizes. In particular, this means that they work not only on SSE/STE-based ESAs but also against ORAM-based solutions. We also introduce two volumetric injection attack which use adversarial file additions to recover queries even from ORAM-based solutions. As far as we know, these are the first attacks of their kind.
We evaluated all our attacks empirically and considered many experimental settings including different data collections, query selectivities, known-data rates, query space size and composition. From our experiments, we observed that the only setting that resulted in reasonable recovery rates under practical assumptions was the case of high-selectivity queries with a leakage profile that includes the response identity pattern (i.e., the identifiers of the matching documents) and the volume pattern (i.e., the size of the matching documents). All other attack scenarios either failed or relied on unrealistic assumptions (e.g., very high known-data rates). For this specific setting, we propose several suggestions and countermeasures including the use of schemes like PBS (Kamara et al, CRYPTO ’18), VLH/AVLH (Kamara and Moataz, Eurocrypt ’19 ), or the use of padding techniques like the ones recently proposed by Bost and Fouque (Bost and Fouque, IACR ePrint 2017/1060)
Practical Isolated Searchable Encryption in a Trusted Computing Environment
Cloud computing has become a standard computational paradigm due its numerous
advantages, including high availability, elasticity, and ubiquity. Both individual users and
companies are adopting more of its services, but not without loss of privacy and control.
Outsourcing data and computations to a remote server implies trusting its owners, a
problem many end-users are aware. Recent news have proven data stored on Cloud
servers is susceptible to leaks from the provider, third-party attackers, or even from
government surveillance programs, exposing users’ private data.
Different approaches to tackle these problems have surfaced throughout the years.
NaĂŻve solutions involve storing data encrypted on the server, decrypting it only on the
client-side. Yet, this imposes a high overhead on the client, rendering such schemes
impractical. Searchable Symmetric Encryption (SSE) has emerged as a novel research
topic in recent years, allowing efficient querying and updating over encrypted datastores
in Cloud servers, while retaining privacy guarantees. Still, despite relevant recent advances,
existing SSE schemes still make a critical trade-off between efficiency, security,
and query expressiveness, thus limiting their adoption as a viable technology, particularly
in large-scale scenarios.
New technologies providing Isolated Execution Environments (IEEs) may help improve
SSE literature. These technologies allow applications to be run remotely with
privacy guarantees, in isolation from other, possibly privileged, processes inside the CPU,
such as the operating system kernel. Prominent example technologies are Intel SGX and
ARM TrustZone, which are being made available in today’s commodity CPUs.
In this thesis we study these new trusted hardware technologies in depth, while exploring
their application to the problem of searching over encrypted data, primarily focusing
in SGX. In more detail, we study the application of IEEs in SSE schemes, improving their
efficiency, security, and query expressiveness.
We design, implement, and evaluate three new SSE schemes for different query types,
namely Boolean queries over text, similarity queries over image datastores, and multimodal
queries over text and images. These schemes can support queries combining different
media formats simultaneously, envisaging applications such as privacy-enhanced medical diagnosis and management of electronic-healthcare records, or confidential photograph
catalogues, running without the danger of privacy breaks in Cloud-based provisioned
services
Improving Efficiency, Expressiveness and Security of Searchable Encryption
A large part of our personal data, ranging from medical and financial records to our social activity, is stored online in cloud servers. Frequent data breaches threaten to expose these data to malicious third parties, often with catastrophic consequences (estimated to several billion of US dollars annually). In this thesis, we use, extend and improve Searchable Encryption (SE) in order to build the next generation encrypted databases/systems that will prevent such undesirable situations. Our goal is to build systems that are both practical and provably secure, while allowing expressive search and computation on encrypted data. Towards this goal, we have proposed new SE schemes that achieve the following: (i) have better search/computation time, (ii) allow expressive queries such as range, join, group-by, as well as dynamic query workloads, and (iii) provide new adjustable security-efficiency trade-offs---leading to robust and efficient schemes even against very powerful adversaries