Les systèmes embarqués comme les smartphones et les tablettes vont devenir à terme nos interfaces privilégiées avec le monde numérique. Ces systèmes n'ont cependant pas encore la puissance de calcul nécessaire pour s'acquitter de toutes les tâches exigées par un utilisateur. De plus, ils ne disposent pas forcement de toutes les connaissances nécessaires pour réaliser certaines opérations. Ceci pour divers raisons: confidentialité, propriété intellectuelle, limitation de la mémoire ou encore difficulté d'accès à l'information. Ainsi de nombreuses données et de nombreux calculs sont stockes et effectués sur des machines distantes. Il peut s'agir de serveur centralisant tous les calculs, d'une grille de calcul distribuée ou d'un cloud. Le résultat est que des entités tiers manipulent des données qui ont un caractère privée. Cette situation n’est pas acceptable en terme de protection de la vie privée sans la mise en place de dispositifs permettant de garantir aux utilisateurs la confidentialité et l'intégrité de leurs données, le respect de leur vie privée. L’objectif de cette thèse est d'analyser les méthodes existantes ainsi que de proposer d'autres mécanismes de sécurité et de protection de la vie privée pour les calculs déportés. / Hashing and hash-based data structures are ubiquitous. Apart from their role inthe design of efficient algorithms, they particularly form the core to manycritical software applications. Whether it be in authentication on theInternet, integrity/identification of files, payment using Bitcoins, webproxies, or anti-viruses, the use of hashing algorithms might only be internalbut yet very pervasive.This dissertation studies the pitfalls of employing hashing and hash-based datastructures in software applications, with a focus on their security and privacyimplications. The mainstay of this dissertation is the security and privacyanalysis of software solutions built atop Bloom filters --- a popularhash-based data structure, and Safe Browsing --- a malicious websitedetection tool developed by Google that uses hash functions. The softwaresolutions studied in this dissertation have billions of clients, which includesoftware developers and end users.For Bloom filters and their privacy, we study a novel use case, where they forman essential tool to privately query leaked databases of personal data. Whilefor security, we study Bloom filters in adversarial settings. The studyencompasses both theory and practice. From a theoretical standpoint, we defineadversary models that capture the different access privileges of an adversary onBloom filters. We put the theory into practice by identifying several securityrelated software solutions (employing Bloom filters) that are vulnerable to ourattacks. This includes: a web crawler, a web proxy, a malware filter, forensictools and an intrusion detection system. Our attacks are similar to traditionaldenial-of-service attacks capable of bringing the concerned infrastructures toknees.As for Safe Browsing, we study vulnerabilities in the architecture that anadversary can exploit. We show several attacks that can simultaneouslyincrease traffic towards both the Safe Browsing server and the client. Ourattacks are highly feasible as they essentially require inverting hash digestsof 32 bits. We also study the privacy achieved by the service by analyzing thepossibility of re-identifying websites visited by a client. Our analysis andexperimental results show that Safe Browsing can potentially be used as a toolto track specific classes of individuals.This dissertation highlights the misunderstandings related to the use of hashingand hash-based data structures in a security and privacy context. Thesemisunderstandings are the geneses of several malpractices that include the useof insecure hash functions, digest truncation among others. Motivated by ourfindings, we further explore several countermeasures to mitigate the ensuingsecurity and privacy risks.
| Identifer | oai:union.ndltd.org:theses.fr/2016GREAM093 |
| Date | 20 October 2016 |
| Creators | Kumar, Amrit |
| Contributors | Grenoble Alpes, Lafourcade, Pascal, Lauradoux, Cédric |
| Source Sets | Dépôt national des thèses électroniques françaises |
| Language | English |
| Detected Language | English |
| Type | Electronic Thesis or Dissertation, Text |
Page generated in 0.002 seconds