[Owasp-singapore] [security-77] IBM Researcher Solves Longstanding Cryptographic Challenge, Discovers Method to Fully Process Encrypted Data Without Knowing its Content; Could Greatly Further Data Privacy and Strengthen Cloud Computing Security

Wong Onn Chee ocwong at usa.net
Tue Jun 30 11:32:46 EDT 2009


Hi Andrew,

Thanks for the layman explanation. Appreciate it a lot.
Good for ignorants like me. :-)

I still see some challenges with this approach, so feel free to shoot 
them down if you disagree:

a) I understand y*30% is a simplified example.
However, most cloud apps are much more complex than the above example.
Hence, to obtain the entire chain of calculations may be a problem.
In addition, there is also the question whether the cloud app provider 
will expose their own algorithms to their customers.


b) Assuming the output of the calculations (in this case, the result of 
y*30%) is measured against some thresholds.
If the output exceeds the threshold, further actions may be triggered.

However, if x*30% is within the threshold, but y*30% exceeds the 
threshold, won't that result in false triggers or unnecessary further 
actions? And the reverse may also occur.

Imagine that the business mgt missed out critical business intelligence 
information because y is used, instead of the real x?
Won't the reliability of cloud computing be questioned?

I have brought this up in my discussion with you-know-who in MHA 
about this gap in cloud computing.
Using encryption makes sense only if you use the cloud to host emails 
and store files, but that is not cloud computing to me.
Existing services, such as co-location, dedicated servers, managed 
services, can already address the needs of email hosting and file archival.
Cloud computing is about sharing the compute load, not just for storage 
or email purposes.

Also, it does not make sense to ask for dedicated machines from the 
cloud to avoid this encryption loophole, as the basis of cloud is about 
sharing of resources.
Dedicated machines from the cloud are no different from dedicated hosting.
As Shakespeare said, a rose smells as nice by any other name.
So dedicated machines from cloud are equal to dedicated hosting to me. ;-)

Just my 2-cent worth on this topic.
Pardon my non-mathematical view of the problem.
Me more realist lah. :-)




On 06/30/2009 01:25 PM, andrew wrote:
> i just realize i didn't explain a little about the crypto as i
> understand it so far (without digesting the paper yet):
>
> I have a function
>
> f(x) = y
>
> I send y to my accountant
>
> accountant does tax for me
>
> y * 30%
>
> accountant has no knowledge of x, which is my actual pay
>
> so I do a
>
> f(y*30%)-1 = x*30%
>
> if you are familiar with RSA, you know that the 3 boys were finding a
> function that fulfills certain criteria using large primes which are
> infinitely available and difficult to factorise which is a one way
> function unless a trapdoor is provided. So what this function has to
> fulfill is to match all required mathematical function while
> encrypting to the decrypted form and fulfilling encryption
> requirements at the same time. Hope that makes sense.
>
>
> -1 in that formula shd b superscript which means a reverse function.
> sorry i'm lazy to clean up but that pretty much explains it.
>
> P.S. I gotta do my tax tomorrow that's why the example.
>
> On Tue, Jun 30, 2009 at 2:15 PM, andrew<quickt at gmail.com>  wrote:
>    
>> A more detailed article:
>> http://www.forbes.com/forbes/2009/0713/breakthroughs-privacy-super-secret-encryption.html
>>
>> His paper:
>>
>> http://delivery.acm.org/10.1145/1540000/1536440/p169-gentry.pdf?key1=1536440&key2=8197236421&coll=GUIDE&dl=&CFID=37558608&CFTOKEN=60907897
>>
>> Still trying to digest it.
>>
>>
>> On Tue, Jun 30, 2009 at 12:27 PM, Johnny Wong<johnnywkm at gmail.com>  wrote:
>>      
>>> Maybe can send a note to Bruce Schneier and ask him for his assessment.
>>>
>>> At 09:41 AM 30-06-09, Wong Onn Chee wrote:
>>>        
>>>> Anyone who can shed some more light on this?
>>>>
>>>> http://www-03.ibm.com/press/us/en/pressrelease/27840.wss
>>>>
>>>> Sounds like the missing link for cloud security. :-)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Please Note: If you hit "REPLY", your message will be sent to everyone on
>>>> this mailing list (security-77 at meetup.com)
>>>> http://security.meetup.com/77/
>>>> This message was sent by Wong Onn Chee (ocwong at usa.net) from The Singapore
>>>> Security Meetup Group.
>>>> To learn more about Wong Onn Chee, visit his/her member profile:
>>>> http://security.meetup.com/77/members/1756147/
>>>> To unsubscribe or to update your mailing list settings, click here:
>>>> http://www.meetup.com/account/comm/
>>>> Meetup Support: support at meetup.com
>>>> 632 Broadway, New York, NY 10012 USA
>>>>          
>>>
>>>
>>>
>>>
>>>        
>>
>>
>>
>>      
>
>
>
>
>
>
>    
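
An added example, not part of the thread or of the paper it links: the tax scenario worked through with Paillier encryption, which is additively homomorphic only and is swapped in here as a small stand-in for the fully homomorphic scheme in Gentry's paper. The primes, the pay figure and the threshold are constructed toy values, and all function names are hypothetical.

```python
import math
import secrets

# Toy primes (constructed, illustration only); real keys use primes of 1024+ bits.
P, Q = 10007, 10009

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is fixed to g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    # c = (1 + n)^m * r^n mod n^2, with a fresh random r for every encryption
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def times_constant(n, c, k):
    # Server side, public key only: Enc(m)^k mod n^2 is an encryption of k*m.
    return pow(c, k, n * n)

def add(n, c1, c2):
    # Server side, public key only: Enc(a) * Enc(b) mod n^2 encrypts a + b.
    return c1 * c2 % (n * n)

def accountant_demo(pay=84000, rate_percent=30, threshold=20000):
    n, priv = keygen()
    y = encrypt(n, pay)                          # client sends y = f(x)
    y_tax = times_constant(n, y, rate_percent)   # accountant sees only y
    tax = decrypt(n, priv, y_tax) // 100         # client recovers x * 30%
    # The threshold is evaluated by the key holder on the decrypted value;
    # the accountant holds only randomized ciphertexts and cannot compare them.
    return tax, tax > threshold
```

The decrypted result is exactly 30% of the real pay, and the comparison against the threshold happens on the key holder's side after decryption.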