Chinese researchers develop fuzzy search algorithm for encrypted cloud data Chinese researchers from Nanjing University have developed an encrypted search mechanism which they say is both more productive and secure than existing systems. Existing systems can search encrypted data only for exact keyword matches and nothing similar. Authors of such systems can employ fuzziness to detect phrases (such as …
To turn the question on its head, what is the point in having data if you cannot find anything in it? Encryption helps ensure that only authorized users can access the data, not that no-one can. Too, consider that search values themselves are metadata and relate that to the tracking of telecon metadata by various government organizations. There might be a reason to develop this sort of thing based on that alone.
What is the point of encrypting your stuff if people can still search to see what is in it.
Threat model. The point of information security is not to ensure that there is no possibility of your data being misused. There's a well-known protocol for that: discard the data in an irretrievable manner.1
Oh, you need that data for your own purposes? Then you have to decide what types of attack you're going to worry about, and what their cost factors should be for the attackers, and what costs you can bear to achieve those factors, and what remediation steps you'll implement to realize that model.
For a great many applications, a perfectly reasonable threat model is: "We'll encrypt the data, so it can't just be stolen in bulk. But we need it to be searchable, so we'll create an index first. We'll throttle access to the index so it's infeasible to use it as an oracle to reconstruct significant portions of the data, and we'll use an IDS to try to detect attempts to do so. Anyone who can get past all of that probably has resources to suborn or coerce a legitimate user, so there's little benefit to raising the cost factor beyond that."
Security is never about absolutes.
(Is it just me?)
No. Lots of people don't understand information security.
1Implementation is left as an exercise for the reader.
I doubt these researchers have "dubbed their system Latent Semantic Analysis", since LSA is a well-known algorithm invented1 at Bell Labs in the '80s and patented by Deerwester et al.
Indeed, it's pretty clear just from the abstract of their paper that they've combined LSA with k-Nearest Neighbor (kNN), another algorithm of ancient and widespread fame, to precompute a fuzzy index for data that is then encrypted. Incremental refinement of established tools, applied in a slightly different domain. Good work, but not revolutionary.
1"Discovered", for the Platonists.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
