nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
How do you securely exchange encrypted-decrypted-recrypted data? Ask Microsoft

Holmes

There are already companies with products using Multi-Party Computation to allow computation on data without seeing the data. Examples include Cybernetica, Partisia and DyadicSecurity.

1
1
Silver badge

And Microsoft.

http://www.theregister.co.uk/2016/02/09/researchers_break_homomorphic_encryption/

1
0

Re: And Microsoft.

Microsoft do not have a product. Its a Microsoft Labs project. You cannot go buy it from MS

1
0

Homomorphic encryption

There is also that: https://en.wikipedia.org/wiki/Homomorphic_encryption

0
0
Silver badge

Re: Homomorphic encryption

Except it's way too slow, especially for complex calculations, IIRC. Plus we have no assurance the homomorphic system doesn't have potential holes in it.

0
0
FAIL

Magic encryption dust

From the blog:

“Instead, we want to use the keys to decrypt the data inside a multiparty computation,” says paper co-author Kim Laine [...]. Doing so unencrypts the data for a computation “without actually revealing anything to anyone except the result” of the computation.

And the key. Which can then be conveniently stored somewhere, because.

If the data is properly encrypted, it's pure random noise and no insights into it should be possible (other than it exists and is of size X). If it is decrypted anywhere outside of the organisational boundaries then that means keys have to be sent... at which point all that data outside the organisation sharing that key has the potential to be exposed.

From the whitepaper itself:

> In short, the protocol is secure as long as the cloud is semi-honest and no evaluator cooperates with the cloud. This holds even if the parties are otherwise malicious (simultaneous with the cloud being semi-honest).

However, in this case, if the malicious actor sits in *both* 'cloud' and 'evaluator', as agencies and organised criminals tend to for extended periods, then the protocol is not secure.

So, if you have no adversaries (of size and technical capability) then the cloud is safe anyway. If you do have them, then no amount of 'cleverness' like this is going to make any difference.

7
0

Re: Magic encryption dust

Indeed the MS protocol is pretty basic, it assumes a "semi-honest" cloud and a single cloud actor. The key to MPC to have different mutually mistrusting actors and to use protocols which are secure against "active" actors. So using multiple clouds, or a hybrid cloud, makes much more sense.

MPC also makes a lot of sense when trying to remove single points of security failure, you can take a sensitive piece of information and then distribute it around an organization; knowing you can use the data without it ever having to reside in a single place.

1
0

Re: Magic encryption dust

> If it is decrypted anywhere outside of the organisational boundaries then that

> means keys have to be sent...

Nope. Thats the point. The key is held in a split form and decryption is performed without anyone ever knowing the key.

0
0

Re: Magic encryption dust

Nope. Can't decrypt without the key. Splitting the key, sending the bits via different routes etc - won't make a difference. At the point where you decrypt you need the key. That's the point of attack.

0
1

Re: Magic encryption dust

You can decrypt without holding the key anywhere. The key is split into pieces, the pieces stored in different locations and they are never brought back together. There is no one point where you decrypt, the plaintext pops out of a decryption "protocol".

I have loads of scientific papers on this. It sounds like magic, but it is actually quite simple.

Currently record is to do about 1 million AES encryptions per second using a key which is shared and never placed in one place (paper by Lindell and others to appear at ACM CCS in late October).

Suggest you look up the products produced by the company Lindell and I founded (Dyadic Security), or maybe some of mine and others papers on this topic...

http://dblp.uni-trier.de/pers/hd/s/Smart:Nigel_P=

2
0
Silver badge

Re: Magic encryption dust

Why not just explain things in a way the average computer user can understand, because we frankly can't take your word for it (not that we can actually FIND your word on the matter, you show a list of works with your link but not a SPECIFIC link that explains how you can do part of the work with part of the key and still not know enough to decrypt the rest, sort of like how one can manage to open a door partway with only part of a key and yet not use the crack you open to get it the rest of the way.

0
2

Re: Magic encryption dust

How about Wikipedia as a place to start...

https://en.wikipedia.org/wiki/Secure_multi-party_computation

And for the latest work with the current best performance there is this...

http://eprint.iacr.org/2016/768

0
0
Coat

re: the photo

There is no Data only Tool

3
0
Silver badge

Another oxymoron...

"Secure Cloud".

Look, if you want something secure, you have to control it from birth to death. Once it is in the "cloud", it is out of your control no matter how hard you try, so don't.

We have a presidential candidate (in the USA) that tried but failed at this.

4
0
Silver badge
Happy

Re: Another oxymoron...

The "Secure" in MS' "Secure Cloud" must be the same "Secure" as the "Secure" in MS' "Secure Boot".

1
0

Fuck Off!!1!!

Such secure data exchange open to door to all sorts of applications including the ability to train algorithms, perform market research, conduct auctions and enable new business opportunities.

I HAVE ALREADY BOUGHT SOME FUCKING SOCKS SO YOU DO NOT HAVE TO ALGORITHMICALLY ADVERTISE THEM TO ME AGAIN IN ORDER TO IMPROVE MY BROWSING EXPERIENCE. DO YOU HAVE ANY IDEA HOW LONG SOCKS LAST ME OR ARE YOU GOING TO ALGORITHMICALLY DETERMINE THAT. STOP TRYING TO FUCK WITH MY SOCK PURCHASING PROCESS.. THERE ARE CERTAIN DECISIONS I CAN MAKE FOR MYSELF WITHOUT TWATS SUCH AS YOURSELF TRYING TO MAKE A CENT FROM ME SHITTING IN A LEFT ONE BECAUSE THE TOILET WAS NOT AVAILABLE AND NOT MENTIONING IT ON SOCIAL MEDIA. FUCK, YOU COULD NOT EVEN ALGORITHMICALLY SELL ME WASHING POWDER FOR MY FUCKING SOCKS. WHAT THE FUCK DO I CARE IF YOU OR SOME OTHER TWAT TRIES TO ALGORITHMICALLY SELL ME SOME SOCKS I ALREADY HAVE?

TWATS... THAT IS ALL.

3
2
Silver badge
Joke

Re: Fuck Off!!1!!

Camilla,

Take a deep breath

now hold it for a few seconds....

breathe out....

breathe in again....

hold it......

breathe out......

Better???

Now you can take that Linux Live CD and nuke that fucked up WindblowZE 10 machine that has caused you so much stress.

2
0

Re: Fuck Off!!1!!

Better???

Erm.. not really. All I see is some concept whereby Microsoft thinks it can keep its 'Walled Garden' safe from the prying eyes of others who own similar 'Walled Gardens' whilst being able to peer into 'their' 'Walled Garden' in a manner that will allow them to sell me SOCKS I have already bought without supposedly knowing I was the purchaser. Beyond the guff I spy no difference.

In respect of Windows 10 I think my box may have been constructed..

# dmidecode 2.12

SMBIOS 2.5 present.

40 structures occupying 1133 bytes.

Table at 0x000F0000.

Handle 0x0000, DMI type 0, 24 bytes

BIOS Information

Vendor: Phoenix Technologies, LTD

Version: PBSANFMB.0800

Release Date: 07/06/2007

Strange to say I looked that up on Google as the first hit and did not have to trog through to page 18 in order to discover another page asking me to install "Windows Best Bios Version Finder" cruftware...

Sometime after 2007 and came with Vista installed but that got scrubbed for various flavours of Linux, which I also randomly scream at. I suppose I just shout from the outside out of concern for those who are not Reg Readers who are quite happy in their blissful ignorance. GT85..

Plus, Microsoft might decide to add a Microsoft eXtra Like button to as many websites that they can and...

.gov likes to store all of your 'personal data' on azure so given Microsoft is developing their algyorythms to hervist your dita wivout knewing abbot yu then that is all kool. <- Appli ROT13

"Hi. Having used our algorithms to look through the .gov data we hold about you we do not know who you are but it looks like you need a truss for that hernia and some new FUCKING SOCKS."

3
0
Anonymous Coward

Re: Fuck Off!!1!!

"Now you can take that Linux Live CD and nuke that fucked up WindblowZE 10 machine that has caused you so much stress."

But can it play Crysis 3 or Fallout 4?

0
0
Silver badge

Re: Fuck Off!!1!!

>But can it play Crysis 3 or Fallout 4?

Wrong question. Does Camilla want to play Crysis 3 or Fallout 4? Does Camilla playing either of those games lead to something better than the current situation? What OS wrapper does the application require.

Requirements first, strategy second, tactical solutions third.

Steam on Windows is unlikely to be that different than on Linux. Click the icon, off you go. The main reason I only buy games which run on Linux is so I don't have to reboot.

0
0
Bronze badge
Joke

Re: Fuck Off!!1!!

"I HAVE ALREADY BOUGHT SOME FUCKING SOCKS"

Here in NZ we generally call them condoms, or even, if you're Catholic, a sleeping bag for a mouse - but I guess that 'fucking socks' is a good descriptive term.

3
0
Anonymous Coward

lol

you made me drop my chicken tendies

0
0
Silver badge

Having seen their software development skill

I am not letting them anywhere any data of mine that needs encryption. The one thing they are trustworthy for is failed security.

2
2
Anonymous Coward

Re: Having seen their software development skill

You can say that about just about EVERYONE these days.

Not even Linux is immune.

If it can happen once, it can happen again. What now? Unplug and go to the mountains?

1
0
N2
Devil

What about Volkswagen

They seem to be in the news over crypto?

0
0

All this about encryption when we don't trust MS anyway !!

How can we now trust a company that we completely distrust for all its antics over the last 20+ years culminating to a climax when trying to leverage every user on Win 7 or Win 8 onto a data mining OS that doesn't even deserve to be on a ZX81.

MS might have some fabulous idea's but its all just smoke and mirrors, so that they will have access (they meaning NSA, MI5 etc) to all the data in one location or by one entity to sift through without a warrant of any kind using analytics !

Nope, a proper company keeps its data in its own location and uses firewalls etc to keep every fucker that shouldn't have access OUT or better still no access to the data unless you are on the premises !

Any company that puts its data in the cloud should be help responsible directly for any leakage or lost data with imprisonment for all directors and managements for at least 5 years !

I doubt they would risk using the cloud then especially if i was their own balls at risk rather than their clients and companies private data !

1
2
Silver badge

Re: All this about encryption when we don't trust MS anyway !!

Its just theatre for cloud security.

"Oooh look at our effort to plug tiny risks"

"Oi, stop looking at the big risks."

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing