Abstract
We develop a systematic approach for analyzing client-server applications that aim to hide sensitive user data from untrusted servers. We then apply it to Mylar, a framework that uses multi-key searchable encryption (MKSE) to build Web applications on top of encrypted data. We demonstrate that (1) the Popa-Zeldovich model for MKSE does not imply security against either passive or active attacks; (2) Mylar-based Web applications reveal users' data and queries to passive and active adversarial servers; and (3) Mylar is generically insecure against active attacks due to system design aws. Our results show that the problem of securing client-server applications against actively malicious servers is challenging and still unsolved. We conclude with general lessons for the designers of systems that rely on property-preserving or searchable encryption to protect data from untrusted servers.
Cite
CITATION STYLE
Grubbs, P., McPherson, R., Naveed, M., Ristenpart, T., & Shmatikov, V. (2016). Breaking Web applications built on top of encrypted data. In Proceedings of the ACM Conference on Computer and Communications Security (Vol. 24-28-October-2016, pp. 1353–1364). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978351
Register to see more suggestions
Mendeley helps you to discover research relevant for your work.
