Encrypted search?

Dave Howe DaveHowe at gmx.co.uk
Mon Sep 22 02:11:10 PDT 2003


Tyler Durden wrote:
> When the search is performed, the "stupid" thing to do (I
> think...someone correct me) is to take the user's ID, encrypt it, and
> then determine if matches an encypted member of the list (and I don't
> see encrypted each entry individually as a desirable thing). I am
> assuming that this allows a savvy user to reverse-engineer the
> encryption.
What you do is hash the ID, then compare it to the list of hashed entries,
using the ID as the key to decrypt the data associated with that entry
while that isn't subject to reverse engineering, the abuse it *is* open to
is random guessing of IDs (every "success" gives someone else's record,
with failures having no penalty)
Adding a password (and combining it with the ID to give your key) will
address some of that, but really you need to encrypt each entry
individually to prevent someone simply decompiling your code and obtaining
your full data list.

> Another option is one I don't have the background at this stage to
> understand. Let's assume the entire list has been encrypted in one
> shot. Is there some function such that when this encrypted list is
> convolved with the user ID a "Yes" or "no" can be obtained
> (indicating presence or absence from the list)?
no.
if you trial encrypt the sample ID for comparison, you hand them the key
to the whole list.





More information about the cypherpunks-legacy mailing list