Campus Event Calendar
Event Entry
What and Who
Privacy Preserving Personal Health Record against Brute-Force Attack
Saharnaz E. Dilmaghani
Bilkent University - Turkey
PhD Application Talk
Master student
AG 1, AG 2, AG 3, AG 4, AG 5, SWS, RG1, MMCI
Public Audience
English
Note: We use this to send email in the morning.
Date, Time and Location
Monday, 19 June 2017
10:00
90 Minutes
E1 4
0.24
Saarbrücken
Abstract
Personal health records (PHRs) of individuals carry significant privacy-sensitive information about
them. Due to this nature of PHRs, there is a crucial need to protect them from unauthorized users,
especially considering cyber-attacks are dramatically increased during the last couple of years. Cryp-
tography (i.e., encrypting PHRs) is typically a good solution to store PHRs resilient against such
attacks. However, cryptographic solutions are shown to be vulnerable against brute-force attacks,
especially considering weak passwords selected by the users for encryption. Although using high en-
tropy (i.e., complex) passwords for the encryption may decrease the success of such an adversarial
attack, it is not popular among the users to choose such passwords. Towards this end, we present a
new framework as a solution for a secure storage of PHR data against brute-force attacks (even when
users select low entropy passwords for encryption).
Our system utilizes Honey Encryption (HE), a new cryptographic tool that provides security be-
yond brute-force bound, as a building block. The previous applications of HE are mainly on the static
datasets that do not change over time. We design a HE-based model on a highly dynamic dataset of
PHRs. For construction and evaluation, we collected almost 10k patients information from various
datasets (e.g., PatientsLikeMe, TCGA) in order to construct a precise encoder/decoder model as a
core element for HE. Proposed model ensures that the decryption of an encrypted PHR record with
incorrect keys yields a valid-looking but incorrect PHR record to an adversary. To the best of our
knowledge, we are the rst to provide a robust password-based framework against brute-force attacks
of health records regardless of the entropy of the password. Comparison of our proposed method with
the direct application of the password-based encryption scheme shows that it is almost impossible
for an adversary to eliminate any wrong password. We also consider real-life scenarios for di erent
attacks with side information about a patient's health-related attributes.
them. Due to this nature of PHRs, there is a crucial need to protect them from unauthorized users,
especially considering cyber-attacks are dramatically increased during the last couple of years. Cryp-
tography (i.e., encrypting PHRs) is typically a good solution to store PHRs resilient against such
attacks. However, cryptographic solutions are shown to be vulnerable against brute-force attacks,
especially considering weak passwords selected by the users for encryption. Although using high en-
tropy (i.e., complex) passwords for the encryption may decrease the success of such an adversarial
attack, it is not popular among the users to choose such passwords. Towards this end, we present a
new framework as a solution for a secure storage of PHR data against brute-force attacks (even when
users select low entropy passwords for encryption).
Our system utilizes Honey Encryption (HE), a new cryptographic tool that provides security be-
yond brute-force bound, as a building block. The previous applications of HE are mainly on the static
datasets that do not change over time. We design a HE-based model on a highly dynamic dataset of
PHRs. For construction and evaluation, we collected almost 10k patients information from various
datasets (e.g., PatientsLikeMe, TCGA) in order to construct a precise encoder/decoder model as a
core element for HE. Proposed model ensures that the decryption of an encrypted PHR record with
incorrect keys yields a valid-looking but incorrect PHR record to an adversary. To the best of our
knowledge, we are the rst to provide a robust password-based framework against brute-force attacks
of health records regardless of the entropy of the password. Comparison of our proposed method with
the direct application of the password-based encryption scheme shows that it is almost impossible
for an adversary to eliminate any wrong password. We also consider real-life scenarios for di erent
attacks with side information about a patient's health-related attributes.
Contact
imprs office team
+49 681 - 93 25 1800
--email hidden
passcode not visible
logged in users only
Tags, Category, Keywords and additional notes
Caroline Brill, 06/14/2017 13:44 -- Created document.