Marx, Matthias ; Zimmer, Ephraim ; Mueller, Tobias ; Blochberger, Maximilian ; Federrath, Hannes
Hrsg.: Langweg, Hanno ; Meier, Michael ; Witt, Bernhard C. ; Reinhardt, Delphine (2018)
Hashing of personally identifiable information is not sufficient.
9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V.. Konstanz, Germany (25.-27.4.2018)
doi: 10.18420/sicherheit2018_04
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
It is common practice of web tracking services to hash personally identifiable information (PII), e. g., e-mail or IP addresses, in order to avoid linkability between collected data sets of web tracking services and the corresponding users while still preserving the ability to update and merge data sets associated to the very same user over time. Consequently, these services argue to be complying with existing privacy laws as the data sets allegedly have been pseudonymised. In this paper, we show that the finite pre-image space of PII is bounded in such a way, that an attack on these hashes is significantly eased both theoretically as well as in practice. As a result, the inference from PII hashes to the corresponding PII is intrinsically faster than by performing a naive brute-force attack. We support this statement by an empirical study of breaking PII hashes in order to show that hashing of PII is not a sufficient pseudonymisation technique.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2018 |
| Herausgeber: | Langweg, Hanno ; Meier, Michael ; Witt, Bernhard C. ; Reinhardt, Delphine |
| Autor(en): | Marx, Matthias ; Zimmer, Ephraim ; Mueller, Tobias ; Blochberger, Maximilian ; Federrath, Hannes |
| Art des Eintrags: | Bibliographie |
| Titel: | Hashing of personally identifiable information is not sufficient |
| Sprache: | Englisch |
| Publikationsjahr: | 2018 |
| Verlag: | Gesellschaft für Informatik e.V. |
| Buchtitel: | SICHERHEIT 2018 : Sicherheit, Schutz und Zuverlässigkeit : Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI) |
| Reihe: | LNI-Proceedings |
| Band einer Reihe: | P-281 |
| Veranstaltungstitel: | 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. |
| Veranstaltungsort: | Konstanz, Germany |
| Veranstaltungsdatum: | 25.-27.4.2018 |
| DOI: | 10.18420/sicherheit2018_04 |
| Kurzbeschreibung (Abstract): | It is common practice of web tracking services to hash personally identifiable information (PII), e. g., e-mail or IP addresses, in order to avoid linkability between collected data sets of web tracking services and the corresponding users while still preserving the ability to update and merge data sets associated to the very same user over time. Consequently, these services argue to be complying with existing privacy laws as the data sets allegedly have been pseudonymised. In this paper, we show that the finite pre-image space of PII is bounded in such a way, that an attack on these hashes is significantly eased both theoretically as well as in practice. As a result, the inference from PII hashes to the corresponding PII is intrinsically faster than by performing a naive brute-force attack. We support this statement by an empirical study of breaking PII hashes in order to show that hashing of PII is not a sufficient pseudonymisation technique. |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Telekooperation |
| Hinterlegungsdatum: | 05 Feb 2021 09:03 |
| Letzte Änderung: | 05 Feb 2021 09:03 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum