IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions

Ryan Malayter rmalayter at bai.org
Thu May 26 18:52:28 CEST 2005


[Alex L. Mauer]

> Can you expand on this?
> 
> How could the Name/address/ssn be retrieved from a hash of the same?
> 

The data can be recovered from the hash because the search space is small.
Say you are looking for the SSN of a John Smith. Every large DB is bound
to have someone named John Smith. 

If you have access to the hash DB, all you need to do is calculate the
hash of "John/Smith/000-00-0000", "John/Smith/000-00-0001", etc. until
you find a matching hash. Iterating through all the SSN possibilities,
that's only a 30-bit search space, and can probably be handled by a
modern CPU in a few minutes. Once you find a match, you know James's
SSN.

Things get much easier if you know a particular person is in the DB, or
know more about them to remove certain variables that might be in the
hash. Even adding the home address to the hash isn't useful, because
there are 400 MB files that contain every street address in the US
available on the market.
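
The point made in the message above, as an added example that is not part of the original post or of IBM's product: an unkeyed hash of a low-entropy record can be matched by recomputing candidates, while an HMAC token cannot be recomputed without the key. The record layout follows the post; the function names, the SHA-256/HMAC-SHA256 choice, the sample SSN and the 20,000-value window are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import secrets

def record(first, last, ssn_number):
    """Build the 'First/Last/NNN-NN-NNNN' string used in the post."""
    s = f"{ssn_number:09d}"
    return f"{first}/{last}/{s[:3]}-{s[3:5]}-{s[5:]}"

def plain_token(rec):
    """Unkeyed hash: anyone can recompute it for a guessed record."""
    return hashlib.sha256(rec.encode()).hexdigest()

def keyed_token(key, rec):
    """HMAC-SHA256: recomputing a token requires the secret key."""
    return hmac.new(key, rec.encode(), hashlib.sha256).hexdigest()

def search_space_bits(candidates):
    """Entropy in bits of a value chosen uniformly among `candidates`."""
    return math.log2(candidates)

def find_match(target, tokenize, first, last, numbers):
    """Return the record whose token equals `target`, or None."""
    for n in numbers:
        rec = record(first, last, n)
        if hmac.compare_digest(tokenize(rec), target):
            return rec
    return None

def demo():
    # Constructed sample record; the window is kept small so this runs instantly.
    secret = record("John", "Smith", 12345)
    window = range(0, 20000)
    owner_key = secrets.token_bytes(32)      # held only by the data owner
    outsider_key = secrets.token_bytes(32)   # an outsider has no better guess

    from_plain = find_match(plain_token(secret), plain_token,
                            "John", "Smith", window)
    from_keyed = find_match(keyed_token(owner_key, secret),
                            lambda r: keyed_token(outsider_key, r),
                            "John", "Smith", window)
    return from_plain, from_keyed

if __name__ == "__main__":
    print(f"9-digit SSN space: {search_space_bits(10**9):.1f} bits")
    print(demo())
```

The keyed token is only as private as the key: it has to be stored and access-controlled separately from the token database.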


