Skip to content

Youbey/encrypted-salary-attack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

1 Commit
README.md
README.md
Β 
Β 
attack_notebook.ipynb
attack_notebook.ipynb
Β 
Β 
attack_simulation.py
attack_simulation.py
Β 
Β 
requirement.txt
requirement.txt
Β 
Β 

Repository files navigation

πŸ”“ Attack Simulation on an Encrypted Database

Databases β€” relational or not β€” are a fundamental component of modern software systems. They often store sensitive data like personal information, salaries, or medical records.

To protect against malicious administrators or attackers who gain access to a database server, one common countermeasure is data encryption. However, even encrypted databases may leak information through indirect channels. One of the most common leakages is order leakage, where the encrypted values preserve the same order as the plaintexts.

In this project, we demonstrate a statistical attack that exploits this order leakage to approximate the original data β€” specifically, employee salaries.

⚠️ Disclaimer: This project is for educational and research purposes only.

πŸ“Œ Steps

βœ… Step 1: Data Generation

We simulate a realistic dataset of 100 random salaries using a normal distribution centered around 2500€/month.

πŸ” Step 2: "Encryption"

We simulate order-preserving encryption by:

  • Sorting the salaries
  • Applying a SHA-256 hash on each one

Note: This is not real encryption but simulates how an attacker might see encrypted ordered values.

🎯 Step 3: Attack

The attacker:

  • Assumes salaries follow a known public distribution (like INSEE data)
  • Generates a sorted sample from this known distribution
  • Matches the known ranks of the ciphertexts to the estimated ranks

πŸ“Š Step 4: Evaluation

We compare the estimated salaries with the original ones. Since the order is preserved, the attacker gets a surprisingly accurate estimation.

πŸ“ˆ Step 5: Error Analysis (Optional)

We compute the average absolute error between the real and estimated salaries, which in our simulation is around 83 €.

🧠 Conclusion

This simulation shows how order leakage β€” even without direct access to plaintexts β€” can significantly reduce the security of an encrypted database.

Knowing just the ranking of the encrypted values and the public distribution of the data, an attacker can perform a surprisingly effective inference attack.

To mitigate this, consider:

  • Using fully homomorphic encryption (at cost)
  • Avoiding order-revealing structures unless absolutely needed
  • Adding noise or padding to make order inference harder

πŸ“Ž Files

  • attack_simulation.py: Runs the full simulation with graphs.
  • attack_notebook.ipynb: Visual Jupyter notebook version of the attack.

Helpful Blog -> Attack of the week

Built with ❀️ for security awareness.

About

Statistical attack simulation on order-preserving encrypted salary data

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages