[dns-operations] IP address encryption: pseudonymization

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 26 18:13:17 UTC 2018

> On Feb 25, 2018, at 10:59 AM, Paul Hoffman <phoffman at proper.com> wrote:
> The easiest one to describe is truncate_to_32_bits(aes_128(message=padded_ipv4, key=128_bit_random)). You cannot determine the key even with a huge number of known pairs. However, you get collisions in the output. So, if you have 4 million unique input addresses, about .1% of the output addresses will look like one source of input when in fact they are two sources mixed together.

Another easy to describe approach, be it at a higher memory cost, is a
random permutation of 2^32 4 byte elements requires just 16GB of storage.
This can be an array of unsigned 32-bit values with an unsigned 32-bit
lookup key.  There are many adequately secure ways of generating the array.

If the system doing the anonymizing has lots of RAM (mid-range servers with
256GB of RAM are fairly common now) and can mmap a 16GB file, the algorithm
is rather simple: table lookup.

For IPv6, as already mentioned, the permutation can be keyed AES.


More information about the dns-operations mailing list