Secure Database in cloud
Mohammad Ahmadian
COP-6087, University of Central Florida
PART 2
DbCrypt
Goal: protect confidentiality and integrity of data
[Diagram labels: User 1, User 2, User 3, user password, Application, Proxy, DB Server, SQL]
Threat 1: passive attacks on DB server
Threat 2: active/passive attacks on all servers
1. Process SQL queries on encrypted data
2. Capture and cryptographically enforce access control in SQL: chain keys from user passwords to data item (Keygen)
Threat Model
[Diagram labels: User 1, User 2, User 3, Application, SQL, DB Server; curious DB administrators, hackers, curious cloud/employees, physical attacks]
Consider attacks on any part of the servers.
Consider passive attacks, like modification of information in the database by a malicious cloud insider.
Threat 1: Active attack on the connection to the cloud
[Diagram labels: Proxy, DB Server, SQL, Trusted, Trusted, Under attack, "application queries unencrypted", "All queries are encrypted"]
Client and server side are both trusted.
The session between client and DB server is compromised.
The benefit to attackers is very low.
Threat 2: Passive attacks on the DB server
[Diagram labels: Proxy, DB Server, SQL, Trusted, Under attack, "application queries unencrypted", "Perform SQL query processing on encrypted data"]
The client side issues queries without concern for the underlying security mechanisms in the proxy.
The DB server is unchanged.
It is impossible for an attacker to change data without it being revealed to the user.
1. Support standard SQL queries on encrypted data
2. Process queries completely at the DB server
3. No change to existing DBMS
Solution: Cryptographic techniques
1. RND - Advanced Encryption Standard
◦ Obs.: set of SQL operators is limited
◦ Different encryption schemes provide different functionality
2. OPE - Order Preserving Encryption
◦ Enables comparison, ORDER BY, join, sort, MAX, MIN.
3. MAC - Message authentication code
◦ Provides integrity for data element
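A per-cell MAC check as a proxy might apply it, given here as an added Python example rather than code from the slides: the tag covers the table, column and row id along with the stored value, so a cell that is altered or moved on the server fails verification when it is read back. The key, the `id` and `salary_mac` columns, the function names and the sample ciphertext bytes are constructed for the demo, and an in-memory SQLite database stands in for the DB server.

```python
import hashlib
import hmac
import sqlite3

MAC_KEY = b"constructed proxy MAC key"  # assumption: held by the proxy only

def cell_tag(table, column, row_id, value):
    """HMAC-SHA256 over the cell's position and value, length-prefixed."""
    parts = (table.encode(), column.encode(), str(row_id).encode(), value)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def store(db, row_id, value):
    """Proxy write path: store the value together with its tag."""
    tag = cell_tag("cinfo", "salary", row_id, value)
    db.execute("INSERT INTO cinfo VALUES (?, ?, ?)", (row_id, value, tag))

def fetch(db, row_id):
    """Proxy read path: reject a cell whose tag does not verify."""
    value, tag = db.execute(
        "SELECT salary, salary_mac FROM cinfo WHERE id = ?", (row_id,)
    ).fetchone()
    if not hmac.compare_digest(tag, cell_tag("cinfo", "salary", row_id, value)):
        raise ValueError(f"integrity check failed: cinfo.salary, row {row_id}")
    return value

def demo():
    db = sqlite3.connect(":memory:")  # stands in for the untrusted DB server
    db.execute("CREATE TABLE cinfo "
               "(id INTEGER PRIMARY KEY, salary BLOB, salary_mac BLOB)")
    store(db, 1, b"\x5a\x8c\x34")     # constructed ciphertext bytes
    store(db, 2, b"\x63\x8e\x54")
    before = fetch(db, 1)
    # Server-side change: row 1 now carries row 2's value and its valid tag.
    moved = db.execute(
        "SELECT salary, salary_mac FROM cinfo WHERE id = 2").fetchone()
    db.execute("UPDATE cinfo SET salary = ?, salary_mac = ? WHERE id = 1", moved)
    try:
        fetch(db, 1)
        detected = False
    except ValueError:
        detected = True
    return before, detected

if __name__ == "__main__":
    print(demo())
```

Binding the tag to the row id is what catches the relocated cell; a tag over the value alone would still verify.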
Example
Application: SELECT * FROM cinfo WHERE income = 100 (the slide also shows the operator ≥)
Proxy: SELECT * FROM cinfo WHERE income = x5a8c34 (likewise with ≥)
[Figure: table1 (cinfo), columns col1/rank, col2/name, col3/salary; plaintext values 60, 100, 800, 100 shown alongside ciphertext cells such as x5a8c34, x638e54, x922eb4]
Encryption Techniques Comparison
Scheme  Operation  Detail                Examples
RND     None       AES
HOM     +, *       e.g., Paillier
DET     equality   AES in CTR            e.g., =, !=, GROUP BY, IN, COUNT, DISTINCT
OPE     order      Boldyreva et al. '09  e.g., >, <, ORDER BY, SORT, MAX, MIN
Slide annotations: "Highest Security"; "first practical implementation"
AES
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES is one of the secure block ciphers for digital information. I adapted it with a key size of 128 bits for this project for encrypting text columns. One negative point of AES is its speed; actually, its key generation is not so fast.
Order Preserving Encryption (OPE)
Order-preserving encryption (OPE) is a deterministic encryption scheme that preserves the numerical order of the plaintexts in the ciphertexts. As a quick start, consider a random order-preserving function from M to N, where |M| < |N|. Without loss of generality, we can take M to be the set {1, 2, ..., M} and N likewise {1, 2, ..., N}. Now pick M elements of N at random and put them in order. Our function f: M → N is simply this ordered set. To encrypt i in M, just output the i-th element of this list.
So f is an order-preserving function that maps the elements of the domain to an ordered list of elements of the range. The elements of the range can be divided into two categories, marked and unmarked: an element selected by f is marked, otherwise it is unmarked. The range is thus partitioned into marked and unmarked subsets, like balls in a bin. If we draw balls without replacement, the number x of marked balls drawn after y samples is described by the hypergeometric distribution (HGD).
OPE-Encryption
OPE-Decryption
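The sampling idea from the OPE slide, as an added Python example (not code from the slides or from the author's proxy): rather than materialising the whole ordered list, it halves the range, uses a keyed hypergeometric draw to decide how many plaintexts land in the lower half, and repeats, in the style of reference 2. The domain 1..100, the range 1..4096, the HMAC-seeded PRNG used for coins and all function names are assumptions chosen for the demo.

```python
import hashlib
import hmac
import random

DOMAIN = (1, 100)   # plaintext space M (assumed for the demo)
RANGE = (1, 4096)   # ciphertext space N, with |M| < |N|

def _coins(key, *label):
    """Deterministic coins: a PRNG seeded with HMAC-SHA256(key, label).
    Mersenne Twister is a stand-in here, acceptable for illustration only."""
    seed = hmac.new(key, repr(label).encode(), hashlib.sha256).digest()
    return random.Random(seed)

def _hgd(rng, marked, total, draws):
    """Marked balls seen after `draws` draws without replacement."""
    seen = 0
    for i in range(draws):
        if rng.random() * (total - i) < marked - seen:
            seen += 1
    return seen

def _walk(key, go_left):
    """Binary search over the range; returns (plaintext, ciphertext)."""
    (d_lo, d_hi), (r_lo, r_hi) = DOMAIN, RANGE
    while d_hi > d_lo:
        m_size, n_size = d_hi - d_lo + 1, r_hi - r_lo + 1
        half = (n_size + 1) // 2
        y = r_lo + half - 1                  # midpoint of the current range
        # x = largest plaintext whose ciphertext is <= y
        x = d_lo - 1 + _hgd(_coins(key, d_lo, d_hi, r_lo, r_hi),
                            m_size, n_size, half)
        if go_left(x, y):
            d_hi, r_hi = x, y
        else:
            d_lo, r_lo = x + 1, y + 1
    if d_hi < d_lo:                          # no plaintext maps into this gap
        return None, None
    c = _coins(key, "leaf", d_lo, r_lo, r_hi).randint(r_lo, r_hi)
    return d_lo, c

def ope_encrypt(key, m):
    if not DOMAIN[0] <= m <= DOMAIN[1]:
        raise ValueError("plaintext outside domain")
    return _walk(key, lambda x, y: m <= x)[1]

def ope_decrypt(key, c):
    m, c_check = _walk(key, lambda x, y: c <= y)
    if m is None or c_check != c:
        raise ValueError("not a valid ciphertext under this key")
    return m
```

Because the ciphertexts keep the plaintext order, the DB server can evaluate `>`, `<`, ORDER BY, MAX and MIN on them directly; the same property means the server learns the ranking of the stored values.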
Multi-user
What I did in this project
I spent 3 weeks installing open source CryptDB.
It failed because it depends on lots of packages and libraries and there isn't any documentation.
I spent 3 weeks writing my own mysql-proxy.
It is almost 1200 lines of code in C++ and easy to install.
It needs some features added to handle all types of databases.
Acknowledgment & Reference
John Singleton, Salih Safa
Reference:
1. CryptDB: Confidentiality for Database Applications with Encrypted Query Processing. Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan. MIT CSAIL.
2. Order-Preserving Symmetric Encryption. Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O'Neill. Georgia Institute of Technology, Atlanta, GA, USA.
Questions & Demo