
Managing and querying encrypted data


Presentation Transcript


  1. Managing and querying encrypted data Trần Mỹ Giao Huỳnh Mai Thúy

  2. Outline • 1. Introduction • 2. DAS - Storing and querying encrypted data • 3. Trust, Encryption Key-Management, Integrity & Data confidentiality • 4. References

  3. Introduction Two new challenges emerge: • Efficient encryption algorithms for relational data • Supporting queries over the encrypted relational data. Example: a secure email server.

  4. Outline • 1. Introduction • 2. DAS - Storing and querying encrypted data • 3. Trust, Encryption Key-Management, Integrity & Data confidentiality • 4. References

  5. What is DAS? • DAS (Database as a Service) is a paradigm wherein data owned by a client is hosted on a third-party server • There is significant interest in secure query evaluation over encrypted databases.

  6. DAS - Storing and querying encrypted data • DAS set up and security model • Querying encrypted relational data • Relational encryption and storage model • Keyword search on encrypted text data • Search over encrypted XML data

  7. DAS setup and security • Data owner, clients, server • Data must be stored encrypted on the server and only decrypted on the client side.

  8. Querying encrypted relational data • EMP(eid, ename, salary, addr, did) • DEPARTMENT(did, dname, mgr) • The goal in DAS is to process the query directly at the server without the need to decrypt the data.

  9. Querying encrypted relational data • Requires mechanisms to support the following basic operators over encrypted data: • Comparison operators • Arithmetic operators

  10. Two categories • Approaches based on new encryption techniques • Information-hiding based approaches

  11. Approaches based on new encryption techniques • Support arithmetic and/or comparison operators • PH (privacy homomorphism) supports basic arithmetic operations and does not allow comparison. • Order-preserving encryption: supports comparison, join, selection, sorting and grouping; does not support aggregation. • The limitation: • Only safe in limited situations where the adversary's knowledge is limited.

  12. Information-hiding based approaches • Store additional auxiliary information along with the encrypted data • Secure indices are designed carefully, exploiting information-hiding mechanisms.

  13. Information-hiding based approaches • 3 basic techniques: • Perturbation: add a random value to the true value (numeric attribute) • Generalization: replace a numeric or categorical value by a more general value • Swapping: swap the values of a specific attribute between two records

  14. Information-hiding based approaches • Support comparison, select-project-join, sorting, grouping. • Cannot support aggregation at the server.

  15. Query processing architecture for DAS

  16. Relational encryption and storage model • R(A1, A2, .., An) → stored on the server as an encrypted relation holding the encrypted tuple (etuple) together with one mapped attribute per original attribute • E.g.: Emp(etuple, eid, ename, salary, addr, did)

  17. Relational encryption and storage model • Partition functions: • Partition(emp.eid) = {[0,200], [200,400], [400,600], [600,800], [800,1000]} • Identification functions: E.g.: Ident(emp.eid)([0,200]) = 2

  18. Relational encryption and storage model • Mapping functions • Map(emp.eid)(395) = 7 • Storing encrypted data

  19. Relational encryption and storage model • Decryption functions • D(Rs) = R • Mapping conditions • To translate query conditions into corresponding conditions over the server-side relation, Map(cond) is called.

  20. Translating relational operators • The selection operator: • E.g.: select on emp with condition C = eid < 395 & did = 140
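The bucketization flow of slides 16 to 20 carried through end to end, as an added Python example that is not code from the presentation or from the DAS work it summarizes. It assumes a constructed EMP table, half-open buckets, a seeded random identification function and a SHA-256 keystream XOR as a placeholder cipher for the etuple; the eid partition boundaries and the condition eid < 395 & did = 140 are the slides' own. The server filters on bucket ids only and ships a superset, and the client decrypts and post-filters to the exact answer.

```python
import hashlib
import json
import operator
import os
import random

# Constructed sample relation EMP(eid, ename, salary, addr, did) (not from the slides).
EMP_ROWS = [
    {"eid": 101, "ename": "Ann", "salary": 5000, "addr": "1 A St", "did": 140},
    {"eid": 250, "ename": "Bob", "salary": 5500, "addr": "2 B St", "did": 140},
    {"eid": 390, "ename": "Cat", "salary": 7000, "addr": "3 C St", "did": 210},
    {"eid": 395, "ename": "Dan", "salary": 6000, "addr": "4 D St", "did": 140},
    {"eid": 800, "ename": "Eve", "salary": 9000, "addr": "5 E St", "did": 140},
]
# Partition functions as half-open buckets [lo, hi); eid uses the slides' boundaries.
PARTITIONS = {
    "eid": [(0, 200), (200, 400), (400, 600), (600, 800), (800, 1001)],
    "did": [(0, 100), (100, 200), (200, 300)],
}
# The slides' client-side condition C = eid < 395 & did = 140, as conjuncts.
QUERY = [("eid", "<", 395), ("did", "=", 140)]
OPS = {"<": operator.lt, "=": operator.eq, ">": operator.gt}

def make_ident(partitions, seed):
    """Identification function: one random bucket id per bucket, known only to the client."""
    rng = random.Random(seed)
    return {attr: dict(zip(buckets, rng.sample(range(1, 100), len(buckets))))
            for attr, buckets in partitions.items()}

def bucket_of(attr, value):
    for lo, hi in PARTITIONS[attr]:
        if lo <= value < hi:
            return (lo, hi)
    raise ValueError(f"{value} outside the domain of {attr}")

def map_value(ident, attr, value):
    """Mapping function Map(attr)(value): the id of the bucket that holds value."""
    return ident[attr][bucket_of(attr, value)]

def map_condition(ident, conjuncts):
    """Map(cond): per attribute, the bucket ids that can contain a matching value."""
    cond_s = {}
    for attr, op, c in conjuncts:
        if op == "=":
            ids = {map_value(ident, attr, c)}
        elif op == "<":
            ids = {ident[attr][b] for b in PARTITIONS[attr] if b[0] < c}
        else:  # ">"
            ids = {ident[attr][b] for b in PARTITIONS[attr] if b[1] > c}
        cond_s[attr] = cond_s.get(attr, ids) & ids
    return cond_s

# Placeholder cipher (assumption): XOR with a SHA-256 keystream stands in for a real
# cipher such as AES so the example runs with the standard library only.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_tuple(key, row):
    nonce = os.urandom(12)
    pt = json.dumps(row, sort_keys=True).encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def decrypt_tuple(key, blob):
    nonce, ct = blob[:12], blob[12:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def encrypt_relation(key, ident, rows):
    """Server-side relation Emp^S(etuple, eid^S, did^S): ciphertext plus bucket ids."""
    return [{"etuple": encrypt_tuple(key, r),
             "eid": map_value(ident, "eid", r["eid"]),
             "did": map_value(ident, "did", r["did"])} for r in rows]

def server_select(table, cond_s):
    """Server side: filter on bucket ids only; nothing is decrypted here."""
    return [r for r in table if all(r[a] in ids for a, ids in cond_s.items())]

def client_filter(key, rows, conjuncts):
    """Client side: decrypt the etuples and re-apply the exact condition."""
    out = []
    for r in rows:
        t = decrypt_tuple(key, r["etuple"])
        if all(OPS[op](t[attr], c) for attr, op, c in conjuncts):
            out.append(t)
    return out

def run_query(key, ident, table, conjuncts):
    """Returns (rows the server shipped, rows the client keeps after post-filtering)."""
    coarse = server_select(table, map_condition(ident, conjuncts))
    return coarse, client_filter(key, coarse, conjuncts)

if __name__ == "__main__":
    key, ident = os.urandom(32), make_ident(PARTITIONS, seed=7)
    table = encrypt_relation(key, ident, EMP_ROWS)
    coarse, exact = run_query(key, ident, table, QUERY)
    print(len(coarse), "rows from server; client keeps", [r["eid"] for r in exact])
```

With the constructed rows the server returns three tuples (eids 101, 250 and 395 all fall into buckets that overlap eid < 395 and the did = 140 bucket) and the client keeps two; the row with eid 395 is the false positive that bucket-level filtering cannot exclude, which is why the client-side post-filter is mandatory.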

  21. Query Execution • Give an example:

  22. Query Execution • Give an example:

  23. Query Execution • Give an example:

  24. Query Execution • Give an example:

  25. Keyword search on encrypted text data • Answer is

  26. Private-key based search scheme on encrypted text data • Secure index: reveals no information about its content to the adversary • However, it allows the adversary to test the presence or absence of a keyword using a trapdoor • A user searching for documents containing word w generates a trapdoor, which can be used by the adversary to retrieve the documents.

  27. Secure index’s creation • Alice generates a sequence of pseudo-random values s1...sn using a stream cipher. • For each string si, Alice uses the pseudo-random function Fk(si) to generate a random m-bit sequence • Then computes the n-bit sequence ti = <si, Fk(si)> • Ciphertext ci = wi XOR ti • The secure index is the set of ci.

  28. Secure index’s creation • To prevent the adversary from learning what the keyword is, pre-encrypt each word w using algorithm Ek • Instead of using wi above, use xi = Ek(wi) in its place.
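The index construction of slides 27 and 28 together with the trapdoor test of slide 26, as an added Python example that is not part of the presentation. The stream cipher, the pseudo-random function Fk and the pre-encryption Ek are stand-ins built from SHA-256 and HMAC (assumptions), with n = 128 bits and m = 64 bits chosen here. What it shows is that the party holding the index can test a position given only xi = Ek(w) and the PRF key, without the stream-cipher seed: ci XOR xi must split into <s, Fk(s)>.

```python
import hashlib
import hmac

N = 16  # n: bytes per index entry (128 bits)
M = 8   # m: bytes of the PRF output; s_i is the remaining N - M bytes

def _stream(seed, i):
    """Stream-cipher stand-in (assumption): the i-th pseudo-random value s_i."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[: N - M]

def F(k, s):
    """Pseudo-random function F_k(s) producing M bytes (HMAC-SHA256, truncated)."""
    return hmac.new(k, s, hashlib.sha256).digest()[:M]

def E(k_enc, word):
    """Deterministic pre-encryption E_k(w) of one N-byte word block. Stand-in for a
    block-cipher encryption; it only has to be deterministic and keyed here."""
    block = word.encode().ljust(N, b"\x00")[:N]
    pad = hashlib.sha256(b"E" + k_enc).digest()[:N]
    return bytes(a ^ b for a, b in zip(block, pad))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_index(k_enc, k_f, seed, words):
    """Alice's secure index: c_i = E_k(w_i) XOR <s_i, F_k(s_i)> for every position i."""
    index = []
    for i, w in enumerate(words):
        s_i = _stream(seed, i)
        t_i = s_i + F(k_f, s_i)          # n-bit sequence t_i = <s_i, F_k(s_i)>
        index.append(xor(E(k_enc, w), t_i))
    return index

def trapdoor(k_enc, k_f, word):
    """What the searcher hands over for word w: x = E_k(w) plus the PRF key."""
    return E(k_enc, word), k_f

def search(index, td):
    """Index holder's side: position i matches when c_i XOR x splits into <s, F_k(s)>.
    Neither the stream-cipher seed nor the plaintext word is needed for the test."""
    x, k_f = td
    hits = []
    for i, c_i in enumerate(index):
        u = xor(c_i, x)
        s, r = u[: N - M], u[N - M:]
        if hmac.compare_digest(r, F(k_f, s)):
            hits.append(i)
    return hits

if __name__ == "__main__":
    k_enc, k_f, seed = b"enc-key", b"prf-key", b"stream-seed"   # constructed keys
    idx = build_index(k_enc, k_f, seed, ["alpha", "beta", "gamma", "beta"])
    print("beta at", search(idx, trapdoor(k_enc, k_f, "beta")))
```

A non-matching word yields a random M-byte right half, so a false match happens with probability about 2^-64 per position; the trapdoor also reveals which positions hold the searched word, which is exactly the "presence or absence" leakage slide 26 describes.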

  29. Search over encrypted XML data • There has been little work in the area of encrypted XML data management. • Two kinds of information the client may consider sensitive: • An individual node with its content • Associations between data values.

  30. Search over encrypted XML data • The notion of security constraints (SCs) supports both types of security requirement above. • Such constraints can be specified in the form of XPath expressions and may be classified as either node-type constraints or association-type constraints.

  31. Search over encrypted XML data • Hiding an individual node with its content: encrypt its content • Hiding an association between data values: encrypting any one of the nodes involved enforces the SC

  32. Search over encrypted XML data • Query processing follows the typical DAS approach mentioned earlier • Uses two indexes (together called the discontinuous structural interval index, DSI) • One is a structural index to enable tree traversal • The second is a value index for attribute-value based queries such as range queries.

  33. Search over encrypted XML data • Use an “order-preserving encryption” scheme to transform the values from their original domain to a new domain → use B-trees to implement range queries • This scheme is unsafe under a known-plaintext attack

  34. Outline • 1. Introduction • 2. DAS - Storing and querying encrypted data • 3. Trust, Encryption Key-Management, Integrity & Data confidentiality • 4. References

  35. Trust, key management, integrity & data confidentiality • 3 basic models of trust widely studied in the literature: • Complete trust: the data management issues are similar to those arising in standard DBMS systems • Partial trust: ensure the confidentiality of sensitive data • Un-trusted model: ensure the authenticity of data and the correctness of query results

  36. Trust, Key- management, Integrity & Data confidentiality • Encrypting relational data • Authentication and integrity issues • Key management in DAS

  37. Encrypting relational data • Three important issues to keep in mind • Encryption algorithms • Encryption granularity • Efficient storage for encrypted data

  38. 1) Encryption algorithms • Symmetric key • DES: the effective key length is 56 bits, the block size is 64 bits • AES: each of its variants has a 128-bit block size, with key sizes of 128, 192 and 256 bits • Blowfish: 64-bit block size and a variable key length from 32 up to 448 bits

  39. AES DES

  40. Blowfish

  41. 1) Encryption algorithms

  42. 1) Encryption algorithms • Public-key encryption: • Avoids the problem of secure key distribution • E.g.: RSA

  43. 2) Encryption granularity • Field level • The smallest achievable granularity • Each attribute value of a tuple is encrypted separately

  44. 2) Encryption granularity • Record / row level • Each row is encrypted separately • Does not differentiate between sensitive and non-sensitive data

  45. 2) Encryption granularity • Attribute / column level: • Only sensitive attributes are encrypted

  46. 2) Encryption granularity • Page / block level : • Whenever a page/block of sensitive data is stored, the entire block is encrypted

  47. 3) Efficient storage for encrypted data • The performance issues associated with storing encrypted data on disk • “Partitioned Plaintext and Ciphertext” (PPC): • Cluster the non-sensitive and the sensitive data separately → minimize the number of encryption operations
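The four granularities of slides 43 to 46 and the PPC clustering of slide 47 side by side, as an added Python example (not the presentation's code). It assumes a constructed page of EMP tuples with salary and addr as the sensitive attributes and a SHA-256 keystream placeholder cipher that counts its invocations; the point is how many encryption operations each layout costs per page and which attributes stay readable, and therefore indexable, on the server.

```python
import hashlib
import json
import os

# Constructed page of EMP tuples; salary and addr are the sensitive attributes (assumption).
PAGE = [
    {"eid": 101, "ename": "Ann", "salary": 5000, "addr": "1 A St", "did": 140},
    {"eid": 250, "ename": "Bob", "salary": 5500, "addr": "2 B St", "did": 140},
    {"eid": 390, "ename": "Cat", "salary": 7000, "addr": "3 C St", "did": 210},
]
SENSITIVE = {"salary", "addr"}

class Cipher:
    """Placeholder cipher (assumption): SHA-256 keystream XOR, counting its invocations."""
    def __init__(self, key):
        self.key, self.calls = key, 0

    def encrypt(self, obj):
        self.calls += 1
        nonce = os.urandom(12)
        pt = json.dumps(obj, sort_keys=True).encode()
        ks = b"".join(hashlib.sha256(self.key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(pt) // 32 + 1))
        return nonce + bytes(a ^ b for a, b in zip(pt, ks))

def field_level(c, page):
    """Every attribute value encrypted separately: finest granularity, most cipher calls."""
    return [{k: c.encrypt(v) for k, v in row.items()} for row in page]

def row_level(c, page):
    """Each row is one ciphertext; sensitive and non-sensitive data are not told apart."""
    return [c.encrypt(row) for row in page]

def column_level(c, page):
    """Only sensitive attributes are encrypted; the rest stay plaintext and queryable."""
    return [{k: (c.encrypt(v) if k in SENSITIVE else v) for k, v in row.items()} for row in page]

def page_level(c, page):
    """The whole page/block is one ciphertext."""
    return c.encrypt(page)

def ppc(c, page):
    """Partitioned Plaintext and Ciphertext: non-sensitive values stay in a plaintext
    partition; all sensitive values of the page are clustered into one ciphertext."""
    plain = [{k: v for k, v in row.items() if k not in SENSITIVE} for row in page]
    secret = [{k: v for k, v in row.items() if k in SENSITIVE} for row in page]
    return {"plaintext": plain, "ciphertext": c.encrypt(secret)}

def encryption_ops(layout, page, key=b"k" * 32):
    """Number of cipher invocations the layout needs to store the page."""
    c = Cipher(key)
    layout(c, page)
    return c.calls

def plaintext_attributes(layout, page, key=b"k" * 32):
    """Attributes the server can still read (and index) after the layout is applied."""
    stored = layout(Cipher(key), page)
    if layout is ppc:
        rows = stored["plaintext"]
    elif isinstance(stored, list) and stored and isinstance(stored[0], dict):
        rows = stored
    else:
        return set()
    return {k for k, v in rows[0].items() if not isinstance(v, bytes)}

if __name__ == "__main__":
    for layout in (field_level, row_level, column_level, page_level, ppc):
        print(f"{layout.__name__:13s} ops={encryption_ops(layout, PAGE):2d} "
              f"plaintext={sorted(plaintext_attributes(layout, PAGE))}")
```

Column-level and PPC both keep eid, ename and did readable on the server, but PPC does it with a single encryption per page instead of one per sensitive value, which is the trade-off slide 47 points at; page-level storage is equally cheap but leaves nothing the server can index.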
