building systems that compute on encrypted data n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Building systems that compute on encrypted data PowerPoint Presentation
Download Presentation
Building systems that compute on encrypted data

Loading in 2 Seconds...

play fullscreen
1 / 53

Building systems that compute on encrypted data - PowerPoint PPT Presentation


  • 153 Views
  • Uploaded on

?. Building systems that compute on encrypted data. xe891a1 X32e1dc xdd0135 x63ab12. xd51db5 X9ce568 xab2356 x453a32. Raluca Ada Popa MIT. Compromise of confidential data is prevalent. S ecret. S ecret. S ecret. Problem setup. s erver. c lients. n o computation. computation.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Building systems that compute on encrypted data' - paige


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
building systems that compute on encrypted data

?

Building systems that compute on encrypted data

xe891a1

X32e1dc

xdd0135

x63ab12

xd51db5

X9ce568

xab2356

x453a32

Raluca Ada Popa

MIT

problem setup

Secret

Secret

Secret

Problem setup

server

clients

no computation

computation

(encrypted FS/email)

databases, web applications, mobile applications, machine learning, etc.

storage

??

encryption

current systems strategy

Secret

Secret

Current systems strategy

server

clients

Prevent attackers from breaking into servers

lots of existing work
Lots of existing work
  • Checks at the operating-system level
  • Language-based enforcement of a security policy
  • Static or dynamic analysis of application code
  • Checks at the network level
  • Trusted hardware

slide6

Data still leaks even with these mechanisms

because

attackers eventually break in!

slide7

Attacker examples

Attacker:

Reason they succeed:

hackers

software is complex

cloud employees

insiders: legitimate server access!

increasingly many companies store data on external clouds

government

e.g., physical access

accessed private data according to

my work
My work

Systems that protect confidentiality even against attackers with access to all server data

my approach

Result

Secret

Secret

My approach

Servers store, process, and compute on

encrypted data

in a practical way

server

client

??

Strawman:

Secret

Secret

Result

computing on encrypted data in cryptography
Computing on encrypted data in cryptography

[Rivest-Adleman-Dertouzos’78]

Fully homomorphic encryption (FHE) [Gentry’09]

prohibitively slow, e.g., slowdown

X 1,000,000,000

My work: practicalsystems

practical systems

large class of real applications

meaningful security

+

+

real-world performance

my contributions
My contributions

Server under attack:

System:

Databases:

CryptDB

[SOSP’11][CACM’12]

DB server

mOPE, adjJOIN

[Oakland’13]

Web apps:

Mylar

[NSDI’14]

DB server

web app server

multi-key search

Mobile

apps:

PrivStats

[CCS’11]

VPriv

mobile app server

[Usenix Security’09]

Theory:

In general:

[STOC’13] [CRYPTO’13]

Functional encryption

Functional encryption

combine systems and cryptography
Combine systems and cryptography

1. identify core operations needed

strawman:

systems

one generic scheme (FHE)

crypto

3. Design and build system

2. multiple specialized encryption schemes

  • New schemes:
  • mOPE, adjJOIN for CryptDB
  • multi-key search for Mylar
my contributions1
My contributions

Server under attack:

System:

Databases:

CryptDB

DB server

Web apps:

Mylar

DB server

web app server

Mobile

apps:

PrivStats

VPriv

mobile app server

Theory:

In general:

Functional encryption

Functional encryption

cryptdb
CryptDB

[SOSP’11: Popa-Redfield-Zeldovich-Balakrishnan]

  • CDB is really awesome, make sure you emphasize all the cool points

First practical database system (DBMS) to process most SQL queries on encrypted data

related work
Related work
  • Systems work:
    • no formal confidentiality guarantees
    • restricted functionality
    • client-side filtering

[Hacigumus et al.’02][Damiani et al.’03][Ciriani et al’09]

  • Theory work:
    • General computation: FHE
      • very strong security: forces slowdown - many queries must always scan and return the whole DB
      • prohibitively slow (109x)

[Gentry’09]

  • Specialized schemes

[Amanatidis et al.’07][Song et al.’00][Boldyreva et al.’09]

setup
Setup

trusted client-side

under passive attack

DB server

Application

  • Use cases:
  • Outsource DB to the cloud (DBaaS)
    • e.g. Encrypted BigQuery
  • Local cluster: hide DB content from sys. admins.
setup1

Related work is not achieving my purpose, plus robert did not like the yellow box

Setup

trusted client-side

under passive attack

transformed query

DB server

  • process queries to completion on encrypted
  • DB
  • Active later and app
  • Not disclaimers

plain query

Proxy

encrypted DB

Application

decrypted results

encrypted results

  • Stores schema
  • and master key
  • No query execution

computation on encrypted data ≈

regular computation

Secret

Secret

example
Example

Application

Randomized encryption (RND) - semantic

SELECT * FROM emp

table1/emp

col1/rank

col2/name

col3/salary

Proxy

SELECT * FROM table1

x4be219

60

100

x95c623

x4be219

x2ea887

800

x95c623

x17cea7

100

x2ea887

x17cea7

example1
Example

Application

Randomized encryption (RND)

Deterministic encryption (DET)

SELECT * FROM emp WHERE salary = 100

table1/emp

col1/rank

col2/name

col3/salary

SELECT * FROM table1 WHERE col3 = x5a8c34

Proxy

x934bc1

x4be219

60

x5a8c34

100

x95c623

x5a8c34

?

?

x5a8c34

x84a21c

x2ea887

x5a8c34

800

x5a8c34

x5a8c34

x17cea7

100

example2
Example

Application

“Summable”

encryption (HOM) - semantic

Deterministic encryption (DET)

SELECT sum(salary) FROM emp

table1 (emp)

Proxy

SELECT cdb_sum(col3) FROM table1

col2/name

col1/rank

col3/salary

x934bc1

60

x5a8c34

100

x84a21c

800

x5a8c34

x638e54

1060

x72295a

100

x578b34

x9eab81

x122eb4

slide21

Techniques

  • Use SQL-aware set of efficient encryption schemes

(meta technique!)

  • Most SQL can be implemented with a few core operations
  • Adjust encryption of data based on queries
  • Query rewriting algorithm
1 sql aware e ncryption schemes
1. SQL-aware encryption schemes

Security

SQL operations:

Function

Construction

Scheme

e.g., SELECT, UPDATE, DELETE, INSERT, COUNT

AES in UFE

RND

data moving

≈ semantic security

HOM

addition

Paillier

e.g., SUM, +

word search

Song et al.,‘00

restricted ILIKE

SEARCH

e.g., =, !=, IN, GROUP BY, DISTINCT

reveals only repeat pattern

equality

DET

AES in CMC

our new scheme

join

JOIN

e.g., >, <, ORDER BY, ASC, DESC, MAX, MIN, GREATEST,LEAST

reveals only order

our new scheme

[Oakland’13]

OPE

order

  • x < y Enc(x) < Enc(y)
slide23

How to encrypt each data item?

Goals:

Support queries

Use most secure encryption schemes

Challenge: may not know queries ahead of time

col1-RND

col1-HOM

col1-SEARCH

col1-DET

col1-JOIN

col1-OPE

rank

ALL?

‘CEO’

‘worker’

Leaks order!

slide25

Onion of encryptions

security

+

RND

DET

OPE

value

+

functionality

Adjust encryption: strip off layer of the onion

slide26

Onions of encryptions

1 column

3 columns

HOM

int value

RND

Onion Add

RND

DET

each value

OR

OPE

JOIN

value

value

SEARCH

text value

Onion Equality

Onion Order

Onion Search

Same key for all items in a column for same onion layer

onion evolution
Onion evolution
  • Start out the database with the most secure encryption scheme
  • If needed, adjust onion level
    • Proxy gives decryption key to server
    • Proxy remembers onion layer for columns

Lowest onion level is never removed

example3
Example

emp:

Logical table:

rank

name

salary

SELECT * FROM emp WHERE rank = ‘CEO’

‘CEO’

‘worker’

Physical table:

table 1:

RND

RND

col1-OnionEq

col1-OnionOrder

col1-OnionSearch

col2-OnionEq

DET

JOIN

‘CEO’

Onion Equality

example cont d
Example (cont’d)

table 1

SELECT * FROM emp WHERE rank = ‘CEO’

RND

col1-OnionEq

col1-OnionOrder

col2-OnionEq

col1-OnionSearch

DET

DET

JOIN

‘CEO’

Onion Equality

UPDATE table1 SET col1-OnionEq =

Decrypt_RND(key, col1-OnionEq)

SELECT * FROM table1 WHERE col1-OnionEq = xda5c0407

security threshold
Security threshold

Data owner can specify minimum level of security

CREATE TABLE emp (…, credit_cardSENSITIVE integer, …)

RND, HOM, DET for unique fields

≈ semantic security

security guarantee
Security guarantee

Columns annotated as sensitive have semantic security (or similar).

Encryption schemes exposed for each column are the most secure enabling queries.

no filter semantic

equality repeats

sum semantic

common in practice

  • Never reveals plaintext
limitations workarounds
Limitations & Workarounds

Queries not supported:

  • More complex operators, e.g., trigonometry
  • Certain combinations of encryption schemes:
    • e.g., salary + raise > 100K

HOM

  • use query splitting, query rewriting
implementation
Implementation

No change to the DBMS!

SQL Interface

unmodified DBMS

CryptDB

SQL UDFs

(user-defined functions)

query

CryptDB

Proxy

Application

results

Largely no change to apps!

evaluation
Evaluation
  • Does it support real queries/applications?
  • What is the resulting confidentiality level?
  • What is the performance overhead?
real queries applications
Real queries/applications

apps with sensitive columns

tens of thousands of apps

SELECT 1/log(series_no+1.2) …

… WHERE sin(latitude + PI()) …

confidentiality level
Confidentiality level

Final onion state

Most columns at semantic

Most columns at OPE were less sensitive

performance
Performance

DB server throughput

MySQL:

Application 1

Plain database

Application 2

Latency

CryptDB:

CryptDB Proxy

Application 1

Encrypted DB

CryptDB Proxy

Application 2

  • Hardware:2.4 GHz Intel Xeon E5620 – 8 cores, 12 GB RAM
tpc c performance
TPC-C performance
  • Latency (per query):0.10ms MySQL vs.0.72ms CryptDB

Throughput loss over MySQL: 26%

Homomorphic addition

No cryptography at the DB server in the steady state!

adoption
Adoption

http://css.csail.mit.edu/cryptdb/

Encrypted BigQuery

[http://code.google.com/p/encrypted-bigquery-client/]

“CryptDBwas really eye-opening in establishing the practicality of providing a SQL-like query interface to an encrypted database”

“CryptDB was [..] directly influential on the design and implementation of Encrypted BigQuery.”

ÚlfarErlingsson, head of security research, Google

SEEED implemented on top of the SAP HANA DBMS

Encrypted version of the D4M AccumuloNoSQL engine

sql.mit.edu

Users opted-in to run Wordpress over our CryptDBsource code

attack to all servers
Attack to all servers?

users

DB

server

CryptDB proxy

application

CryptDB

SQL queries on encrypted DB

Secret

slide42

Attack to all servers?

CryptDB proxy

users

CryptDB proxy

DB

server

application

CryptDB proxy

Secret

Secret

Secret

Secret

Secret

Secret

mylar

[NSDI’14: Popa-Stark-Valdez-Helfer-Zeldovich-Kaashoek-Balakrishnan]

Mylar

users

active

  • Framework for building web applications
  • Protects confidentiality against attacks to all servers

DB

server

web application

overview
Overview

browser

Plaintext data exists only in browsers

DB

server

web application

Secret

Secret

Secret

Secret

Secret

Secret

Secret

computation in web applications
Computation in web applications

1. Mylar is a client-side application framework

2. Non client-side computation:

metatechnique!

  • data sharing
  • search

Challenges

  • Active attacker
  • Multiple keys
  • key certification
  • multi-key search
applications
Applications

http://css.csail.mit.edu/mylar/

chat medical class website forum calendar photo sharing

Few developer annotations to secure an application, modest overhead

my contributions2
My contributions

System:

Server under attack:

Databases:

CryptDB

[SOSP’11][CACM’12]

DB server

mOPE, adjJOIN

[Oakland’13]

Web apps:

Mylar

[NSDI’14]

DB server

web app server

multi-key search

Mobile

apps:

PrivStats

[CCS’11]

VPriv

mobile app server

[Usenix Security’09]

Theory:

[STOC’13] [CRYPTO’13]

Functional encryption

  • Proof of concept for general functions
  • Solved old open problem: reusable garbled circuits
system d esign principles
System design principles

Clients

Server

Assume all server data will leak!

Store, process, and compute on encrypted data.

Technique for practicality:

identify core operations

use an efficient encryption scheme for each

Secret

slide49

Future work

Other systems computing on encrypted data:

Genomics analytics and machine learning

slide50

Future work

Other systems computing on encrypted data:

Genomics analytics and machine learning

Big data & compression

big data

compressed big data

encrypted big data

compressed big data

encrypted

How to compute on it??

slide51

Future work

Other systems computing on encrypted data:

Genomics analytics and machine learning

Big data & compression

Security beyond confidentiality:

Correctness of computation

Client-side security

crypto

systems

collaborators
Collaborators

CryptDB:

Catherine Redfield, NickolaiZeldovich, HariBalakrishan, Aaron Burrows

Mylar:

Steven Valdez, Jonas Helfer, NickolaiZeldovich, Frans M. Kaashoek, HariBalakrishnan

PrivStats, VPriv:

Andrew Blumberg, HariBalakrishnan, Frank H. Li

Functional encryption:

ShafiGoldwasser, Yael Kalai,VinodVaikuntanathan, NickolaiZeldovich

and others for other projects.

slide53

Future work

Other systems computing on encrypted data:

Genomics analytics and machine learning

Big data & compression

Security beyond confidentiality:

Correctness of computation

Client-side security

THANK YOU!

crypto

systems