Querying Encrypted Data

Arvind Arasu, Ken Eguro,

Ravi Ramamurthy, Raghav Kaushik

Microsoft Research
1

Cloud Computing
Well-documented benefits
Trend to move computation and
data to cloud
Database functionality
Amazon RDS
Microsoft SQL Azure

Heroku PostegreSQL
Xeround

[AF+09, NIST09]
2

Security Concerns
Data in the cloud vulnerable to:
Snooping administrators
Hackers with illegal access
Compromised servers

[CPK10, ENISA09a]

What are your main cloud computing concerns?

Survey: European Network and

Information Security Agency, Nov
2009
[ENISA09b]
4

Sensitive Data in the Cloud: Examples

Software as a Service Applications
Billing

CRM

ERP

Health

Personal Data

Aria Systems

37 Signals

Acumatica ERP

CECity

Google Docs

eVapt

Capsule

Blue Link Elite

SNO

Microsoft Office

nDEBIT

Dynamics

Epicor Express

Redi2

Intouchcrm

NetSuite

Zuora

LiveOps

OrderHarmony

Oracle CRM

Plex Online

Mint.com

Parature
Responsys

Personal data

RO|Enablement
Salesforce.com
Save My Table
Solve 360

Corporate data
Source: http://cloudtaxonomy.opencrowd.com/taxonomy/

Data Encryption

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Encr

Key

The quick brown fox jumps

over the lazy dog
6

AWS Security Advice

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be
successful at doing so, given the nature of the Internet. Accordingly, without limitation to
Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole

responsibility for adequate security, protection and backup of Your Content. We strongly
encourage you, where available and appropriate, to use encryption technology to protect
Your Content from unauthorized access and to routinely archive Your Content. We will
have no liability to you for any unauthorized access or use, corruption, deletion,

destruction or loss of any of Your Content.

Source: http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html
7

Encryption and DbaaS: Functionality

Example: Online Course Database

Student
StudentId

Name

Addr

Name

InstrId

GPA

CreditCard

Course
CourseId

StudentCourse
CourseId

StudentId

Grade

Encryption and DbaaS: Functionality

SELECT *
FROM courses
WHERE StudentId = 1234

Client App
10

Encryption and DbaaS: Functionality

Encrypted

SELECT *
FROM courses
WHERE StudentId = 1234

Client App
[HIL+02]
SIGMOD Test of Time Award

11

Tutorial Overview
Survey of existing work
Building blocks
End-to-end systems
Security-Performance-Generality tradeoff
Taxonomy, organization

Open problems & Challenges

Random pontifications

12

Tutorial Goals & Non-Goals

Takeaway goals:
Interesting & Important area

Lots of open (systems) problems

Multi-disciplinary

Non-goals:
Latest advances Elliptic Curve Cryptography
Related tutorial:
Secure and privacy preserving Database Services in the Cloud

13

Roadmap
Introduction
Overview
Basics of Encryption
Trusted Client based Systems
Secure In-Cloud Processing
Security
Conclusion
14

Passive Adversary
Passive
Honest but curious
Does not alter:
Database
Results
Design systems for
active adversary
15

Encryption: Fundamental Challenge

()

Select Sum (Score)

From Assignment
Where StudentId = 1

=1

StudentId

AssignId

Score

68

71

99

16

Encryption: Fundamental Challenge

()

=1

Select Sum (Score)

From Assignment
Where StudentId = 1

Assignment
a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

17

Encryption: Fundamental Challenge

()

Select Sum (Score)

From Assignment
Where StudentId = 1

=1
Memory

Assignment
Storage

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Industry state-of-the-art:
[OTDE, STDE]
18

Solution Landscape
Two fundamental techniques
Directly compute over encrypted data
Special homomorphic encryption schemes
Challenge: limited class of computations

Use a secure location

Computations on plaintext
Challenge: Expensive
19

Homomorphic Encryption
(1)
7ad5fda789ef4e272bca100b3d9ff59f

bd6e7c3df2b5779e0b61216e8b10b689

7a9f102789d5f50b2beffd9f3dca4ea7

(2)

(1)
Encryption key is not an input

20

Solution Landscape
Two fundamental techniques
Directly compute over encrypted data
Special homomorphic encryption schemes
Challenge: limited class of computations

Use a secure location

Computations on plaintext
Challenge: Expensive
21

Secure Location

Inaccessible

Inaccessible

22

Solution Landscape
Two fundamental techniques
Directly compute over encrypted data
Special homomorphic encryption schemes
Challenge: limited class of computations

Use a secure location

Computations on plaintext
Challenge: Expensive
23

Systems Landscape
Full
Homomorphic

Partial
Homomorphic

CryptDB

Monomi

TrustedDB

Cipherbase

Crypto
Coprocessor

FPGA

BlobStore

Non
Homomorphic

AWS GovCloud

No Secure
Location

Client

Secure
Server

24

Encryption == Security?

Source: http://xkcd.com/538/

25

Roadmap
Introduction
Overview
Basics of Encryption
Trusted Client based Systems
Secure In-Cloud Processing
Security
Conclusion
26

Encryption Scheme
Key:

000102030405060708090a0b0c0d0e0f

Plaintext

Ciphertext

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Ciphertext

Plaintext

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Key:

Decr

The quick brown fox jumps

over the lazy dog

000102030405060708090a0b0c0d0e0f

Crypto Textbook: [KL 07]

27

Encryption Scheme
Public Key:

000102030405060708090a0b0c0d0e0f

Plaintext

Ciphertext

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Ciphertext

Plaintext

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Private Key:

Decr

The quick brown fox jumps

over the lazy dog

47b6ffedc2be19bd5359c32bcfd8dff5

Crypto Textbook: [KL 07]

28

AES + CBC Mode

The quick brown

lazy dog........

fox jumps over t

Init. Vector (IV)

000000000001...

Key

AES

AES

Key

a7be1a6997a7...

b6ff744ed2c2...

Key

AES

47f7f7bc9535...

Variable IV => Non-deterministic

[AES, KL 07]
29

AES + CBC Mode

The quick brown

lazy dog........

fox jumps over t

Init. Vector (IV)

000000000002...

Key

AES

AES

Key

fa636a2825b3...

247240236966...

Key

AES

69c4e0d86a7b...

Variable IV => Non-deterministic

[AES, KL 07]
30

Nondeterministic Encryption Scheme

Key:

000102030405060708090a0b0c0d0e0f

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

000102030405060708090a0b0c0d0e0f

The quick brown fox jumps

over the lazy dog

Encr

fa636a2825b339c940668a3157244d17
247240236966b3fa6ed2753288425b6c
69c4e0d86a7b0430d8cdb78070b4c55a

Example: AES + CBC + variable IV

31

AES + ECB Mode

The quick brown

Key

AES

a7be1a6997a7...

lazy dog........

fox jumps over t

AES

Key

b6ff744ed2c2...

Key

AES

47f7f7bc9535...

[AES, KL 07]
32

Deterministic Encryption Scheme

Key:

000102030405060708090a0b0c0d0e0f

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

000102030405060708090a0b0c0d0e0f

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Example: AES + ECB

More secure deterministic encryption: [PRZ+11]

33

Strong Security => Non-Deterministic

Original

Deterministic

Non-Deterministic

Source: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
34

Deterministic Encryption
select *
from assignment
where studentid = 1

=1

StudentId

AssignId

Score

68

71

99

35

Deterministic Encryption
select *
from assignment
where studentid_det =

bd6e7c3df2b5779e0b61216e8b10b689

_=6

StudentId_DET

AssignId

Score

bd6e7c3df2b5779e0b61216e8b10b689

68

bd6e7c3df2b5779e0b61216e8b10b689

71

7ad5fda789ef4e272bca100b3d9ff59f

99

36

Homomorphic Encryption
(1)
7ad5fda789ef4e272bca100b3d9ff59f

bd6e7c3df2b5779e0b61216e8b10b689

7a9f102789d5f50b2beffd9f3dca4ea7

(2)

(1)

Encryption key is not an input

37

Order Preserving Encryption

Value

Enc (Value)

0x0001102789d5f50b2beffd9f3dca4ea7

0x0065fda789ef4e272bcf102787a93903

0x009b5708e13665a7de14d3d824ca9f15

0x04e062ff507458f9be50497656ed654c

0x08db34fb1f807678d3f833c2194a759e

< < ()
[BCN11, PLZ13]

38

Order-Preserving Encryption
select *
from assignment
where score >= 90

90

StudentId

AssignId

Score

68

71

99

39

Order-Preserving Encryption
select *
from assignment
where score_OPE >=

0x04e062ff507458f9be50497656ed654c

_ 040

StudentId

AssignId

Score_OPE

0x0065fda789ef4e272bcf102787a93903

0x009b5708e13665a7de14d3d824ca9f15

0x08db34fb1f807678d3f833c2194a759e

40

Homomorphic Encryption Schemes

Fully Homomorphic Encryption

(Any function)

[G09, G10]

Order-Preserving Encryption

()

[BCN11, PLZ13]

Paillier
(+)
Cryptosystem
[P99]

ElGamal ()
Cryptosystem
[E84]

Deterministic Encryption

(==)

Non-Deterministic ()
Encryption
41

Homomorphic Encryption Schemes

Fully Homomorphic Encryption

(Any function)

[G09, G10]

Partial Homomorphic
Encryption
Order-Preserving Encryption

()

[BCN11, PLZ13]

Paillier
(+)
Cryptosystem
[P99]

ElGamal ()
Cryptosystem
[E84]

Deterministic Encryption

(==)

Non-Deterministic ()
Encryption
42

Homomorphic Encryption Schemes

Fully Homomorphic Encryption

(Any function)

[G09, G10]

Partial Homomorphic
Encryption
Order-Preserving Encryption

()

[BCN11, PLZ13]

Paillier
(+)
Cryptosystem
[P99]

ElGamal ()
Cryptosystem
[E84]

Deterministic Encryption

(==)

Non-Deterministic ()
Encryption
43

Homomorphic Encryption Schemes:

Performance
Scheme

Space for 1 integer

(bits)

Time for 1 operation

Fully Homomorphic
Encryption

214

Cosmic time scales

Paillier
ElGamal

2048

ms

Deterministic
Order-preserving

128

44

Homomorphic Encryption Schemes:

Notation
Fully Homomorphic Encryption (FHE)

Partial Homomorphic
Encryption (PHE)
Order-Preserving Encryption
[BCN11, PLZ13]
(OPE)
Paillier
(+)
Cryptosystem
[P99]

()

ElGamal ()
Cryptosystem
[E84]

(==)
Deterministic Encryption
(DET)

Non-Deterministic ()
Encryption
(NDET)
45

How do I Encrypt a Database?

Encr

Cell granularity
Advantage:
Random access to a cell contents
Mix n Match encryption
46

Mix n Match Encryption

Plaintext
Deterministic
Non-deterministic

Id

SSN

Name

Score

Id

SSN_DET

Name_NDET

Score_OPE

Not covered: Deriving multiple keys. See [PRZ+11] for an example.

47

Example: Online Course Database

Student
StudentId

Name

Addr

Name

InstrId

GPA

CreditCard

Course
CourseId

StudentCourse
CourseId

StudentId

Grade

48

Roadmap
Introduction
Overview
Basics of Encryption
Trusted Client based Systems
Secure In-Cloud Processing
Security
Conclusion
49

Design Choices
COMPUTE ON
ENCRYPTED DATA

F.H.E

P.H.E

USE SECURE
LOCATION

Client

Server

Trusted Client based Systems

COMPUTE ON
ENCRYPTED DATA

F.H.E

USE SECURE
LOCATION

P.H.E

Client

Server

Trusted Client Architecture

Client
App
PlainText Query

PlainText Results

Client
Component

Rewritten Query

Key

Encrypted Data

Data not decrypted in DBMS

Only ciphertext seen in the DBMS
No changes to DBMS/Client App

DBMS

Systems
Minimal Client Computation
Use P.H.E (Cryptdb)

Residual Query Processing in Client

Blob Store
Use in conjunction with P.H.E (Monomi)

CryptDB Architecture
Client
App
PlainText Query

PlainText Results

Web
Proxy

Rewritten Query

Key

Encrypted Data

DBMS +
UDFs

Web proxy rewrites queries, decrypts result

Leverage P.H.E techniques
[PRZ+11]

Database Design
students(ID, grade)
Point Lookups on ID column
SELECT and AGGREGATION queries on grade

students(ID_DET, grade_OPE)
students(ID_DET, grade_OPE, grade_PAILLIER)
Need to store columns encrypted in multiple ways
Static/Dynamic design based on workload

[PRZ+11]

Query Processing
Client
App

DBMS +
UDFs

Web
Proxy
Key

students(ID_DET, grade_OPE, grade_PAILLIER)

[PRZ+11]

Dynamic Database Design

students(ID_DET, grade**)
Client
App

DBMS +
UDFs

Web
Proxy
Key

DET
ID

OPE
NDET
grade
OPE
grade

[PRZ+11]

Summary
P.H.E is not free space overheads
For Paillier, to store one integer (32 bits), the ciphertext need to use
2048 bits!
Compact representation for paillier that is updatable open problem.

P.H.E is inherently limited cannot address all of SQL

[GZ07]

Systems
No Client Computation
Leverage P.H.E

e.g., Cryptdb

Residual Query Processing on Client

e.g., Blob store
Use in conjunction with P.H.E (e.g., Monomi)

Computation in Trusted Client

Client
App
PlainText Query

PlainText Results

DBMS
Shell

DBMS
Encrypted Data

Key
Client Query Fragment
Server Query Fragment

Distributed query processing between DBMS

shell and untrusted DBMS
[HMI02]

[HIL+02]

[HMH08]

[TFM13]

Blob Store: Database Design

Encrypted data stored as blobs (No computation)
students(ID, grade_blob)

Use additional fake partitions to index blobs

students(ID, grade_blob, partition##)
grade

partition##

0 - 1.0

ccc##

1.0 2.0

aaa##

2.0 3.0

ddd##

3.0 4.0

bbb##
[HIL+02]

Blob Store: Query Processing

Client
App

DBMS

DBMS
Shell
Key

students(ID, grade_blob, partition##)

Distributed query processing

Choosing appropriate partitioning
Optimal Query Splitting
[HIL+02]

[HIM05]

[HMT04]

Trusted Client based Systems

COMPUTE
COMPUTEON
ON
ENCRYPTEDDATA
DATA
ENCRYPTED

F.H.E
F.H.E

P.H.E
P.H.E

USE
USESECURE
SECURE
SECURE
USE
LOCATION
LOCATION
LOCATION

Client
Client

Server
Server

Augmenting Blob Store

Client
App

DBMS

DBMS
Shell
Key

students(ID,
grade_blob,
partition##)
students(ID,
grade_OPE)

Use P.H.E to push more computation to DBMS

Monomi
[TFM13]

Pre-computation for complex queries

Find student submissions that have been handled in a
day late

Students(ID_DET, submissiondate_DET, deadline_DET,

deadline_PAILLIER)
deadlineplusone_DET)
Cannot Mix and Match different encryptions

[TFM13]

Trusted Client: Summary

No Server changes required to DBMS
Works well for workloads where amount of data

shipped is small
Physical Design is important for distributed queries
Pre-computation is not free

Generality of approach is unproven

Integrity constraints, Triggers etc.
Automated tools to migrate database applications

Key Limitation: Robustness

Stored procedure to find student submissions that have
been handed in late (with delay as a parameter)

Cannot pre-compute all possible input values

why store the table in the cloud!

TakeAway Quiz
The Trusted Client approach:
a) Is Dead on arrival

b) Adding BLOB() keyword to SQL

c) Is effective when most work can be
offloaded to the server
d) Is not a robust solution for
general purpose queries

Still to come
Is it possible to design a system where only the results are
shipped to the client irrespective of query complexity ?

MISSION:IMPOSSIBLE V
TRUSTED SERVER

Roadmap
Introduction
Overview
Basics of Encryption
Trusted Client based Systems
Secure In-Cloud Processing
Security
Conclusion
70

Secure In-Cloud Processing

COMPUTE ON
ENCRYPTED DATA

F.H.E

P.H.E

USE TRUSTED
MODULE

Client-End
Solution

In-Cloud
Solution

71

Secure In-Cloud Processing

COMPUTE ON
ENCRYPTED DATA

F.H.E

P.H.E

USE TRUSTED
MODULE

Client-End
Solution

In-Cloud
Solution

Traditional
Servers

Secure
Hardware

72

Secure In-Cloud Processing

COMPUTE ON
ENCRYPTED DATA

F.H.E

P.H.E

USE TRUSTED
MODULE

Client-End
Solution

In-Cloud
Solution

Traditional
Servers

Isolation

Secure
Hardware

Verification
73

Securing Traditional Servers

Isolation
Physical (location, network)
Logical (hypervisor/VM, strict policies)

Verification

Example: Amazon GovCloud [AWSGC]

74

Securing Traditional Servers

Isolation
Verification
Static (TPM authenticated boot)
Dynamic (malware detectors)

[TCGNotes, TPMSpec]

75

Secure Server Advantages

Lowest impact solution

SQL Server
Buffer Pool
Name

Use existing components,

software and policies

We can all go home!

Age

Disease

12
Flu
DBMS
Bob
51
Diabetes
(Commodity
H/W)
Alice

Chen

24

Flu

Dan

36

Cold

Name

Age

Disease

X%*!

)C

!x8J

~4Yz

##

)zFr#x

T$H2

!*

^@tG

<*fB

@$

BxU3

Securing a Server is HARD!

77

What Makes it Hard to

Secure a Server?
Built for flexibility & adaptability
General-purpose processors
A unified-memory space is a serious vulnerability
Security guarantees require 100% bug-free software

78

What Makes it Hard to

Secure a Server?
Complex software stacks make rigorous
security guarantees impossible
Largest formally verified OS kernel in literature is
8,700 lines of C and 600 lines of assembly
i.e. Why dont they make the whole plane out of
that black box stuff?
[K09]

79

What Makes it Hard to

Secure a Server?
We need to simplify the trusted computing
platform!
Better architectural isolation will also help!

80

Secure In-Cloud Processing

COMPUTE ON
ENCRYPTED DATA

F.H.E

P.H.E

USE TRUSTED
MODULE

Client-End
Solution

In-Cloud
Solution

Traditional
Servers

Secure
Hardware

Secure
Processors

Dedicated
Hardware

81

Previous Use of Secure Hardware

Secure Co-Processor
ATM, smart cards

IBM 4764 PCI-X

Cryptographic
Coprocessor

Hardware Security Modules

Tamper-proof crypto acceleration

FPGAs

Secure FPGA

Military use

Limited Resources!
[TCGNotes]
82

Trusted Client Architecture

Client Query Fragment

DBMS
Shell

Server Query Fragment

Encrypted Data

DBMS

Key
Plaintext Results

Plaintext Query

Client
App

Distributed query processing between untrusted

DBMS and client-end DBMS shell

Secure In-Cloud Compute Architecture

Untrusted Query Fragment

Query
Translation
& Splitting
Plaintext Results

Encrypted Data

DBMS

Encrypted Data

Plaintext Query

Client
App

Trusted
Compute
Key
Trusted Query Fragment

Distributed query processing between untrusted

DBMS and trusted cloud compute
Solutions differ in granularity of integration

Secure Processors
TrustedDB
Trusted compute is

IBM Secure
Co-processor

a full DBMS

Key
Embedded
Linux & SQL Lite

Client
App

Query
Results

[BS11]

Cloud
DBMS

Storage

Advantages of Loosely-Coupled Arch.

Full trusted DBMS
loosely coupled system

Simple division of labor

Simple to build

IBM Secure
Co-processor

Key
Embedded
Linux & SQL Lite

select (*) where

SSN_NDET = ad&*$jk

Client
App

Query

Cloud
DBMS

Storage

Results
select (*) where name_PT = John Doe

86

TrustedDB Hybrid Example

[BS11]

87

Limitations of Loosely-Coupled Arch.

Full trusted DBMS
loosely coupled system

How about everything

else?

Client
App

Query

Inter-query
memory
governance
IBM
Secure
Admission
control
Co-processor
Memory management
Key
Spooling
Join/sort algorithms?
GetNext calls,
Storage engine
Embedded
(buffer
locking)
Linuxpool,
& SQL
Lite

Cloud
DBMS

Storage

Results

88

Dedicated Expression Evaluation

Cipherbase
Trusted compute is

Secure
Expression Evaluation

only expression

Key
Dedicated
Stack Machine

evaluation

Client
App

Query
Results

[ABE+12, ABE+13]

Cloud
DBMS

Storage

Dedicated Expression Evaluation

Inter query memory governance
Admission control

, sum(o_totalprice)
Memory Mgmt
Spooling

Specifics of
join/sort algorithm

C_Nationkey=x

Secure
Expression Evaluation
Dec(C_Custkey1)>Dec(C_Custkey2)
Enc(Dec(O_totalprice) +
Dec(currentSum))
Hash(Dec(C_Custkey))
Hash(Dec(O_Custkey))
Dec(O_Custkey)=Dec(C_Custkey)

O_Orderdate>y
Dec(O_Orderdate)>Dec(y)

Dec(C_Nationkey)=Dec(x)

Data-flow (GetNext calls)

Storage engine (buffer pool, locking)

[ABE+12, ABE+13]

90

Dedicated Expression Evaluation

Advantages
Efficiency of trusted compute resources

Dedicated circuits virus-proof

Small footprint formal verification

Drawbacks
Fundamentally changes expression evaluation nontrivial changes to host DBMS
[ABE+12, ABE+13]

91

Summary
Secure in-cloud trusted compute resources
Open issues
Query optimization
e.g. Statistics on encrypted data, security-aware type matching

Execution engine
e.g. Data/computation reuse, masking latency to trusted computation

Physical Design
e.g. Leveraging stronger encryption

92

Roadmap
Introduction
Overview
Basics of Encryption
Trusted Client based Systems
Secure In-Cloud Processing
Security
Conclusion
93

SECURITY

Encryption and Security

Key:

000102030405060708090a0b0c0d0e0f

The quick brown fox jumps

over the lazy dog

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Encryption and Security

Key:

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Encryption and Security

Key:

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Semantic security:
No information leakage except input length

Winner of this years Turing Award

[KL07]

Encryption and Security

Key:

Encr

a7be1a6997ad739bd8c9ca451f618b61
b6ff744ed2c2c9bf6c590cbf0469bf41
47f7f7bc95353e03f96c32bcfd8058df

Encryption schemes such as AES in CBC mode

(non-deterministic) are believed to be

semantically secure

Security of Database Encryption

Disease

Disease_NDET

Flu

!x8J

Diabetes

)zFr#x

Flu

^@tG

Cold

BxU3

Apply AES-CBC to every cell

Leaks cell lengths

Deterministic Encryption
Disease

Disease_DET

Flu

!x8J

Diabetes

)zFr#x

Flu

!x8J

Cold

BxU3

Leaks cell lengths

Also, no. of distinct values + frequency
distribution [BFO+08]

Order-Preserving Encryption
Age

Age_OPE

12

0x000a

51

0x0f12

24

0x00a1

36

0x00b2

Leaks cell lengths

Also, order of cell values [AKS+04, BCN11]
Design of orderpreserving encryption

Overall Security of Data Encryption

Name

Age

Disease

Name_NDET

Age

Disease_DET

Alice

12

Flu

X%*!

12

!x8J

Bob

51

Diabetes

~4Yz

51

)zFr#x

Chen

24

Flu

T$H2

24

!x8J

Dan

36

Cold

<*fB

36

BxU3

Name: AES-CBC non-deterministic

Age: Clear-text
Disease: AES deterministic
Total information leaked = sum of column-level leakage

Impact of Querying & Updating

Client

Update Employee
Set Salary = *&@#
Where Name = Alice

Server

Key
Name

Salary_NDET

Alice

X%*!

Bob

~4Yz

Chen

T$H2

Dan

<*fB

103

Impact of Querying & Updating

Client

Update Employee
Set Salary = *!-#
Where Name = Alice

Server

Key
Name

Salary_NDET

Alice

X%*!

Bob

~4Yz

Chen

T$H2

Dan

<*fB

104

Impact of Querying & Updating

Client

Update Employee
Set Salary = 23=$<
Where Name = Bob

Server

Key
Name

Salary_NDET

Alice

X%*!

Bob

~4Yz

Chen

T$H2

Dan

<*fB

105

Impact of Querying & Updating

Client

Update Employee
Set Salary = +=$<
Where Name = Bob

Server

Key
Name

Salary_NDET

Alice

X%*!

Bob

~4Yz

Chen

T$H2

Dan

<*fB

106

Impact of Querying & Updating

Client

Update Employee
Set Salary = #2$^
Where Name = Bob

Server

Key

Background knowledge
Full-time employees earn
more
Salaries of hourly-wage
employees updated more

Name

Salary_NDET

Alice

X%*!

Bob

~4Yz

Chen

T$H2

Dan

<*fB

Learn partial ordering

Query of
access patterns reveal
employee salary information! [OS07]
Alices salary > Bobs
107

Impact of Querying & Updating

True/False

Sort

TM
Record 1
<
Record 2

Sort leaks ordering

Encryption across the stack (disk + in-memory) does NOT imply no

information leakage
The overall query workflow reveals information
Dynamic security (different from security of data at rest)

Design Space
Cipherbase,
TrustedDB,
CryptDB,
Monomi,
BlobStore

Stop with encryption

Can we bridge this gap?

Full Leakage

Operations on
column

Leakage

Equality
(including joins)

Frequency
distribution

Indexing/Sorting Order
/range predicates

No Leakage

No Leakage
Q2
Q1
Server

Client

Result1
Result2

Reveals size of query result

Encrypted
Database

Hide query result size by making all query result sizes equal to
maximum size
Joins reduce to cross products

Impractical

Design Space
Cipherbase,
TrustedDB,
CryptDB,
Monomi,
BlobStore
Full Leakage

Stop with encryption

Output Size,
Running Time

No Leakage
Impractical

Access Patterns Leak Information

Data

CPU (program P)

Oblivious Simulation
Data

CPU (oblivious
program P)

Simulation: P equivalent to P
Theoretically Efficient: Running time of P within
polylog factor of running time of P
Oblivious: Access patterns of P look random
Information leakage: input size, output size, running
time
[GO96, W12, SS13]

Application to DBMS
Data

Oblivious
simulation of
DBMS

But
Destroys spatial and temporal locality of reference
Data
Range scan

DBMS

But
Destroys spatial and temporal locality of reference
Data
Random
seeks

Oblivious
Simulation of
DBMS

Range scan of 100M records on hard disk 100M seeks

10^5 seconds (~1 day)

Design Space
Cipherbase,
TrustedDB,
CryptDB,
Monomi,
BlobStore
Full Leakage

Stop with encryption

Output Size,
Running Time
Impractical

Is there a stronger and practically

achievable security model?

No Leakage
Impractical

Summary

DBMS

DBMS

Key

HomoEncrypted
morphic
Data
Encryption

Data
Name

Age

Disease

Name

Age

Disease

Alice

12

Flu

X%*!

)C

!x8J

Bob

51

Diabetes

~4Yz

##

)zFr#x

Chen

24

Flu

T$H2

!*

^@tG

Dan

36

Cold

<*fB

@$

BxU3

Cloud Admin
Super-user with
console access

118

Summary

Trusted
Machine

Untrusted
Machine

Key

Encrypted
Database
Name

Age

Disease

X%*!

)C

!x8J

~4Yz

##

)zFr#x

T$H2

!*

^@tG

<*fB

@$

BxU3
119

Summary

Trusted
Machine

Untrusted
Machine

Key

Encrypted
Database
Name

Age

Disease

X%*!

)C

!x8J

~4Yz

##

)zFr#x

T$H2

!*

^@tG

<*fB

@$

BxU3
120

Other Challenges
Application Security
DBMS is only a part of the overall system stack

Usability
Clients need tools and interpretable security models
to navigate security-performance tradeoff

Connections to other areas of security

Data privacy, access control, auditing

Bibliography
1.

[ABE+12] Arvind Arasu, Spyros Blanas, Ken Eguro, Manas Joglekar, Raghav Kaushik, Donald Kossmann, Ravishankar

Ramamurthy, Prasang Upadhyaya, Ramarathnam Venkatesan: Engineering Security and Performance with Cipherbase. IEEE
Data Eng. Bull. 35(4): 65-72 (2012).
2.

[ABE+13] Orthogonal Security With Cipherbase. Arvind Arasu, Spyros Blanas, Ken Eguro, Raghav Kaushik, Donald Kossmann,
Ravi Ramamurthy, and Ramaratnam Venkatesan. CIDR 2013.

3.

[AES] AES Standard. FIPS 197. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

4.

[AF+ 09] Above the Clouds: A Berkeley View of Cloud Computing. by Michael Armbrust, Armando Fox, and others. Tech
Report EECS-2009-28, Univ. of Calif., Berkeley.

5.

[AKS+04] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order-preserving encryption for numeric data. In SIGMOD 2004.

6.

[AWSGC] Amazon GovCloud. http://aws.amazon.com/govcloud-us/.

7.

[B68] K.E. Batcher, Sorting networks and their applications, Proceedings of the AFIPS Spring Joint Computer Conference 32,
307314 (1968).

8.

[BCL09] Order-Preserving Symmetric Encryption. Alexandra Boldyreva, Nathan Chenette, Younho Lee, Adam O'Neill.
EUROCRYPT 2009.

122

Bibliography
9.

[BCN11] Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions. Alexandra
Boldyreva, Nathan Chenette, Adam ONeill. CRYPTO 2011.

10.

[BFO+08] M. Bellare, M. Fischlin, A. O'Neill, T. Ristenpart: Deterministic Encryption: Definitional Equivalences and
Constructions without Random Oracles. CRYPTO 2008.

11.

[BG11] Luc Bouganim, Yanli Guo: Database Encryption. Encyclopedia of Cryptography and Security (2nd Ed.) 2011.

12.

[BOA] Buffer Overflow Attack. Lecture Notes.

http://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/BufferOverflow.html

13.

[BP02] Luc Bouganim, Philippe Pucheral: Chip-Secured Data Access: Confidential Data on Untrusted Servers. VLDB 2002

14.

[BS11] Sumeet Bajaj, Radu Sion: TrustedDB: a trusted hardware based database with privacy and data confidentiality.
SIGMOD Conference 2011.

15.

[CPK 10] Whats New About Cloud Computing Security?. Yanpei Chen, Vern Paxson and Randy H. Katz. Tech Report EECS2010-5. Univ. of Calif., Berkeley.

16.

[E84] A public key cryptosystem and a signature scheme based on discrete logarithms. Taher El Gamal. CRYPTO 1984.

123

Bibliography
17.

[ENISA 09a] Cloud Computing Risk Assessment. European Network and Information Security Agency. 2009.

18.

[ENISA 09b] An SME perspective on cloud computing (survey). European Network and Information Security
Agency, 2009.

19.

[G09] Fully homomorphic encryption using ideal lattices. Craig Gentry. STOC 2009.

20.

[G10] Computing arbitrary functions of encrypted data. Craig Gentry. CACM 2010.

21.

[G11] Michael T. Goodrich. Data-oblivious external-memory algorithms for the compaction, selection, and
sorting of outsourced data. In SPAA, pages 379388, 2011.

22.

[GO96] O. Goldreich, R. Ostrovsky: Software Protection and Simulation on Oblivious RAMs. J. ACM 43(3): 431473 (1996)

23.

[GZ07] Tingjian Ge, Stanley B. Zdonik. Answering Aggregation Queries in a Secure System Model. VLDB 2007.

24.

[GZ07b] Tingjian Ge, Stanley B. Zdonik: Fast, Secure Encryption for Indexing in a Column-Oriented DBMS. ICDE
2007.

124

Bibliography
25.

[HIL+02] Executing SQL over Encrypted Data in the Database-Service-Provider Model. Hakan Hacigumus,
Balakrishna R. Iyer, Chen Li, Sharad Mehrotra, SIGMOD 2002.

26.

[HIM04] Hakan Hacigms, Balakrishna R. Iyer, Sharad Mehrotra: Efficient Execution of Aggregation Queries
over Encrypted Relational Databases. DASFAA 2004.

27.

[HIM05] Hakan Hacigms, Balakrishna R. Iyer, Sharad Mehrotra: Query Optimization in Encrypted Database
Systems. DASFAA 2005.

28.

[HIM05b] Efficient Execution of Aggregation Queries over Encrypted Relational Databases. Hakan Hacigms,
Balakrishna R. Iyer, Sharad Mehrotra. DASFAA 2005.

29.

[HMH08] Bijit Hore, Sharad Mehrotra, Hakan Hacigms: Managing and Querying Encrypted Data. Handbook of
Database Security 2008

30.

[HMI02] Providing Database as a Service. Hakan Hacigumus, Sharad Mehrotra, Balakrishna R. Iyer. ICDE 2002.

31.

[HMT04] Bijit Hore, Sharad Mehrotra, Gene Tsudik: A Privacy-Preserving Index for Range Queries. VLDB 2004.

32.

[K09] G. Klein et al, seL4: formal verification of an OS kernel SOSP 2009.

125

Bibliography
33.

[KL07] Introduction to Modern Cryptography. Jonathan Katz and Yehuda Lindell. Chapman & Hall/CRC Press. 2007.

34.

[NIST 09] P. Mell and T. Grance. NIST definition of cloud computing. National Institute of Standards and Technology.
October 7, 2009.

35.

[OTDE] Oracle Transparent Data Encryption. http://www.oracle.com/technetwork/database/options/advancedsecurity/index-099011.html

36.

[P99] Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. Pascal Paillier. EUROCRYPT 1999.

37.

[PLZ13] An Ideal-Security Protocol for Order-Preserving Encoding. Raluca Ada Popa, Frank H Li, Nickolai Zeldovich. Symp
on Security and Privacy, 2013.

38.

[PRZ+11] CryptDB: protecting confidentiality with encrypted query processing. Raluca A. Popa, Catherine M. S. Redfield,
Nickolai Zeldovich, Hari Balakrishnan. SOSP 2011.

39.

[S96] Applied Cryptography. Bruce Schneier. John Wiley & Sons, 1996.

40.

[SS05] Trusted Computing Platforms: Design and Applications. Sean W Smith. Springer. 2005.

126

Bibliography
41.

[SS13] E. Stefanov, E. Shi. ObliviStore: High Performance Oblivious Cloud Storage. IEEE S&P. 2013.

42.

[STDE] Sql Server Transparent Data Encryption.

http://technet.microsoft.com/en-us/library/bb934049.aspx

43.

[TCGNotes] Trusted Computing Architecture and its applications. CS255 Lecture Notes. Stanford University.
http://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-TCG.pdf

44.

[TFM13] Stephen Tu, M. Frans Kaashoek, Samuel Madden et al. Processing Analytical Queries over Encrypted Data. VLDB
2013.

45.

[TPMSpec] TPM Main Specification. http://www.trustedcomputinggroup.org/resources/tpm_main_specification

46.

[VYK12] Vaibhav Khadilkar, Kerim Yasin Oktay, Murat Kantarcioglu, Sharad Mehrotra: Secure Data Processing over Hybrid
Clouds. IEEE Data Eng. Bull. 35(4): 46-54 (2012).

47.

[W12] P. Williams. Oblivious Remote Data Access Made Parallel. PhD Thesis. 2012.

127