Using cryptography in databases and web applications

Slides:



Advertisements
Similar presentations
Monomi: Practical Analytical Query Processing over Encrypted Data
Advertisements

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
CryptDB: Protecting Confidentiality with Encrypted Query Processing by Raluca Ada Popa Catherine M. S. Redfield Nickolai Zeldovich Hari Balakrishnan MIT.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Sam Madden With a cast of many….
11 Section D: SQL  SQL Basics  Adding Records  Searching for Information  Updating Fields  Joining Tables Chapter 11: Databases1.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
CryptDB: Protecting Confidentiality with Encrypted Query Processing
CryptDB: Confidentiality for Database Applications with Encrypted Query Processing Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan.
CryptDB: A Practical Encrypted Relational DBMS Raluca Ada Popa, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL New England Database Summit 2011.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Overview and Roadmap for Microsoft SQL Server Security
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
 Relational Cloud: A Database-as-a-Service for the Cloud Carlo Curino, Evan Jones, Raluca Ada Popa, Nirmesh Malaviya, Eugene Wu, Sam Madden, Hari Balakrishnan,
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.
SERVER Betül ŞAHİN What is this? Betül ŞAHİN
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Mohammad Ahmadian COP-6087 University of Central Florida.
Database Laboratory TaeHoon Kim. /25 Work Progress(Range Query) 2.
HPCC 2015, August , New York, USA Wei Chang c Joint work with Qin Liu a, Guojun Wang b, and Jie Wu c a. Hunan University, P. R. China b. Central.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
SEC835 Practical aspects of security implementation Part 1.
Chapter 8 Safeguarding the Internet. Firewalls Firewalls: hardware & software that are built using routers, servers and other software A point between.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Protection of outsourced data MARIA ANGEL MARQUEZ ANDRADE.
Elmasri and Navathe, Fundamentals of Database Systems, Fourth Edition Copyright © 2004 Pearson Education, Inc. Slide 2-1 Data Models Data Model: A set.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
Network Security & Accounting
1 Secure Peer-to-Peer File Sharing Frans Kaashoek, David Karger, Robert Morris, Ion Stoica, Hari Balakrishnan MIT Laboratory.
Chap1: Is there a Security Problem in Computing?.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
CryptDB: Protecting Confidentiality with Encrypted Query Processing
Secure Data Outsourcing
1 Secure Peer-to-Peer File Sharing Frans Kaashoek, David Karger, Robert Morris, Ion Stoica, Hari Balakrishnan MIT Laboratory.
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
Computer Security Sample security policy Dr Alexei Vernitski.
Big Data Security Issues in Cloud Management. BDWG Big Data Working Group Researchers 1: Data analytics for security 2: Privacy preserving 3: Big data-scale.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.
Clouding with Microsoft Azure
Data in the Cloud: Data-as-a-Service for the Cloud
Chapter 40 Internet Security.
Database and Cloud Security
Practical Private Range Search Revisited
Securing Your Data With SQL 2016 (An overview of Always Encrypted)
Big Data Analytics over Encrypted Datasets with Seabed
Application Security Lecture 27 Aditya Akella.
Searchable Encryption in Cloud
Introduction to Operating Systems
Security Outline Encryption Algorithms Authentication Protocols
Hybrid Cloud Architecture for Software-as-a-Service Provider to Achieve Higher Privacy and Decrease Securiity Concerns about Cloud Computing P. Reinhold.
Cloud Computing By P.Mahesh
Security.
Introduction to Operating Systems
Security Enhancements in SQL Server 2016
Secure Database in cloud
RKL Remote key loading.
بررسی معماری های امن پایگاه داده از جنبه رمزنگاری
Security.
CS 5412/Lecture 17 Leave No Trace Behind
SQL Server 2016 Security Features
Web Application Development Using PHP
Presentation transcript:

Using cryptography in databases and web applications Nickolai Zeldovich MIT CSAIL Joint work with Raluca Ada Popa, Stephen Tu, Emily Stark, Jonas Helfer, Steven Valdez, Hari Balakrishnan, Frans Kaashoek, Sam Madden

Problem: private data breaches server clients Secret Secret Secret no computation computation storage databases, web applications, mobile applications, machine learning, etc. ?? encryption (encrypted files, email)

Common approach: prevent break-ins server clients Secret Secret Enforced at many levels: operating system, hardware, network, programming language, …

Bad guys find ways to break in Complex software has bugs Attackers find and exploit vulnerabilities Many people have access to infrastructure Server administrators Cloud / data center employees Anyone that breaks into their accounts Compromises are inevitable

New approach: practical processing of encrypted data server client ?? Strawman: Secret Result Secret Result Secret

CryptDB setup trusted client-side under attack Database server Proxy transformed query Database server plain query Proxy Application encrypted DB decrypted results Secret encrypted results Secret Stores schema and master key Minimal or no query execution

Randomized encryption (RND) - semantic Example Application Randomized encryption (RND) - semantic x2ea887 x95c623 x4be219 x17cea7 SELECT * FROM emp table1/emp col1/rank col2/name col3/salary Proxy SELECT * FROM table1 x4be219 60 x95c623 100 x2ea887 800 x17cea7 100

Example Randomized encryption (RND) Deterministic encryption (DET) Application Randomized encryption (RND) Deterministic encryption (DET) SELECT * FROM emp WHERE salary = 100 table1/emp col1/rank col2/name col3/salary SELECT * FROM table1 WHERE col3 = x5a8c34 Proxy x4be219 x934bc1 60 x5a8c34 x95c623 100 x2ea887 x84a21c 800 ? x5a8c34 x5a8c34 x17cea7 100

Example “Summable” encryption (HOM) - semantic Application “Summable” encryption (HOM) - semantic Deterministic encryption (DET) SELECT sum(salary) FROM emp table1 (emp) Proxy SELECT cdb_sum(col3) FROM table1 col1/rank col2/name col3/salary x9eab81 x934bc1 60 x638e54 x5a8c34 100 x122eb4 x84a21c 800 x578b34 x5a8c34 1060 x72295a 100

Example Application Proxy SELECT sqrt(sum(salary)) FROM emp table1 (emp) Proxy SELECT cdb_sum(col3) FROM table1 col1/rank col2/name col3/salary x9eab81 x934bc1 60 x638e54 x5a8c34 100 x122eb4 x84a21c 800 x578b34 x5a8c34 1060 x72295a 100

Example Application Proxy SELECT sqrt(sum(salary)) FROM emp 32.55 table1 (emp) Proxy SELECT cdb_sum(col3) FROM table1 col1/rank col2/name col3/salary x9eab81 x934bc1 60 x638e54 x5a8c34 100 x122eb4 x84a21c 800 x578b34 x5a8c34 1060 x72295a 100

Techniques Compute on encrypted data at the server Use SQL-aware set of efficient encryption schemes Adjust encryption of data based on queries Compute on decrypted data at the proxy Can decrypt  can perform any computation Choose optimal split to reduce bandwidth, proxy load

SQL-aware encryption schemes Security Scheme Construction Function SQL operations: e.g., SELECT, UPDATE, DELETE, INSERT, COUNT RND AES in UFE data moving ≈ semantic security HOM Paillier addition e.g., SUM, + word search SEARCH Song et al.,‘00 restricted ILIKE e.g., =, !=, IN, GROUP BY, DISTINCT reveals only repeat pattern DET equality AES in CMC JOIN our new scheme join e.g., >, <, ORDER BY, ASC, DESC, MAX, MIN, GREATEST, LEAST reveals only order OPE order our new scheme

Onion of encryptions + + security + RND DET OPE value + functionality Adjust encryption: strip off layer of the onion

CryptDB works well in practice Supports many database applications Web sites, transactional processing, data analytics Never reveals plaintext data on database server Modest performance overheads 20-30% throughput loss for typical benchmarks Approach now used by Google (among others) Encrypted BigQuery service

Compromised app. server? users CryptDB proxy DB server application Secret CryptDB SQL queries on encrypted DB

Compromised app. server? CryptDB proxy users CryptDB proxy DB server Secret Secret application Secret Secret CryptDB proxy

Mylar: browser-side encryption Secret Secret Secret web application DB server Secret Secret Secret Secret Decrypted data exists only in users’ browsers

Challenge: computation in web applications Client-side application framework Most computation happens in client’s web browser (Javascript code) 2. Non client-side computation: Data sharing – need a way to manage keys Keyword search – need new cryptosystem: documents encrypted with many keys

Mylar supports many applications Ported 6 applications to Mylar Performance overheads are modest Data privacy despite server compromises

Future research directions Practical cryptography Computing on data encrypted w/ many keys Delegating limited functions over encrypted data Practical systems Auditing for data disclosures Protecting end-user computers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.