Published by Victoria Stanley. Modified over 9 years ago.
Slide 1: Managing and querying encrypted data. Presenters: Trần Mỹ Giao, Huỳnh Mai Thúy
Slide 2: Outline
1. Introduction
2. DAS - Storing and querying encrypted data
3. Trust, encryption key management, integrity & data confidentiality
4. References
Slide 3: Introduction. Two new challenges emerge: (1) efficient encryption algorithms for relational data, and (2) supporting queries over the encrypted relational data. Example: a secure email server.
Slide 4: Outline (repeated before section 2: DAS - Storing and querying encrypted data)
Slide 5: What is DAS? DAS (Database as a Service) is a paradigm in which data owned by a client is hosted on a third-party server. There is significant interest in secure query evaluation over encrypted databases.
Slide 6: DAS - Storing and querying encrypted data. Topics:
– DAS setup and security model
– Querying encrypted relational data
– Relational encryption and storage model
– Keyword search on encrypted text data
– Search over encrypted XML data
Slide 7: DAS setup and security model. Parties: data owner, clients, server. Data must be stored encrypted on the server and decrypted only on the client side.
Slide 8: Querying encrypted relational data. Example schema: EMP(eid, ename, salary, addr, did), DEPARTMENT(did, dname, mgr). The goal in DAS is to process the query directly at the server, without decrypting the data there.
Slide 9: Querying encrypted relational data. This requires mechanisms that support the following basic operators over encrypted data: comparison operators and arithmetic operators.
Slide 10: Two categories of approaches:
– approaches based on new encryption techniques
– information-hiding based approaches
Slide 11: Approaches based on new encryption techniques. These support arithmetic and/or comparison operators:
– PH (privacy homomorphism) supports basic arithmetic operations but does not allow comparison.
– Order-preserving encryption supports comparison, join, selection, sorting and grouping, but not aggregation.
The limitation: these schemes are only safe in limited situations, where the adversary's knowledge is limited.
Slide 12: Information-hiding based approaches. Additional auxiliary information is stored along with the encrypted data; secure indices are designed carefully, exploiting information-hiding mechanisms.
Slide 13: Information-hiding based approaches. Three basic techniques:
– Perturbation: add a random value to the true value (numeric attributes).
– Generalization: replace a numeric or categorical value by a more general value.
– Swapping: swap the values of a specific attribute between two records.
Slide 14: Information-hiding based approaches support comparison, select-project-join, sorting and grouping, but cannot support aggregation at the server.
Slide 15: Query processing architecture for DAS (figure).
Slide 16: Relational encryption and storage model. A relation R(A1, A2, ..., An) is stored at the server with an encrypted tuple column, e.g. Emp(etuple, eid, ename, salary, addr, did), where etuple holds the encrypted tuple.
Slide 17: Relational encryption and storage model. Partition functions, e.g. Partition(emp.eid) = {[0,200], [200,400], [400,600], [600,800], [800,1000]}. Identification functions, e.g. Ident(emp.eid)([0,200]) = 2.
Slide 18: Relational encryption and storage model. Mapping functions, e.g. Map(emp.eid)(395) = 7. Storing encrypted data (figure).
Slide 19: Relational encryption and storage model. Decryption functions: D(R^S) = R. Mapping conditions: to translate query conditions into the corresponding conditions over the server-side representation, Map(cond) is called.
Slide 20: Translating relational operators. The selection operator, e.g. C = σ(eid < 395 & did = 140)(emp).
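The following is an added example, not code from the presentation, showing the partition, identification and mapping functions from slides 17 to 20 in working form and how the selection eid < 395 & did = 140 is executed as a server-side bucket query followed by client-side decryption and filtering. Partition(emp.eid), Ident(emp.eid)([0,200]) = 2 and Map(emp.eid)(395) = 7 are taken from the slides; the partition for did, the remaining bucket identifiers, the EMP rows, the key and the HMAC-counter-mode "cipher" used for etuple are constructed for illustration (the cipher is an unauthenticated stand-in, not a recommendation).

```python
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Example added here, not from the presentation. All data and keys are constructed.
KEY = b"data-owner-key-constructed-example"

# Partition functions: ordered buckets per attribute. Partition(emp.eid) is the one on
# the slides; Partition(emp.did) is constructed. Buckets are treated as half-open [lo, hi).
PARTITION: Dict[str, List[Tuple[int, int]]] = {
    "eid": [(0, 200), (200, 400), (400, 600), (600, 800), (800, 1000)],
    "did": [(100, 150), (150, 200), (200, 250)],
}

# Identification functions: bucket -> identifier. Ident(eid)([0,200]) = 2 and
# Map(eid)(395) = 7 agree with the slides; the other ids are arbitrary (constructed).
IDENT: Dict[str, Dict[Tuple[int, int], int]] = {
    "eid": {(0, 200): 2, (200, 400): 7, (400, 600): 5, (600, 800): 1, (800, 1000): 9},
    "did": {(100, 150): 4, (150, 200): 8, (200, 250): 3},
}

def bucket_of(attr: str, value: int) -> Tuple[int, int]:
    """Partition function: the bucket that contains value."""
    for lo, hi in PARTITION[attr]:
        if lo <= value < hi:
            return (lo, hi)
    raise ValueError(f"{attr}={value} is outside the partitioned domain")

def map_value(attr: str, value: int) -> int:
    """Mapping function: Map(attr)(value) = Ident(attr)(bucket containing value)."""
    return IDENT[attr][bucket_of(attr, value)]

def map_condition(attr: str, op: str, value: int) -> Set[int]:
    """Map(cond): the set of bucket ids that may hold a value satisfying `attr op value`."""
    ids = set()
    for lo, hi in PARTITION[attr]:
        if (op == "=" and lo <= value < hi) or (op == "<" and lo < value) or (op == ">" and hi - 1 > value):
            ids.add(IDENT[attr][(lo, hi)])
    return ids

def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an unauthenticated stream cipher standing in for a real one."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_tuple(rid: int, row: dict) -> bytes:
    """Client side: the whole tuple becomes the opaque etuple column."""
    plain = json.dumps(row, sort_keys=True).encode()
    ks = _keystream(b"etuple" + rid.to_bytes(4, "big"), len(plain))
    return bytes(a ^ b for a, b in zip(plain, ks))

def decrypt_tuple(rid: int, etuple: bytes) -> dict:
    """Decryption function D, applied only at the client."""
    ks = _keystream(b"etuple" + rid.to_bytes(4, "big"), len(etuple))
    return json.loads(bytes(a ^ b for a, b in zip(etuple, ks)))

def store(rows: List[dict]) -> List[dict]:
    """R -> R^S(etuple, eid^S, did^S): only ciphertext and bucket ids leave the client."""
    return [{"rid": i, "etuple": encrypt_tuple(i, row),
             "eid": map_value("eid", row["eid"]), "did": map_value("did", row["did"])}
            for i, row in enumerate(rows)]

def server_select(server_rel: List[dict], conds) -> List[dict]:
    """Server side: applies Map(cond) to bucket ids only; nothing is decrypted here."""
    return [s for s in server_rel
            if all(s[attr] in map_condition(attr, op, v) for attr, op, v in conds)]

OPS = {"<": lambda a, b: a < b, "=": lambda a, b: a == b, ">": lambda a, b: a > b}

def client_filter(candidates: List[dict], conds) -> List[dict]:
    """Client side: decrypt the candidates and apply the exact condition (drops false positives)."""
    rows = [decrypt_tuple(s["rid"], s["etuple"]) for s in candidates]
    return [r for r in rows if all(OPS[op](r[attr], v) for attr, op, v in conds)]

EMP = [  # constructed EMP(eid, ename, salary, addr, did) rows
    {"eid": 120, "ename": "ana", "salary": 50, "addr": "a", "did": 140},
    {"eid": 395, "ename": "bob", "salary": 60, "addr": "b", "did": 140},
    {"eid": 210, "ename": "cid", "salary": 70, "addr": "c", "did": 140},
    {"eid": 450, "ename": "dee", "salary": 80, "addr": "d", "did": 140},
    {"eid": 150, "ename": "eve", "salary": 90, "addr": "e", "did": 160},
    {"eid": 300, "ename": "fay", "salary": 55, "addr": "f", "did": 120},
]
QUERY = [("eid", "<", 395), ("did", "=", 140)]  # the slide's selection eid < 395 & did = 140

def run_query(rows: List[dict], conds) -> Tuple[List[dict], int]:
    """Returns (exact result rows, number of candidate rows the server returned)."""
    candidates = server_select(store(rows), conds)
    return client_filter(candidates, conds), len(candidates)

if __name__ == "__main__":
    result, n_cand = run_query(EMP, QUERY)
    print("server candidates:", n_cand, "exact matches:", [r["eid"] for r in result])
```

Map(eid < 395) becomes the bucket set {2, 7}, so the server returns every row whose eid falls in [0, 400) and whose did bucket is 4, including the rows with eid = 395 and did = 120 that do not actually satisfy the query; the client removes those after decryption. The coarser the partitions, the less the server learns from the bucket ids, but the more candidate rows the client must decrypt and filter.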
Slides 21-24: Query execution, worked example (figures).
Slide 25: Keyword search on encrypted text data. Answer is
Slide 26: Private-key based search scheme on encrypted text data. A secure index reveals no information about its content to the adversary; however, it allows the adversary to test the presence or absence of a keyword using a trapdoor. A user searching for documents containing word w generates a trapdoor, which the adversary can use to retrieve the matching documents.
Slide 27: Secure index creation. Alice generates a sequence of pseudo-random values s1 ... sn using a stream cipher. For each si, Alice uses a pseudo-random function Fk(si) to generate a random m-bit sequence, then computes the n-bit sequence ti from si and Fk(si). The ciphertext is ci = wi XOR ti, and the secure index is the set of ci.
Slide 28: Secure index creation. To prevent the adversary from learning the keyword, pre-encrypt each word wi using an encryption algorithm Ek; in the construction above, xi = Ek(wi) replaces wi.
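Added example (not the presentation's code) of the secure index from slides 27 and 28, following the Song, Wagner and Perrig construction: ti is si concatenated with Fk(si), ci = xi XOR ti with xi = Ek(wi), the trapdoor for a word is xi, and the server tests a position by XORing ci with the trapdoor and checking that the right part equals Fk of the left part. Word slot size, Fk output size, keys, seed and the word list are constructed; HMAC-SHA256 stands in for Fk and for the stream cipher, and a 4-round Feistel network over HMAC stands in for the block cipher Ek so that the example runs with the standard library only.

```python
import hashlib
import hmac

# Example added here; it is not the presentation's code. Keys, seed and words are constructed.
N = 16   # bytes per word slot (the slide's n bits)
M = 8    # bytes of F_k output (the slide's m bits); s_i is N - M bytes
KEY_F = b"prf-key-constructed"      # key k of the pseudo-random function F_k
KEY_E = b"preenc-key-constructed"   # key of the pre-encryption E_k (slide 28)
SEED = b"stream-seed-constructed"   # seed of the stream cipher producing s_1..s_n

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key: bytes, data: bytes, length: int) -> bytes:
    """F_k: HMAC-SHA256 truncated to `length` bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:length]

def stream_values(count: int) -> list:
    """s_1..s_n from a stream cipher (HMAC-SHA256 in counter mode as a stand-in)."""
    return [prf(SEED, i.to_bytes(4, "big"), N - M) for i in range(count)]

def pad(word: str) -> bytes:
    raw = word.encode()
    if len(raw) > N:
        raise ValueError("word longer than the fixed slot")
    return raw.ljust(N, b"\0")

def pre_encrypt(block: bytes, decrypt: bool = False) -> bytes:
    """E_k / D_k: a 4-round Feistel permutation on N-byte blocks with HMAC as round
    function. A stand-in for a real block cipher, used so the example stays stdlib-only."""
    half = N // 2
    left, right = block[:half], block[half:]
    if not decrypt:
        for r in range(4):
            left, right = right, xor(left, prf(KEY_E, bytes([r]) + right, half))
    else:
        for r in reversed(range(4)):
            left, right = xor(right, prf(KEY_E, bytes([r]) + left, half)), left
    return left + right

def build_index(words: list) -> list:
    """Secure index: c_i = x_i XOR t_i with x_i = E_k(w_i) and t_i = s_i || F_k(s_i)."""
    index = []
    for x, s in zip((pre_encrypt(pad(w)) for w in words), stream_values(len(words))):
        index.append(xor(x, s + prf(KEY_F, s, M)))
    return index

def trapdoor(word: str) -> bytes:
    """Client: the trapdoor for w is x = E_k(w). The server also holds the key of F_k."""
    return pre_encrypt(pad(word))

def search(index: list, x: bytes) -> list:
    """Server: positions i where c_i XOR x splits into <s, f> with f = F_k(s)."""
    hits = []
    for i, c in enumerate(index):
        p = xor(c, x)
        s, f = p[:N - M], p[N - M:]
        if hmac.compare_digest(f, prf(KEY_F, s, M)):
            hits.append(i)
    return hits

def recover_words(index: list) -> list:
    """Client: regenerate s_i from the seed, strip t_i, then undo E_k."""
    words = []
    for c, s in zip(index, stream_values(len(index))):
        x = xor(c, s + prf(KEY_F, s, M))
        words.append(pre_encrypt(x, decrypt=True).rstrip(b"\0").decode())
    return words

WORDS = ["alice", "budget", "secret", "alice"]  # constructed document words

def demo():
    """Returns (positions matching 'alice', positions matching a word not present, recovered words)."""
    index = build_index(WORDS)
    return search(index, trapdoor("alice")), search(index, trapdoor("missing")), recover_words(index)

if __name__ == "__main__":
    print(demo())
```

Two points the slides leave implicit are visible here: the same word at two positions produces two different index entries, because si differs, so the index alone does not reveal repeated keywords; and a search can return a false positive with probability about 2^-(8M) per entry, which is why the client still decrypts and checks the returned documents.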
Slide 31: Search over encrypted XML data. There has been little work on encrypted XML data management. Two kinds of information the client may consider sensitive:
– an individual node with its content
– the association between data values.
Slide 32: Search over encrypted XML data. The notion of security constraints (SCs) supports both types of security requirement above. Such constraints can be specified as XPath expressions and classified as either node-type constraints or association-type constraints.
Slide 33: Search over encrypted XML data. Hiding an individual node with its content: encrypt its content. Hiding an association between data values: encrypting any one of the associated nodes enforces the SC.
Slide 34: Search over encrypted XML data. Query processing follows the typical DAS approach described earlier, using two indexes (together called the discontinuous structural interval index, DSI):
– a structural index to enable tree traversal
– a value index to enable attribute-value based queries such as range queries.
Slide 35: Search over encrypted XML data. An "order-preserving encryption" scheme transforms the values from their original domain to a new domain, and B-trees implement the range queries. This scheme is unsafe under a known-plaintext attack.
Slide 36: Outline (repeated before section 3: Trust, encryption key management, integrity & data confidentiality)
Slide 37: Trust, key management, integrity & data confidentiality. Three basic models of trust are widely studied in the literature:
– Complete trust: the data management issues are similar to those arising in standard DBMS systems.
– Partial trust: ensure the confidentiality of sensitive data.
– Untrusted model: ensure the authenticity of data and the correctness of query results.
Slide 38: Trust, key management, integrity & data confidentiality. Topics:
– Encrypting relational data
– Authentication and integrity issues
– Key management in DAS
Slide 39: Encrypting relational data. Three important issues to keep in mind: 1) encryption algorithms, 2) encryption granularity, 3) efficient storage for encrypted data.
Slide 40: 1) Encryption algorithms. Symmetric key:
– DES: the effective key length is 56 bits, the block size is 64 bits.
– AES: each of the AES variants has a 128-bit block size, with key sizes of 128, 192 and 256 bits.
– Blowfish: 64-bit block size and a variable key length from 32 up to 448 bits.
Slide 41: DES and AES (figure).
Slide 42: Blowfish (figure).
Slide 43: 1) Encryption algorithms (figure).
Slide 44: Public-key encryption avoids the problem of secure key distribution, e.g. RSA.
Slide 46: 2) Encryption granularity. Field level: the smallest achievable granularity; each attribute value of a tuple is encrypted separately.
Slide 47: 2) Encryption granularity. Record/row level: each row is encrypted separately; this does not differentiate between sensitive and non-sensitive data.
Slide 48: 2) Encryption granularity. Attribute/column level: only sensitive attributes are encrypted.
Slide 49: 2) Encryption granularity. Page/block level: whenever a page/block of sensitive data is stored, the entire block is encrypted.
Slide 50: 3) Efficient storage for encrypted data. The performance issues are associated with storing encrypted data on disk. "Partitioned Plaintext and Ciphertext" (PPC):
– cluster the non-sensitive and sensitive data to minimize the number of encryption operations.
Slide 51: 3) Efficient storage for encrypted data.
– Using NSM (the N-ary storage model) requires only modifications to the page layout.
Slide 52: Authentication and integrity issues. Data integrity and authentication can be provided at different levels of granularity: a table, a column, a row, or an individual attribute value. Three flavors of database model:
– unified client model
Slide 53:
– multiple clients, single owner
– multiple clients, multiple owners
Slide 54: Authentication and integrity issues. One natural and intuitive solution for record-level integrity is to use message authentication codes (MACs). A MAC is a keyed hash of the record's content; MACs tend to be small and of constant length. MACs are attractive for the unified client model. In the multi-owner and multi-querier models there are potentially many queriers for each client; in these settings MACs are not useful (repudiation: a tag under a shared key cannot prove which party produced it).
Slide 55: Key management in DAS. The data owner first decides the key-assignment granularity:
– Database level: generate a single key for the whole database.
– Table level: the tables in the database may be grouped, with one key generated for each group.
– Row level: the records in a table may be grouped, and each group is encrypted with a separate key.
Slide 56: Key management in DAS. In DAS, key generation can be carried out at the client side or at a trusted third-party server. The key generation process is classified into two classes:
– Pre-computation: the key is generated ahead of time and then stored in the system's key registry (key-id, key correspondence information, key mode, key material, ...).
– Re-computation: only the key-generating information is stored, and the key is recomputed from it when needed.
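Added example, not the presentation's code, tying together the record-level MAC of slide 54 and the key-assignment granularity and key registry of slides 55 and 56. It assumes a re-computation style registry that holds only key-correspondence information and derives key material from a master key (an HMAC-based derivation stands in for a proper KDF), table-level key assignment with one key-id per table, and that the MAC covers the table name and row id together with the ciphertext; the master key, key-ids and the etuple bytes are constructed.

```python
import hashlib
import hmac
import json

# Example added here, not the presentation's code. Master key and rows are constructed.
MASTER_KEY = b"data-owner-master-key-constructed"

class KeyRegistry:
    """Re-computation style registry (slide 56): stores only the key-generating
    information; key material is recomputed from the master key on demand."""
    def __init__(self, master: bytes):
        self.master = master
        self.entries = {}  # key-id -> key correspondence information

    def register(self, key_id: str, granularity: str, scope: str) -> None:
        self.entries[key_id] = {"granularity": granularity, "scope": scope}

    def material(self, key_id: str, mode: str) -> bytes:
        """Derive key material for (key-id, mode). HMAC over the registry entry is a stand-in KDF."""
        entry = self.entries[key_id]
        info = json.dumps({"id": key_id, "mode": mode, **entry}, sort_keys=True).encode()
        return hmac.new(self.master, info, hashlib.sha256).digest()

def _canonical(table: str, rid: int, etuple: bytes) -> bytes:
    """What the MAC covers: table and row id are bound in, so a record cannot be moved or swapped."""
    return json.dumps({"table": table, "rid": rid, "etuple": etuple.hex()}, sort_keys=True).encode()

def protect(reg: KeyRegistry, key_id: str, table: str, rid: int, etuple: bytes) -> dict:
    """Owner/client: attach a record-level MAC under the group's MAC key before upload."""
    tag = hmac.new(reg.material(key_id, "mac"), _canonical(table, rid, etuple), hashlib.sha256).digest()
    return {"table": table, "rid": rid, "etuple": etuple, "key_id": key_id, "tag": tag}

def verify(reg: KeyRegistry, rec: dict) -> bool:
    """Client: recompute the MAC of a returned record; False means tampered, moved or swapped."""
    expected = hmac.new(reg.material(rec["key_id"], "mac"),
                        _canonical(rec["table"], rec["rid"], rec["etuple"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, rec["tag"])

def demo():
    """Returns verification results for (intact emp, intact dept, tampered, moved, swapped)."""
    reg = KeyRegistry(MASTER_KEY)
    reg.register("k-emp", "table", "EMP")            # table-level key assignment (slide 55)
    reg.register("k-dept", "table", "DEPARTMENT")
    # etuple values stand for ciphertexts produced elsewhere (constructed bytes)
    emp = protect(reg, "k-emp", "EMP", 1, b"\x8a\x11\x42encrypted-emp-row")
    dept = protect(reg, "k-dept", "DEPARTMENT", 1, b"\x03\x9f\x77encrypted-dept-row")
    tampered = dict(emp, etuple=emp["etuple"][:-1] + b"!")   # server altered the ciphertext
    moved = dict(emp, rid=2)                                  # server returned it under another row id
    swapped = dict(dept, tag=emp["tag"])                      # tag copied from another table's row
    return (verify(reg, emp), verify(reg, dept),
            verify(reg, tampered), verify(reg, moved), verify(reg, swapped))

if __name__ == "__main__":
    print(demo())
```

The registry entry, not the key bytes, is what gets persisted, which is the re-computation class on slide 56; deriving separate "mac" and "enc" material from one key-id keeps the integrity key distinct from the encryption key for the same group. Because every querier that can verify a tag can also create one, this check only works where owner and querier share trust (the unified client model), which is the limitation slide 54 notes for the multi-owner and multi-querier models.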
Slide 57: Outline (repeated before section 4: References)
Slide 58: References
– Handbook of Database Security: Applications and Trends, 2007
– www.google.com.vn
– www.en.wikipedia.org
Slide 59: Thank you for listening.