Post on 27-Jan-2017
transcript
CryptDB: ProtectingConfidentiality with
Encrypted Query Processing
Raluca Ada Popa, Catherine M. S. Redfield,Nickolai Zeldovich, and Hari Balakrishnan
23rd ACM Symposium on Operating Systems Principles (SOSP)Cascais, Portugal, October 2011
KDE SeminarMay 11th, 2015Mateus Cruz
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
2 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
3 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OVERVIEW
SQL queries over encrypted dataI SecurityI Performance (low overhead)
Dynamic encryption levelsProtection against security threats
1 Curious DBA2 Adversary compromises application or server
4 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
MAIN IDEAS
SQL-Aware encryptionI Execute queries over encrypted data
Adjustable query-based encryptionI Change encryption for data items at runtime
5 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
LIMITATIONS
Does not ensureI IntegrityI FreshnessI Completeness
Does not cover attacks on user machines
6 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ARCHITECTURE
7 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
8 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
INTUITION
Many cryptosystems availableDifferent security levels
I IND-CPAI IND-CCA
Different allowed computationsI Equality comparisonI OrderingI Summation
Use the most secure cryptosystem thatallows the desired computation over thedata item
9 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
RANDOM (RND)
Different ciphertexts for the same plaintextMaximum security in CryptDB
I IND-CPA
Does not allow computationsConstructed using AES/Blowfish with arandom initialization vector (IV)
10 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DETERMINISTIC (DET)
Same ciphertext for the same plaintextLeaks which items are repeated
I But not the valuesAllows equality checks
I SELECT with equality predicates, GROUP BY,COUNT, DISTINCT, etc
Constructed using AES/Blowfish
11 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ORDER-PRESERVING ENCRYPTION(OPE)
Random mapping that preserves orderI If x < y, then OPEK(x) < OPEK(y)
Allows range queries and orderingI ORDER BY, MIN, MAX, etc
Leaks order between data items
12 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
HOMOMORPHIC ENCRYPTION(HOM)
IND-CPA that allows computationsFully HOM is very slow
I Slowdowns on the order of 109
Constructed using Paillier cryptosystemI HOMK(x)×HOMK(y) = HOMK(x + y)I Allows SUM aggregates
13 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ADJUSTABLE JOIN (JOIN-ADJ)
Join columns with the same encryptionPrevent join without requestJOIN(x) = JOIN-ADJ(x)||DET(x)
I JOIN-ADJ is non-invertibleI Can obtain x by decrypting DET(x)I Can join columns by using JOIN-ADJ(x)
14 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
WORD SEARCH (SEARCH)
Searches on encrypted textI Allows LIKE operationsI Does not support regular expressions
Nearly as secure as RNDI Leaks the number of duplicated words
15 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
16 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
INTUITION
Different encryption modelsI Different security levelsI Allow different computations
Balance between security and functionalityAdjust the encryption at runtime
17 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ONION MODEL
Each data item has layers of encryptionI Layers form an onion
18 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DATA LAYOUT
Multiple onions for one data item
19 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DECRYPTION OF ONIONSThe proxy issues a decryption using UDFs
I User Defined Functions
Speeds up subsequent queries
Example
Decrypt onion Ord of column 2 in Table1:UPDATE Table1 SET C2-ORD =
DECRYPT RND(K,C2-ORD,C2-IV)20 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DECRYPTION OF ONIONSThe proxy issues a decryption using UDFs
I User Defined Functions
Speeds up subsequent queries
Example
Decrypt onion Ord of column 2 in Table1:UPDATE Table1 SET C2-ORD =
DECRYPT RND(K,C2-ORD,C2-IV
Decryption from RNDrequires the initializa-tion vector (IV)
)20 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:SELECT ID FROM EmployeesWHERE Name = ’Alice’
1 - Lower encryption of Name to DET:UPDATE Table1 SET C2-Eq =DECRYPT RND(KT1,C2,Eq,RND,C2-Eq,C2-IV)
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:SELECT ID FROM EmployeesWHERE Name = ’Alice’
1 - Lower encryption of Name to DET:UPDATE Table1 SET C2-Eq =DECRYPT RND(KT1,C2,Eq,RND
Key for decryptinglayer RND, of onionEq, of column C2, ontable T1
,C2-Eq,C2-IV)
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:SELECT ID FROM EmployeesWHERE Name = ’Alice’
1 - Lower encryption of Name to DET:UPDATE Table1 SET C2-Eq =DECRYPT RND(KT1,C2,Eq,RND,C2-Eq,C2-IV)
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:SELECT C1-Eq, C1-IV FROM Table1WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the finalresult: 23.
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:SELECT C1-Eq, C1-IV
Requires the initializa-tion vector (IV) to de-crypt layer RND
FROM Table1WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the finalresult: 23.
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:SELECT C1-Eq, C1-IV FROM Table1WHERE C2-Eq = ’x7..d’
Encryption of thevalue ’Alice’ withlayers JOIN and DET
3 - Decrypt results using keys KT1,C1,Eq,RND,KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the finalresult: 23.
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:SELECT C1-Eq, C1-IV FROM Table1WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the finalresult: 23
Decrypts three layersto obtain the plaintext
.
21 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPROVING SECURITY
Minimum number of layersI Specify the lowest layer revealed
Onion re-encryptionI Re-encrypt onions after infrequent queries
22 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPROVING PERFORMANCE
Training modeI Obtain correctly adjusted layers
Cyphertext pre-computing and cachingI Encryption of HOM and OPE are expensiveI Pre-computes and caches frequent constants
for HOM and OPE under different keys
23 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
24 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPLEMENTATION
C++ library: 18.000 linesLua module: 150 linesMySQL 5.1NTL library
I Cryptographic implementation
25 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ENVIRONMENT
ServerI Node with two 2.46Ghz Intel Xeon E5620
4-coresI 12GB RAM
Proxy and clientsI Node with eight 2.4Ghz AMD Opteron 8431
6-coresI 64GB RAM
All workloads fit in the server’s RAM
26 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
PERFORMANCE
Using TPC-C workload21% to 26% slower than plaintext MySQL
27 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
PERFORMANCE PER QUERY TYPE
Slower for queries involving HOM (SUM)
28 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
LATENCYOverall server latency increased by 20%Proxy adds 0.6ms
I 23% in encryption and decryptionI 24% in MySQL proxyI 53% in parsing and processing
29 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
STORAGE
Increased required storageI Multiple onions per fieldI Some ciphertexts are larger than plaintexts
– HOM maps 32 bits integer to 2048 bits
Increased size by 3.76 times using TPC-C
30 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
31 / 32
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
CONCLUSION
Provide practical confidentialityDeal with two threat models
I Curious DBAsI Compromise of DBMS server
Main pointsI SQL-Aware encryptionI Adjustable encryption
Modest performance penaltyI 14.5% to 26%
32 / 32