Date post: | 15-Jul-2015 |
Upload: | nu-the-open-security-community |
Secure databases in the cloud
Vasily Sidorov
@bazzilic
http://bazzilic.me/
Benefits of the Cloud
Price
Cloud could be significantly cheaper.
[Chart: consumed vs. available capacity]
Benefits of the Cloud
Flexibility
Quick adaptation to growth or peaks.
[Chart: consumed vs. available capacity]
Problems of the Cloud
Information Security
Machines and services are out of our control
– Configuration, isolation, firewalls, etc.
– What security policies are in place?
– Is the cloud service provider telling the truth?
– Cloud service provider itself is a threat!
What is the “Security” in Data Security?
CIA
– Confidentiality
• Authorized reading of data
– Integrity
• Authorized writing of data
• Data is not corrupted
– Accessibility
• Data is not deleted
• Connectivity issues, servers downtime, etc.
What is the “Data” in Data Security?
The three states of digital data:
– Data at Rest
• Disk encryption
• Crypto containers
– Data in Use
– Data in Motion
• SSL/TLS
Database Security SotA
[Table: Confidentiality, Integrity and Accessibility (rows) against Data at Rest, Data in Motion and Data in Use (columns)]
Encryption of database files (TDE)
– SQL Server, Oracle, 3rd party solutions
– Data is decrypted when loaded
– The DBMS knows the key!
Processing of Encrypted Data
• Decrypt the data
• Deterministic encryption for search and simple joins
• What if we can do something with encrypted data itself?
Homomorphic Encryption
Homomorphic encryption preserves at least one operation: addition, multiplication, etc.
For addition: $\exists\, g(\cdot)$ such that $\forall a, b \in \mathbb{N}$:
$a + b = D(g(E(a), E(b)))$
Examples: Paillier, ElGamal, BGN, RSA.
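An added example, not part of the original slides: a toy Paillier implementation showing the additive property above, where g is multiplication of ciphertexts modulo n². The function names, the small primes and the salary column are constructed for illustration; the g = n + 1 key setup is a common simplification, and the primes are far too small for real use.

```python
import math
import secrets

def keygen(p, q):
    """Key pair from primes p, q, using the common g = n + 1 simplification."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # inverse of L(g^lam mod n^2) = lam when g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """E(m) = (n+1)^m * r^n mod n^2 with fresh random r: probabilistic."""
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) // n."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def g(n, c1, c2):
    """The slide's g: multiplying ciphertexts adds the plaintexts (mod n)."""
    return c1 * c2 % (n * n)

def server_sum(n, column):
    """What an untrusted DBMS can run: SUM over ciphertexts, public n only."""
    total = 1  # 1 is a valid encryption of 0 (m = 0, r = 1)
    for c in column:
        total = g(n, total, c)
    return total

# Constructed demo data; toy primes, far too small for real use.
N, PRIV = keygen(1000003, 1000033)
SALARIES = [4200, 3100, 5750, 2980]

if __name__ == "__main__":
    column = [encrypt(N, s) for s in SALARIES]      # client side
    print(decrypt(N, PRIV, server_sum(N, column)))  # client side
```

The server never sees the private key, and the result is only correct while the true sum stays below n. Because each encryption uses a fresh r, equal plaintexts give different ciphertexts, so this scheme supports aggregation but not the equality search that deterministic encryption allows.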
Fully Homomorphic Scheme
Has been a holy grail of cryptography for decades – an encryption scheme that preserves both addition and multiplication.
In 2009 Craig Gentry developed a fully homomorphic scheme while doing his PhD at Stanford University.
It still appears to be completely impractical.
Order-Preserving Encryption
Similar in concept to homomorphic encryption, OPE lets us tell which of two ciphertexts holds the greater (lesser) number.
Allows us to do range queries.
Searching through Encrypted Data
One of the most developed directions in the field with multiple different approaches.
CryptDB
Has been in development at MIT since 2011.
Invented “onion” encryption
Directions of Research
• Support full SQL over encrypted data
• Multiple users with separate access scopes
– Separation/scoping of access by encryption
• Performance
– General performance improvements
– Task- or scope-specific performance (OLTP, OLAP, specific query types)
• Accessibility and Integrity
References
1. The three states of digital data: http://aspg.com/three-states-digital-data/
2. Oracle database file encryption: http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html
3. SQL Server database file encryption: https://msdn.microsoft.com/en-us/library/bb934049.aspx
4. Homomorphic encryption: http://en.wikipedia.org/wiki/Homomorphic_encryption
5. Craig Gentry’s fully homomorphic encryption: http://crypto.stanford.edu/craig/craig-thesis.pdf
6. Implementation of Craig Gentry’s scheme in C: https://github.com/shaih/HElib
7. Executing SQL over Encrypted Data in the Database-Service-Provider Model: http://www.ics.uci.edu/~chenli/pub/sigmod02.pdf
8. CryptDB: https://css.csail.mit.edu/cryptdb/