Overview of CryptDB

Date post: 27-Jan-2017
Upload: mateus-s-h-cruz
CryptDB: Protecting Confidentiality with Encrypted Query Processing
Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan
23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, October 2011

KDE Seminar, May 11th, 2015, Mateus Cruz
Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion

OUTLINE

1 Introduction

2 SQL-Aware Encryption

3 Adjustable Encryption

4 Experiments

5 Conclusion


OVERVIEW

- SQL queries over encrypted data
  - Security
  - Performance (low overhead)
- Dynamic encryption levels
- Protection against security threats
  1. Curious DBA
  2. Adversary compromises application or server


MAIN IDEAS

- SQL-Aware encryption
  - Execute queries over encrypted data
- Adjustable query-based encryption
  - Change encryption for data items at runtime


LIMITATIONS

- Does not ensure
  - Integrity
  - Freshness
  - Completeness
- Does not cover attacks on user machines


ARCHITECTURE


INTUITION

- Many cryptosystems available
- Different security levels
  - IND-CPA
  - IND-CCA
- Different allowed computations
  - Equality comparison
  - Ordering
  - Summation
- Use the most secure cryptosystem that allows the desired computation over the data item


RANDOM (RND)

- Different ciphertexts for the same plaintext
- Maximum security in CryptDB
  - IND-CPA
- Does not allow computations
- Constructed using AES/Blowfish with a random initialization vector (IV)


DETERMINISTIC (DET)

- Same ciphertext for the same plaintext
- Leaks which items are repeated
  - But not the values
- Allows equality checks
  - SELECT with equality predicates, GROUP BY, COUNT, DISTINCT, etc.
- Constructed using AES/Blowfish


ORDER-PRESERVING ENCRYPTION (OPE)

- Random mapping that preserves order
  - If x < y, then OPE_K(x) < OPE_K(y)
- Allows range queries and ordering
  - ORDER BY, MIN, MAX, etc.
- Leaks order between data items


HOMOMORPHIC ENCRYPTION (HOM)

- IND-CPA that allows computations
- Fully HOM is very slow
  - Slowdowns on the order of 10^9
- Constructed using Paillier cryptosystem
  - HOM_K(x) × HOM_K(y) = HOM_K(x + y)
  - Allows SUM aggregates


ADJUSTABLE JOIN (JOIN-ADJ)

- Join columns with the same encryption
- Prevent join without request
- JOIN(x) = JOIN-ADJ(x) || DET(x)
  - JOIN-ADJ is non-invertible
  - Can obtain x by decrypting DET(x)
  - Can join columns by using JOIN-ADJ(x)


WORD SEARCH (SEARCH)

- Searches on encrypted text
  - Allows LIKE operations
  - Does not support regular expressions
- Nearly as secure as RND
  - Leaks the number of duplicated words


INTUITION

- Different encryption models
  - Different security levels
  - Allow different computations
- Balance between security and functionality
- Adjust the encryption at runtime


ONION MODEL

- Each data item has layers of encryption
  - Layers form an onion


DATA LAYOUT

Multiple onions for one data item


DECRYPTION OF ONIONS

- The proxy issues a decryption using UDFs
  - User Defined Functions
- Speeds up subsequent queries

Example

Decrypt onion Ord of column 2 in Table1:

    UPDATE Table1 SET C2-ORD =
      DECRYPT_RND(K, C2-ORD, C2-IV)

  - C2-IV: decryption from RND requires the initialization vector (IV)


QUERY EXECUTION

Example

Initial query:

    SELECT ID FROM Employees
    WHERE Name = 'Alice'

1 - Lower encryption of Name to DET:

    UPDATE Table1 SET C2-Eq =
      DECRYPT_RND(K_{T1,C2,Eq,RND}, C2-Eq, C2-IV)

  - K_{T1,C2,Eq,RND}: key for decrypting layer RND, of onion Eq, of column C2, on table T1

2 - Perform the selection:

    SELECT C1-Eq, C1-IV FROM Table1
    WHERE C2-Eq = 'x7..d'

  - C1-IV: requires the initialization vector (IV) to decrypt layer RND
  - 'x7..d': encryption of the value 'Alice' with layers JOIN and DET

3 - Decrypt results using keys K_{T1,C1,Eq,RND}, K_{T1,C1,Eq,DET}, K_{T1,C1,Eq,JOIN} and obtain the final result: 23.

  - Decrypts three layers to obtain the plaintext
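
An added example, not from the slides or the CryptDB code base: the query above replayed on an in-memory table, showing that the equality predicate only starts matching once the proxy releases the RND-layer key and the server strips that layer. It assumes a two-layer onion (RND over DET, no JOIN layer), a plaintext ID column, and HMAC-SHA256 stream constructions standing in for the AES/Blowfish layers; all function names are hypothetical.

```python
import hashlib, hmac, secrets

def _ks(key, nonce, n):
    """Keystream from HMAC-SHA256 in counter mode (stdlib stand-in for AES)."""
    blocks = (hmac.new(key, b"\x01" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def det_enc(key, pt):
    """DET layer: IV is derived from the plaintext, so equal values give equal ciphertexts."""
    siv = hmac.new(key, b"\x00" + pt, hashlib.sha256).digest()[:16]
    return siv + _xor(pt, _ks(key, siv, len(pt)))

def det_dec(key, ct):
    return _xor(ct[16:], _ks(key, ct[:16], len(ct) - 16))

def rnd_layer(key, iv, data):
    """RND layer: XOR with an IV-keyed stream; the same call adds or strips it."""
    return _xor(data, _ks(key, iv, len(data)))

K_RND = secrets.token_bytes(32)  # plays K_{T1,C2,Eq,RND}
K_DET = secrets.token_bytes(32)  # plays K_{T1,C2,Eq,DET}

def insert_row(table, row_id, name):
    iv = secrets.token_bytes(16)  # stored beside the onion, as in column C2-IV
    onion = rnd_layer(K_RND, iv, det_enc(K_DET, name))
    table.append({"C1": row_id, "C2-Eq": onion, "C2-IV": iv})

def lower_to_det(table, k_rnd):
    """Server-side effect of UPDATE Table1 SET C2-Eq = DECRYPT_RND(K, C2-Eq, C2-IV)."""
    for row in table:
        row["C2-Eq"] = rnd_layer(k_rnd, row["C2-IV"], row["C2-Eq"])

def select_ids(table, det_constant):
    """Server-side SELECT C1 ... WHERE C2-Eq = <constant>; compares ciphertexts only."""
    return [row["C1"] for row in table if row["C2-Eq"] == det_constant]

def demo():
    table = []
    for row_id, name in [(23, b"Alice"), (24, b"Bob"), (25, b"Carol")]:  # constructed rows
        insert_row(table, row_id, name)
    constant = det_enc(K_DET, b"Alice")       # proxy rewrites 'Alice' to its DET ciphertext
    before = select_ids(table, constant)      # RND layer still on: nothing matches
    lower_to_det(table, K_RND)                # proxy hands over only the RND-layer key
    after = select_ids(table, constant)       # DET layer exposed: equality works
    return before, after, det_dec(K_DET, table[0]["C2-Eq"])
```

After the adjustment the column stays at DET, so the server can tell from then on which rows share a Name value, which is the leak the DET slide describes.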


IMPROVING SECURITY

- Minimum number of layers
  - Specify the lowest layer revealed
- Onion re-encryption
  - Re-encrypt onions after infrequent queries


IMPROVING PERFORMANCE

- Training mode
  - Obtain correctly adjusted layers
- Ciphertext pre-computing and caching
  - Encryption with HOM and OPE is expensive
  - Pre-computes and caches frequent constants for HOM and OPE under different keys


IMPLEMENTATION

- C++ library: 18,000 lines
- Lua module: 150 lines
- MySQL 5.1
- NTL library
  - Cryptographic implementation


ENVIRONMENT

- Server
  - Node with two 2.46GHz Intel Xeon E5620 4-cores
  - 12GB RAM
- Proxy and clients
  - Node with eight 2.4GHz AMD Opteron 8431 6-cores
  - 64GB RAM
- All workloads fit in the server’s RAM


PERFORMANCE

- Using TPC-C workload
- 21% to 26% slower than plaintext MySQL


PERFORMANCE PER QUERY TYPE

Slower for queries involving HOM (SUM)


LATENCY

- Overall server latency increased by 20%
- Proxy adds 0.6ms
  - 23% in encryption and decryption
  - 24% in MySQL proxy
  - 53% in parsing and processing


STORAGE

- Increased required storage
  - Multiple onions per field
  - Some ciphertexts are larger than plaintexts
    - HOM maps a 32-bit integer to 2048 bits
- Increased size by 3.76 times using TPC-C


CONCLUSION

- Provide practical confidentiality
- Deal with two threat models
  - Curious DBAs
  - Compromise of DBMS server
- Main points
  - SQL-Aware encryption
  - Adjustable encryption
- Modest performance penalty
  - 14.5% to 26%
