Chip-Secured Data Access: Confidential Data on Untrusted Servers (PowerPoint PPT presentation)



SLIDE 1

Chip-Secured Data Access:

Confidential Data on Untrusted Servers

  • L. Bouganim, P. Pucheral

University of Versailles

SLIDE 2

The need for Open Trusted Data Stores

  • Virtual teams

– distributed among space, time and organizations
– collaborative work on confidential data
– e.g., cyberworkers.com …

  • Shared personal folders

– accessible anywhere, anytime, and shared by authorized persons
– e.g., primadoctor.com …

  • Corporate DB hosted by a DSP (Database Service Provider)

– permanent access for travelling salesmen
– e.g., caspio.com, quickbase.com ...

SLIDE 3

Attackers

  • Intruder

– tries to attack the DB footprint or usurp the identity of a regular user (or DBA)

  • Insider

– tries to get information exceeding her own access rights

  • Administrator (SA or DBA)

– has enough privileges to tamper with the access right definitions and to spy on the DBMS behavior

⇒ Encryption is required (the DB footprint must not be readable in clear)
⇒ Access rights can be bypassed (the administrator can redefine them)

SLIDE 4

Server-based approach

  • DB footprint protected by encryption

– Oracle Obfuscation toolkit, ...

  • Restrict the DBA privileges, … as far as possible

– Protegrity, [Ideas’01] …

Weakness = decryption occurs on the server

[Figure: the client reaches the database server over secured communications; the DBMS encrypts and decrypts the data itself on top of the encrypted database, so the intruder (by usurpation of a user's identity), the insider and the administrator all act where the data is in clear.]

SLIDE 5

Client-based approach

  • Decryption on the client

– who owns the keys ?

  • Privacy (exclusive access)

– the client manages the keys
– efficiency is the main concern [Sigmod’02]

  • Confidentiality (shared access)

– a security mechanism is required on the client side to manage keys and access rights

Weakness = the client can tamper with the security mechanism

[Figure: encryption and decryption now happen on the client; the client talks to the DBMS over secured communications and the server only holds the encrypted database.]

SLIDE 6

Chip-Secured Data Access (C-SDA)

  • Making the security mechanism tamper-resistant

– access right manager hosted by a Secured Operating Environment (SOE), e.g., a smartcard
– access rights defined on views

  • query translation in the SOE
  • part of query execution in the SOE

[Figure: clients C1 and C2 each reach the DBMS through their own C-SDA instance, which runs inside the Secured Operating Environment.]

SLIDE 7

Equi-Predicate-Only Queries

  • Traveling salesman asks for customers living in France
  • Equi-Predicate-Only query

– 100% processed by the server
– result decrypted by C-SDA

X.com Privacy Policy: X.com does not rent, sell, or share personal information about its customers with other people or companies.

[Figure: the salesman's query

    Select * from Customers where Nation = «France»

goes through C-SDA (ACCESS RIGHTS → TRANSF° → DECRYPT) and reaches the DBMS translated over the encrypted table, column and constant names of the encrypted database:

    Select * from lqskdqs where sdeef = "zarevgzd"

The server answers with encrypted rows, which C-SDA decrypts into:

    Id  name  Nation  Type
    19  Joe   France  bad
    22  Jim   France  good
]

SLIDE 8

General Queries

  • Traveling salesman asks for the total amount of orders passed by customer #22
  • Aggregation must be computed on decrypted data by C-SDA

X.com Privacy Policy: X.com vendors cannot access detailed information about customers' orders, but can get statistical data about them.

[Figure: the query

    Select sum(amount) from orders where CustId = 22

goes through C-SDA (ACCESS RIGHTS → TRANSF° → DECRYPT → COMPUTE). The DBMS only receives the translated query

    Select ygefh from iuzgs where lpaszj = "euys"

and returns the encrypted amounts (column ygefh) from the encrypted database; C-SDA decrypts them and computes Sum = 1200.]

SLIDE 9

Smartcard’s Characteristics

  • Cheap and highly secure computer

– powerful RISC processor (≈ 40 MIPS)
– limited communication bandwidth (10 to 100 Kbps)
– tiny RAM; writes to EEPROM (stable storage) are very costly

  • Impact on C-SDA

– internal processing must be done in a pipeline
– processing must be pushed down to the server
– data flows must be minimized

[Figure: smartcard chip: 32-bit processor, 4 KB RAM, ROM, EEPROM, security blocks, I/O.]

SLIDE 10

Query decomposition

  • Q = Qterm ∘ Qcard ∘ Qserver

– Qserver: the equi-predicate-only part of the query, processed by the server
– Qcard: inequi-predicates, aggregations ..., processed by C-SDA in the smartcard
– Qterm: presentation, processed on the terminal

Example query:

    SELECT C.Id, C.name, sum(O.amount)
    FROM Customers C, Orders O
    WHERE C.Id = O.CustId and O.date > 1996
    GROUP BY C.Id, C.name
    HAVING count(*) >= 10
    ORDER BY C.name

SLIDE 11

Query optimization : example

  • Minimize the flow of irrelevant data traversing the card

  • Inequi-predicates

– evaluated by a subquery
– result semi-joined with the initial table

[Figure: query plan for the example. Orders is projected on date (π date) and only that column is sent through the card, which decrypts it, applies σ date > 1996 and re-encrypts the qualifying values; the server semi-joins Orders with that result and then joins it with Customers on CustId = Id.]
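The following Python program is an added worked example; it is not code from the slides or from the authors' C-SDA prototype. It plays the two roles of slides 7, 8, 10 and 11 in one process: an in-memory sqlite3 database stands in for the DSP's server and only ever sees ciphertext, while a handful of functions stand in for the card (access-right check, query translation, decryption, aggregation). Everything not on the slides is assumed: the keys, the keyed pseudonyms for table and column names, a deterministic (synthetic-IV) value cipher built from stdlib hashing as a stand-in for an AES-SIV mode, the `RIGHTS` policy, and the constructed sample data (chosen so that customer 22's orders total 1200, as on slide 8). Deterministic encryption is what makes the equi-predicate of slide 7, the equi-join of slide 10 and the semi-join of slide 11 evaluable on the server, and it is also exactly the equality leakage the scheme accepts.

```python
import ast
import hashlib
import hmac
import sqlite3
from collections import defaultdict

# Keys are assumed for the example. In C-SDA they live only in the smartcard (the SOE).
K_NAME = b"example-key-for-names"
K_ENC = b"example-key-for-values"

def pseudonym(name):
    """Keyed, deterministic renaming of table and column names ('Customers' -> 'lqskdqs')."""
    return "c" + hmac.new(K_NAME, name.encode(), hashlib.sha256).hexdigest()[:10]

def _keystream(iv, n):
    return b"".join(hashlib.sha256(K_ENC + iv + bytes([i])).digest() for i in range(n // 32 + 1))

def encrypt(value):
    """Deterministic (synthetic-IV) encryption of one value: equal plaintexts give equal
    ciphertexts, so the server can evaluate equi-predicates and equi-joins on ciphertext.
    Stdlib stand-in for an AES-SIV mode so the example runs offline; not for production."""
    pt = repr(value).encode()
    iv = hmac.new(K_ENC, pt, hashlib.sha256).digest()[:12]
    return iv + bytes(a ^ b for a, b in zip(pt, _keystream(iv, len(pt))))

def decrypt(ct):
    """Inverse of encrypt; the synthetic IV doubles as an integrity tag."""
    iv, body = ct[:12], ct[12:]
    pt = bytes(a ^ b for a, b in zip(body, _keystream(iv, len(body))))
    if not hmac.compare_digest(hmac.new(K_ENC, pt, hashlib.sha256).digest()[:12], iv):
        raise ValueError("ciphertext was tampered with")
    return ast.literal_eval(pt.decode())

SCHEMA = {"Customers": ["Id", "name", "Nation", "Type"],
          "Orders": ["CustId", "date", "amount"]}
# Constructed sample data, loosely following the slides (customer 22's orders total 1200).
PLAIN = {
    "Customers": [(19, "Joe", "France", "bad"), (22, "Jim", "France", "good"),
                  (31, "Ann", "Italy", "good")],
    "Orders": [(22, 1997, 100)] * 12 + [(19, 1997, 50)] * 2 + [(19, 1995, 500)]
              + [(31, 1995, 30)] * 11 + [(31, 1998, 70)],
}

def load_server():
    """The DSP's database: it only ever receives encrypted names and values."""
    db = sqlite3.connect(":memory:")
    for table, cols in SCHEMA.items():
        db.execute(f"CREATE TABLE {pseudonym(table)} ({', '.join(pseudonym(c) + ' BLOB' for c in cols)})")
        db.executemany(f"INSERT INTO {pseudonym(table)} VALUES ({','.join('?' * len(cols))})",
                       [tuple(encrypt(v) for v in row) for row in PLAIN[table]])
    return db

SERVER = load_server()

# Assumed view-based policy: the salesman may read Customers rows but only aggregates of Orders.
RIGHTS = {"salesman": {"Customers": "rows", "Orders": "aggregate"}}

def authorize(user, table, aggregate):
    """Access-right check inside the SOE, before any translation happens."""
    right = RIGHTS.get(user, {}).get(table)
    if right is None or (right == "aggregate" and not aggregate):
        raise PermissionError(f"{user} may not read {table} rows")

def server_equi(table, col, value):
    """Qserver for an equi-predicate: the translated query runs entirely on the server."""
    sql = f"SELECT * FROM {pseudonym(table)} WHERE {pseudonym(col)} = ?"
    return SERVER.execute(sql, (encrypt(value),)).fetchall()

def equi_query(user, table, col, value):
    """Slide 7: ACCESS RIGHTS -> TRANSF -> server -> DECRYPT."""
    authorize(user, table, aggregate=False)
    return [tuple(decrypt(c) for c in row) for row in server_equi(table, col, value)]

def sum_orders(user, cust_id):
    """Slide 8: equi-predicate on the server, aggregation on decrypted data in the card."""
    authorize(user, "Orders", aggregate=True)
    amount = SCHEMA["Orders"].index("amount")
    return sum(decrypt(row[amount]) for row in server_equi("Orders", "CustId", cust_id))

def report(user, after_year, min_orders):
    """Slides 10-11: Q = Qterm o Qcard o Qserver for the GROUP BY / HAVING / ORDER BY query."""
    authorize(user, "Customers", aggregate=False)
    authorize(user, "Orders", aggregate=True)
    C, O = pseudonym("Customers"), pseudonym("Orders")
    Id, name, cust, date, amount = map(pseudonym, ("Id", "name", "CustId", "date", "amount"))
    # Qcard subquery (slide 11): only the date column crosses the card; the qualifying
    # dates go back encrypted so the server can semi-join Orders with them.
    dates = SERVER.execute(f"SELECT DISTINCT {date} FROM {O}").fetchall()
    keep = [d for (d,) in dates if decrypt(d) > after_year]
    if not keep:
        return []
    # Qserver: equi-join on ciphertext plus the semi-join, still 100% on the server.
    sql = (f"SELECT C.{Id}, C.{name}, O.{amount} FROM {C} C JOIN {O} O ON C.{Id} = O.{cust} "
           f"WHERE O.{date} IN ({','.join('?' * len(keep))})")
    # Qcard: decrypt the flow, then GROUP BY / sum / HAVING on plaintext.
    groups = defaultdict(lambda: [0, 0])
    for cid, cname, amt in SERVER.execute(sql, keep):
        total = groups[(decrypt(cid), decrypt(cname))]
        total[0] += decrypt(amt)
        total[1] += 1
    rows = [(cid, cname, s) for (cid, cname), (s, n) in groups.items() if n >= min_orders]
    # Qterm: presentation (ORDER BY C.name) on the terminal.
    return sorted(rows, key=lambda r: r[1])
```

`equi_query("salesman", "Customers", "Nation", "France")` reproduces slide 7, `sum_orders("salesman", 22)` slide 8 (1200), and `report("salesman", 1996, 10)` the slide 10 query with the slide 11 semi-join. Note what the card never does: it never ships whole Orders rows through itself to evaluate `date > 1996`, only the distinct encrypted dates, and it refuses `equi_query` on Orders because the assumed policy grants that table as aggregate-only.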

SLIDE 12

Conclusion

  • Other contributions exploiting the smartcard’s storage

– insulate highly sensitive data
– database depersonalization
– multiple key repository

  • Future works

– performance assessment
– experimentation in the EDI context
  • funded by the French ANVAR agency
  • extends C-SDA towards XML databases
– impact of the SOE technology on query optimization