CryptDB Protecting Confidentiality with Encrypted Query Processing - - PowerPoint PPT Presentation

CryptDB

Protecting Confidentiality with Encrypted Query Processing Katarzyna Baranowska

University of Warsaw

January 21, 2012

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Why secure data?

Medical data Contact data Payment Personal evaluation and recommendations Company data

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Posible threats

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Posible threats

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Posible threats

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Posible threats

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Needs moving application logic to users

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Needs moving application logic to users Not effective if apllication computes over large amount of data

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Needs moving application logic to users Not effective if apllication computes over large amount of data

Use fully homomorphic encryption, which allows servers to compute functions over encrypted data

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Needs moving application logic to users Not effective if apllication computes over large amount of data

Use fully homomorphic encryption, which allows servers to compute functions over encrypted data

Very slow

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Other solutions

Encrypt and decrypt data at users side

Needs moving application logic to users Not effective if apllication computes over large amount of data

Use fully homomorphic encryption, which allows servers to compute functions over encrypted data

Very slow Very expensive

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threat 1

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threat 1

SQL-aware encryption strategy (symmertic keys)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threat 1

SQL-aware encryption strategy (symmertic keys) Adjustable query-based encryption (onions of encryption)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threat 1

SQL-aware encryption strategy (symmertic keys) Adjustable query-based encryption (onions of encryption)

Threat 2

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB solution

Threat 1

SQL-aware encryption strategy (symmertic keys) Adjustable query-based encryption (onions of encryption)

Threat 2

Chaining encryption keys to user passwords

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Dealing with curious DBA

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Dealing with curious DBA

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Dealing with curious DBA

UPDATE Table1 SET C2-Ord = DECRYPT RND(K, C2-ORD, C2-IV)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV JOIN : keyed cryptographic hash, with the additional property that hashes can be adjusted to change their keys without access to the plaintext (JOIN-ADJ)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV JOIN : keyed cryptographic hash, with the additional property that hashes can be adjusted to change their keys without access to the plaintext (JOIN-ADJ) OPE (order-preserving encryption): random mapping that preserves order, never before implemented

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV JOIN : keyed cryptographic hash, with the additional property that hashes can be adjusted to change their keys without access to the plaintext (JOIN-ADJ) OPE (order-preserving encryption): random mapping that preserves order, never before implemented OPE-JOIN: must be known a priori, but is rare (50 out of 128,840 columns)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV JOIN : keyed cryptographic hash, with the additional property that hashes can be adjusted to change their keys without access to the plaintext (JOIN-ADJ) OPE (order-preserving encryption): random mapping that preserves order, never before implemented OPE-JOIN: must be known a priori, but is rare (50 out of 128,840 columns) HOM (homomorphic encryption): Paillier cryptosystem for summation

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

RND (random): AES-CBC, Blowfish (for integers) with IV DET (deterministic): AES-CMC, Blowfish without IV JOIN : keyed cryptographic hash, with the additional property that hashes can be adjusted to change their keys without access to the plaintext (JOIN-ADJ) OPE (order-preserving encryption): random mapping that preserves order, never before implemented OPE-JOIN: must be known a priori, but is rare (50 out of 128,840 columns) HOM (homomorphic encryption): Paillier cryptosystem for summation SEARCH (word search): protocol of Song et al.

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Used alorithms

OPE can be speeded up by caching frequently used constants

• ver diffrent keys

HOM encryption can be speeded up by precomputing Paillier rn randomness

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode Onion re-encryption

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode Onion re-encryption

Performance Optimizations

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode Onion re-encryption

Performance Optimizations

Developer Annotations

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode Onion re-encryption

Performance Optimizations

Developer Annotations Known query set

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB features

Security improvements

Minimum onion layers In-proxy processing Training mode Onion re-encryption

Performance Optimizations

Developer Annotations Known query set Precomputing and caching for OPE and HOM

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

CryptDB structure

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Environment used for tests

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Environment used for tests

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Throughput 1

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Throughput 2

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Throughput 2

SUM (2x less) and UPDATE (1.6 less) requires HOM additions at server

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Processing times

Proxy* - without precomputing and caching optimization

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Processing times

CryptDB adds an average of 0.60ms to a query 24% is spent in MySQL proxy 23% is spent in encryption and decryption 53% is spent parsing and processing queries

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Threat 2

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

phpBB messages

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

phpBB posts

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

HotCRP

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Key Chaining

Each instance of each principal type has a secret, randomly choosen key (symmetric, and public/private pair)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Key Chaining

Each instance of each principal type has a secret, randomly choosen key (symmetric, and public/private pair) If B speaks for A then A’s key (symmetric and private) is encrypred with B’s key (symmetric) and stored in access keys table

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Key Chaining

Each instance of each principal type has a secret, randomly choosen key (symmetric, and public/private pair) If B speaks for A then A’s key (symmetric and private) is encrypred with B’s key (symmetric) and stored in access keys table In case, when it is imposible to encrypt with B’s symmertic key, A’s key is encrypted with public key (stored in public keys table) for reencryption in the future

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Key Chaining

Each instance of each principal type has a secret, randomly choosen key (symmetric, and public/private pair) If B speaks for A then A’s key (symmetric and private) is encrypred with B’s key (symmetric) and stored in access keys table In case, when it is imposible to encrypt with B’s symmertic key, A’s key is encrypted with public key (stored in public keys table) for reencryption in the future External principal keys are encrypted by their passwords and stored in table external keys

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Key Chaining

Each instance of each principal type has a secret, randomly choosen key (symmetric, and public/private pair) If B speaks for A then A’s key (symmetric and private) is encrypred with B’s key (symmetric) and stored in access keys table In case, when it is imposible to encrypt with B’s symmertic key, A’s key is encrypted with public key (stored in public keys table) for reencryption in the future External principal keys are encrypted by their passwords and stored in table external keys Logging in and out the users is done by INSERTs and DELETEs on table cryptdb active with two columns username and password

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum HotCRP conference review application

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum HotCRP conference review application grad-apply raduate admissions system used by MIT EECS

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum HotCRP conference review application grad-apply raduate admissions system used by MIT EECS OpenEMR electronic medical records application

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum HotCRP conference review application grad-apply raduate admissions system used by MIT EECS OpenEMR electronic medical records application MIT 6.02 application storing students grades

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested applications

phpBB open souce forum HotCRP conference review application grad-apply raduate admissions system used by MIT EECS OpenEMR electronic medical records application MIT 6.02 application storing students grades PHP-calendar - an online organizer

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested SQL sources

TPC-C SQL queries centered around the principal activities (transactions) of an order-entry environment (entering and delivering orders, recording payments, checking the status of orders, monitoring the level of stock at the warehouses, etc)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested SQL sources

TPC-C SQL queries centered around the principal activities (transactions) of an order-entry environment (entering and delivering orders, recording payments, checking the status of orders, monitoring the level of stock at the warehouses, etc) sql.mit.edu a 10 days trace from schared database of web and MIT applications

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Tested SQL sources

TPC-C SQL queries centered around the principal activities (transactions) of an order-entry environment (entering and delivering orders, recording payments, checking the status of orders, monitoring the level of stock at the warehouses, etc) sql.mit.edu a 10 days trace from schared database of web and MIT applications

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Implementation

Lua module (150 lines of code) C++ library (18 000 lines of code)

Query parser Query encryptor/rewriter Decryption module

Test code (10 000 lines of code)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Implementation

Lua module (150 lines of code) C++ library (18 000 lines of code)

Query parser Query encryptor/rewriter Decryption module

Test code (10 000 lines of code)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Speed (phpBB example)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns:

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns: 222 use bitwise operator in WHERE clause or in aggregation (mostly for checking permissions)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns: 222 use bitwise operator in WHERE clause or in aggregation (mostly for checking permissions) 205 use string processing in where clause (mostly for case insensitive match)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns: 222 use bitwise operator in WHERE clause or in aggregation (mostly for checking permissions) 205 use string processing in where clause (mostly for case insensitive match) 76 use mathematical transformations in WHERE clause (dates, times, scores, coordinates)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns: 222 use bitwise operator in WHERE clause or in aggregation (mostly for checking permissions) 205 use string processing in where clause (mostly for case insensitive match) 76 use mathematical transformations in WHERE clause (dates, times, scores, coordinates) 41 use LIKE to check data over a pattern (IP adresses, usernames, URLs, etc)

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Functionality

CryptDB encrypts 99.5% of columns (571 of 128 840). Of 571 columns: 222 use bitwise operator in WHERE clause or in aggregation (mostly for checking permissions) 205 use string processing in where clause (mostly for case insensitive match) 76 use mathematical transformations in WHERE clause (dates, times, scores, coordinates) 41 use LIKE to check data over a pattern (IP adresses, usernames, URLs, etc) 27 other

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Security

MinEnc from strongest to weakest: RND and HOM SEARCH DET and JOIN OPE HIGH encryption means RND, HOM and DET for columns with no repetitions

Threats Threat 1 Speed Evaluation Threat 2 More Evaluation

Source code is available for research purposes

• nly

at g.csail.mit.edu/cryptdb. It can be accesed using git. Notes on how to build CryptDB can be found in doc/BUILD, and several examples

• f how to run CryptDB in doc/README.

We are actively developing CryptDB. In particular, we are currently transitioning the code to perform more generic query parsing and rewriting, based on the native parser from the MySQL server. We will announce any significant changes to CryptDB on the cryptdbannounce mailing list css.csail.mit.edu/cryptdb/