1. 1 SECURE DATABASE OUTSOURCING ALLA LANOVENKO ADVISIOR: DR. HUIPING GUO CALIFORNIA STATE UNIVERSITY LOS ANGELES 03-19-2007

2. 2 Outline Database-As-A-Service Model (DAS) – Overview of the DAS Model – Advantages and Disadvantages of DAS Model Related Work on Secure Database Outsourcing Suggested Dynamic Group Key Management Schema for Outsourced Databases Conclusion

3. 3 Database-As-A-Service Model (DAS) Data owner: an organization that produces data to be made available for controlled external release. User: an organization or human entity that presents requests (queries) to the system and transforms this queries into queries on the encrypted data stored on the server. Server: an organization that receives the encrypted data from a data owner and makes them available for distribution to users.

4. 4 Advantages of DAS Model Saves organizations hardware and software resources Reduce database cost A way for organizations to share the expertise of the database professionals Promises higher availability and more effective disaster protection plan.

5. 5 Disadvantages of the DAS Model Security – Data confidentiality : outsiders and the server cannot see the owner’s database contents in any case. Users of the database have only partial access to the outsourced data, they can only access the permitted data by the owner. – Owner privacy : database owner does not want the server to know about the queries and the returned results. – Authentication and data integrity : users must be ensured that data returned from the untrusted server is originated from the data owner and has not been tampered with.

6. 6 Outline Database-As-A-Service Model Related Work on Secure Database Outsourcing – Query Execution Techniques for Outsourced Databases – Access Control Mechanism for Outsourced Databases Suggested Dynamic Group Key Management Schema for Outsourced Databases Conclusion

7. 7 Query Execution Techniques for Outsourced Databases To store only encrypted data do not work because it would enable external service provider to support selective access. Since confidentiality demands that data decryption must be possible only at the client side different techniques were presented to enable external servers to execute queries on encrypted data. Proposed query execution techniques to select the data to be return in responds to a query without the need of decrypting the data themselves based on storing together with the encrypted data additional indexing information [1, 2,13, 16, 17].

8. 8 Query Execution Techniques for Outsourced Databases index of range technique proposed by Mehrotra, Li and Iyer for both equality and range predicate query.

9. 9 Query Execution Techniques for Outsourced Databases Basic idea of how index of range technique works: – Employee(eid, ename, salary, addr, did) – Employee S (etuple, eid S, ename S, salary S, addr S, did S ) on server side – Partition of attribute eid Employee [0, 200] = 2, [200, 400] = 7, [400, 600] = 5, [600, 800] = 1 and [800, 1000] = 4 – To retrieve record of the employee whose employee id = 320 SELECT * from Employee map to SELECT * from Employee WHERE eid = “320” WHERE eid = 7

10. 10 Query Execution Techniques for Outsourced Databases The Other Query Execution Techniques : – in [1, 13] proposed a hash-based method suitable for selection queries – in [3] order preserving encryption schema (OPES) is presented to support equality and range query. This approach operates only on integer value – in [10] proposed techniques for performing arithmetic operations ( +, -, *, / ) on encrypted data and do not consider comparison operations. – [4, 5] proposed execution of aggregation queries over encrypted data Limitation of the proposed techniques: they are protecting data at the server side, and provides complete access to the database contents on the client side.

11. 11 Access Control Mechanism for Outsourced Databases Proposed by Damiani, Foresti, Samarati and others prof. of University of Milan, access control mechanism exploit data encryption by including authorization in the encrypted data themselves. In this way it is enforce access restriction to deferent users, sets of users, or applications. Access Control Mechanism for outsourced databases proposed a different method that consists in grouping users with the same access privileges and in encrypting each groupof tuples with the key associated with the set of users that can access it. Mechnism limited to the static groups. Can not be directly applied to the dynamic groups. In this case outsourced database has to be re-encrypted each time group membership changes.

12. 12 Outline Database-As-A-Service Model Related Work on Secure Database Outsourcing Suggested Dynamic Group Key Management Schema for Outsourced Databases – System Description – System Architecture – Group Key Distribution Model – Query Processing – Experiment Conclusion

13. 13 Suggested Dynamic Group Key Management Schema for Outsourced Databases The thesis proposes a dynamic group key management schema for outsourced databases. The proposed schema is performing scalable encryption/decryption algorithm at the server side and the client side using key pair generated from the group keys based on most widely used Rivest-Shamir-Adelman (RSA) cryptographic algorithm. In case of dynamic group, proposed schema solves database re-encryption problem in the event when group membership changes dynamically. It efficiently solves the security problems: data confidentiality and owner privacy.

14. 14 System Description All the users of the outsourced database are divided into different groups based on access privilege. Users with the same access privilege can access the same part of the outsourced data. Each group of database users has pair of keys: – Encryption key K GRe – Decryption key key K GRd – Mod n which are generated by the database owner using RSA algorithm, K GRe and K GRd are secret to the group members.

15. 15 System Description Group encryption key K GRe is used by the database owner to encrypt tuples in the database. – C = E KGRe [ Data ] mod n Group decryption key K GRd is used by the owner to randomly generate a pair of group subkeys K GRd1 and K GRd2 such that – Data = D KGRd [ C ] mod n – Data ’ = D KGRd1 [ D KGRd2 [ C ] ] mod n Data = Data ’

16. 16 System Architecture Proposed group key distribution schema uses centralized setting. Includes tree entities: – Database owner: is responsible for producing, distributing, managing and updating group keys. – Group User: decrypts the result from the server using the first part of the group decryption subkey K GRd1 in the decryption algorithm in order to get the plaintext result. – Server: is responsible for producing the query result on the encrypted database, decrypting the result with the second part of the group decryption subkey K GRd2 and sending encrypted result to the group user.

17. 17 Group Key Distribution Model Three phases in the system: initialization, adding new group member, and evicting existing group member. Initialization Phase: – Establishes group keys. – Performed by the database owner: uses RSA cryptographic algorithm to generate two keys: group encryption key (K GRe, mod n) and group decryption key (K GRd, mod n). splits decryption key K GRd on two parts and produces two group subkeys K GRd1 and K GRd2.

18. 18 Group Key Distribution Model db owner sends to each user U i  GR i a subkey K GRd1 and modulus n. Group members hold a group subkey K GRd1 and mod n as their secret key. db owner sends to the server a group subkey K GRd2. The Server holds a group subkey K GRd2 as group GR i secret key. db owner encrypts set of tuples with group GR i encryption key (K GRe, mod n) and store them in the outsourced database.

19. 19 Group Key Distribution Model Adding a Group Member

20. 20 Group Key Distribution Model Evicting a Group Member

21. 21 Query Processing

22. 22 Experiment For the experiment we used the programming language Java with the following characteristics: java version 1.4.2 Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_02-b09). We also used Microsoft Access database for the data storage. Customer k {etuple, CustomerInd, AccountInd, AmountInd, Subkey} CustomerAccountAmount$ Alice56783 Bob219095 Donna3456740 Elvis901756 Alla832410,712 Sal0153839 Original data Encrypted table

23. 23 Experiment Key distribution schema Group 1 member retrieve the Customer table – Select * from the Customer map to Select etuple from the Customer Group 2 member query result Group number Encryption keyDecryption key Subkey 1 (user side) Subkey 2 (server side) Modulus 1905448258965511021 2593107699791123701 Query Result Received by the Group 1 Member

24. 24 Experiment Group 1 Member Eviction Group numberEncryption key Decryption key Subkey 1 (user side) Subkey 2 (server side) Modulus 1 (before member eviction) 905 44825 8965 5 11021 1 (after member eviction) 905 44825 4075 11 11021 The test shows that on the select query existing group 1 users receive the same result as it shown in previous slide. However, evicted member can not access the tuples. Since Data = C KGRd mod n and Data ’ = (C KGRd1’ ) KGRd2 mod n, Data  Data ’ Evicted Group 1 Member Query Result

25. 25 Conclusion Thesis investigates a solution for implementing through cryptography a selective access policy. Based on the modification of the RSA cryptographic algorithm, the thesis proposed key management schema for outsourced databases. This schema is suitable for the dynamic environment where authorizations, users, and objects can dynamically change. We also performed implementation of our schema and presented experimental result.

26. 26 References [1] Ernesto Damiani, S. De Capitani di Vimercati, Sara Foresti, Sushil Jajodia, Stefano Paraboschi, Pierangela Samarati, Key Management for Multi-User Encrypted Databases, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 2005. [2] H. Hacig¨um¨us, B. Iyer, S. Mehrotra, and C. Li. Executing SQL over encrypted data in the database-service-provider model. In Proc. of the ACM SIGMOD’2002, Madison, WI, USA, June 2002. [3] R. Agrawal, J. Kierman, R. Srikant, and Y. Xu. Order preserving encryption for numeric data. In Proc. of ACM SIGMOD 2004, Paris, France, June 2004. [4] S. Akl and P. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer System, 1(3):239–248, August 1983. [5] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano. Public-key encryption with keyword search. In Proc. of Eurocrypt 2004, Interlaken, Switzerland, May 2004. [6] D. Boneh and M. Franklin. Identity-based encryption from the weil pairing. In Proc. CRYPTO 01, pages 213–229, 2001. [ 7] C. Boyens and O. Gunter. Using online services in untrusted environments – a privacy- preserving architecture. In Proc. of the 11th European Conference on Information Systems (ECIS ’03), Naples, Italy, June 2003. [8] R. Brinkman, J. Doumen, and W. Jonker. Using secret sharing for searching in encrypted data. In Proc. of the Secure Data Management Workshop, Toronto, Canada, August 2004. [9] A. Ceselli, E. Damiani, S. De Capitani di Vimercati, S. Jajodia, S.Paraboschi, and P. Samarati. Modeling and assessing inference exposure in encrypted databases. ACM Transactions

27. 27 References on Information and System Security (TISSEC), 8(1):119–152, February 2005. [10] E. Damiani, S. De Capitani di Vimercati, M. Finetti, S. Paraboschi, P. Samarati, and S. Jajodia. Implementation of a storage mechanism for untrusted DBMSs. In Proc. of the Second International IEEE Security in Storage Workshop, Washington DC, USA, May 2003. [11] E. Damiani, S. De Capitani di Vimercati, S. Foresti,. Jajodia, S.Paraboschi, and P.Samarati. Metadata management in outsourced encrypted databases. In Proc. of the 2nd VLDB Workshop on Secure Data Management (SDM’05), Trondheim, Norway, September 2005. [12] E. Damiani, S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati. Selective release of information in outsourced encrypted databases. Technical report, University of Milan, 2005. [13] E. Damiani, S. De Capitani di Vimercati, S. Jajodia, S. Paraboschi, and P. Samarati. Balancing confidentiality and efficiency in untrusted relational DBMSs. In Proc. of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, October 27-31 2003. [14] G. Davida, D. Wells, and J. Kam. A database encryption system with subkeys. ACM Transactions on Database Systems, 6(2):312–328, June 1981. [15] E. Goh. Secure indexes. http:// eprint.iacr.org/2003/216/. [16] H. Hacig¨um¨us, B. Iyer, and S. Mehrotra. Providing database as a service. In Proc. of 18th International Conference on Data Engineering, San Jose, CA, USA, February 2002. [17] H. Hacig¨um¨us, B. Iyer, and S. Mehrotra. Ensuring the integrity of encrypted databases in the database-as-a-service model. In DBSec, pages 61–74, 2003.

28. 28 References [18] H. Hacig¨um¨us, B. Iyer, and S. Mehrotra. Efficient execution of aggregation queries over encrypted relational databases. In Proc. of the 9th International Conference on Database Systems for Advanced Applications, Jeju Island, Korea, March 2004. [19] H. Hacig¨um¨us and S. Mehrotra. Performance-conscious key management in encrypted databases. In DBSec, pages 95–109, 2004. [20] L. Harn and H. Lin. A cryptographic key generation scheme for multilevel data security. Computers and Security, 9(6):539–546, October 1990. 21] B. Hore, S. Mehrotra, and G. Tsudik. A privacy-preserving index for range queries. In Proc. of the 30th VLDB Conference, Toronto, Canada, 2004. [22] M. Hwang and W. Yang. Controlling access in large partially ordered hierarchies using cryptographic keys. The Journal of Systems and Software, 67(2):99–107, July 2003. [23] S. MacKinnon, P.Taylor, H. Meijer, and S.Akl. An optimal algorithm for assigning cryptographic keys to control access in a hierarchy. IEEE Transactions on Computers, 34(9):797–802, September 1985. [24] E. Mykletun, M. Narasimha, and G. Tsudik. Authentication and integrity in outsourced database. In Proc. of the 11th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, February 2004. [25] R. Sandhu. Cryptographic implementation of a tree hierarchy for access control. Information Processing Letters, 27(2):95–98, April 1988.

29. 29 References [26] B. R. Waters, D. Balfanz, G. Durfee, and D. K. Smetters. Building an encrypted and searchable audit log. In Proc. of the 11th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2004. [27] M. Winslett and J. D. Ullman. Jeffrey D. Ullman speaks out on the future of higher education, startups, database theory, and more. SIGMOD Record, 30(3), 2001. [28] Alan T. Sherman and David A. McGrew. Key Establishment in Large Dynamic Groups Using One-Way Function Trees. IEEE Transactions on Software Eng., 29(5):444–458, 2003. [29] S. Castano, M.G. Fugini, G. Martella, P. Samarati. Database Security. Addison-Wesley and ACM Press 1994, ISBN 0-201-59375-0 [30] A. Umar. Information Security and Auditing in the Digital Age - A Managerial and Practical Perspective. NGE Solutions, December 2003 (e-book version) [31] E. Mykletun, M. Narasimha, G. Tsudik. Authentication and Integrity in Outsourced Databases. The 11th Annual Network and Distributed System Security Symposium – NDSS2004, San Diego, California, USA, February 5- 6, 2004 [32] RSA laboratories. http://www.rsasecurity.com/rsalabs [33] Whitfield Diffie and Martin Hellman. New Directions In Cryptography. IEEE Transactions on Information Theory, 22(6):644–645, Nov. 1976. [34] P. Atzeni, S. Ceri, S. Paraboschi, and R. Torlone. Database Systems: Concepts, Languages, and Architecture. McGraw Hill, 1999.

30. 30 Thank you!!