Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Similar documents
Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

MACs Message authentication and integrity. Table of contents

1 Message Authentication

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Message Authentication Code

Message Authentication Codes 133

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Lecture 9 - Message Authentication Codes

Lecture 5 - CPA security, Pseudorandom functions

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Victor Shoup Avi Rubin. Abstract

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Privacy and Security in Cloud Computing

Yale University Department of Computer Science

Talk announcement please consider attending!

SECURITY ENHANCEMENT OF GROUP SHARING AND PUBLIC AUDITING FOR DATA STORAGE IN CLOUD

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Provable-Security Analysis of Authenticated Encryption in Kerberos

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Verifiable Symmetric Searchable Encryption for Multiple Groups of Users

Post-Quantum Cryptography #4

An Efficiency Keyword Search Scheme to improve user experience for Encrypted Data in Cloud

Sharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment

1 Construction of CCA-secure encryption

Network Security Technology Network Management

VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Computational Soundness of Symbolic Security and Implicit Complexity

Security Analysis of DRBG Using HMAC in NIST SP

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Department Informatik. Privacy-Preserving Forensics. Technical Reports / ISSN Frederik Armknecht, Andreas Dewald

On the Security of CTR + CBC-MAC

Security Analysis for Order Preserving Encryption Schemes

New Efficient Searchable Encryption Schemes from Bilinear Pairings

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre


Introduction. Digital Signature

CS 758: Cryptography / Network Security

Public Key Cryptography and RSA. Review: Number Theory Basics

Symmetric Crypto MAC. Pierre-Alain Fouque

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Lecture 2: Complexity Theory Review and Interactive Proofs

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Lecture 13: Message Authentication Codes

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Advanced Cryptography

How To Understand And Understand The History Of Cryptography

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

A Secure RFID Ticket System For Public Transport

Improved Online/Offline Signature Schemes

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Efficient Unlinkable Secret Handshakes for Anonymous Communications

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

CIS433/533 - Computer and Network Security Cryptography

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA

Electronic Voting Protocol Analysis with the Inductive Method

Message Authentication Codes

Lecture 17: Re-encryption

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Private Inference Control

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

EXAM questions for the course TTM Information Security May Part 1

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Secure Deduplication of Encrypted Data without Additional Independent Servers

Master s Thesis. Secure Indexes for Keyword Search in Cloud Storage. Supervisor Professor Hitoshi Aida ( ) !!!

Fundamentals of Computer Security

Verifiable Delegation of Computation over Large Datasets

Tutorial 3. June 8, 2015

Authentication and Encryption: How to order them? Motivation

Secure Data Exchange: A Marketplace in the Cloud

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Evaluation of the RC4 Algorithm for Data Encryption

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Transcription:

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi

Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2

Outline Introduction to Database Outsourcing Query Correctness Secure Database Server Security Issues in Querying Encrypted Data Encryption Policies for Regulating Access to Outsourced Data Proxy Re-Encryption Search on Encrypted Data Security Aspects of Database Outsourcing 3

Database Outsourcing Database Outsourcing - Database As a Service: The external service provider provides mechanisms for clients to access the outsourced databases. Security Aspects of Database Outsourcing 4

Database Outsourcing Advantages: the high costs of in-house versus outsourced hosting. Outsourcing provides significant cost savings higher availability Fault Tolerance more effective disaster protection Challenges: Security: Confidentiality Integrity (=Correctness) Privacy Preserving Security Aspects of Database Outsourcing 5

DBO Model Informal: Data owner Users Service provider (server) Security Aspects of Database Outsourcing 6

DBO Model Formally: Represent client and server as interactive polynomial time Turing Machine. A client can interact with the server and issue a sequence of (Q 1,...,Q i ) that we call trace T. After executing a query Q, the client Turing Machine either outputs or, indicating whether the client accepts or rejects the server s response (denoted as D T,Q ). We write CLI T, Q, D T,Q, to denote output of the client as a result of the server s execution of trace T and query Q yielding the result D T,Q. Security Aspects of Database Outsourcing 7

Query Correctness -1 A server s response D is consistent(t, Q) if an honest server, after starting with an empty database and executing trace T honestly, would reply with D to the query Q. T, T is similar with respect to Q, (T Q T ) if the query Q yields the same answer when queried after a trace T or T (D T,Q = D T,Q ). Security Aspects of Database Outsourcing 8

Query Correctness - 2 A query mechanism is correct if the server is bound to the sequence of update requests performed by the client. Either the server responds correctly to a query or its malicious behavior is immediately detected by the client. Definition - Query Correctness A query protocol is correct, if for all traces T and T with T Q T, any query Q and server response D T,Q we have CLI T, Q, D T,Q =. Security Aspects of Database Outsourcing 9

Secure Database Server [Kantarc et al. 2005] shows how results from cryptography prove the impossibility of developing a server that meets cryptographic-style definitions of security and is still efficient enough to be practical. So, [Kantarc et al. 2005] propose a definition of a secure database server that provides probabilistic security guarantees. Security Aspects of Database Outsourcing 10

Secure Database Server - 1 Definition - Indistinguishability of Encryptions An encryption scheme with efficient key generation algorithm G, efficient encryption algorithm E and decryption algorithm D where D k (E k (x)) = x for secret key k has indistinguishable private key encryption if for every polynomial-size circuit family {C n }, every polynomial p, all sufficiently large n and every a; b 0; 1 poly(n) with equal length. Pr C n E G 1 n a = 1 Pr C n E G 1 n b = 1 < negl(n) Security Aspects of Database Outsourcing 11

Secure Database Server - 2 Any two pairs of ciphertexts and plaintexts of the same length, it must be infeasible to figure out which ciphertext goes with which plaintext. This means that any two database tables with the same schema and the same number of tuples must have indistinguishable encryptions. To be more precise, we now give a database-specific adaptation of the definitions as below: Security Aspects of Database Outsourcing 12

Secure Database Server - 3 Definition - Secure Database Server An encryption scheme (G, E, D) for database tables; consisting of key generation scheme G, encryption function E, and decryption function D; has indistinguishable encryptions if for every polynomialsize circuit family {C n }, every polynomial p, and all suciently large n, every database R 1 and R 2 {0, 1} poly(n) with the same schema and the same number of tuples (i.e., R 1 = R 2 ): Pr C n E G 1 n R 1 = 1 Pr C n E G 1 n R 2 = 1 < negl(n) Security Aspects of Database Outsourcing 13

Secure Database Server - 4 Definition - Correctness Assume database D is stored securely on a server w.r.t previous Definition. Let E(D) be the securely encrypted database and let Q be a query issued on the database. A query execution is said to be correct if given (Q, E(D)), an honest server provides a result enabling the query issuer to learn Q(D). Security Aspects of Database Outsourcing 14

Secure Database Server - 5 Definition - Privacy For every query pair Qi, Qj that run on the same set of tables over D and have the same size results, the messages m Qi, m Qj sent for executing the queries are computationally indistinguishable if for every polynomial-size circuit family {C n }, every polynomial p, all sufficiently large n, m Qi and m Qj {0, 1} poly(n), Pr C n E G 1 n m Qi = 1 Pr C n E G 1 n m Qj = 1 < negl(n) Security Aspects of Database Outsourcing 15

Security Aspects of Database Outsourcing 16

Policies Authorization Policies Encryption Policies Encryption Policies: which data are encrypted with which key which keys are released to which users Assign one key to each user Encrypting each resource at most once. we propose a formal model for representing an authorization policy. We also introduce the definition of minimum encryption policy. Security Aspects of Database Outsourcing 17

Authorization Policies - 1 Authorization Policy: Let U and R be the set of users and resources in the system. An authorization policy over U and R, denoted A, is a triple U, R, P, where P is a set of permissions of the form u, r, with u U and r R, stating the accesses to be allowed. The set of permissions (P) can be represented through an access matrix M A. acl(r) denotes the access control list of r (i.e., the set of users that can access r). Security Aspects of Database Outsourcing 18

Authorization Policies - 2 Authorization Policy Graph: Informally: We model an authorization policy as a directed and bipartite graph G A having a vertex for each user u U and for each resource r R, and an edge from u to r for each permission u, r P to be enforced. Formally: let A = U, R, P be an authorization policy. The authorization policy graph over A, denoted G A is a graph V A, E A, where V A = U R and E A = u, r u, r P. Security Aspects of Database Outsourcing 19

Authorization Policies - 3 Security Aspects of Database Outsourcing 20

Encryption Policies - 1 Key and Token Graph: k i, k j K, a token t i,j = k j h(k i, l j ). Informally: We model the relationships between keys through tokens allowing derivation of one key from another, via a graph. The graph has a vertex for each pair k, l. There is an edge from a vertex k i, l i to a vertex k j, l j if there exists a token t i,j allowing the derivation of k j from k i. Formally: Let K be a set of keys, L be a set of publicly available labels, and T be a set of tokens, a key and token graph over K, L, and T, denoted G K,T, is a graph V K,T, E K,T, where V K,T = k i, l i k i K, l i L and E K,T = k i, l i, k j, l j t i,j T. Security Aspects of Database Outsourcing 21

Encryption Policies - 2 Security Aspects of Database Outsourcing 22

Encryption Policies - 3 Key assignment and encryption schema: Let U, R, K, L be the set of users, resources, keys, and labels in the system, respectively. A key assignment and encryption schema over U, R, K, L is a function φ : U R L that returns for each user u U the label l L associated with the (single) key k in K released to the user and for each resource r R the label l L associated with the (single) key k in K with which the resource is encrypted. Security Aspects of Database Outsourcing 23

Encryption Policies - 4 Encryption policy: Let U and R be the set of users and resources in the system, respectively. An encryption policy over U and R, denoted E, is a 6-tuple U, R, K, L, φ, T, where K is the set of keys defined in the system, L is the set of corresponding labels, φ is a key assignment and encryption schema, and T is a set of tokens defined on K and L. Security Aspects of Database Outsourcing 24

Encryption Policies - 5 Encryption policy graph Let E = U, R, K, L, φ, T be an encryption policy. The encryption policy graph over E, denoted G E, is the graph V E, E E where: V E = V K,T U R; E E = E K,T u, k, l u U l = φ(u) k, l, r r R l = φ(r). Security Aspects of Database Outsourcing 25

Encryption Policies - 6 Security Aspects of Database Outsourcing 26

Policies Our goal is then to translate an authorization policy A into an equivalent encryption policy E, meaning that A and E allow exactly the same accesses. Policy equivalence: Let A = U, R, P be an authorization policy and E = U, R, K, L, φ, T be an encryption policy. A and E are Equivalent, denoted A E, iff 1. u U, r R: u E r u A r 2. u U, r R: u A r u E r Security Aspects of Database Outsourcing 27

Proxy Re-Encryption We have not Time! Security Aspects of Database Outsourcing 28

Search on Encrypted Data - 1 Song et al. (2000) search for the word w on encrypted data returns all the positions where w occurs Encryption: Plain text Wi E(Wi) Alg-0: K i is constant. + Cipher text Alg-1: K i is Trapdoor of Wi: Si S i K i = f k (E wi ) k is constant key Security Aspects of S Database i = F Ki Outsourcing (Si) 29

Search on Encrypted Data - 2 Search send E(w) and trapdoor to server XOR cipher text and E(w) and generate <Si,S i> if S i = F Ki (Si) then return i. Decrypt: W = D(E(w)). Security Aspects of Database Outsourcing 30

Search on Encrypted Data - 3 Def: R-break and R-secure an attack R-breaks a cryptographic primitive if the attack algorithm succeeds in breaking the primitive with resources specified by R, and we say that a crypto primitive is R-secure if there is no algorithm that can R-break it. Def: Distinguishing Probability or Advantage Let A: {0,1} n 0,1 be an arbitrary alg. Let X, Y is Random var. on{0,1} n Advantage of A: Adv A = Pr A X = 1 Pr [A Y = 1] Security Aspects of Database Outsourcing 31

Search on Encrypted Data - 4 A pseudorandom generator G: ie, stream cipher We say that G: K g S is a (t,e)-secure pg if every algorithm A with running time at most t has advantage < e (Adv(A) < e). A pseudorandom function F: ie, HMAC We say that F: K f X Y is a (t,q,e)-secure pf if every algorithm A making at most q queries and with running time at most t has advantage < e (Adv(A) < e). Security Aspects of Database Outsourcing 32

Search on Encrypted Data - 5 A pseudorandom permutation E i.e., a block cipher We say that E: K E X Y is a (t,q,e)-secure pp if every algorithm A making at most q queries and with running time at most t has advantage < e (Adv(a) < e). In general, the (t,q,e)-security represents resistance to attacks that use at most t offline work and at most q adaptive chosen-text queries. Security Aspects of Database Outsourcing 33

Theorems - 1 1. if F is a (t,l,e F )-secure pf and G is a (t,e G )-secure pg, then the algorithm-0 for generating the <Si, S i> (S i=f Ki (si)) is a (t-ε,e)-secure pg, where e = l e f + e G + l (l 1) 2 X and ε is negl(t). 2. suppose F is a (t,l,e F )-secure pf, f is a (t,l,e f )-secure pf, and G is a (t,e G )-secure pg., then the algorithm-1 for generating the <Si, S i> will be a (t-ε, e H )-secure pg, where l (l 1) e H = l e F + e f + e G + 2 X Security Aspects of Database Outsourcing 34

Theorems - 2 3. Suppose E is a (t,l,e E )-secure pp, F is a (t,l,e F )-secure pf, f is a (t,l,e f )-secure pf, G is a (t,e G )-secure pg. Then the algorithm-2 for generating the <Si, S i> will be a (t-ε,e H )-secure pseudorandom generator, where e H = l e F + e f + e G + l (l 1) 2 X Security Aspects of Database Outsourcing 35

References 1. Sion, Radu. "Towards secure data outsourcing." Handbook of Database Security (2008): 137-161. 2. Vimercati, Sabrina De Capitani Di, et al. "Encryption policies for regulating access to outsourced data." ACM Transactions on Database Systems (TODS) 35.2 (2010): 12. 3. Song, Dawn Xiaoding, David Wagner, and Adrian Perrig. "Practical techniques for searches on encrypted data." Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on. IEEE, 2000. 4. Ivan, Anca, and Yevgeniy Dodis. "Proxy cryptography revisited." Proceedings of the Network and Distributed System Security Symposium (NDSS). 2003. 5. Kantarcıoǧlu, Murat, and Chris Clifton. "Security issues in querying encrypted data." Data and Applications Security XIX (2005): 924-924. 6. Dong, Changyu, Giovanni Russello, and Naranker Dulay. "Shared and searchable encrypted data for untrusted servers." Data and Applications Security XXII (2008): 127-143. Security Aspects of Database Outsourcing 36

Proof of Theorem-1 Define H : K F K G (X Y) l by H k, k j = s 1, F k s 1,, s l, F k (s l ) Lemma-1. if F is a (t,l,e F )-secure pf and G is a (t,e G )-secure pg, then H is a (t-ε,e H )-secure pg, where e H = e F + e G + l (l 1) 2 X and ε is negl(t). Security Aspects of Database Outsourcing 37

Proof of Theorem-1 Define H: (K F ) l K G (X Y) l by H k, k j = s 1, F k s 1,, s l, F k (s l ) that k = k 1,, k l Lemma-2. if F is a (t,l,e F )-secure pf and G is a (t,e G )-secure pg, then H is a (t-ε,e H )-secure pg, where e H = l e F + e G and ε is negl(t). Security Aspects of Database Outsourcing 38

Proof of Theorem-1 proof of lemma-1: Define ψ k = u 1, F k u 1,, u l, F k (u l ) u i are independent random var. from uniform distribution X. Let U be a random var. with uniform distribution on (X Y) l. The goal is to show that H and U are indistinguishable to any computationally-bounded adversary. first show that H and ψ are indistinguishable, and second show that ψ and U are indistinguishable. First, we show that no algorithm with running time t- ε can distinguish between H and ψ with advantage better than e G. Security Aspects of Database Outsourcing 39

Proof of Theorem-1 Suppose not, i.e., there exists an algorithm A with running time at most t-ε and Adv A = Pr A H = 1 Pr [A ψ = 1] e G. Then we exhibit an algorithm B with running time at most t which distinguishes the output of G from a truly random bit string with advantage at least e G. The algorithm B: Input: s = s 1,, s l X l Run A on input I = s 1, F k s 1,, s l, F k (s l ) Output: A(I) Adv(B) = Pr B G k G = 1 Pr [B U = 1] = Pr A H = 1 Pr [A ψ = 1] = Adv(A) e G U is a uniformly-distributed random variable on X l. Security Aspects of Database Outsourcing 40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information