Chip-Secured Data Access: Confidential Data on Untrusted Servers
L. Bouganim, P. Pucheral, University of Versailles
The need for Open Trusted Data Stores (slide 2)
• Virtual teams
  – distributed among space, time and organizations
  – collaborative work on confidential data
  – e.g., cyberworkers.com ...
• Shared personal folders
  – accessible anywhere, anytime and shared by authorized persons
  – e.g., primadoctor.com ...
• Corporate DB hosted by a DSP
  – permanent access for travelling salesmen
  – e.g., caspio.com, quickbase.com ...
Attackers (slide 3)
• Intruder
  – tries to attack the DB footprint or usurp the identity of a regular user (or DBA)
• Insider
  – tries to get information exceeding her own access rights
• Administrator (SA or DBA)
  – has enough privileges to tamper with the access right definitions and spy on the DBMS behavior
Access rights can be bypassed, so encryption is required.
Server-based approach (slide 4)
[Figure: client communicating over secured communications with a DBMS server that encrypts/decrypts an encrypted database; threats shown: intruder, insider, administrator, identity usurpation]
• DB footprint protected by encryption
  – Oracle Obfuscation toolkit, ...
• Restrict the DBA privileges ... as far as possible
  – Protegrity, [Ideas’01] ...
Weakness = decryption occurs on the server
Client-based approach (slide 5)
[Figure: encryption/decryption moved to the client; secured communications to a DBMS server that stores only the encrypted database]
• Decryption on the client
  – who owns the keys?
• Privacy (exclusive access)
  – the client manages the keys
  – efficiency is the main concern [Sigmod’02]
• Confidentiality (shared access)
  – a security mechanism is required on the client side to manage keys and access rights
Weakness = client can tamper with the security mechanism
Chip-Secured Data Access (C-SDA) (slide 6)
[Figure: clients C1 and C2 each reach the DBMS through a C-SDA module running in a Secured Operating Environment]
• Making the security mechanism tamper-resistant
  – Access right manager hosted by a Secured Operating Environment (SOE) (e.g., a smartcard)
  – Access rights defined on views
    • query translation in the SOE
    • part of query execution in the SOE
Equi-Predicate-Only Queries (slide 7)
X.com Privacy Policy: X.com does not rent, sell, or share personal information about its customers with other people or companies.
[Figure: the client query
  Select * from Customers where Nation = «France»
 is translated by the C-SDA access-rights module into a query over encrypted names and values,
  Select * from lqskdqs where sdeef = "zarevgzd"
 which the encrypted DBMS evaluates; C-SDA decrypts the returned rows]
  Encrypted table (as stored on the server)     Decrypted result
  sd    azd    sdeef     zze                    Id  name  Nation  Type
  zszd  dedef  zarevgzd  Fffe                   22  Jim   France  good
  tger  Sde    zarevgzd  zrzer                  19  Joe   France  bad
• Traveling salesman asks for customers living in France
• Equi-Predicate-Only query
  – 100% processed by the server
  – result decrypted by C-SDA
General Queries (slide 8)
X.com Privacy Policy: X.com vendors cannot access detailed information about customers’ orders, but can get statistical data about them.
[Figure: the client query
  Select sum(amount) from orders where CustId = 22
 is translated by the C-SDA access-rights module into
  Select ygefh from iuzgs where lpaszj = "euys"
 and sent to the encrypted DBMS; C-SDA decrypts the returned ygefh values (retz, kdleo, ...) and computes the sum (1200)]
• Traveling salesman asks for the total amount of orders passed by customer #22
• Aggregation must be computed on decrypted data by C-SDA
Smartcard’s Characteristics (slide 9)
• Cheap and highly secured computer
  – Powerful RISC processor (≈ 40 Mips)
  – Limited communication bandwidth (10 to 100 Kbps)
  – Tiny RAM, writes in EEPROM stable storage very costly
• Impact on C-SDA
  – internal processing must be done in pipeline
  – processing must be pushed down to the server
  – data flows must be minimized
[Figure: smartcard architecture: 32-bit processor, I/O, security blocks, ROM, 4 KB RAM, EEPROM]
Query decomposition (slide 10)
• Q = Qterm ∘ Qcard ∘ Qserver
  – Qserver: Equi-Predicate-Only Queries
  – Qcard: Inequi-predicates, aggregations ...
  – Qterm: Presentation
Example query:
  SELECT C.Id, C.name, sum(O.amount)
  FROM Customers C, Orders O
  WHERE C.Id = O.CustId and O.date > 1996
  GROUP BY C.Id, C.name
  HAVING count(*) >= 10
  ORDER BY C.name
Query optimization: example (slide 11)
• Minimize the flow of irrelevant data traversing the card
• Inequi-predicates
  – evaluated by a subquery
  – result semi-joined with the initial table
[Figure: query plan: π date (Orders) → Decrypt → σ date>1996 → Encrypt, result semi-joined with Orders; Orders then joined with Customers on CustId = Id]
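The following is an added worked example, not code from the paper or from the C-SDA prototype, modelling the processing described on slides 7, 8, 10 and 11: an untrusted server that stores only ciphertext and can evaluate equality on it, and a card (SOE) that holds the key and per-role access rights, translates equi-predicates into encrypted constants, evaluates the inequi-predicate through a subquery on the projected date column, semi-joins the result server-side, and finishes the aggregation, HAVING and ORDER BY itself. The table names, the two roles, the sample rows and the per-column views are constructed; the "cipher" is a toy deterministic transform chosen only so that equal plaintexts give equal ciphertexts, which is the property the slides rely on (and which, in any real deployment, still lets the server observe equality and frequency patterns, so the choice of cipher is a security decision in its own right).

```python
import hashlib
from collections import defaultdict

KEY = b"constructed-demo-key"  # constructed; in C-SDA the key lives only inside the SOE

# Toy deterministic transform (constructed stand-in, NOT a real cipher): it exists
# only so that equal plaintexts give equal ciphertexts, which is what lets the
# server evaluate equi-predicates on data it cannot read.
def _stream(n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def enc(value):
    b = str(value).encode()
    return bytes(x ^ y for x, y in zip(b, _stream(len(b)))).hex()

def dec(ct):
    b = bytes.fromhex(ct)
    return bytes(x ^ y for x, y in zip(b, _stream(len(b)))).decode()

# Constructed sample tables; the server never sees this plaintext form.
CUSTOMERS = [(22, "Jim", "France"), (19, "Joe", "France"), (7, "Ann", "Italy")]
ORDERS = [  # (OrderId, CustId, date, amount)
    (1, 22, 1997, 700), (2, 22, 1995, 500), (3, 19, 1998, 300),
    (4, 7, 1999, 900), (5, 22, 1998, 100)]

def encrypt_table(rows, cols):
    return [{c: enc(v) for c, v in zip(cols, row)} for row in rows]

class EncryptedServer:
    """Untrusted DBMS: stores ciphertext and can only compare ciphertexts for equality."""
    def __init__(self):
        self.tables = {
            "Customers": encrypt_table(CUSTOMERS, ["Id", "name", "Nation"]),
            "Orders": encrypt_table(ORDERS, ["OrderId", "CustId", "date", "amount"]),
        }
    def select_eq(self, table, col, ct):
        return [r for r in self.tables[table] if r[col] == ct]
    def project(self, table, col):
        return {r[col] for r in self.tables[table]}  # distinct ciphertexts only
    def semi_join(self, table, col, ct_set):
        return [r for r in self.tables[table] if r[col] in ct_set]
    def join_eq(self, left, lcol, right, rcol):
        return [{**l, **r} for l in left for r in right if l[lcol] == r[rcol]]

class Card:
    """SOE: holds the key and the access rights (here: per-role column views)."""
    VIEWS = {"salesman": {"Customers": {"Id", "name", "Nation"},
                          "Orders": {"CustId", "date", "amount"}},
             "vendor": {"Orders": {"CustId", "amount"}}}

    def __init__(self, server):
        self.server = server
        self.rows_through_card = 0  # data-flow metric the card tries to minimise

    def _check(self, role, table, cols):
        allowed = self.VIEWS.get(role, {}).get(table, set())
        if not set(cols) <= allowed:
            raise PermissionError(f"{role} may not read {set(cols) - allowed} of {table}")

    def customers_in(self, role, nation):
        """Slide 7: equi-predicate only -> 100% server side, the card only decrypts."""
        self._check(role, "Customers", ["Id", "name", "Nation"])
        rows = self.server.select_eq("Customers", "Nation", enc(nation))  # Qserver
        self.rows_through_card += len(rows)
        return [(int(dec(r["Id"])), dec(r["name"])) for r in rows]

    def total_orders(self, role, cust_id):
        """Slide 8: the aggregation runs in the card, on decrypted rows."""
        self._check(role, "Orders", ["CustId", "amount"])
        rows = self.server.select_eq("Orders", "CustId", enc(cust_id))  # Qserver
        self.rows_through_card += len(rows)
        return sum(int(dec(r["amount"])) for r in rows)  # Qcard

    def customer_totals(self, role, year, min_orders):
        """Slides 10-11: Q = Qterm o Qcard o Qserver with a pushed-down subquery."""
        self._check(role, "Customers", ["Id", "name"])
        self._check(role, "Orders", ["CustId", "date", "amount"])
        # Subquery for the inequi-predicate: only the distinct date column crosses
        # the card; it is decrypted, filtered, and the qualifying ciphertexts go back.
        dates = self.server.project("Orders", "date")
        self.rows_through_card += len(dates)
        keep = {ct for ct in dates if int(dec(ct)) > year}
        # Qserver: semi-join Orders with the qualifying dates, then equi-join.
        orders = self.server.semi_join("Orders", "date", keep)
        joined = self.server.join_eq(self.server.tables["Customers"], "Id", orders, "CustId")
        self.rows_through_card += len(joined)
        # Qcard: decrypt, GROUP BY C.Id, C.name, SUM, HAVING count(*) >= min_orders.
        totals, counts, names = defaultdict(int), defaultdict(int), {}
        for r in joined:
            cid = int(dec(r["Id"]))
            names[cid] = dec(r["name"])
            totals[cid] += int(dec(r["amount"]))
            counts[cid] += 1
        result = [(cid, names[cid], totals[cid]) for cid in totals if counts[cid] >= min_orders]
        return sorted(result, key=lambda t: t[1])  # Qterm: ORDER BY C.name
```

`rows_through_card` is the quantity slide 11 asks to minimise: for the general query it counts the distinct encrypted dates shipped to the card for the subquery plus the joined rows that survive the semi-join, rather than every row of Orders.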
Conclusion (slide 12)
• Other contributions exploiting the smartcard’s storage
  – Insulate highly sensitive data
  – database depersonalization
  – Multiple key repository
• Future works
  – Performance assessment
  – Experimentation in the EDI context
    • funded by the French ANVAR agency
    • extends C-SDA towards XML databases
  – impact of the SOE technology on query optimization