DBMask: Fine-Grained Access Control on Encrypted Relational Databases

DBMask: Fine-Grained
Access Control on
Encrypted Relational Databases
Mohamed Nabeel, Muhammad I. Sarfraz,
Jianneng Cao, Elisa Bertino
5th ACM Conference on Data and Application Security and Privacy
San Antonio, Texas, USA, March 2015
SWIM Seminar
July 29th, 2015
Mateus Cruz

Introduction Access Control Model Cryptographic Constructs Secure Query Evaluation Experiments Conclusion
OUTLINE
1 Introduction
2 Access Control Model
3 Cryptographic Constructs
4 Secure Query Evaluation
5 Experiments
6 Conclusion

OVERVIEW
SQL queries over encrypted data
Inspired by CryptDB1
Fine-grained access control
Attribute-based group key management
1
Popa et al., CryptDB: Protecting Conﬁdentiality with Encrypted
Query Processing, SOSP 2011
1 / 28

REVIEW: CRYPTDB
SQL queries over encrypted data
Proxy controls access
Limitations
Column-level as minimum granularity
Onions of encryption
– Decreasing security
– Storage overhead
2 / 28

ARCHITECTURE
Adversary model
Trusted and invulnerable data owner
Trusted and vulnerable proxy
Passive vulnerable server
3 / 28

ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
Users have a set of identity attributes
Job, age, location
Data is associated with policies
“Only managers older than 30 years old living
in Tokyo can access the data item X”
Users’ attributes have to satisfy the policies
4 / 28

DEFINITIONS
Attribute Condition: nameA op l
Attribute A
Comparison operator op
Value l
Policy: tuple (s, o)
Boolean expression s
Set of rows o
Group
Users that satisfy the conditions in a policy
5 / 28

DEFINITIONS
role = doctor
Attribute A
Value l
Set of rows o
Group
5 / 28

DEFINITIONS
Attribute A
Value l
role = doctor
OR
role = nurse
Set of rows o
Group
5 / 28

IDENTIFYING GROUPS
Example
Two access control policies (ACP) with attribute
conditions:
ACP1 = C1 ∧( C2 ∨ C3)
ACP2 = C2
Using the disjunctive normal form (DNF):
ACP1 = (C1 ∧ C2) ∨ (C1 ∧ C3)
ACP2 = C2
Groups given by disjunctive clauses:
G1 : C1 ∧ C2
G2 : C1 ∧ C3
G3 : C2
6 / 28

IDENTIFYING GROUPS
Example
conditions:
ACP1 = C1
level > 3
∧( C2 ∨ C3)
ACP2 = C2
ACP1 = (C1 ∧ C2) ∨ (C1 ∧ C3)
ACP2 = C2
G1 : C1 ∧ C2
G2 : C1 ∧ C3
G3 : C2
6 / 28

IDENTIFYING GROUPS
Example
conditions:
ACP1 = C1 ∧( C2
role = doctor
∨ C3)
ACP2 = C2
ACP1 = (C1 ∧ C2) ∨ (C1 ∧ C3)
ACP2 = C2
G1 : C1 ∧ C2
G2 : C1 ∧ C3
G3 : C2
6 / 28

IDENTIFYING GROUPS
Example
conditions:
ACP1 = C1 ∧( C2 ∨ C3
role = nurse
)
ACP2 = C2
ACP1 = (C1 ∧ C2) ∨ (C1 ∧ C3)
ACP2 = C2
G1 : C1 ∧ C2
G2 : C1 ∧ C3
G3 : C2
6 / 28

GROUP POSET
Partially ordered set (⊆)
Hierarchical key management
Parents can access children’s keys
Example
Conditions:
G1: Doctors AND level > 3
G2: Nurses AND level > 3
G3: Doctors
7 / 28

KEY MANAGEMENT APPROACH
Combines broadcast and hierarchical key
management
Efﬁciently handles user dynamics
Granting or revoking access
8 / 28

KEY MANAGEMENT
Attribute-based Group Key Management
Easier re-keying
Users do not receive private keys
Secret sharing used to derive keys
9 / 28

AB-GKM
Attribute-based Group Key Management
Policies are embedded in access trees
Internal nodes represent threshold gates
– “d-out-of-m” policies (threshold d)
Leaves represent attributes
Example
Policy:
( type = premium ∨
( type = regular ∧
region = indiana ),
{new movie})
10 / 28

NUMERICAL MATCHING
Compares encrypted numeric values
Allows different approaches
Deterministic
Order-preserving
Semantically secure
– Use trapdoors to make comparisons
11 / 28

KEYWORD SEARCH
Looks for words in an encrypted string
Can check for more than one word
Can check if two words are close
12 / 28

JOINS
Cannot match semantically secure values
JOIN-SEM
New column for blinded trapdoor values
JOIN-DET
Encrypts with deterministic encryption
13 / 28

DBMASK EXECUTION FLOW
1 System initialization
2 User registration
3 Data encryption
4 Query execution
14 / 28

SYSTEM INITIALIZATION
1 Data owner sets up the system
Makes available public parameters
Allows proxy to generate trapdoors
Identify and create groups of users
15 / 28

USER REGISTRATION
1 Users get their identity certiﬁed
Done by a trusted identity provider
2 Data owner distributes secrets
Only for valid and identiﬁed users
Maintains a database of user-secret values
– Shared with proxy to allow decryption
– Secrets are encrypted with users’ passwords
16 / 28

HANDLING USER DYNAMICS
Users can be added or deleted
Update the user-secret database
No need for re-keying
The encrypted data remains the same
Example
1 New user having the attribute role = doctor
2 Data owner generates new secrets and
public information related to G2
Updates proxy and cloud server
No effect on other groups
17 / 28

DATA ENCRYPTION
1 Encrypts each cell twice
Privacy-preserving matching
2 Each column is expanded to two
data-col
match-col
18 / 28

TABLE ENCRYPTION
19 / 28

QUERY EXECUTION
1 User sends query to proxy
2 Proxy parses query
Removes certain clauses
– ORDER BY, GROUP BY, HAVING, SUM
Replaces columns’ names
Computes trapdoors for secure
3 Cloud server executes query
Sends encrypted results to proxy
4 Proxy process results
Generate keys for decryption
Filters and aggregates results
Decrypts results
Send plaintext results to user
20 / 28

QUERY EXECUTION - EXAMPLE 1
Example
Initial query made by a doctor (G3):
SELECT ID, Age, Diag
FROM Patient
Processed query:
SELECT ID-enc, Age-enc, Diag-enc
FROM Patient
WHERE Groups LIKE ’%G3%’
21 / 28

Example
Initial query made by a doctor level 4 (G1, G3):
SELECT ID, Age, Diag
FROM Patient
WHERE Age > 35
ORDER BY Age ASC
22 / 28

Example
Processed query:
SELECT ID-enc, Age-enc, Diag-enc
FROM Patient
WHERE UDF Compare Num(Age-com,
PPNC.GenTrapdoor(35), ’>’)
AND (Groups LIKE ’%G1%’ OR
Groups LIKE ’%G3%’)
22 / 28

ENVIRONMENT
C++, NTL and OpenSSL
Postgres 9.1 extended with UDFs
Machine
3.40GHz Intel i7-3770
8GB RAM
Ubuntu 12.04
Dataset
TCP-C
23 / 28

IMPLEMENTATIONS
DBMask-SEC
Maximum security
Semantically secure encryption
– AES with blinding factor
– Adds one more column for joins
DBMask-PER
Best performance
Deterministic encryption
OPE scheme for numerical comparison
– Order-preserving encryption
24 / 28

THROUGHPUT
30% overhead
Trade-off: performance and security
25 / 28

LATENCY
44% increase on server side
Proxy adds 4.3ms
24% for encryption and decryption
67% for query rewriting, parsing, processing
26 / 28

STORAGE
Increases space requirements by 3.2x
27 / 28

CONCLUSION
Evaluates SQL queries on encrypted data
Security level does not change
Unlike CryptDB
Future work
Support more relational operations
Optimization
28 / 28

Detailed Execution Flow ACV-BGKM Extra Examples
EXTRA SLIDES

QUERY EVALUATION FLOW
System initialization
User registration
Data encryption and upload
Data querying and retrieval

SYSTEM INITIALIZATION
1 The data owner (DO) runs the setup
Generation of security parameters
2 The DO send the parameters to the proxy
The proxy can generate trapdoors
3 The DO converts ACP into DNF
Create groups of users

USER REGISTRATION
1 Users get certiﬁed by an identity provider
Certiﬁed identity attributes are cryptographic
commitments
2 Users register with DO using OCBE
3 The DO generates and distributes secretes
Users only decrypt secrets with valid identities
4 The DO has a database of user-secret values
Shared with the proxy
Needs synchronization when changed

DATA ENCRYPTION
Each cell is expanded into three
Fine-grained access control (data-col)
Privacy-preserving matching (match-col)
Assigned group labels (label-col)

label-col
Each cell is assigned group labels
Groups connected in the poset
Assign the label of the less privileged group

data-col
Encrypt data with masterkey K
Generated from the keys of groups and public
information
Prevents multiple encryptions

match-col
Encryption depends on the data type
String (for keyword search)
Numerical

CELL-LEVEL ACCESS CONTROL

QUERYING
1 The user sends a query to the proxy
Plaintext query
2 The proxy parses and ﬁlters the query
Remove certain clauses and aggregations
– E.g.: ORDER BY, SUM
3 Replace columns’ names
Use data-col encrypted names
4 Add predicate to the WHERE clause that
determines the groups of the user
5 Send query to server for execution

RETRIEVAL
1 The server returns the results to the proxy
The results are encrypted
The public information is also transferred
2 The proxy applies the removed clauses
Performs aggregation using an in-memory
database of decrypted results
3 The ﬁnal plaintext result is sent to the user

BGKM
Broadcast Group Key Management
Users have secrets to derive keys
Rekeying uses broadcast
Public information (PI) changes
Secrets of existing users remain the same
No need for private comm. channels
Except during the ﬁrst phase
Combination of secrets and PI gives keys

ACV-BGKM
Access Control Vector BGKM
Executed by a trusted key server
Group of n users
Usri, i = 1, 2, ..., n
Algorithms
1 Setup( )
2 SecGen()
3 KeyGen(S)
4 KeyDer(si, PI)
5 Update(S)

SETUP( )
Initialization of parameters
-bit prime number q
Keyspace KS = Fq
– Fq is a ﬁnite ﬁeld with q elements
Maximum group size N (N ≥ n)
Cryptographic hash function
– H(·) : {0, 1}∗
→ Fq
Secret space SS = {0, 1}
Set of issued secrets S = ∅

SECGEN()
1 Choose a secret si ∈ SS
si /∈ S
2 Add si to S
3 Output si

KEYGEN(S)
Pick a random k ∈ KS
Choose N random bit strings
z1, z2, ..., zN ∈ {0, 1}
Create an n × (N + 1) Fq-matrix
A =




1 a1,1 a1,2 · · · a1,N
1 a2,1 a2,2 · · · a2,N
...
...
... ... ...
1 an,1 an,2 · · · an,N




ai,j = H(si||zj), 1 ≤ i ≤ n, 1 ≤ j ≤ N, si ∈ S

KEYGEN(S)
Solve AY = 0
Y is a nonzero (N + 1)-dimensional Fq-vector
Y is chosen from the nullspace of A
Construct the access control vector (ACV)
ACV = k · eT
1 + Y
– k is the group key
– e1 = (1, 0, ..., 0)
Deﬁnes the public information
PI = ACV, (z1, z2, ..., zn)
Outputs PI and k

KEYDER(si, PI)
Usri computes a key extraction vector
vi = (1, ai,1, ai,2, ..., ai,N)
Unique row in the access matrix A
Usri derives key k
k = vi · ACV

UPDATE(S)
Run the KeyGen(S) algorithm
Output the new PI and the new key k

EXAMPLE: ACCESS CONTROL MATRIX
Example
Users: U1, U2, U3
Access control matrix:
A =


1 1 1 1 1
1 1 2 3 4
1 4 3 2 1


Nullspace of A:
N(A) = span{(1, −2, 1, 0), (2, −3, 0, 1)}

EXAMPLE: GENERATING PI
Example
ACV = k · eT
1 + Y, where AY = 0, e1 = (1, 0, ..., 0)
and k is the group key
Using Y = (0, 1, −2, 1, 0) and k = 2:
ACV = 2 · (1, 0, 0, 0, 0) + (0, 1, −2, 1, 0)
ACV = (2, 1, −2, 1, 0)
Output the public information PI:
PI = ACV, (z1, z2, ..., zn)

EXAMPLE: DERIVING THE KEY
Example
k = vi · ACV
For user U1: k = (1, 1, 1, 1, 1) · (2, 1, −2, 1, 0) = 2
For user U2: k = (1, 1, 2, 3, 4) · (2, 1, −2, 1, 0) = 2
For user U3: k = (1, 4, 3, 2, 1) · (2, 1, −2, 1, 0) = 2

Original query made by a level 4 doctor (G1 and G3):
Maximum Security:
Best Performance:

Original query made by a doctor (G3):
Maximum Security:
Best Performance:

DBMask: Fine-Grained Access Control on Encrypted Relational Databases

Recommended

More Related Content

What's hot (19)

Viewers also liked (15)

Similar to DBMask: Fine-Grained Access Control on Encrypted Relational Databases (20)

Recently uploaded (17)

DBMask: Fine-Grained Access Control on Encrypted Relational Databases