paasword - distributed searchable encryption engine
www.paasword.eu
Distributed Searchable Encryption Engine
Innovathens 11/10/2016
Outline
Objectives
Architecture and DB Transform
Example of an SQL Query in PaaSword
Improvements so far
PaaSword – WP4 (Database Encryption), 18/11/2016
Objectives
• Improve privacy in a transparent way: automatic encryption and decryption
• Automatic distribution synthesis
• Sufficient (but restricted) support for SQL: the most important queries should be supported
• Efficiency: acceptable performance impact
Basic Idea
Common (insecure) scenario: Client -> Cloud DB
Desired (secure) scenario: Client -> DB Proxy -> Cloud DB
DB Proxy Architecture
Diagram: User / Application -> SQL -> Database Proxy (trusted) -> SQL -> Cloud (untrusted), which holds Data, Index1 and Index2.
Data is not encrypted between the User / Application and the Database Proxy; Data is encrypted in the Cloud.
Database Transformation
Original:
ID Name Surname City Day of Birth
1 Paul Anderson Athens 01.01.1979
2 Howard Miller Karlsruhe 02.02.1974
3 Henry Cooper Berlin 03.03.1980
4 Henry Jones Brussels 04.04.1985
Data:
ID Encrypted Data
1 Enc(Paul,Anderson,Athens,01.01.1979)
2 Enc(Howard,Miller,Karlsruhe,02.02.1974)
3 Enc(Henry,Cooper,Berlin,03.03.1980)
4 Enc(Henry,Jones,Brussels,04.04.1985)
Index1:
Keyword IDs
Name:Paul Enc(1)
Name:Howard Enc(2)
Name:Henry Enc(3,4)
Index2:
Keyword IDs
Surname:Anderson Enc(1)
Surname:Miller Enc(2)
Surname:Cooper Enc(3)
Surname:Jones Enc(4)
Association is hidden: the ID lists in the indexes are encrypted, so the cloud cannot link a keyword to the rows in Data.
Example (1/4)
• SQL query: SELECT * FROM Customers WHERE Name='Henry' AND Surname='Jones'
• Step 1, transform query: the Database Proxy rewrites the query into one lookup per index and sends these to the cloud:
SELECT ID FROM Index1 WHERE Keyword='Name:Henry'
SELECT ID FROM Index2 WHERE Keyword='Surname:Jones'
Client-side plaintext view of Customers:
ID Name Surname City Day of Birth
1 Paul Anderson Athens 01.01.1979
2 Hans Miller Karlsruhe 02.02.1974
3 Henry Cooper Berlin 03.03.1980
4 Henry Jones Brussels 04.04.1983
Example (2/4)
• SQL query: SELECT * FROM Customers WHERE Name='Henry' AND Surname='Jones'
• Step 2, decrypt and compute result: the cloud returns the encrypted ID lists, and the Database Proxy decrypts them and evaluates the AND:
Index1 returns IDs Enc(3,4)
Index2 returns IDs Enc(4)
Result: ID 4
(Client-side plaintext table as in Example (1/4).)
Example (3/4)
• SQL query: SELECT * FROM Customers WHERE Name='Henry' AND Surname='Jones'
• Step 3, retrieve relevant data: the Database Proxy fetches only the matching row from the encrypted Data table:
SELECT * FROM Data WHERE ID IN (4)
(Client-side plaintext table as in Example (1/4).)
Example (4/4)
• SQL query: SELECT * FROM Customers WHERE Name='Henry' AND Surname='Jones'
• Step 4, decrypt and return result: the cloud returns Enc(Henry,Jones,Brussels,04.04.1983); the Database Proxy decrypts it and returns Henry,Jones,Brussels,04.04.1983 to the client.
(Client-side plaintext table as in Example (1/4).)
Improvements (1/2)
Original:
ID Name Surname City Day of Birth
1 Paul Anderson Athens 01.01.1979
2 Howard Miller Karlsruhe 02.02.1974
3 Henry Cooper Berlin 03.03.1980
4 Henry Jones Brussels 04.04.1985
Data:
ID Encrypted Data
1 Enc(Paul,Anderson,Athens,01.01.1979)
2 Enc(Howard,Miller,Karlsruhe,02.02.1974)
3 Enc(Henry,Cooper,Berlin,03.03.1980)
4 Enc(Henry,Jones,Brussels,04.04.1985)
Index1:
Keyword-Name IDs
Enc(Paul) Enc(1)
Enc(Howard) Enc(2)
Enc(Henry) Enc(3,4)
Index2:
Keyword-Surname IDs
Enc(Anderson) Enc(1)
Enc(Miller) Enc(2)
Enc(Cooper) Enc(3)
Enc(Jones) Enc(4)
Keyword Encryption
• AES (deterministic): equal keywords map to equal ciphertexts, so the cloud can still match index entries on equality without seeing the keyword
• Support for most query types (excl. LIKE)
Index Distribution
• Indexes for the same data type can be stored on different servers
Data Distribution
• Minimize exposure of sensitive information by careful distribution
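The four example steps above and the deterministic keyword encryption of Improvements (1/2), modelled end to end as an added illustration (not PaaSword's own code): the keys are constructed placeholders, and an HMAC-based PRF plus a toy HMAC keystream stand in for the deck's AES.

```python
import hmac, hashlib, json

# Constructed demo keys held only by the trusted proxy (placeholders, not PaaSword's key management).
INDEX_KEY = b"constructed-index-key"
DATA_KEY = b"constructed-data-key"

def keyword_token(column: str, value: str) -> str:
    # Deterministic keyword encryption: the same keyword always yields the same token, so the
    # cloud can match on equality without learning the value (keyed PRF stands in for AES).
    return hmac.new(INDEX_KEY, f"{column}:{value}".encode(), hashlib.sha256).hexdigest()

def crypt(nonce: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher (HMAC keystream XOR) standing in for AES; encrypts and decrypts.
    ks = b"".join(hmac.new(DATA_KEY, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

# Plaintext rows from the deck's transformation slide; the cloud only sees the tables below.
ROWS = {1: ("Paul", "Anderson", "Athens", "01.01.1979"),
        2: ("Howard", "Miller", "Karlsruhe", "02.02.1974"),
        3: ("Henry", "Cooper", "Berlin", "03.03.1980"),
        4: ("Henry", "Jones", "Brussels", "04.04.1985")}

def transform_db(rows):
    # Data table: ID -> Enc(row). One index per column: Enc(keyword) -> Enc(list of IDs).
    data = {i: crypt(str(i).encode(), json.dumps(r).encode()) for i, r in rows.items()}
    indexes = {}
    for col_no, col in enumerate(("Name", "Surname")):
        ids_by_token = {}
        for i, r in rows.items():
            ids_by_token.setdefault(keyword_token(col, r[col_no]), []).append(i)
        indexes[col] = {t: crypt(t.encode(), json.dumps(ids).encode())
                        for t, ids in ids_by_token.items()}
    return data, indexes

def proxy_select(data, indexes, conditions):
    # conditions={"Name": "Henry", "Surname": "Jones"} is WHERE Name='Henry' AND Surname='Jones'.
    # Step 1: one lookup per index, each with the encrypted keyword the cloud can match on.
    id_sets = []
    for col, value in conditions.items():
        t = keyword_token(col, value)
        blob = indexes[col].get(t)
        # Step 2: decrypt each ID list and intersect them (the AND) inside the trusted proxy.
        id_sets.append(set(json.loads(crypt(t.encode(), blob))) if blob else set())
    hits = set.intersection(*id_sets) if id_sets else set()
    # Steps 3 and 4: fetch only the matching encrypted rows and decrypt them for the client.
    return {i: tuple(json.loads(crypt(str(i).encode(), data[i]))) for i in sorted(hits)}
```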
Improvements (2/2)
Feature | Support before PaaSword | Current state
Index Encryption
Multiple Tables
Joins
Subselect
LIKE Partial *
Privacy Constraints
Data Distribution
* Only if index keyword is not encrypted
Supported Statements
• SELECT, UPDATE, INSERT, DELETE, DROP TABLE, ALTER TABLE
• Joins: left/right, full/outer/inner, …
• =, NOT, AND, OR, IN
• LIKE (%)
• Subselect: SELECT (SELECT …)
• <, <=, >, >=
• GROUP BY, LIMIT, AVG, SUM
Way forward
Extend SQL query support for encrypted index
Improve performance
Measure performance in different scenarios
Integrate into PaaSword framework
Include key management
Questions?
Visit us:
www.paasword.eu
Acknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.