Secure Relational Database Management System (SRDBMS)
Monash University and Swinburne University of Technology
What we will cover today
• Background
• Our solution
• Application of use
• Demonstration
• Our value proposition
• Next phase
About us
• Monash:
  • Joseph Liu
  • Ron Steinfeld
  • Amin Sakzad
  • Xingliang Yuan
• Swinburne:
  • Yang Xiang
• Leading experts in cryptography, database security, and system security.
Defining the problem
• Cost of a data breach (from IBM Security):
  • average cost of a breach: USD 3.92M
  • most expensive industry: healthcare (USD 6.45M)
  • average size of a breach: 25,575 records
• In 2018, the Office of the Australian Information Commissioner (OAIC) received more than 800 data breach notifications:
  • spanning from cloud to in-house databases
  • affecting over 10 million individuals in Australia
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The solution: encrypted database
The server can no longer access the cleartext of the data or the queries!
The competitive advantage
• First-generation encrypted database systems, e.g., CryptDB, SAP SEEED, Azure Always Encrypted:
  • Rely on a proxy for encryption/decryption (single point of failure)
  • Traditional access control
  • Suffer from inference attacks due to the usage of property-preserving encryption
• Our solution:
  • Proxy-free architecture
  • Enforced fine-grained access control via Attribute-based Encryption (ABE)
  • Resist inference attacks by adopting Searchable Symmetric Encryption (SSE)
System overview
Plaintext table (table name: User):

uid   name    age
1     Alice   24
…     …       …

After encryption (table name: C102):

A5FB        B1F6            76EA
Enc_k1(1)   Enc_k2(Alice)   Enc_k3(24)
…           …               …
• A separate metadata table keeps the schema information and the map between record attributes and ciphertexts:

Attribute   Ciphertext   Key
User        C102         N/A
uid         A5FB         k1
name        B1F6         k2
age         76EA         k3
Proxy-free query process
[Diagram labels: User; Cloud Server (data, metadata); Retrieve metadata; Use metadata to encrypt queries and decrypt result; Encrypted SQL query; Encrypted result]
Encryption-based access control
[Diagram labels: Cloud Server (data, metadata1, metadata2); User1: metadata1; User2: metadata1; User3: metadata2]
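The metadata-driven flow from the System overview, Proxy-free query process and Encryption-based access control slides, as an added example that is not the project's own code: the client rewrites table and column names using its metadata and decrypts returned cells with the per-column keys. Assumptions: AES-GCM stands in for Enc_k, the contents of metadata2 (no key for age) are constructed, and the CP-ABE protection of metadata and the SSE-based search are not modelled.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class MetadataClientDemo {
    // One metadata row: server-side name plus the column key (null when not granted).
    record Meta(String cipherName, byte[] key) {}
    static final SecureRandom RNG = new SecureRandom();
    static byte[] rand(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // AES-GCM is an assumed stand-in for Enc_k; output is nonce || ciphertext || tag.
    static byte[] enc(byte[] key, String plain) throws Exception {
        byte[] nonce = rand(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array();
    }
    static String dec(byte[] key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
    // Rewrite SELECT <cols> FROM <table> so the server only ever sees ciphertext names.
    static String rewrite(Map<String, Meta> md, String table, List<String> cols) {
        StringJoiner sj = new StringJoiner(", ");
        for (String col : cols) sj.add(md.get(col).cipherName());
        return "SELECT " + sj + " FROM " + md.get(table).cipherName();
    }
    public static void main(String[] args) throws Exception {
        byte[] k2 = rand(16), k3 = rand(16);
        // metadata1: the name mapping from the slides, with keys for both columns.
        Map<String, Meta> metadata1 = Map.of("User", new Meta("C102", null),
            "name", new Meta("B1F6", k2), "age", new Meta("76EA", k3));
        // metadata2 (constructed): same names, but the key for "age" is withheld.
        Map<String, Meta> metadata2 = Map.of("User", new Meta("C102", null),
            "name", new Meta("B1F6", k2), "age", new Meta("76EA", null));
        // What the server stores and returns for the row (Alice, 24): ciphertext only.
        Map<String, byte[]> row = Map.of("B1F6", enc(k2, "Alice"), "76EA", enc(k3, "24"));
        System.out.println(rewrite(metadata1, "User", List.of("name", "age")));
        for (Map<String, Meta> md : List.of(metadata1, metadata2))
            for (String col : List.of("name", "age")) {
                Meta m = md.get(col);
                System.out.println(col + " = " + (m.key() == null ? "<no key in metadata>" : dec(m.key(), row.get(m.cipherName()))));
            }
    }
}
```

Requires Java 16 or later for `record`.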
Implementation and deployment
• Implementation:
  • CP-ABE, using Type A curve from jPBC library
  • Database Query Planner: based on Apache DBCP 2.1 and Apache DBUtils 1.6
  • Proof-of-concept implementation: 3278 lines of Java code
• Deployment:
  • Database: MySQL 8.0 deployed in Docker
  • Server: Apache Tomcat 7.0.93
  • A demo with the student record table and the corresponding addition/modification/deletion/search functions
Application of use: Financial Services under Geo-fencing
[Diagram labels: UK; AU; HK; Headquarters; Officer]

Name    Job      Age   Gender   Credit   …
Bob     Lawyer   40    Male     B        …
Alice   Doctor   45    Female   A        …
…       …        …     …        …        …

[Diagram labels: Record Linkage; Credit Prediction; Wealth Product Recommendation]
Our value proposition
• Reduce the risks of a data breach, especially for top targeted sectors, e.g., healthcare, finance;
• Separate the roles of providing, administering, and accessing the data;
• Comply with international and national data security and privacy regulations;
• Provide evidence for cyber insurance.
Next phase
• Seek industrial funding to push forward R&D
  • Rich queries, NoSQL, full-fledged demonstration, SDK, security-aware UI, DB migration tool
• Look for partners in field testing and application integration
• Improve customers' awareness of encrypted databases