Secure Relational Database Management System (SRDBMS)

Monash University and Swinburne University of Technology

What we will cover today

• Background• Our solution• Application of use• Demonstration• Our value proposition• Next phase

About us

• Monash• Joseph Liu• Ron Steinfeld• Amin Sakzad• Xingliang Yuan

• Swinburne:• Yang Xiang

• Leading experts in cryptography, database security, and system security.

Defining the problem

• Cost of a data breach (from IBM security):• average USD 3.92M of a breach• most expensive industry: healthcare (USD 6.45M)• average size of a breach: 25,575 records

• In 2018, the Office of the Australia Information Commissioner (OAIC) received more than 800 data breach notifications:• spanning from cloud to in-house databases• affecting over 10 million individuals in Australia. http://www.informationisbeautiful.net/visual

izations/worlds-biggest-data-breaches-hacks/

The solution: encrypted database

The solution: encrypted database

The solution: encrypted database

The solution: encrypted database

Server can no longer access the cleartext of data and query !!!

The competitive advantage

• First generation encrypted database system, e.g., CryptDB, SAP SEEED, Azure Always Encrypted• Rely on proxy for encryption/decryption (single point of failure)• Traditional access control• Suffer from inference attacks due to the usage of property-preserving

encryption• Our solution: proxy-free architecture

• Proxy-free architecture• Enforced fine-grained access control via Attribute-based Encryption (ABE)• Resist inference attacks by adopting Searchable Symmetric Encryption (SSE)

System overview

uid name age

1 Alice 24

… … …

A5FB B1F6 76EA

Enck1(1) Enck2(Alice) Enck3(24)

… … …Encryption

Table name: User Table name: C102

• Another metadata table keeps the information of schema and the map between record attributes and ciphertexts:

Attribute Ciphertext keyUser C102 N/Auid A5FB k1

name B1F6 k2

age 76EA k3

Proxy-free query process

data

CloudServer

EncryptedSQLquery

Encryptedresult

User

metadatametadata

Usemetadatatoencryptqueriesanddecryptresult

Retrievemetadata

Encryption-based access control

data

CloudServer

User1

metadata1

User2

metadata1

metadata1

User3

metadata2

metadata2

Implementation and deployment

• Implementation:• CP-ABE, using Type A curve from jPBC library• Database Query Planner: Based on Apache DBCP 2.1

and Apache DBUtils 1.6• Proof-of-concept implementation: 3278 lines of Java code

• Deployment:• Database: MySQL 8.0 deployed in Docker• Server: Apache Tomcat 7.0.93• A demo with the student record table and the corresponding

addition/modification/deletion/search functions

Application of use: Financial Services under Geo-fencing

UK

AU

Headquarter

HK OfficerName Job Age Gender Credit …

Bob Lawyer 40 Male B …

Alice Doctor 45 Female A …

… … … … … …Record Linkage

Credit Prediction

Wealth ProductRecommendation

Our value proposition

• Reduce the risks of a data breach, especially for top targeted sectors, e.g., healthcare, finance;

• Separate the roles of providing, administering, and accessing the data;

• Comply with international and national data security and privacy regulations;

• Provide evidences for cyber insurance.

Next phase

• Seek industrial funding to push forward R&D• Rich queries, NoSQL, full-fledged demonstration,

SDK, security-aware UI, DB migration tool

• Look for partners in field testing and application integration

• Improve customer’s awareness of encrypted databases