A New Efficient Algorithm for Executing Queries over Encrypted Data

Rasha Refaie, A. A. Abd El-Aziz, Nermin Hamza, Mahmood A. Mahmood, Hesham Hefny

Dept. of Computer & Information Sciences, Institute of Statistical Studies and Research, Cairo University

ABSTRACT—Outsourcing databases to the cloud increases the need for data security. A cloud user must be sure that his data will be safe and will not be stolen or reused even if the data centers are attacked. The service provider is not trustworthy, so the data must be invisible to it. Executing queries over encrypted data preserves a certain degree of confidentiality. In this paper, we propose an efficient algorithm to run computations on data encrypted for different principals. The proposed algorithm allows users to run queries over encrypted columns directly without decrypting all records.

Keywords: Database security, query processing, homomorphic encryption, CryptDB, MONOMI, secure indexes.

INTRODUCTION

When a database is provided as a service, the service provider may not be trustworthy, and the data needs to be protected from the database service provider. The problem with using encryption is that there is no way to execute queries over encrypted data without decrypting it [1]. Hence the data will not be protected, which presents a problem for users. Therefore, we propose an efficient algorithm to run queries over encrypted data without decrypting it, so the data remains confidential and invisible even to the cloud provider.

RELATED WORK

Different techniques have been suggested to maintain a certain degree of privacy in database outsourcing scenarios. In addition, they allow some SQL queries to be executed efficiently.

Fully homomorphic encryption (FHE) is a new security concept. Such a system can compute any type of function on encrypted data [2]. Fully homomorphic encryption is still very expensive and slow [3].

CryptDB's approach is to execute queries over encrypted data on the DBMS server as it would on a plaintext database [4]. The proxy manages all communication to and from the database and uses secret keys to encrypt all data included in queries issued to the DBMS [5,6]. In this approach data is encrypted in layers, called an onion [7,8,9,10,11]. CryptDB is much more efficient, but it cannot support most analytical queries over encrypted data and cannot run computations at the DBMS on values encrypted using different keys [3].

MONOMI is a system for executing analytical workloads over encrypted data on an untrusted database server. In MONOMI, part of the query is run on the untrusted server over encrypted data and the remainder of the query is run on the plaintext database at the user's server [12]. MONOMI sends the encrypted result to the user, who decrypts it and runs the final computation, which is more efficient to compute at the user. Installing a new database design is still a big problem in MONOMI, and security constraints are not taken into account [3].

[13] suggests a good algorithm for searching over encrypted data. The limitations of the existing techniques for fuzzy match and range queries are efficiently eliminated using this algorithm. This algorithm is efficient for searching when the result of the query is less than 40% of the total data.

[14] proposes a new architecture to support the confidentiality, integrity and availability of data. This architecture illustrates secure and robust cloud storage by combining cryptography and access control with two-layered encryption.

Using a pre-computed index makes the execution of queries in databases faster, but standard indexes become ineffective when the data is encrypted [15]. Moreover, if several users with different access rights use the same index, each one of them needs access to the entire index, possibly including indexed elements that are beyond his access rights. A simple but elegant solution to this problem is to split the index into several sub-indexes, where each sub-index relates to the values in the column encrypted using the same key [3].

Security issues and the related costs are the most strategic issues in outsourcing a database. [16] proposes a model which includes the variability of database workload and cloud prices and the related cost of encryption schemes. By applying the model to actual cloud provider prices, the encryption and adaptive encryption costs for data privacy can be determined.

PROPOSED TECHNIQUE

Our proposed technique builds on CryptDB's design. CryptDB's design consists of two main parts: a database proxy and a DBMS. CryptDB makes the DBMS run queries over an encrypted database as if it were plaintext. The proxy is a trusted server which stores the database schema and a secret master key. It works as a middle layer that encrypts and decrypts all data and changes some query operators while keeping the semantics of the query. The proxy manages all communication to and from the database and uses secret keys to encrypt all data included in the queries that are sent to the DBMS [5,6].

CryptDB can chain encryption keys to user passwords. In CryptDB, a user can decrypt his authenticated data items only by using his password. Consequently, if all servers are compromised, an attacker cannot decrypt the data of any user who is not logged in, and even a database administrator cannot access the decrypted data [3].

CryptDB has a problem running computations at the DBMS on values encrypted using different keys, even if the application has the authority of all principals in question [3]. The traditional way is to perform the computation after decrypting the data. This may be practical for some computations, but for large-scale aggregate computations this approach is too expensive. For example, suppose we have Table1 and its encrypted form Table2, which has a column (Salary) containing values encrypted by different keys (some encrypted using K1, others encrypted using K2). Table2 is saved at the DBMS server.

TABLE1

| ID | Emp_Name | Salary | Dept_Num |
|----|------------|--------|----------|
| 1 | Bob | 60 | 1 |
| 2 | Alice | 100 | 1 |
| 3 | Eve | 800 | 1 |
| 4 | McDonald | 100 | 1 |
| 5 | Bob Marley | 60 | 2 |
| 6 | Alice | 100 | 2 |
| 7 | McDonald | 60 | 2 |

TABLE2: Encrypted_Table

| ID | Emp_Name | Salary | Dept_Num |
|----|----------|---------|----------|
| 1 | x9ak | x934bc1 | 1 |
| 2 | 98wu | x5a8c34 | 1 |
| 3 | u8sb | x84a21c | 1 |
| 4 | 3781e2 | x5a8c34 | 1 |
| 5 | ed34ef | x1eab81 | 2 |
| 6 | 98wu | x638e54 | 2 |
| 7 | 3781e2 | x1eab81 | 2 |

Suppose a user issues the following query:

    SELECT Emp_Name, Salary, Dept_Num FROM TABLE2 WHERE Salary >= 100

In CryptDB, data is encrypted in layers, called an onion. The term "onion" refers to layers of encryption that overlap like the layers of an onion. Each onion has several layers, each encrypted using a different algorithm. The outer layer of an onion is the most secure layer. A value has only one current layer in each onion. The ORD onion is used to adjust the order leakage for queries that include comparisons. Order-preserving encryption (OPE) is used to encrypt values while keeping the order of these values: if $x < y$, then $\mathrm{OPE}_K(x) < \mathrm{OPE}_K(y)$ for any secret key $K$ [4]. Therefore, if a column is encrypted with OPE, the server can perform range queries and queries that include comparisons. In our example, Salary is encrypted by different keys. The problem is that when the same value is encrypted by different keys, it gives different ciphertexts [$E_{K_1}(100) \neq E_{K_2}(100)$]. So the server cannot perform range queries or queries that include comparisons on a column containing values encrypted by different keys.

Fig. 1. Different Layers of ORD Onion[4].

To execute this query using CryptDB, the proxy encrypts the query and sends it to the DBMS server to run it. The server cannot check whether Salary >= 100 because Salary is encrypted by different keys. Thus, CryptDB executes the following query at the DBMS server:

    SELECT Emp_Name, Salary, Dept_Num FROM TABLE2

Once the proxy receives the results, it decrypts them and evaluates the WHERE Salary >= 100 condition. Any matching results are sent to the user [9]. Here we had to decrypt the whole two columns Emp_Name and Salary. Our proposed technique tries to overcome this limitation by encrypting the query with the different keys and running every query on the corresponding data encrypted by the same key. Our proposed technique builds on CryptDB's design, which consists of two main parts, a database proxy and a DBMS, as previously explained.

Figure 2: Proposed security technique. [Diagram labels: User1 (password P1), User2 (password P2), proxy server (trusted server), queries Q1, Q2, Q3, ..., DBMS server (untrusted server), encrypted database.]

The following algorithm outlines the suggested technique:

Input: user query
Output: query result
Begin
1. The user issues a query.
2. The proxy checks the query condition.
   If (the query condition is not on a column containing data encrypted by different keys)
      Go to step 3
   Else if (authorized user)
      Go to step 4
   Else
      Go to step 6
3. i. The proxy intercepts and rewrites the query, which it forwards to the DBMS server.
   ii. The DBMS retrieves data from Encrypted_Table and returns it to the proxy.
   Go to step 5
4. i. The proxy encrypts the query using the different keys and forwards the resulting queries to the DBMS server.
   ii. The DBMS runs every query on the corresponding data encrypted by the same key and returns the results to the proxy.
5. The proxy decrypts the query results and returns them to the user.
6. Exit
End
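The per-key rewriting in steps 4 and 5 above, as an added Python sketch that is not code from the paper or from CryptDB. It assumes a toy order-preserving map built from HMAC gaps (not a secure OPE scheme), constructed keys, a hypothetical `key_id` column that tells the DBMS which key covers each row, and the Table 1 salaries with IDs 1-4 under K1 and IDs 5-7 under K2; the decrypt-everything fallback is included for comparison.

```python
import hashlib
import hmac
import sqlite3
from bisect import bisect_left
from itertools import accumulate

DOMAIN = 1001  # toy plaintext domain, salaries 0..1000 (assumption)

def ope_table(key):
    """Toy order-preserving map: running sum of keyed positive gaps (not a secure OPE)."""
    def gap(i):
        mac = hmac.new(key, str(i).encode(), hashlib.sha256).digest()
        return 1 + int.from_bytes(mac[:2], "big")
    return list(accumulate(gap(i) for i in range(DOMAIN)))

# Constructed keys for two principals; key ids 1 and 2 stand for K1 and K2.
KEYS = {1: ope_table(b"constructed-K1"), 2: ope_table(b"constructed-K2")}

def enc(kid, x):
    return KEYS[kid][x]

def dec(kid, c):
    return bisect_left(KEYS[kid], c)  # the table is strictly increasing

# (ID, key id, Salary) taken from Table 1; the key assignment is an assumption.
ROWS = [(1, 1, 60), (2, 1, 100), (3, 1, 800), (4, 1, 100),
        (5, 2, 60), (6, 2, 100), (7, 2, 60)]

def build_dbms(rows):
    """Untrusted side: stores ciphertexts plus a key_id tag (assumed column)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (id INTEGER, key_id INTEGER, salary INTEGER)")
    db.executemany("INSERT INTO t VALUES (?, ?, ?)",
                   [(i, k, enc(k, s)) for i, k, s in rows])
    return db

def proxy_per_key(db, threshold):
    """Steps 4-5: one rewritten query per key; decrypt only the matching rows."""
    sql = "SELECT id, salary FROM t WHERE key_id = ? AND salary >= ?"
    hits = [(rid, dec(kid, c)) for kid in KEYS
            for rid, c in db.execute(sql, (kid, enc(kid, threshold)))]
    return sorted(hits), len(hits)

def proxy_decrypt_all(db, threshold):
    """Fallback: fetch every row, decrypt all of them, filter at the proxy."""
    rows = [(rid, dec(kid, c))
            for rid, kid, c in db.execute("SELECT id, key_id, salary FROM t")]
    return sorted(r for r in rows if r[1] >= threshold), len(rows)
```

Both functions return the same four rows (IDs 2, 3, 4 and 6), but the per-key version decrypts 4 ciphertexts where the fallback decrypts all 7. The `key_id` tag and the order of the ciphertexts within each key remain visible to the DBMS.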

When an authorized user wants to search for records and the query condition is on a column encrypted using different keys, the proxy encrypts the query using the different keys (K1, K2, K3, ...) to obtain (Q1, Q2, Q3, ...). The proxy sends these queries to the DBMS, which runs every query on the corresponding data encrypted by the same key. These queries return exactly the records the user wants from Encrypted_Table. This approach does not need to decrypt all the values of the entire encrypted column; rather, it decrypts only those values which satisfy the user query. The following example describes the searching operation of the suggested algorithm:

    SELECT Emp_Name, Salary, Dept_Num FROM TABLE2 WHERE Salary >= 100

The proxy will encrypt this query using (K1, K2) to obtain (Q1, Q2). The proxy sends Q1 and Q2 to the DBMS. The DBMS runs Q1 on the data encrypted by K1 and Q2 on the data encrypted by K2 to return exactly the records the user wants. The DBMS server returns the encrypted query results (TABLE3, TABLE4).

    Q1: SELECT Emp_Name, Salary, Dept_Num FROM TABLE2 WHERE Salary >= x5a8c34

TABLE3: RESULT of Q1

| Emp_Name | Salary | Dept_Num |
|----------|---------|----------|
| 98wu | x5a8c34 | 1 |
| u8sb | x84a21c | 1 |
| 3781e2 | x5a8c34 | 1 |

    Q2: SELECT Emp_Name, Salary, Dept_Num FROM TABLE2 WHERE Salary >= x638e54

TABLE4: RESULT of Q2

| Emp_Name | Salary | Dept_Num |
|----------|---------|----------|
| 98wu | x638e54 | 2 |

The proxy decrypts these results and returns them to the user (TABLE5).

TABLE5: THE RETURNED RESULT FROM PROXY SERVER'S SIDE

| Emp_Name | Salary | Dept_Num |
|----------|--------|----------|
| Alice | 100 | 1 |
| Eve | 800 | 1 |
| McDonald | 100 | 1 |
| Alice | 100 | 2 |

In this technique the proxy does not need to decrypt all the values of the entire encrypted column; rather, it decrypts only those values which match the user query.

CONCLUSION

In this paper, we outlined various techniques which offer privacy in database outsourcing scenarios. A secure algorithm for searching over encrypted data was suggested. Our proposed technique builds on CryptDB's design. CryptDB's approach is to provide secure communication between the user and the encrypted database by executing queries over encrypted data on the DBMS server as it would on a plaintext database. Our proposed algorithm will efficiently eliminate the limitations of computations on values encrypted for different principals. We will apply our algorithm to ensure its effectiveness.

REFERENCE

[1] (2011) The Forbes website. [Online]. Available: http://www.forbes.com/sites/andygreenberg/2011/12/19/an-mit-magic-trick-computing-on-encrypted-databases-without-ever-decrypting-them/

[2] M. Tebaa, S. El Hajji and A. El Ghazi. "Homomorphic Encryption Applied to the Cloud Computing Security". In Proc. of the World Congress on Engineering 2012, Vol. I, WCE 2012, London, U.K., July 4-6, 2012.

[3] R. Refaie, A. A. Abd El-Aziz, N. Hamza, M. A. Mahmood and H. Hefny. "A Survey on Executing Query on Encrypted". The International Conference on Intelligent Information Technologies (ICIIT 2014), Chennai, India, 12/2014.

[4] R. A. Popa, C. M. S. Redfield, N. Zeldovich and H. Balakrishnan. "CryptDB: Protecting confidentiality with encrypted query processing". In Proc. of the 23rd SOSP, pages 85-100, Cascais, Portugal, Oct. 2011.

[5] R. A. Popa, C. M. S. Redfield, N. Zeldovich and H. Balakrishnan. "Review of CryptDB: Protecting Confidentiality with Encrypted Query Processing". May 16, 2012.

[6] R. A. Popa, C. M. S. Redfield, N. Zeldovich and H. Balakrishnan. "CryptDB: A Practical Encrypted Relational DBMS". Available: http://lib4shared.com/doc-file/cryptdb-a-practical-encrypted-relationaldbms

[7] Z. Dayioglu, M. Kiraz, F. Birinci and I. Akin. "Secure Database in Cloud Computing: CryptDB Revisited". 6th International Information Security & Cryptology Conference, 20-21 September/Eylül 2013, Ankara, Turkey.

[8] http://en.wikipedia.org/wiki/Tor_(anonymity_network)

[9] L. Ferretti, F. Pierazzi, M. Colajanni and M. Marchetti. "Security and Confidentiality Solutions for Public Cloud Database Services". SECURWARE 2013: The Seventh International Conference on Emerging Security Information, Systems and Technologies.

[10] P. Srivani, S. Ramachandram and R. Sridevi. "A Survey Report on CryptDB". Computer Science, Communication & Instrumentation Devices. Editors: Janahanlal Stephen, Harish Rohilk and S Vasavi. Copyright © 2015 AET-2014k6 Organisers. ISBN: 978-981-09-5247-1.

[11] C. Curino, E. P. C. Jones, R. Popa, N. Malviya, E. Wu, S. Madden, H. Balakrishnan and N. Zeldovich. "Relational Cloud: A Database-as-a-Service for the Cloud". Available: https://people.csail.mit.edu/nickolai/papers/curino-relcloud.pdf

[12] S. Tu, M. F. Kaashoek, S. Madden and N. Zeldovich. "Processing Analytical Queries over Encrypted Data". In Proc. of the 39th International Conference on Very Large Data Bases (VLDB), Riva del Garda, Italy, August 2013.

[13] M. Sharma, A. Chaudhary and S. Kumar. "Query Processing Performance and Searching over Encrypted Data by using an Efficient Algorithm". International Journal of Computer Applications (0975 – 8887), Volume 62, No. 10, January 2013.

[14] R. Kalaichelvi and L. Arockiam. "Secure and Robust Cloud Storage with Cryptography and Access Control". Elixir Comp. Sci. & Engg. 56 (2013) 13481-13484. Available online at www.elixirpublishers.com (Elixir International Journal).

[15] E. Shmueli, R. Waisenberg, Y. Elovici and E. Ben-Gurion. "Designing Secure Indexes for Encrypted Databases". In Proc. of Data and Applications Security, 19th Annual IFIP WG 11.3 Working Conference, USA, 2005.

[16] L. Ferretti, F. Pierazzi, M. Colajanni and M. Marchetti. "Performance and Cost Evaluation of an Adaptive Encryption Architecture for Cloud Databases". IEEE Transactions on Cloud Computing, Vol. 2, No. 2, April-June 2014.
