SoK: Cryptographically Protected Database Search

Protected database search systems cryptographically isolate the roles of reading from, writing to, and administering the database. This separation limits unnecessary administrator access and protects data in the case of system breaches. Since protected search was introduced in 2000, the area has grown rapidly; systems are offered by academia, start-ups, and established companies. However, there is no best protected search system or set of techniques. Design of such systems is a balancing act between security, functionality, performance, and usability. This challenge is made more difficult by ongoing database specialization, as some users will want the functionality of SQL, NoSQL, or NewSQL databases. This database evolution will continue, and the protected search community should be able to quickly provide functionality consistent with newly invented databases. At the same time, the community must accurately and clearly characterize the tradeoffs between different approaches. To address these challenges, we provide the following contributions: 1) An identification of the important primitive operations across database paradigms. We find there are a small number of base operations that can be used and combined to support a large number of database paradigms. 2) An evaluation of the current state of protected search systems in implementing these base operations. This evaluation describes the main approaches and tradeoffs for each base operation. Furthermore, it puts protected search in the context of unprotected search, identifying key gaps in functionality. 3) An analysis of attacks against protected search for different base queries. 4) A roadmap and tools for transforming a protected search system into a protected database, including an open-source performance evaluation platform and initial user opinions of protected search.Comment: 20 pages, to appear to IEEE Security and Privac

CryptDB: A Practical Encrypted Relational DBMS

CryptDB is a DBMS that provides provable and practical privacy in the face of a compromised database server or curious database administrators. CryptDB works by executing SQL queries over encrypted data. At its core are three novel ideas: an SQL-aware encryption strategy that maps SQL operations to encryption schemes, adjustable query-based encryption which allows CryptDB to adjust the encryption level of each data item based on user queries, and onion encryption to efficiently change data encryption levels. CryptDB only empowers the server to execute queries that the users requested, and achieves maximum privacy given the mix of queries issued by the users. The database server fully evaluates queries on encrypted data and sends the result back to the client for final decryption; client machines do not perform any query processing and client-side applications run unchanged. Our evaluation shows that CryptDB has modest overhead: on the TPC-C benchmark on Postgres, CryptDB reduces throughput by 27% compared to regular Postgres. Importantly, CryptDB does not change the innards of existing DBMSs: we realized the implementation of CryptDB using client-side query rewriting/encrypting, user-defined functions, and server-side tables for public key information. As such, CryptDB is portable; porting CryptDB to MySQL required changing 86 lines of code, mostly at the connectivity layer

Storage Solutions for Big Data Systems: A Qualitative Study and Comparison

Big data systems development is full of challenges in view of the variety of application areas and domains that this technology promises to serve. Typically, fundamental design decisions involved in big data systems design include choosing appropriate storage and computing infrastructures. In this age of heterogeneous systems that integrate different technologies for optimized solution to a specific real world problem, big data system are not an exception to any such rule. As far as the storage aspect of any big data system is concerned, the primary facet in this regard is a storage infrastructure and NoSQL seems to be the right technology that fulfills its requirements. However, every big data application has variable data characteristics and thus, the corresponding data fits into a different data model. This paper presents feature and use case analysis and comparison of the four main data models namely document oriented, key value, graph and wide column. Moreover, a feature analysis of 80 NoSQL solutions has been provided, elaborating on the criteria and points that a developer must consider while making a possible choice. Typically, big data storage needs to communicate with the execution engine and other processing and visualization technologies to create a comprehensive solution. This brings forth second facet of big data storage, big data file formats, into picture. The second half of the research paper compares the advantages, shortcomings and possible use cases of available big data file formats for Hadoop, which is the foundation for most big data computing technologies. Decentralized storage and blockchain are seen as the next generation of big data storage and its challenges and future prospects have also been discussed

Chameleon: A Secure Cloud-Enabled and Queryable System with Elastic Properties

There are two dominant themes that have become increasingly more important in our technological society. First, the recurrent use of cloud-based solutions which provide infrastructures, computation platforms and storage as services. Secondly, the use of applicational large logs for analytics and operational monitoring in critical systems. Moreover, auditing activities, debugging of applications and inspection of events generated by errors or potential unexpected operations - including those generated as alerts by intrusion detection systems - are common situations where extensive logs must be analyzed, and easy access is required. More often than not, a part of the generated logs can be deemed as sensitive, requiring a privacy-enhancing and queryable solution. In this dissertation, our main goal is to propose a novel approach of storing encrypted critical data in an elastic and scalable cloud-based storage, focusing on handling JSONbased ciphered documents. To this end, we make use of Searchable and Homomorphic Encryption methods to allow operations on the ciphered documents. Additionally, our solution allows for the user to be near oblivious to our system’s internals, providing transparency while in use. The achieved end goal is a unified middleware system capable of providing improved system usability, privacy, and rich querying over the data. This previously mentioned objective is addressed while maintaining server-side auditable logs, allowing for searchable capabilities by the log owner or authorized users, with integrity and authenticity proofs. Our proposed solution, named Chameleon, provides rich querying facilities on ciphered data - including conjunctive keyword, ordering correlation and boolean queries - while supporting field searching and nested aggregations. The aforementioned operations allow our solution to provide data analytics upon ciphered JSON documents, using Elasticsearch as our storage and search engine.O uso recorrente de soluções baseadas em nuvem tornaram-se cada vez mais importantes na nossa sociedade. Tais soluções fornecem infraestruturas, computação e armazenamento como serviços, para alem do uso de logs volumosos de sistemas e aplicações para análise e monitoramento operacional em sistemas críticos. Atividades de auditoria, debugging de aplicações ou inspeção de eventos gerados por erros ou possíveis operações inesperadas - incluindo alertas por sistemas de detecção de intrusão - são situações comuns onde logs extensos devem ser analisados com facilidade. Frequentemente, parte dos logs gerados podem ser considerados confidenciais, exigindo uma solução que permite manter a confidencialidades dos dados durante procuras. Nesta dissertação, o principal objetivo é propor uma nova abordagem de armazenar logs críticos num armazenamento elástico e escalável baseado na cloud. A solução proposta suporta documentos JSON encriptados, fazendo uso de Searchable Encryption e métodos de criptografia homomórfica com provas de integridade e autenticação. O objetivo alcançado é um sistema de middleware unificado capaz de fornecer privacidade, integridade e autenticidade, mantendo registos auditáveis do lado do servidor e permitindo pesquisas pelo proprietário dos logs ou usuários autorizados. A solução proposta, Chameleon, visa fornecer recursos de consulta atuando em cima de dados cifrados - incluindo queries conjuntivas, de ordenação e booleanas - suportando pesquisas de campo e agregações aninhadas. As operações suportadas permitem à nossa solução suportar data analytics sobre documentos JSON cifrados, utilizando o Elasticsearch como armazenamento e motor de busca

Secure Abstractions for Trusted Cloud Computation

Cloud computing is adopted by most organizations due to its characteristics, namely offering on-demand resources and services that can quickly be provisioned with minimal management effort and maintenance expenses for its users. However it still suffers from security incidents which have lead to many data security concerns and reluctance in further adherence. With the advent of these incidents, cryptographic technologies such as homomorphic and searchable encryption schemes were leveraged to provide solutions that mitigated data security concerns. The goal of this thesis is to provide a set of secure abstractions to serve as a tool for programmers to develop their own distributed applications. Furthermore, these abstractions can also be used to support trusted cloud computations in the context of NoSQL data stores. For this purpose we leveraged conflict-free replicated data types (CRDTs) as they provide a mechanism to ensure data consistency when replicated that has no need for synchronization, which aligns well with the distributed and replicated nature of the cloud, and the aforementioned cryptographic technologies to comply with the security requirements. The main challenge of this thesis consisted in combining the cryptographic technologies with the CRDTs in such way that it was possible to support all of the data structures functionalities over ciphertext while striving to attain the best security and performance possible. To evaluate our abstractions we conducted an experiment to compare each secure abstraction with their non secure counterpart performance wise. Additionally, we also analysed the security level provided by each of the structures in light of the cryptographic scheme used to support it. The results of our experiment shows that our abstractions provide the intended data security with an acceptable performance overhead, showing that it has potential to be used to build solutions for trusted cloud computation

Database Design and Implementation

The book of Database Design and Implementation is a comprehensive guide that provides a thorough introduction to the principles, concepts, and best practices of database design and implementation. It covers the essential topics required to design, develop, and manage a database system, including data modeling, database normalization, SQL programming, and database administration. The book is designed for students, database administrators, software developers, and anyone interested in learning how to design and implement a database system. It provides a step-by-step approach to database design and implementation, with clear explanations and practical examples. It also includes exercises and quizzes at the end of each chapter to help reinforce the concepts covered. The book begins by introducing the fundamental concepts of database systems and data modeling. It then discusses the process of database design and normalization, which is essential for creating a well-structured and efficient database system. The book also covers SQL programming, which is used for querying, updating, and managing data in a database. Additionally, it includes a comprehensive discussion on database administration, including security, backup and recovery, and performance tuning.https://orc.library.atu.edu/atu_oer/1002/thumbnail.jp

Security of Health Information Databases

Tundlike andmete turvaline kogumine ja hoiustamine on väga vajalik. Olenevalt olukorrast võib see osutuda aga oodatust keerulisemaks. Andmebaasis olevate andmete turvalisus võib jääda tähelepanuta või seda võidakse ülehinnata. Rakenduse poolel andmete krüpteerimine on üks moodus laialdaselt esinevate probleemide ennetamiseks. Selle töö eesmärk on esitada näidisrakendus andmete turvalise kogumise kohta. See implementatsioon esitab andmete kogumise protsessi. Me katsetame kahte odavama hinnaklassi riistvaralisi turvamoodulit rakendusega siduda. Tulemustest on näha kaasnevaid raskusi, lootusega et protsessi saab parendada. Näidisrakendust saab kasutada tundlike andmete kogumise meetodite lisamisel olemasolevatesse andmehaldusrakendustesse.Secure storage of sensitive data is a strong requirement in current times. Depending on the scenario it could prove more difficult than first expected. Data security on the database side is often overlooked or underestimated. Application side encryption can be used to avoid many of the common issues. In the thesis we aim to give an implementation of one scheme for secure data gathering and storage. The implementation consists of three applications to display the process of gathering data. We also attempt to integrate two low budget Hardware Security Modules (HSMs) into our scheme. The thesis shows the difficulties with the hope, that the process could be improved. The given example can be used to add specialised sensitive data collection methods to existing data management software

A Comparative Study and Analysis of Query in Encrypted Databases

تعد البيانات اليوم هي الموجود الرئيسي للشركات وأعمالها. عادة ما يتم تخزين هذه البيانات في قاعدة البيانات. يجب أن تكون جميع أنظمة قواعد البيانات قادرة على الاستجابة لطلبات الحصول على معلومات من المستخدم وهي استعلامات العمليات. هناك حاجة إلى خوارزميات التشفير التي توفر القدرة على الاستعلام عبر قاعدة البيانات المشفرة وتتيح تحسين تشفير وفك تشفير البيانات. ومع ذلك ، تطبيق خوارزميات التشفير على قاعدة البيانات المشفرة يعتبر التحدي الذي ينشأ هو في  انخفاض اداء النظام الناتج عن نشر خوارزمية التشفير في وقت التشغيل. لذلك ، تعرض هذه الورقة معظم الأعمال الحديثة التي تم إجراؤها على معالجة الاستعلام في  قاعدة البيانات المشفرة وتحليلها لتوضيح تحليل الأداء ، بناءً على مقاييس أداء مختلفة في كل عمل ذي صلةData is the main asset of the modern companies and their businesses. Typically, it is stored in the data-base. Every database system has to be capable of responding to information requests from users, which is queries of the process. Encryption mechanisms are required, which give the capability to the query over the encrypted data-base and permit the optimization of data encryption and decryption. However, applying encryption algorithms on Encrypted database then challenge arises that the efficiency of the system degrades on deploying encryption algorithm on the runtime. Therefore, this paper presents most of the recent works that have been conducted on the query preprocessing of encrypted database and analyzes them to clarify the performance analysis, based on different performance metrics in each related work