SemCrypt Secure XML Processing in Outsourced Databases

Transcription

1 Institute für Wirtschaftsinformatik Nr / September 2008 SemCrypt Secure XML Processing in Outsourced Databases Katharina Grün Michael Karlinger Michael Schrefl Forschungsbericht Research Report 08.02

2 Vorbemerkung der Herausgeber / Editors preamble Die Forschungsberichte der Institute für Wirtschaftsinformatik dienen der Darstellung vorläufiger Ergebnisse z. B. Projektberichte und Zwischenergebnisse, die i. d. R. für spätere Veröffentlichungen überarbeitet werden. Die Autoren sind für kritische Hinweise dankbar. Alle Rechte vorbehalten. Research reports comprise preliminary results, e.g. project reports and intermediary results which will usually be revised for subsequent publications. Critical comments are appreciated by the authors. All rights reserved. Herausgeber / Editors o. Univ.-Prof. Dipl.-Ing. Dr. Gustav Pomberger, Institut für Wirtschaftsinformatik Software Engineering o. Univ.-Prof. Mag. Dr. Friedrich Roithmayr, Institut für Wirtschaftsinformatik Information Engineering o. Univ.-Prof. Dipl.-Ing. Dr. Michael Schrefl, Institut für Wirtschaftsinformatik Data & Knowledge Engineering o. Univ.-Prof. Dipl.-Ing. Dr. Christian Stary, Institut für Wirtschaftsinformatik Communications Engineering Autoren / Authors Mag. Katharina Grün gruen@dke.uni-linz.ac.at Mag. Michael Karlinger karlinger@dke.uni-linz.ac.at o. Univ.-Prof. Dr. Michael Schrefl schrefl@dke.uni-linz.ac.at Johannes Kepler Universität Linz Institut für Wirtschaftsinformatik - Data & Knowledge Engineering Altenberger Str. 69, A-4040 Linz, Austria

3 SemCrypt - Secure XML Processing in Outsourced Databases Katharina Grün Michael Karlinger Michael Schrefl Department of Business Informatics - Data & Knowledge Engineering Johannes Kepler University Linz, Austria {gruen, karlinger, schrefl}@dke.uni-linz.ac.at Abstract The increasing number and size of XML documents require efficient techniques for storing, querying and updating XML data. Current XML databases disregard privacy and security concerns when processing sensitive documents at external storage providers because they cannot prevent the untrustworthy storage provider from accessing either the content or the structure of the outsourced documents. At the external storage provider, SemCrypt 1 exclusively processes encrypted documents. Documents or document fragments are only decrypted at the client-side for authorized users. To query and update encrypted documents, the approach developed explores the structural semantics of the documents as well as special index structures. The SemCrypt database provides an administration tool that visualizes how data is stored and processed. 1 Introduction The trend to outsource data and the increasing need to process sensitive XML documents call for a secure processing model that ensures the privacy of stored documents without depending on service level agreements. Such a processing model grounds on a client-server architecture, where clients process data and the server acts as storage provider in an untrustworthy domain. All data processed at the storage provider is encrypted to protect it from being misused. Encryption and decryption for query and update processing are exclusively performed in the trusted domain of the client. In the secure processing model, querying and updating documents can basically be performed according to one of the following approaches: (i) encrypt 1 SemCrypt is a collaborative research project funded by FIT-IT, a programme initiative of the Austrian Federal Ministry of Transport, Innovation and Technology, with partners Johannes Kepler University Linz, Electronic Competence Center Vienna, and EC3 Networks GmbH. 1

4 whole documents or large document parts and transfer them between client and server for query and update processing [4], (ii) develop special encryption techniques for processing encrypted data directly at the server [1], (iii) exploit the structural semantics of documents and develop special storage and index structures. While approach (i) requires large amount of data to be transferred between client and server, approach (ii) cannot easily replace its encryption techniques when they are broken or better ones are available. Approach (iii) minimizes the amount of data transferred and works with off-the-shelf encryption techniques. SemCrypt [5] follows approach (iii) to efficiently query and update encrypted XML documents. This paper presents the main concepts that have been developed for SemCrypt. 1.1 Setup configurations To be adaptable to different application scenarios, SemCrypt s design allows for different configurations (cf. Figure 1.1), all of which rely on a potentially untrustworthy storage provider to store encrypted data. The storage provider is also responsible for backup, recovery and basic transaction control. Arbitrary DB Server Storage Provider Client SC Core / User App Arbitrary DB Server Storage Provider Client SC Core / User App Security Component store encrypted storage common access query processing encryption store encrypted storage common access query processing encryption authorization a) Single user configuration. b) Multi user configuration. Figure 1: Setup configurations of SemCrypt (SC). (a) Single user scenario: Each one of several single users has full access to exactly one encrypted store, where one storage provider may host several stores. A typical application scenario for this setting is a secure, remote document store where users manage their documents, e.g. insurance contracts, using a special purpose application. This application utilizes the SemCrypt Core for performing query and update processing as well as encryption/decryption within the trusted domain of the client. (b) Multi user scenario: Several users access the same documents from different, potentially insecure clients. Access authorization is delegated to a Security Component which en- and decrypts document fragments for authorized users. Alternatively, this security check could also be performed by specific 2

5 secure devices, such as powerful smart cards. A typical application scenario is to outsource the storage of records in e-government applications. 1.2 Challenges Designing a secure XML database system (DBS) poses several challenges. To ensure data privacy and prevent security risks as identified by Fong [2], the system must guarantee both storage and communication security. The physical storage structure must neither reveal the document content nor the document structure to the storage provider. To be widely applicable, the DBS should not depend on specific encryption techniques. Repeated encryption of the same plain text fragments or markups needs to result in different cipher texts in order to avoid statistic-based attacks. Regarding the client-server communication, repeated transmission of the same data has to be avoided, again in order to avoid statistic-based attacks. The DBS needs to support querying and updating of both the content and structure of documents, i.e. navigating within documents and constraining values and types. Finally, regarding the system s overall performance, the data volume to be transferred from the server for answering queries has to be minimized. 1.3 Achievements SemCrypt tackles these challenges as follows. The physical storage structure guarantees data privacy and security through encryption. To identify encrypted fragments, query and update processing techniques exploit the structural semantics of XML, i.e. schema information, which is captured by the document structure. Processing documents is based on a schema-aware labeling scheme [3] which not only allows to identify each node of a document by a unique node label, but also enables to execute many operations directly onto node labels without accessing encrypted data. To efficiently process queries that constrain node values, SemCrypt provides an index framework that supports indexing the content of arbitrary document fragments. Query processing is based on a query algebra enabling query optimization and index selection. Prior works on XML processing present isolated solutions for these problems, which cannot easily be combined due to conflicting assumptions. SemCrypt not only extends these techniques, but also integrates them into a multi-layered architecture. The layered structure of this architecture enables to use SemCrypt also as a conventional XML database by transferring the SemCrypt Core to the Storage Provider. 2 Architecture The architecture of the SemCrypt Core, depicted in Figure 2, integrates the various components and their data models and bridges the gap between the physical storage of encrypted data and its representation to end users. SemCrypt processes four kinds of primary data, namely schemas, documents, indices and 3

6 queries. Following database reference architectures, the processing of primary data occurs within different layers. The external layer represents data in a way familiar to end users, who e.g. formulate queries in terms of XPath. The Sem- Crypt Service takes user requests in their external representation, parses and dispatches them. Various database tasks, such as query optimization, cannot be efficiently performed on external primary data. The logical layer thus abstracts from external representations, while the internal layer incorporates special techniques to improve system performance. Within the logical and the internal layer, there is one specific component for each kind of primary data. At the physical layer, the Storage Engine provides access to the physical storage structures. These components and their data models are subsequently explained in more detail. All components create metadata, like names of available documents or schema information, and provide this metadata to other components. To manage metadata, SemCrypt follows the approach of using a separate database, encapsulated by the Metadata Manager. external SemCrypt Service logical internal Schema Manager Schema Engine Document Manager Document Engine Query Engine Execution Engine Index Manager Index Engine Metadata Manager physical Storage Engine network Storage Provider Figure 2: SemCrypt Architecture. 3 Concepts This section elaborates on the specific techniques developed for SemCrypt. To gain a better understanding of these techniques, we use a simplified example of managing insurance contracts within a secure, remote document store. Throughout the paper, the concepts are demonstrated by screen dumps taken from the prototype administration tool of SemCrypt (SCAdmin). 4

7 3.1 Physical storage To prevent security risks, SemCrypt uses the physical storage structure depicted in Figure 3. Data fragments are encrypted with a user defined standard encryption algorithm (E) and encryption key (K). The use of nonrecurring random numbers (nonce) prevents statistical analysis by encrypting same fragments differently in each communication with the Storage Provider. To identify encrypted fragments, each fragment has assigned a unique id, which encodes structural information about the fragment and is encrypted using a cryptographic hash function (H). In order to prevent frequency analysis, the Storage Engine caches frequently requested fragments. Figure 3: Storage view. Example 1 Figure 3 depicts sample terms of an insurance contract as encrypted fragment (top) and its unencrypted counterpart (bottom) when viewed in the SCAdmin tool. When the client requires a fragment to answer a query, it assembles its unique id, e.g based on metadata or partial query results and requests the fragment from the Storage Provider. 3.2 Schema processing Schema information, which in general can be extracted from XML schemas, DTDs or directly from XML documents, is primarily required for identifying encrypted document fragments and maintained by the Schema Manager. The Schema Engine builds a corresponding schema tree and encodes its paths and subtypes into schema labels, which are part of node labels and are exploited when processing queries and updates. Example 2 Figure 4 depicts the schema view of the SCAdmin tool when an XML Schema modeling insurance contracts is imported. The logical and internal representations of this XML Schema are depicted in the middle and bottom parts of Figure 4, respectively. Internally, for example, the path insurances/insurance is denoted by schema label 2. The two subtypes of insurances, life and car insurances, have assigned individual schema labels (3 and 4). 5

8 Figure 4: Schema view. 3.3 Document processing The Document Manager logically represents documents as trees of nodes, which the Document Engine internally identifies through node labels. The schemaaware, dynamic prefix labeling scheme of SemCrypt [3] not only allows to determine structural relationships between nodes, but also encodes schema labels, identifying paths and types. The Document Engine is further responsible for storing and updating content and structure of documents. It fragments documents to minimize the amount of data retrieved from the Storage Provider for query processing and it maintains a condensed representation of the document structure capturing the relationships between the fragments. Example 3 Figure 5 depicts the representations of a document in the SCAdmin tool when an insurance contract is uploaded. Node label

9 Figure 5: Document view. internally identifies the insurance contract of John Doe and consists of (i) the internal document id 1, (ii) the schema label 2 4 encoding the path 2 (insurances/insurance) and the subtype 4 (CarInsurance), and (iii) the instance label 1 denoting that this is the first insurance contract with respect to document order. 3.4 Index processing SemCrypt uses a special index framework to directly support queries on encrypted documents by adjusting secondary index structures to the query workload. The specific characteristic of this framework is that it allows indexing the content and structure of arbitrary document fragments. It provides indices for exact match, range queries and text retrieval as well as for hierarchical queries on the document structure and type hierarchies. While the Index Manager abstracts index definition and index selection from the index structures per se, the Index Engine maintains and traverses the indices and stores them via the Storage Engine using the same encrypted storage structure as used for documents. Example 4 Figure 6 shows how to define a hash index in the SemCrypt Query Language (SCQL). The index (i1) associates with each insurant name the node 7

10 Figure 6: Index view. labels of their contracts. The logical representation of an index corresponds to a logical query with variables. Internally, an index has the form of a tree pattern whose nodes contain schema labels and variables. Tree patterns are used for index selection and maintenance. 3.5 Query processing The Query Engine performs query optimization based on a logical query algebra, which represents each query as a graph of logical operators. The particularities of this algebra are (i) independence of specific query execution techniques and (ii) support for types, type hierarchies and XPath-like function calls. To select appropriate indices for executing queries, the Query Engine exploits schema information to match index definitions with logical query plans. The Execution Engine evaluates query plans compiled into an internal query algebra, which incorporates performance boosting techniques such as node labels, schema information and index structures. Example 5 Figure 7 depicts the query view of the SCAdmin tool when a query on the insurance terms of insurant Jane Doe is submitted. Based on the XPath query, a corresponding logical query plan is derived and optimized. The resulting internal query plan specifies to process the query as follows: (1) access the sample index with search condition Jane Doe to retrieve the label of the respective insurance contract in document 1, i.e. label ; (2) navigate from the retrieved contract to its terms by modifying its node label based on schema information, i.e. exchanging its schema label 2 to 8, and retrieve the encrypted fragment identified by the corresponding label The value of this fragment corresponds to the queried insurance terms. The XML fragment returned by this query is depicted at the very bottom of Figure 7. 8

11 Figure 7: Query view. 4 Summary Recapitulating, SemCrypt uses the following techniques to efficiently process outsourced XML documents without revealing their content or structure to the untrustworthy storage provider: (i) encrypt all data with a cryptographic hash function and an encryption algorithm, (ii) exploit schema information to identify encrypted fragments and perform query operations on labels instead of accessing encrypted data, (iii) define specific index structures based on the expected query workload, enabling to exactly retrieve the encrypted fragments needed to answer the queries. References [1] R. Brinkman, L. Feng, J. Doumen, P. Hartel, and W. Jonker. Efficient Tree Search in Encrypted Data. In Proc. 2nd Int. Workshop on Security In Information Systems, pages , [2] K. Fong. Potential Security Holes in Hacigümüs Scheme of Executing SQL over Encrypted Data. kfong/research/database.pdf. [3] K. Grün, M. Karlinger, and M. Schrefl. Schema-aware Labelling of XML Documents for Efficient Query and Update Processing in SemCrypt. Computer Systems Science and Engineering, 21(1):65,

12 [4] H. Hacigümüs, B. Iyer, C. Li, and S. Mehrotra. Executing SQL over Encrypted Data in the Database-Service-Provider Model. In Proc ACM SIGMOD Int. Conf. on Management of Data, pages , [5] M. Schrefl, J. Dorn, and K. Grün. SemCrypt - Ensuring Privacy of Electronic Documents through Semantic-based Encrypted Query Processing. PDM 2005 International Workshop on Privacy Data Management, 8,

13 Bisher erschienene Institutsberichte (seit 1996) Nr / Februar 1996 P. Brandl, H. S. Huber: Diagnose der Informationsverarbeitung: Der DASIE- Benchmark Nr / Oktober 1996 M. Schrefl, G. Kappel, P. Lang: Modeling Collaborative Behavior Using Cooperation Contracts Nr / Dezember 1996 I. Wiesinger, B. Hemetsberger: Evaluierung von Managementunterstützungssystemen Nr / Januar 1997 P. Lang, W. Obermair, M. Schrefl: Modeling Business Rules with Situation/Activation Diagrams Nr / Februar 1997 P. Bichler, G. Preuner, M. Schrefl: Workflow Transparency Nr / Jänner 1998 A. Mittelmann: Organisationales Lernen und Geschäftsprozessmanagement Nr / Mai 1999 M. Gappmaier, J. Siller: Partizipative Interaktionsanalyse Videogestützte Methoden für ganzheitliches Geschäftsprozessmanagement Nr / Mai 1999 M. Gappmaier, H. Merl, V. Pilsl: Das Organisationsgesundheitsbild Nr / Mai 1999 M. Gappmaier, M. Ruzicka: Partizives Gestalten von Geschäftsprozessen mit der Bildkartengestaltungsmethode (BKM) Nr / September 1999 I. Häntschel, H. Schmidt: Methoden zur Ermittlung des Informationsbedarfs des Managements Nr / September 1999 I. Häntschel, W. Erhart: Ein Vorgehensmodell zur strategiegeleiteten Einführung von Managementunterstützungssystemen (VEM) Nr / März 2000 G. Preuner, S. Conrad, M. Schrefl: View Integration of Behavior in Object-oriented Databases Nr / März 2000 G. Preuner, S. Conrad: View Integration of Life-cycles in Object-oriented Design Nr / April 2000 M. Schrefl, M. Stumptner: Behavior Consistent Refinement of Object Life Cycles

14 Bisher erschienene Institutsberichte (seit 1996, Fortsetzung) Nr / April 2000 A. Felfernig, G. Friedrich, D. Jannach, M. Stumptner: An Integrated Development Environment for the Design and Maintenance of Large Configuration Knowledge Bases Nr / April 2001 T. Thalhammer, M. Schrefl, M. Mohania: Active Data Warehouses: Complementing OLAP with Active Rules Nr / April 2001 C. Thonabauer, L. J. Heinrich: Ein Messsystem zur Erfassung von Potenzial und Nutzung von E-Commerce / E-Business Nr / Mai 2002 M. Bernauer, M. Schrefl: Bringing Life into Self-Maintaining Web Pages Nr / September 2002 G. Preuner, M. Schrefl: Behavior-consistent Composition of Business Processes from Internal and External Services Nr / Mai 2003 T. Auinger: Wissensmanagement-Audit Nr / Juni 2003 S. Lechner, M. Schrefl: By-example schema transformers for supporting the process of conceptual web application modelling Nr / Jänner 2004 T. Auinger, M. Kobler: Laborstudie eine Evaluierung des Wissensmanagement- Audits Nr / April 2005 R. Riedl, M. Kobler, F. Roithmayr: An Action Model for Business Strategy Creation in IT-related SMEs Nr / August 2005 R. Riedl: Auswahl eines Application Service Providers: Analytic Hierarchy Process oder Nutzwertanalyse? Nr / August 2007 A. Bögl: pmodeler: Ein System zu semantischen Prozessmodellanalyse Nr / November 2007 M. Karlinger, M. Vincent, M. Schrefl: On the Definition and Axiomatization of Inclusion Dependencies for XML Nr / August 2008 K. Grün, M. Schrefl: Extensible Indexing in XML Databases