Encrypted databases. Tom Ristenpart CS 6431

Similar documents
Searchable symmetric encryption (SSE) Tom Ristenpart CS 6431

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Block ciphers, stream ciphers

Leakage-Abuse Attacks against Searchable Encryption

Security of Searchable Encrypted Cloud Storage

Cryptography. Andreas Hülsing. 6 September 2016

ISA 562: Information Security, Theory and Practice. Lecture 1

Order-Revealing Encryption:

Order-Revealing Encryption:

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Message-Locked Encryption and Secure Deduplication

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Security of Searchable Encrypted Cloud Storage

Security of Stateful Order-Preserving Encryption

Lecture 1: Perfect Security

Order-Revealing Encryption:

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced Allocations

Protection of Data on Multiple Storage Providers

Secure Conjunctive Keyword Searches For Unstructured Text

Order-Revealing Encryption:

IND-CCA2 secure cryptosystems, Dan Bogdanov

On Symmetric Encryption with Distinguishable Decryption Failures

1 Defining Message authentication

Computer Security CS 526

CS408 Cryptography & Internet Security

On the Security of Frequency-Hiding Order-Preserving Encryption

Security and Privacy through Modern Cryptography

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Scanned by CamScanner

Frequency-Hiding Order-Preserving Encryption

Computational Security, Stream and Block Cipher Functions

Lectures 4+5: The (In)Security of Encrypted Search

Symmetric-Key Cryptography

Concrete Security of Symmetric-Key Encryption

COMP4109 : Applied Cryptography

Cryptography (cont.)

SEARCHABLE SYMMETRIC ENCRYPTION

Cryptology complementary. Symmetric modes of operation

Searchable Encryption. Nuttiiya Seekhao

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Parallel and Dynamic Searchable Symmetric Encryption

The Shadow Nemesis: Inference Attacks on Efficiently Deployable, Efficiently Searchable Encryption

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Information Security CS526

Goals of Modern Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lectures 6+7: Zero-Leakage Solutions

Feedback Week 4 - Problem Set

1 Achieving IND-CPA security

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions

Structured Encryption and Controlled Disclosure

Proofs for Key Establishment Protocols

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

On the Security of Group-based Proxy Re-encryption Scheme

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

What Can Be Proved About Security?

Information Security

Analysing Access Pattern and Volume Leakage from Range Queries on Encrypted Data. Information Security Group

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

FINE-GRAINED QUERY RESULTS VERIFICATION FOR SECURE SEARCH SCHEME OVER ENCRYPTED CLOUD DATA

Symmetric Encryption 2: Integrity

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Optimal Average-Complexity Ideal-Security Order-Preserving Encryption

Homework 3: Solution

CS 161 Computer Security

Lecture 07: Private-key Encryption. Private-key Encryption

Leakage-Abuse Attacks Against Searchable Encryption

Applied Cryptography and Computer Security CSE 664 Spring 2018

Brief Introduction to Provable Security

Bitcoin, Security for Cloud & Big Data

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Encrypted Data Deduplication in Cloud Storage

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

COMPOSABLE AND ROBUST OUTSOURCED STORAGE

Lecture 15: Public Key Encryption: I

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Distributed ID-based Signature Using Tamper-Resistant Module

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Definitions and Notations

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Hiding in the Cloud: The Perils and Promise of Searchable Encryption

Cryptographically Protected Database Search

Secure Data De-Duplication With Dynamic Ownership Management In Cloud Storage

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

A new lightweight symmetric searchable encryption scheme for string identification

symmetric cryptography s642 computer security adam everspaugh

Symmetric Cryptography

More crypto and security

Differentially Private Access Patterns for Searchable Symmetric Encryption

Secure Multiparty Computation

CPSC 467: Cryptography and Computer Security

From Crypto to Code. Greg Morrisett

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Security of Cryptosystems

Accredited Standards Committee X9, Incorporated

RSA. Public Key CryptoSystem

Transcription:

Encrypted databases Tom Ristenpart CS 6431

Outsourced storage settings Client wants to store data up on Dropbox High availability, synch across devices Server includes much value-add functionality Keyword search (find all files with Tom in text) Deduplication (if two files same, store only one copy) Thumbnail generation for images

Outsourced storage settings Salesforce stores customer records for companies Name: Clarisse Age: 22 Salary: 100,000 Comments: Works in NYC office Gender: Female SSN: 555-31-4325 Much value-add server-side functionality Keyword search (find all records with name Clarisse ) Range queries (all records with 20 <= Age <= 30) Sorted lists (return records orderered by salary) What security threats would one worry about?

Symmetric encryption key generation R signifies fresh per-message random bits. Optional R k Kg K R M Enc C C Dec M or error C is a ciphertext Correctness: Dec( K, Enc(K,M,R) ) = M with probability 1 over randomness used

IND-CPA security [Bellare, Desai, Jokippii, Rogaway 97] Adversary gets to submit messages to oracle b' M0,M1 C M0,M1 C IND-CPA challenge game Encrypt(M0,M1) C <- Enc(K,Mb) Ret C Adversary outputs guess b of b Wins if b = b b is a uniformly sampled bit and K is uniformly sampled key Both hidden from adversary Adversary must query with M0 = M1 Security goal: Enc(K,M) doesn t even leak single bit about M

Outsourced storage settings Salesforce stores customer records for companies Name: Alice Age: 22 Salary: 100,000 Comments: Works in NYC office Gender: Female SSN: 555-31-4325 What storage service provider functionalities broken? Field search (Find all records with Name = Alice) Keyword search Range queries (Find all people who make between 90k and 120k) Format problems (Age must be integer between 0 and 130)

Instead: Property-Revealing Encryption (PRE) Salesforce stores customer records for companies Name: Alice Age: 22 Salary: 100,000 Comments: Works in NYC office Gender: Female SSN: 555-31-4325 Encrypt data with special PRE schemes that leak just enough about plaintexts to perform some operations Sometimes advertised as computing over encrypted data metaphor is flawed

Property-revealing encryption Problem Crypto primitive Description Literature Keyword search Searchable symmeric encryption Perform search over ciphertexts given encrypted search token Equality search Deterministic encryption X = Y implies DET(X) = DET(Y) Range queries Range queries Deduplication Format restrictions Order-preserving encryption Order-revealing encryption Message-locked encryption (Convergent encryption) Format-preserving encryption X > Y implies OPE(X) > OPE(Y) X > Y implies Cmp(ORE(X),ORE(Y)) = 1 Different user s encryptions of same plaintext give same ciphertext Ciphertext has same format as plaintext [Dawn, Song, Wagner 2000] [Curtmola et al. 2006] [Rogaway Shrimpton 06] [Boldyreva et al. 2009] [Boldyreva et al. 11], [Boneh et al. 15] [Douceur et al. 2002] [Bellare et al. 2013] [Bellare et al. 2009]

Lots of industry activity Cloud access security brokers (CASB)

PREs in databases SQL Database Alice C1 22 C2 100,000 C3 Bob C1 29 C2 80,000 C3 Alice C1 31 C2 130,000 C3 Encrypt by column Name: C1 = DET(K1, Alice ) Age: C2 = OPE(K2, 22 ) Salary: C3 = OPE(K3, 100,000 )

PREs in databases DET(K1, Alice ) SQL Database DET(K1, Alice ) OPE(K2, 22 ) C3 DET(K1, Bob ) OPE(K2, 29 ) C3 DET(K1, Alice ) OPE(K2, 31 ) C3 Perform equality search by querying DET encryption of keyword Property revelation: DET(K1,X) = DET(K1,Y) ó X = Y

PREs in databases OPE(K2, 10), OPE(K2, 30) SQL Database DET(K1, Alice ) OPE(K2, 22 ) C3 DET(K1, Bob ) OPE(K2, 29 ) C3 DET(K1, Alice ) OPE(K2, 31 ) C3 Perform equality search by querying DET encryption of keyword Property revelation: DET(K1,X) = DET(K1,Y) ó X = Y Perform range search by querying OPE encryption of end points Property revelation: OPE(K2,X) < OPE(K2,Y) ó X < Y What is revealed to adversarial server?

CryptDB [Popa et al. 2011] SQL Database Name: Alice Age: 22 Salary: 100,000 Alice C1 22 C2 100,000 C3 Bob C1 29 C2 80,000 C3 Alice C1 31 C2 130,000 C3 Encrypted onions Name: C1 = Enc(K1, DET(K1, Alice ) ) Age: C2 = Enc(K2, OPE(K2, 22 ) ) Salary: C3 = Enc(K3, OPE(K3, 100,000 ) ) At this point nothing is leaked to Database: Full symmetric encryption security given by Enc Repeats not visible, ordering not visible

CryptDB [Ada Popa et al. 2011] K1, DET(K1, Alice ) SQL Database Name: Alice Age: 22 Salary: 100,000 DET(K1, C1 Alice C2) C2 C3 C3 DET(K1, C1 Bob C2 ) C2 C3 C3 DET(K1, C1 Alice C2 ) C2 C3 C3 Perform equality search by: Send outer encryption key for searched-on-column Server decrypts that column Use DET to find rows corresponding to Alice as before At this point equality patterns of first column leaked

CryptDB [Ada Popa et al. 2011] K2, OPE(K2, 10), OPE(K2, 30) SQL Database Name: Alice Age: 22 Salary: 100,000 DET(K1, Alice ) C2 C3 DET(K2, Bob ) C2 C3 DET(K3, Alice ) C2 C3 Perform range search by: Send outer encryption key for searched-on-column Server decrypts that column Use OPE range query mechanism from before

CryptDB [Ada Popa et al. 2011] K2, OPEnc(K2, 10), OPEnc(K2, 30) SQL Database Name: Alice Age: 22 Salary: 100,000 DET(K1, Alice ) OPE(K2, 22 ) C3 DET(K1, Bob ) OPE(K2, 29 ) C3 DET(K1, Alice ) OPE(K2, 31 ) C3 Perform range search by: Send outer encryption key for searched-on-column Server decrypts that column Use order preservation of OPEnc to find rows in range At this point equality patterns of first and second column leaked Ordering information on second column leaked

Standard PRE use and CryptDB CryptDB: lots more engineering details Other types of queries, other kinds of onions How to decompose SQL queries into appropriate levels of encrypted data Showed that some columns need not be decrypted in some workloads Does not work with legacy storage systems (e.g., SalesForce) Standard PRE use (no onions) easier to deploy. This is what is used in practice currently How damaging is the leakage?

What is known about security? Cryptographic theory offers proofs of security for OPE, DET Preservation means can t achieve IND-CPA definitions Solution: Weaken security notions until one can show achievability

IND-CPA security for DET Adversary gets to submit messages to oracle b' M0,M1 C M0,M1 C Challenge game Encrypt(M0,M1) C <- Enc(K,Mb) Ret C Adversary outputs guess b of b Wins if b = b b is a uniformly sampled bit and K is uniformly sampled key Both hidden from adversary Adversary must query with M0 = M1 Security goal: Enc(K,M) doesn t leak anything about plaintexts

IND-CPA security for DET Adversary gets to submit messages to oracle b' M0,M1 C M0,M1 C Challenge game Encrypt(M0,M1) C <- DET(K,Mb) Ret C Adversary outputs guess b of b Wins if b = b Adversary must query with M0 = M1 and Mb,Mb, all distinct for b = 0,1 b is a uniformly sampled bit and K is uniformly sampled key Both hidden from adversary Security goal: Enc(K,M) doesn t leak anything but plaintext equality

IND-OCPA security for OPE [Boldyreva, Chenette, Lewi, O Neill 09] Adversary gets to submit messages to oracle b' M0,M1 C M0,M1 C IND-OCPA challenge game Encrypt(M0,M1) C <- OPE(K,Mb) Ret C Adversary outputs guess b of b Wins if b = b Adversary must query with M0 = M1 and Mb,Mb, all distinct for b = 0,1 and M0 < M0 iff M1 < M1 for all pairs of queries b is a uniformly sampled bit and K is uniformly sampled key Both hidden from adversary Security goal: Enc(K,M) doesn t leak anything but plaintext equality and order relationships

Achieving IND-OCPA hard Scheme must have mutable ciphertexts (even w/ stateful clients & interactivity), otherwise require exponentially large ciphertexts This degrades the deployability of IND-OCPA schemes. They aren t currently used [Popa et al. 2011] Instead: weaker security goals such as indistinguishability from a random order-preserving function [BCLO 09] give clever scheme provably secure under this definition [BCO 11] show that ciphertexts leak at least approximately half the plaintext

Leakage-abuse attacks (LAAs) Question: what can attackers learn from leakage of PRE schemes? Searchable encryption [Islam, Kuzu, and Kantarcioglu 2012] [Cash, Grubbs, Perry, Ristenpart 2015] [Zhang, Katz, Papamanthou 2016] [Wright, Kamara 2016] DET, OPE, ORE [Naveed, Kamara, Wright 2015] [Durak, DuBuisson, Cash 2016] [Grubbs et al. 2016]

[Naveed, Kamara, Wright 2015] NKW paper Ciphertext-only inference attacks: get access to database Auxiliary information about plaintext distribution DET(K1, Alice ) OPE(K2, 22 ) DET(K1, Bob ) OPE(K2, 29 ) DET(K1, Alice ) OPE(K2, 31 ) Sorting attack against dense OPE columns OPE(K2, 3 ) OPE(K2, 1 ) OPE(K2, 2 ) OPE(K2, 1 ) OPE(K2, 2 ) OPE(K2, 3 ) 1 2 3 Already reveals everything for some column types (e.g., binary attributes)

Frequency analysis DET(K1, Alice ) DET(K1, Bob ) DET(K1, Alice ) DET(K1, Alice ) DET(K1, Alice ) DET(K1, Bob ) Auxiliary data is plaintext dataset distributed similarly to target. Histogram: Alice 15 Bob 3 Match most frequent ciphertext to most frequent auxiliary value Match next most frequent to next most frequent, etc. Technique is thousands of years old; applied most often to substitution ciphers But: DET is just a substitution cipher over large alphabet

Graph viewpoint: DET C1 Alice C2 Bob C3 Tim Bipartate graph problem: find matching of ciphertexts, names that minimizes total weight Weight(C,Name) = Freq(C) Freq(Name) Equivalent to frequency analysis

Graph viewpoint: OPE [Grubbs et al. 2016] C1 Alice C2 Bob C3 Tim Bipartate graph problem: find non-crossing matching of ciphertexts, names that minimizes total weight Weight(C,Name) = Freq(C) Freq(Name) This takes into account ordering constraints

Graph viewpoint: OPE [Grubbs et al. 2016] C1 Alice C2 Bob C3 Tim Bipartate graph problem: find non-crossing matching of ciphertexts, names that minimizes total weight Weight(C,Name) = Freq(C) Freq(Name) This takes into account ordering constraints Better version called multinomial w/ more principled weighting (stay tuned)

Non-crossing vs. NKW attack on first and last names Non-crossing NKW First names: red Last names: blue [Grubbs et al. 2016]

Taking account of additional leakage Recall that most OPE schemes reveal more information than just order, frequency BCLO scheme (the one used most widely in practice) leaks ~half of plaintext bits BCO 11 gave way to compute value m c which is midpoint of range of size sqrt(n) that has 99% chance of including plaintext [Grubbs et al. 2016]

Can prune graph problem using this additional leakage C1 Alice C2 Bob C3 Tim Bipartate graph problem: find non-crossing matching of ciphertexts, names that minimizes total weight Weight(C,Name) = Freq(C) Freq(Name) This takes into account ordering constraints [Grubbs et al. 2016]

Can prune graph problem using this additional leakage C1 Alice C2 Bob C3 Tim Bipartate graph problem: find non-crossing matching of ciphertexts, names that minimizes total weight Weight(C,Name) = Freq(C) Freq(Name) This takes into account ordering constraints [Grubbs et al. 2016]

LAAs Fallout Lots of open questions on how to improve already damaging attacks Unclear if, and if so where, PREs can still be used securely In practice PREs are still the only option in many important contexts otherwise: must download to process encrypted data

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback