1. International Institute of Information Technology
Ecient Format Preserving Encrypted
Databases
Prakruti C
prakruti@iiitb.org
Sashank Dara
sdara@cisco.com
Muralidhara V.N
murali@iiitb.org
July 9, 2015
2. 1
Content
CryptDB
Chanllenges in CryptDB
Format Preserving Encryption
Flexible Naor and Reingold Scheme
FP-CryptDB
Experiments and Results
Storage gain using FP-CryptDB
performance measure of FP-CryptDB
Conclusion and Future Work
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
3. 2
CryptDB
CryptDB is a Onion-Layered Encryption System used to protect
data confidentiality and privacy in applications that are backed
by SQL databases.
Functions of CryptDB
Protect Confidentiality of Data
Process SQL queries on Encrypted Data
Protect Data against Passive Attacks on Database Servers
by malicious Database Administrators
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
4. 3
Challenges in CryptDB
Use of conventional cryptographic schemes like
AES-CBC, AES-CMC, BlowFish for encryption
AES ciphers require more storage space
Format of input plaintext is not preserved
Removal of Format can open up security
vulnerabilities
Can pave way for SQL injection attacks
example
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
5. 4
Format Preserving Encryption
Format Preserving Encryption (FPE) refers to encrypting in such
a way that the output (the ciphertext) is in the same format as
the input (the plaintext)
Example: Format Preserving Encryption of an IPv4 Address
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
6. 5
FNR: Flexible Naor and Reingold Scheme
Small Domain Block Cipher based on classic Feistel Networks
Can cipher small domain input data formats such as IPv4(32), IPv6(32), MAC addresses etc
Preserves the format and length of small domain input data
Uses Pairwise Independent Permutation Function based on N × N Invertible Matrices
Uses AES scheme for input block encryption
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
7. 6
FP-CryptDB: CryptDB + FPE
We propose FP-CryptDB, which is a combination of CryptDB
and FPE
We implement format-preserving encryption schemes in CryptDB
to preserve the length and format of input data and thereby re-
duce the length of the ciphertext.
FP-CryptDB
Uses FNR encryption scheme for encryption of input
database fields
Preserves the length and format of input database fields
1. Preserves format of IPv4 addresses
2. Preserves format of Timestamps of the form
'yyyy/mm/ddThh:mm:ss' using a proposed
format-preserving algorithm
3. Preserves format of Integer datatype
Achieves reduction in encrypted database size
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
8. 7
Experiments and Results
Plain Text Cipher Text
Raw(Dotted) Ranked(Integer) Raw(Integer) De-ranked(Dotted)
64.243.129.86 941079480 1226870871 73.32.144.87
56.23.187.184 2213763856 1067498731 63.160.188.235
131.243.91.16 4026531837 2739475379 163.73.19.179
Table: Format preservation of IPv4 Addresses
Plain Text Cipher Text
Raw(String) Ranked(Integer) Raw(Integer) De-Ranked(String)
Date String Unix Timestamp Unix timestamp Date String
2004/11/16T21:04:05 1100639045 1531152620 2018/07/09T16:10:20
2004/11/15T15:44:38 1100533478 627185476 1989/11/16T02:11:16
1988/01/14T09:27:05 569150825 3645016902 2085/07/03T16:41:42
Table: Format preservation of Timestamps
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
9. 8
Storage gain in FP-CryptDB
We achieve 50% Storage gain using FP-CryptDB
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
10. 9
performance measure of FP-CryptDB
There is a performance degrade in the case of FP-CryptDB as
compared to CryptDB
The performance degrades y ≈ 7x times times
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
11. 10
Conclusion and Future Work
We proposed Format Preserving Encrypted Databases,
FP-CryptDB
We have taken Network Monitoring as our reference
Application
We have provided experimental results on storage gains
that could be achieved using FPE schemes with a degrade
in performance.
Future work includes building applications like threat
analytics on encrypted data using FP-CryptDB and
Crypt-DB, to achieve data security.
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
12. 11
Thank You!
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
13. 12
An Example: Encryption of a 16-digit Credit Card
Number
Figure: where the conventional encryption schemes radically alter the
structure of data, Format Preserving Encryption maintains Data
Format Integrity, significantly minimizing changes to existing
applications
back
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
14. 13
Technical Architecture of CryptDB
CryptDB is a complex system that is comprised of:
Application Server
Proxy Server
DBMS Server
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
15. 14
Onion layers of CryptDB
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |
16. 15
Onion layers of FP-CryptDB
Prakruti C prakruti@iiitb.org, Sashank Dara sdara@cisco.com, Muralidhara V.N murali@iiitb.org |