Presentation given at the KDE Seminar (University of Tsukuba) about CryptDB*. This presentation is based on the uploader's understanding of the paper and may contain inaccurate interpretations. A summary of the paper is available at: https://mshcruz.wordpress.com/2016/06/24/summary-cryptdb/ The official website for CryptDB is: http://css.csail.mit.edu/cryptdb/ *Popa et al.: "CryptDB: Protecting Confidentiality with Encrypted Query Processing". SOSP 2011.

1. CryptDB: Protecting
Confidentiality with
Encrypted Query Processing
Raluca Ada Popa, Catherine M. S. Redfield,
Nickolai Zeldovich, and Hari Balakrishnan
23rd ACM Symposium on Operating Systems Principles (SOSP)
Cascais, Portugal, October 2011
KDE Seminar
May 11th, 2015
Mateus Cruz

2. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
2 / 32

3. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
3 / 32

4. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OVERVIEW
SQL queries over encrypted data
Security
Performance (low overhead)
Dynamic encryption levels
Protection against security threats
1 Curious DBA
2 Adversary compromises application or server
4 / 32

5. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
MAIN IDEAS
SQL-Aware encryption
Execute queries over encrypted data
Adjustable query-based encryption
Change encryption for data items at runtime
5 / 32

6. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
LIMITATIONS
Does not ensure
Integrity
Freshness
Completeness
Does not cover attacks on user machines
6 / 32

7. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ARCHITECTURE
7 / 32

8. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
8 / 32

9. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
INTUITION
Many cryptosystems available
Different security levels
IND-CPA
IND-CCA
Different allowed computations
Equality comparison
Ordering
Summation
Use the most secure cryptosystem that
allows the desired computation over the
data item
9 / 32

10. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
RANDOM (RND)
Different ciphertexts for the same plaintext
Maximum security in CryptDB
IND-CPA
Does not allow computations
Constructed using AES/Blowfish with a
random initialization vector (IV)
10 / 32

11. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DETERMINISTIC (DET)
Same ciphertext for the same plaintext
Leaks which items are repeated
But not the values
Allows equality checks
SELECT with equality predicates, GROUP BY,
COUNT, DISTINCT, etc
Constructed using AES/Blowfish
11 / 32

12. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ORDER-PRESERVING ENCRYPTION
(OPE)
Random mapping that preserves order
If x < y, then OPEK(x) < OPEK(y)
Allows range queries and ordering
ORDER BY, MIN, MAX, etc
Leaks order between data items
12 / 32

13. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
HOMOMORPHIC ENCRYPTION
(HOM)
IND-CPA that allows computations
Fully HOM is very slow
Slowdowns on the order of 109
Constructed using Paillier cryptosystem
HOMK(x) × HOMK(y) = HOMK(x + y)
Allows SUM aggregates
13 / 32

14. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ADJUSTABLE JOIN (JOIN-ADJ)
Join columns with the same encryption
Prevent join without request
JOIN(x) = JOIN-ADJ(x)||DET(x)
JOIN-ADJ is non-invertible
Can obtain x by decrypting DET(x)
Can join columns by using JOIN-ADJ(x)
14 / 32

15. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
WORD SEARCH (SEARCH)
Searches on encrypted text
Allows LIKE operations
Does not support regular expressions
Nearly as secure as RND
Leaks the number of duplicated words
15 / 32

16. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
16 / 32

17. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
INTUITION
Different encryption models
Different security levels
Allow different computations
Balance between security and functionality
Adjust the encryption at runtime
17 / 32

18. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ONION MODEL
Each data item has layers of encryption
Layers form an onion
18 / 32

19. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DATA LAYOUT
Multiple onions for one data item
19 / 32

20. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DECRYPTION OF ONIONS
The proxy issues a decryption using UDFs
User Defined Functions
Speeds up subsequent queries
Example
Decrypt onion Ord of column 2 in Table1:
UPDATE Table1 SET C2-ORD =
DECRYPT RND(K,C2-ORD,C2-IV)
20 / 32

21. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
DECRYPTION OF ONIONS
The proxy issues a decryption using UDFs
User Defined Functions
Speeds up subsequent queries
Example
Decrypt onion Ord of column 2 in Table1:
UPDATE Table1 SET C2-ORD =
DECRYPT RND(K,C2-ORD,C2-IV
Decryption from RND
requires the initializa-
tion vector (IV)
)
20 / 32

22. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:
SELECT ID FROM Employees
WHERE Name = ’Alice’
1 - Lower encryption of Name to DET:
UPDATE Table1 SET C2-Eq =
DECRYPT RND(KT1,C2,Eq,RND,C2-Eq,C2-IV)
21 / 32

23. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:
SELECT ID FROM Employees
WHERE Name = ’Alice’
1 - Lower encryption of Name to DET:
UPDATE Table1 SET C2-Eq =
DECRYPT RND(KT1,C2,Eq,RND
Key for decrypting
layer RND, of onion
Eq, of column C2, on
table T1
,C2-Eq,C2-IV)
21 / 32

24. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example
Initial query:
SELECT ID FROM Employees
WHERE Name = ’Alice’
1 - Lower encryption of Name to DET:
UPDATE Table1 SET C2-Eq =
DECRYPT RND(KT1,C2,Eq,RND,C2-Eq,C2-IV)
21 / 32

25. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:
SELECT C1-Eq, C1-IV FROM Table1
WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,
KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the final
result: 23.
21 / 32

26. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:
SELECT C1-Eq, C1-IV
Requires the initializa-
tion vector (IV) to de-
crypt layer RND
FROM Table1
WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,
KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the final
result: 23.
21 / 32

27. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:
SELECT C1-Eq, C1-IV FROM Table1
WHERE C2-Eq = ’x7..d’
Encryption of the
value ’Alice’ with
layers JOIN and DET
3 - Decrypt results using keys KT1,C1,Eq,RND,
KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the final
result: 23.
21 / 32

28. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
QUERY EXECUTION
Example (Cont.)
2 - Perform the selection:
SELECT C1-Eq, C1-IV FROM Table1
WHERE C2-Eq = ’x7..d’
3 - Decrypt results using keys KT1,C1,Eq,RND,
KT1,C1,Eq,DET, KT1,C1,Eq,JOIN and obtain the final
result: 23
Decrypts three layers
to obtain the plaintext
.
21 / 32

29. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPROVING SECURITY
Minimum number of layers
Specify the lowest layer revealed
Onion re-encryption
Re-encrypt onions after infrequent queries
22 / 32

30. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPROVING PERFORMANCE
Training mode
Obtain correctly adjusted layers
Cyphertext pre-computing and caching
Encryption of HOM and OPE are expensive
Pre-computes and caches frequent constants
for HOM and OPE under different keys
23 / 32

31. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
24 / 32

32. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
IMPLEMENTATION
C++ library: 18.000 lines
Lua module: 150 lines
MySQL 5.1
NTL library
Cryptographic implementation
25 / 32

33. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
ENVIRONMENT
Server
Node with two 2.46Ghz Intel Xeon E5620
4-cores
12GB RAM
Proxy and clients
Node with eight 2.4Ghz AMD Opteron 8431
6-cores
64GB RAM
All workloads fit in the server’s RAM
26 / 32

34. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
PERFORMANCE
Using TPC-C workload
21% to 26% slower than plaintext MySQL
27 / 32

35. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
PERFORMANCE PER QUERY TYPE
Slower for queries involving HOM (SUM)
28 / 32

36. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
LATENCY
Overall server latency increased by 20%
Proxy adds 0.6ms
23% in encryption and decryption
24% in MySQL proxy
53% in parsing and processing
29 / 32

37. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
STORAGE
Increased required storage
Multiple onions per field
Some ciphertexts are larger than plaintexts
– HOM maps 32 bits integer to 2048 bits
Increased size by 3.76 times using TPC-C
30 / 32

38. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
OUTLINE
1 Introduction
2 SQL-Aware Encryption
3 Adjustable Encryption
4 Experiments
5 Conclusion
31 / 32

39. Introduction SQL-Aware Encryption Adjustable Encryption Experiments Conclusion
CONCLUSION
Provide practical confidentiality
Deal with two threat models
Curious DBAs
Compromise of DBMS server
Main points
SQL-Aware encryption
Adjustable encryption
Modest performance penalty
14.5% to 26%
32 / 32