Provable Security for Outsourcing Database Operations

Database outsourcing, whilst becoming more popular in recent years, is creating substantial security and privacy risks. In this paper, we assess cryptographic solutions to the problem that some client party (Alex) wants to outsource database operations on sensitive data sets to a service provider (Eve) without having to trust her. Contracts are an option, but for various reasons their effectiveness is limited [2]. Alex would rather like to use privacy homomorphisms [6], i.e., encryption schemes that transform relational data sets and queries into ciphertext such that (i) the data is securely hidden from Eve; and (ii) Eve computes hidden results from hidden queries that Alex can efficiently decrypt. Unfortunately, all privacy homomorphisms we know of lack a rigorous security analysis. Before they can be used in practice, we need formal definitions that are both sound and practical to assess their effectiveness.

[1]  Niv Gilboa,et al.  Computationally private information retrieval (extended abstract) , 1997, STOC '97.

[2]  Josep Domingo-Ferrer,et al.  A Provably Secure Additive and Multiplicative Privacy Homomorphism , 2002, ISC.

[3]  Claus Boyens,et al.  Profiting from Untrusted Parties in Web-Based Applications , 2003, EC-Web.

[4]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[5]  Sanjay Jasola Security Model for Educational Satellite Networks , 2007, Encyclopedia of Information Ethics and Security.

[6]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[7]  Hakan Hacigümüs,et al.  Executing SQL over encrypted data in the database-service-provider model , 2002, SIGMOD '02.

[8]  Sushil Jajodia,et al.  Balancing confidentiality and efficiency in untrusted relational DBMSs , 2003, CCS '03.

[9]  Jun Zheng,et al.  Handbook of Research on Wireless Security , 2008 .

[10]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[11]  Hamid R. Nemati,et al.  Information Security and Ethics: Concepts, Methodologies, Tools and Applications , 2008 .

[12]  Eyal Kushilevitz,et al.  Private information retrieval , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[13]  Oliver Günther,et al.  Trust Is not Enough: Privacy and Security in ASP and Web Service Environments , 2002, ADBIS.

[14]  Thomas P. Van Dyke Ignorance is Bliss: The Effect of Increased Knowledge on Privacy Concerns and Internet Shopping Site Personalization Preferences , 2007, Int. J. Inf. Secur. Priv..

[15]  Ronald L. Rivest,et al.  ON DATA BANKS AND PRIVACY HOMOMORPHISMS , 1978 .

[16]  Chris Clifton,et al.  Security Issues in Querying Encrypted Data , 2005, DBSec.

[17]  R. Sharman,et al.  Social and Human Elements of Information Security: Emerging Trends and Countermeasures , 2008 .

[18]  Paolo Bellavista,et al.  Trust Management and Context-Driven Access Control , 2008 .

[19]  Robert Hauptman Encyclopedia of Information Ethics and Security , 2007, Encyclopedia of Information Ethics and Security.

[20]  Dawn Xiaodong Song,et al.  Practical techniques for searches on encrypted data , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[21]  Hamid R. Nemati International Journal of Information Security and Privacy , 2007 .

[22]  Michael Mitzenmacher,et al.  Privacy Preserving Keyword Searches on Remote Encrypted Data , 2005, ACNS.