
Upload: mateus-s-h-cruz

Post on 27-Jan-2017


ENKI: Access Control for Encrypted Query Processing

Isabelle Hang, Florian Kerchbaum, and Ernesto Damiani

ACM SIGMOD International Conference on Management of Data, Melbourne, Victoria, Australia, May 2015

SWIM Seminar, November 27, 2015

Mateus Cruz

Introduction Access Control Query Rewriting Proxy Re-Encryption Split Execution Experiments Summary

OUTLINE

1 Introduction

2 Access Control

3 Query Rewriting

4 Proxy Re-Encryption

5 Split Execution

6 Experiments

7 Summary


OVERVIEW

- Query data encrypted using different keys
- Access control enforced by encryption
- Secure proxy re-encryption
  - Non-transitive and non-symmetric
- Split query execution
  - Less computation on the client
- 37% performance overhead

1 / 33

REVIEW: CRYPTDB

- SQL queries over encrypted data
- Proxy controls access
- Limitations
  - Column-level as minimum granularity
  - Onions of encryption
    - Decreasing security
    - Storage overhead

ARCHITECTURE

- Threat model
  - Passive attacker
  - Attacks on clients are out of scope


ACCESS CONTROL MATRIX

- Rows correspond to subjects (S, |S| = n)
- Columns correspond to objects (O)
- Value 1 represents a granted right
  - Read, update or delete
- No support for different rights
  - E.g.: read-only

Example

User   t1  t2  t3  t4  t5
Alice   0   1   1   1   1
Bob     1   1   0   1   0

QUALIFIED SET (QS_i)

- Set of subjects with access to an object
  - Column of an access control matrix
- Never empty

Example

User   t1  t2  t3  t4  t5
Alice   0   1   1   1   1
Bob     1   1   0   1   0

QS_t4 = {1, 1}, so Alice and Bob have access to t4.

USER GROUPS (p_i)

- p_i ∈ P*(S)
  - P*(S): power set of all subjects S (without ∅)

Example

p1 = {Alice} := A
p2 = {Bob} := B
p3 = {Alice, Bob} := AB

USER GROUP MAPPING

- User group mapping
  - Assigns users to the groups they participate in

Example

User   User Group
Alice  A
Alice  AB
Bob    B
Bob    AB

OBJECT SET (O(p_i))

- Objects accessible by the same user group
- The sets O(p_i) form a partition of O

O(p_i) = {o | o ∈ O ∧ QS_o = p_i}

Example

User   t1  t2  t3  t4  t5
Alice   0   1   1   1   1
Bob     1   1   0   1   0

p1 = {Alice}        O(p1) = {t3, t5}
p2 = {Bob}          O(p2) = {t1}
p3 = {Alice, Bob}   O(p3) = {t2, t4}


VIRTUAL RELATION

- Relation corresponding to one object set
- One user group can access all of its tuples
- Virtual relation mapping
  - Specified and maintained by the data owner

Example

User Group   Relation   Virtual Relation
A            R          RA
B            R          RB
AB           R          RAB
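The chain of definitions on the preceding slides (access control matrix, qualified sets, user groups, object sets, virtual relations) can be computed mechanically. The following is an added example written for this transcript, not code from the slides or from the ENKI paper; the matrix and the relation R are the slides' example values, and the virtual relation naming R_{Alice,Bob} for RAB is an assumption.

```python
from typing import Dict, FrozenSet, Set

Group = FrozenSet[str]

# Constructed sample matching the slides' example: rows are subjects,
# columns are objects (tuples t1..t5), 1 = right granted.
MATRIX: Dict[str, Dict[str, int]] = {
    "Alice": {"t1": 0, "t2": 1, "t3": 1, "t4": 1, "t5": 1},
    "Bob":   {"t1": 1, "t2": 1, "t3": 0, "t4": 1, "t5": 0},
}

# Constructed relation R; tuple ids match the matrix columns.
R: Dict[str, Dict[str, object]] = {
    "t1": {"id": 1, "value": "bob-only"},
    "t2": {"id": 2, "value": "shared"},
    "t3": {"id": 3, "value": "alice-only"},
    "t4": {"id": 4, "value": "shared"},
    "t5": {"id": 5, "value": "alice-only"},
}


def qualified_sets(matrix: Dict[str, Dict[str, int]]) -> Dict[str, Group]:
    """QS_o is the column of object o read as a set of subjects. ENKI requires it
    to be non-empty, so an object nobody may read is rejected here."""
    objects = next(iter(matrix.values())).keys()
    qs: Dict[str, Group] = {}
    for o in objects:
        subjects = frozenset(s for s, row in matrix.items() if row[o] == 1)
        if not subjects:
            raise ValueError(f"qualified set of {o} is empty")
        qs[o] = subjects
    return qs


def object_sets(qs: Dict[str, Group]) -> Dict[Group, Set[str]]:
    """O(p) = {o | QS_o = p}. Only busy groups (non-empty O(p)) appear as keys,
    and the values partition the object set O."""
    osets: Dict[Group, Set[str]] = {}
    for o, p in qs.items():
        osets.setdefault(p, set()).add(o)
    return osets


def user_group_mapping(busy_groups) -> Dict[str, Set[Group]]:
    """Groups each user participates in; the user later holds one key per entry."""
    mapping: Dict[str, Set[Group]] = {}
    for p in busy_groups:
        for user in p:
            mapping.setdefault(user, set()).add(p)
    return mapping


def vr_name(relation: str, p: Group) -> str:
    # Assumed naming: R_{Alice,Bob} stands for the slides' RAB.
    return f"{relation}_{{{','.join(sorted(p))}}}"


def virtual_relations(relation: str, tuples: Dict[str, dict],
                      osets: Dict[Group, Set[str]]) -> Dict[str, Dict[str, dict]]:
    """Split R into virtual relations with the same schema. Each one is later
    encrypted under the key of the single group that may read all its tuples."""
    return {vr_name(relation, p): {o: tuples[o] for o in sorted(objs)}
            for p, objs in osets.items()}


def is_partition(osets: Dict[Group, Set[str]], objects) -> bool:
    """Every object lies in exactly one object set."""
    seen = [o for objs in osets.values() for o in objs]
    return len(seen) == len(set(seen)) and set(seen) == set(objects)
```

Running `virtual_relations("R", R, object_sets(qualified_sets(MATRIX)))` yields three virtual relations; `user_group_mapping` shows that Alice and Bob each hold two keys, as the encryption slide states.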


ENCRYPTION OF RELATIONS

- The data owner splits R
  - Virtual relations: RA, RB, RAB
  - Same schema as R
- The data owner generates encryption keys
  - One key per group
  - Distributed to the group members
- The number of keys for each user depends on the number of groups she participates in

Example

Generate key r_a for group A and encrypt RA:

κ_ra(RA) = {κ_ra(t) | t ∈ RA}


QUERY REWRITING

- Queries over more than one virtual relation
- Performed by the ENKI Query Adapter

REWRITING STRATEGIES

- Selection
- Projection
- Rename
- Count
- Set union
- Cartesian product


SELECTION: σ_{α θ β}(R)

- Predicate θ (=, <, ≤, >, ≥)
- α, β (e.g.: attributes, constants)
- Encrypt α θ β for both virtual relations:
  - κ_ra(α) θ κ_ra(β) (for key r_a)
  - κ_rab(α) θ κ_rab(β) (for key r_ab)

Example

(σ_{α θ β}(R), Alice)
  = σ_{κ_ra(α) θ κ_ra(β)}(κ_ra(RA)) ∧ σ_{κ_rab(α) θ κ_rab(β)}(κ_rab(RAB))
  = {κ_ra(t) | t ∈ RA ∧ κ_ra(α) θ κ_ra(β)} ∪ {κ_rab(t) | t ∈ RAB ∧ κ_rab(α) θ κ_rab(β)}

CARTESIAN PRODUCT: R × S

- Tuple from R: r
- Tuple from S: s

Example

(R × S, Alice) = {κ_ra(r)κ_sa(s) ∨ κ_ra(r)κ_sab(s) ∨ κ_rab(r)κ_sa(s) ∨ κ_rab(r)κ_sab(s) | r ∈ (RA ∨ RAB) ∧ s ∈ (SA ∨ SAB)}
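The selection rewrite above, carried out as code: the Query Adapter looks up the issuer's groups, encrypts the predicate once per readable virtual relation with that relation's key, and the server evaluates each sub-query on ciphertexts before the partial results are united. This is an added example for this transcript, not code from the slides or the ENKI paper. It assumes a deterministic, equality-preserving encryption, here stood in for by a keyed PRF (HMAC-SHA256), so only θ = "=" is modelled; the slides' order comparisons would need an order-preserving scheme. Group keys, the user group mapping, the virtual relation mapping and the relation R(id, dept) are constructed.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Tuple

Group = FrozenSet[str]
A, B, AB = frozenset({"Alice"}), frozenset({"Bob"}), frozenset({"Alice", "Bob"})

# Constructed material: one key per busy group (slides: r_a, r_b, r_ab),
# the user group mapping, and the virtual relation mapping for relation R.
GROUP_KEYS: Dict[Group, bytes] = {A: b"r_a-demo", B: b"r_b-demo", AB: b"r_ab-demo"}
USER_GROUPS: Dict[str, List[Group]] = {"Alice": [A, AB], "Bob": [B, AB]}
VR_MAPPING: Dict[str, Dict[Group, str]] = {"R": {A: "RA", B: "RB", AB: "RAB"}}


def det_enc(key: bytes, value: str) -> str:
    """Stand-in for ENKI's deterministic, equality-preserving encryption: a keyed
    PRF. Equal plaintexts under the same key give equal tokens, so the server can
    evaluate '=' on tokens alone. Being one-way it models only the comparable part
    of a ciphertext, not the payload the client would decrypt."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def encrypt_relation(rows: List[dict], key: bytes) -> List[dict]:
    """Encrypt attribute names and values of one virtual relation with its group key."""
    return [{det_enc(key, c): det_enc(key, str(v)) for c, v in row.items()} for row in rows]


# Constructed plaintext virtual relations of R(id, dept), split as in the slides.
SERVER: Dict[str, List[dict]] = {
    "RA":  encrypt_relation([{"id": 3, "dept": "crypto"}, {"id": 5, "dept": "db"}], GROUP_KEYS[A]),
    "RB":  encrypt_relation([{"id": 1, "dept": "db"}], GROUP_KEYS[B]),
    "RAB": encrypt_relation([{"id": 2, "dept": "db"}, {"id": 4, "dept": "crypto"}], GROUP_KEYS[AB]),
}


def readable_vrs(issuer: str, relation: str) -> List[Tuple[str, bytes]]:
    """Look-up step: the virtual relations of `relation` whose group the issuer
    belongs to, each with the key the issuer holds for it. Nothing else is queried."""
    if issuer not in USER_GROUPS:
        raise PermissionError(f"{issuer} is not a known user")
    return [(VR_MAPPING[relation][p], GROUP_KEYS[p])
            for p in USER_GROUPS[issuer] if p in VR_MAPPING[relation]]


def rewrite_selection(issuer: str, relation: str, attr: str,
                      const: str) -> List[Tuple[str, str, str, str]]:
    """σ_{attr = const}(relation) for the issuer: one encrypted sub-query per
    readable virtual relation, as (vr, sql, enc_attr, enc_const). The plaintext
    predicate never reaches the server."""
    plan = []
    for vr, key in readable_vrs(issuer, relation):
        ea, ec = det_enc(key, attr), det_enc(key, const)
        plan.append((vr, f"SELECT * FROM {vr} WHERE \"{ea}\" = '{ec}'", ea, ec))
    return plan


def server_select(plan: List[Tuple[str, str, str, str]]) -> List[Tuple[str, dict]]:
    """Server side: evaluate each sub-query on tokens; the union is the result.
    Each returned row is tagged with its virtual relation so the client knows
    which group key decrypts it."""
    out = []
    for vr, _sql, ea, ec in plan:
        out.extend((vr, row) for row in SERVER[vr] if row.get(ea) == ec)
    return out


def count_rewritten(issuer: str, relation: str) -> int:
    """Count over R for the issuer: the partial counts of the virtual relations are summed."""
    return sum(len(SERVER[vr]) for vr, _ in readable_vrs(issuer, relation))
```

Issuing the same predicate as Bob produces a plan over RB and RAB only: the tuples of RA are never touched, and even if they were returned Bob holds no key for them.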

OTHER OPERATIONS

- Also supports update, delete and insert
- Supports queries that modify the schema
  - Must modify the schemas of the virtual relations


PROXY RE-ENCRYPTION

- Virtual relations encrypted with different keys
  - Cannot perform comparison
    - Count distinct, equi-join, set difference
- Proxy re-encryption
  - Change keys without revealing plaintexts
  - Allows comparison

Definition

Proxy re-encryption of attribute A_i:
χ_y(κ_z(A_i)) := {χ_y(κ_z(t_ik)) | t_ik ∈ A_i for all k = 1, ..., j}
              = {κ_y(t_ik) | t_ik ∈ A_i for all k = 1, ..., j}
              = κ_y(A_i)

PROPERTIES

Symmetry
χ_b(κ_a(A_i)) = κ_b(A_i) ↔ χ_a(κ_b(A_i)) = κ_a(A_i)

Transitivity
χ_b(κ_a(A_i)) = κ_b(A_i) ∧ χ_c(κ_b(A_i)) = κ_c(A_i) → χ_c(κ_a(A_i)) = κ_c(A_i)

PROBLEM

Example

Alice has key r_a, Bob has key r_b, both have key r_ab.

Suppose a comparison between RA and RAB. Proxy re-encryption of keys r_a and r_ab to r_c: r_a ∼ r_c and r_ab ∼ r_c.

Symmetry and transitivity allow r_a ∼ r_c ∼ r_ab. So Bob can access Alice's data.

ALGORITHMS

- Parameter generation
- Key generation
- Encryption
- Token
  - Input: two keys k_i and k_j
  - Output: token to proxy re-encrypt k_i to k_j: T = Token(k_i, k_j)
- Proxy re-encryption
  - Input: ciphertext C and token T
  - Output: ciphertext C′ = Pre(C, T)

TEMPORARY RE-ENCRYPTION

- A ciphertext can be re-encrypted only once
- Persisting re-encryption restricts usability
- Temporary re-encryption
  - Base values: values initially encrypted
  - DetPre values: temporarily re-encrypted values
  - Concatenate DetPre to Base
  - Delete DetPre after the user logs out

EXECUTING EQUI-JOINS

- Execute the join on the virtual relations
  - Encrypted with different keys
- Re-encrypt with a shared key
  - Also encrypt the join condition

Example

(R ⋈_{Ai=Bi} S, Alice) = {κ_c(r)κ_c(s) | r ∈ (RA ∨ RAB) ∧ s ∈ (SA ∨ SAB) ∧ κ_c(r_i) θ κ_c(s_j)}


EXECUTING AGGREGATE FUNCTIONS

- Aggregate functions over virtual relations
  - Encrypted with different keys
- Proxy re-encryption could be used
  - Depends on the encryption scheme used

Example

For SUM, the Paillier cryptosystem can be used.

Problem: creation of a secure proxy re-encryption for the Paillier cryptosystem. Either hard to construct or expensive.

CLIENT-SERVER SPLIT EXECUTION

- Compute partial results on the server
  - Results for each virtual relation
- Generate the final result on the client
  - Decrypt partial results
  - Compute F_Agg for the final result

SUPPORTED AGGREGATIONS

- Maximum
- Minimum
- Sum
- Average
- Sort


MAXIMUM

Example

On the server, compute:
Res(RA) = Max(RA)
Res(RAB) = Max(RAB)

On the client, compute:
F_Max = Max(Max(RA), Max(RAB))


ENVIRONMENT

- SAP HANA database
  - Extended with UDFs
- Server
  - 8-core 2.6 GHz, 252 GB RAM
- Client
  - 2-core 2.8 GHz, 16 GB RAM
- Proxy re-encryption implementation
  - C language
  - pbc and gmp libraries

DATASETS

- TPC-C benchmark
- IS-H: Healthcare management
- LSM: Resources planning
- SFIN: Simplified finances for SAP ERP

Dataset   # Tables   # Columns
TPC-C        9          92
IS-H         7         477
LSM         25         173
SFIN         9         741

MULTI USER MODE OVERHEAD

Overhead of multi user mode: 37%

IMPACT OF QUERY REWRITING

IMPACT OF NUMBER OF USER GROUPS

IMPACT OF POST-PROCESSING


SUMMARY

- ENKI
  - Query processing over encrypted data
- Contribution
  - Access control
  - Query rewriting strategies
  - Secure proxy re-encryption
  - Split execution
- Evaluation
  - "Modest overhead" (40%)

Rewriting Strategies Proxy Re-Encryption Split Execution System Execution Flow Key Management

EXTRA SLIDES

PROJECTION: π_β(R)

- Relation R′
  - R′(A_i(1), ..., A_i(k)) ⊆ R(A_1, ..., A_n)
- Attribute list β
  - β = (A_i(1), ..., A_i(k)) ⊆ (A_1, ..., A_n)

Example

(π_β(R), Alice) = π_{κ_ra(β)}(κ_ra(RA)) ∪ π_{κ_rab(β)}(κ_rab(RAB)) = κ_ra(R′A) ∪ κ_rab(R′AB)

RENAME: ρ_{Q←Ai}(R)

- Rename ρ of an attribute A_i ∈ R to Q
- Encrypt the new attribute name
  - Use the keys of the virtual relations
- Rename is not persisted

Example

(ρ_{Q←Ai}(R), Alice) = ρ_{κ_ra(Q)←κ_ra(Ai)}(κ_ra(RA)) ∪ ρ_{κ_rab(Q)←κ_rab(Ai)}(κ_rab(RAB))

COUNT: βγ_{Count(Ai)}(R)

- Executed on the server side
- Counts the attribute values of A_i
  - Sum the partial results from the virtual relations

Example

(βγ_{Count(Ai)}(R), Alice) = κ_ra(β)γ_{Count(κ_ra(Ai))}(κ_ra(RA)) + κ_rab(β)γ_{Count(κ_rab(Ai))}(κ_rab(RAB))

SET UNION: R ∪ S

- Union between two relations R and S
  - Same set of attributes

Example

(R ∪ S, Alice) = {κ_ra(t) | t ∈ RA} ∪ {κ_rab(t) | t ∈ RAB} ∪ {κ_sa(t) | t ∈ SA} ∪ {κ_sab(t) | t ∈ SAB}

ALGORITHMS

- Parameter generation
- Key generation
- Encryption
- Token
- Proxy re-encryption

PARAMETER GENERATION

- Receives a security parameter λ
- Generates a prime number p
- Generates two groups G1, G2 of order p
- Generates a map e : G1 × G1 → G2
- Chooses a random generator G ∈ G1

KEY GENERATION

- Choose a random k_i ∈ Z_p

ENCRYPTION

- Receives a plaintext m with key k_i
- Generates a ciphertext
  - C = G^(m·k_i) ∈ G1

TOKEN

- Receives two keys k_i and k_j
- Generates a token T for proxy re-encryption
  - T = G^(k_j / k_i) ∈ G1

PROXY RE-ENCRYPTION

- Receives a ciphertext C encrypted with k_i
- Generates a ciphertext C′ encrypted with k_j

C′ = e(C, T)
   = e(G^(m·k_i), G^(k_j / k_i))
   = e(G, G)^(m·k_i·k_j / k_i)
   = e(G, G)^(m·k_j)
   = g^(m·k_j) ∈ G2
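The exponent algebra of the Token/Pre construction above, together with the temporary re-encryption used for the equi-join in Section 4 (Base values stay, DetPre values are computed under a fresh shared key and dropped afterwards), can be checked in a small model. This is an added example for this transcript, not code from the slides or the ENKI paper, and it is a model, not a cipher: a G1 element G^x is represented by x mod p and a G2 element e(G,G)^x by x mod p, so bilinearity and the G1 × G1 → G2 typing are modelled while the hardness of discrete logarithms is not. The prime p = 2^127 − 1, the keys and the sample join values are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for the prime group order p (the Mersenne prime 2^127 - 1).
# Only the exponent algebra is modelled; do not read this as a secure scheme.
P = 2**127 - 1


@dataclass(frozen=True)
class G1:
    x: int  # represents G^x in the source group


@dataclass(frozen=True)
class G2:
    x: int  # represents g^x in the target group, g = e(G, G)


def pairing(a: G1, b: G1) -> G2:
    """Bilinear map e: G1 x G1 -> G2 with e(G^a, G^b) = e(G, G)^(ab)."""
    return G2(a.x * b.x % P)


def keygen() -> int:
    return secrets.randbelow(P - 1) + 1  # k_i in Z_p, non-zero so it is invertible


def encrypt(m: int, k: int) -> G1:
    return G1(m * k % P)  # C = G^(m k_i); deterministic, so equal m give equal C under one key


def token(k_i: int, k_j: int) -> G1:
    return G1(k_j * pow(k_i, -1, P) % P)  # T = G^(k_j / k_i), computed by a holder of both keys


def pre(c: G1, t: G1) -> G2:
    """Proxy re-encryption C' = e(C, T) = g^(m k_j). The result lives in G2, which
    the pairing does not accept as input: a ciphertext can be re-encrypted once."""
    if not isinstance(c, G1):
        raise TypeError("G2 values cannot be re-encrypted again")
    return pairing(c, t)


def can_reencrypt_twice(m: int, k_i: int, k_j: int, k_l: int) -> bool:
    """Transitivity check: re-encrypting i->j and then j->l is rejected by typing."""
    first = pre(encrypt(m, k_i), token(k_i, k_j))
    try:
        pre(first, token(k_j, k_l))
        return True
    except TypeError:
        return False


def token_is_symmetric(m: int, k_i: int, k_j: int) -> bool:
    """Symmetry check: does the i->j token also move a k_j ciphertext to k_i?"""
    return pre(encrypt(m, k_j), token(k_i, k_j)) == G2(m * k_i % P)


# Equi-join with temporary re-encryption, run by Alice, who holds r_a, r_ab, s_a, s_ab.
VR = Dict[str, Tuple[str, List[Tuple[int, G1]]]]  # vr -> (key name, [(row id, κ(join attribute))])


def encrypt_vrs(plain: Dict[str, Tuple[str, List[Tuple[int, int]]]], keys: Dict[str, int]) -> VR:
    """Base values: every virtual relation encrypted under its own group key."""
    return {vr: (kn, [(rid, encrypt(m, keys[kn])) for rid, m in rows])
            for vr, (kn, rows) in plain.items()}


def equi_join(left: VR, right: VR, keys: Dict[str, int]) -> List[Tuple[int, int]]:
    """R ⋈_{Ai=Bi} S over virtual relations under different keys: re-encrypt both
    join columns to a fresh shared key c (the DetPre values), compare in G2, and
    let the DetPre lists go out of scope afterwards (deleted at logout)."""
    k_c = keygen()

    def detpre(vrs: VR) -> List[Tuple[int, G2]]:
        out = []
        for kn, rows in vrs.values():
            t = token(keys[kn], k_c)
            out.extend((rid, pre(c, t)) for rid, c in rows)
        return out

    l, r = detpre(left), detpre(right)
    return sorted((rid, sid) for rid, lc in l for sid, rc in r if lc == rc)


# Constructed sample: plaintext join attribute per row of each virtual relation.
KEYS = {"r_a": keygen(), "r_ab": keygen(), "s_a": keygen(), "s_ab": keygen()}
R_ENC = encrypt_vrs({"RA": ("r_a", [(1, 10), (2, 20)]), "RAB": ("r_ab", [(3, 30), (4, 10)])}, KEYS)
S_ENC = encrypt_vrs({"SA": ("s_a", [(7, 10)]), "SAB": ("s_ab", [(8, 30), (9, 40)])}, KEYS)
```

`equi_join(R_ENC, S_ENC, KEYS)` pairs rows whose join attributes agree across all four virtual relations without exposing the plaintexts to the comparison, and the DetPre values never persist; `can_reencrypt_twice` and `token_is_symmetric` return False, matching the non-transitive, non-symmetric requirement from the PROBLEM slide.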

EXECUTING COUNT DISTINCT

- Adjust the keys of the virtual relations
  - Re-encrypt to a common key

Example

(βγ_{CountDistinct(Ai)}(R), Alice) = κ_c(β)γ_{CountDistinct(κ_c(Ai))}(κ_c(RA) ∪ κ_c(RAB))

EXECUTING SET DIFFERENCE

- Adjust the keys of the virtual relations
  - Re-encrypt to a common key

Example

(R \ S, Alice) = {κ_c(t) | t ∈ (RA ∨ RAB) ∧ t ∉ (SA ∨ SAB)}

SUM

Example

On the server, compute:
Res(RA) = Sum(RA)
Res(RAB) = Sum(RAB)

On the client, compute:
F_Sum = Sum(Sum(RA), Sum(RAB))

AVERAGE

- Replaced by the functions sum and count

Example

On the server, compute:
Res(RA) = {Sum(RA), Count(RA)}
Res(RAB) = {Sum(RAB), Count(RAB)}

On the client, compute:
F_Avg = (Sum(RA) + Sum(RAB)) / (Count(RA) + Count(RAB))

SORT

Example

On the server, compute:
Res(RA) = Sort(RA)
Res(RAB) = Sort(RAB)

On the client, compute:
F_Sort = Merge sorted lists(Sort(RA), Sort(RAB))

SYSTEM SETUP

- The data owner
  - Handles n users
  - Defines the user group mapping
  - Defines the virtual relation mapping

QUERY EXECUTION STEPS

1 Look up
2 Proxy re-encryption
3 Query encryption
4 Query rewriting
5 Server-side execution
6 Client-side execution

LOOK UP

- Checks the user group mapping
  - Groups the query issuer belongs to
- Checks the virtual relation mapping
  - Virtual relations used to answer the query

PROXY RE-ENCRYPTION

- Queries containing
  - Equi-join
  - Set difference
  - Count distinct
- Adjust the keys of the virtual relations
  - Temporary re-encryption to a shared key

Example

(R ⋈_{Ai=Bi} S, Alice) = {κ_c(r)κ_c(s) | r ∈ (RA ∨ RAB) ∧ s ∈ (SA ∨ SAB) ∧ κ_c(r_i) θ κ_c(s_j)}

QUERY ENCRYPTION

- Encrypt the attributes used in the query
  - Attributes accessible by the issuer

Example

(σ_{α θ β}(R), Alice)
  = σ_{κ_ra(α) θ κ_ra(β)}(κ_ra(RA)) ∧ σ_{κ_rab(α) θ κ_rab(β)}(κ_rab(RAB))
  = {κ_ra(t) | t ∈ RA ∧ κ_ra(α) θ κ_ra(β)} ∪ {κ_rab(t) | t ∈ RAB ∧ κ_rab(α) θ κ_rab(β)}

QUERY REWRITING

- Modifies the query
  - Executed over virtual relations
- Returns a query sQ
  - Executed on the server
- Can return an additional query cQ
  - Executed on the client

Example

sQ : Sum(RA), Count(RA), Sum(RAB), Count(RAB)
cQ : F_Avg = (Sum(RA) + Sum(RAB)) / (Count(RA) + Count(RAB))

SERVER-SIDE EXECUTION

- Executes the encrypted query sQ
- Returns encrypted results to the client
- If necessary, also returns cQ

Example

Res(RA) = {Sum(RA), Count(RA)}
Res(RAB) = {Sum(RAB), Count(RAB)}

CLIENT-SIDE EXECUTION

- Receives the encrypted results
- Decrypts them
- Executes cQ if it exists

Example

F_Avg = (Sum(RA) + Sum(RAB)) / (Count(RA) + Count(RAB))
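The split execution of the Section 5 slides (Maximum, Sum, Average, Sort) and the sQ / cQ division of the execution-flow slides above, carried out for all supported aggregations in one place. This is an added example for this transcript, not code from the slides or the ENKI paper. Encryption is abstracted away: the server is assumed to compute each partial result on ciphertexts (the slides name Paillier for SUM) and the client to decrypt the partials before applying F_Agg; the virtual relation contents for Alice are constructed.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed plaintext values of the aggregated attribute in the two virtual
# relations Alice may read. The server never sees these in the clear in ENKI;
# here the encryption layer is abstracted so the combination logic is visible.
ALICE_VRS: Dict[str, List[int]] = {"RA": [5, 42, 17], "RAB": [99, 3]}

# Partial aggregates the server can produce per virtual relation.
PARTIAL = {"MAX": max, "MIN": min, "SUM": sum, "COUNT": len, "SORT": sorted}


def rewrite(agg: str, vrs: List[str]) -> Tuple[List[str], str]:
    """Query rewriting: sQ asks for one partial aggregate per virtual relation,
    cQ names the client-side combiner F_Agg. AVG is replaced by SUM and COUNT,
    because an average of per-relation averages is not the average."""
    if agg == "AVG":
        return [f"{f}({vr})" for vr in vrs for f in ("SUM", "COUNT")], "F_AVG"
    if agg not in PARTIAL:
        raise ValueError(f"unsupported aggregate {agg}")
    return [f"{agg}({vr})" for vr in vrs], f"F_{agg}"


def server_execute(sQ: List[str], store: Dict[str, List[int]]) -> Dict[str, object]:
    """Server-side execution: Res(VR) = Agg(VR), each virtual relation on its own."""
    results: Dict[str, object] = {}
    for item in sQ:
        f, vr = item[:-1].split("(")
        results[item] = PARTIAL[f](store[vr])
    return results


def client_execute(cQ: str, results: Dict[str, object]):
    """Client-side execution (after decryption): combine the partials with F_Agg."""
    by_f: Dict[str, list] = {}
    for item, value in results.items():
        by_f.setdefault(item.split("(")[0], []).append(value)
    if cQ == "F_MAX":
        return max(by_f["MAX"])
    if cQ == "F_MIN":
        return min(by_f["MIN"])
    if cQ == "F_SUM":
        return sum(by_f["SUM"])
    if cQ == "F_COUNT":
        return sum(by_f["COUNT"])
    if cQ == "F_AVG":
        return sum(by_f["SUM"]) / sum(by_f["COUNT"])
    if cQ == "F_SORT":
        return list(heapq.merge(*by_f["SORT"]))  # merge the already sorted lists
    raise ValueError(f"unknown client query {cQ}")


def run(agg: str, issuer_vrs: Dict[str, List[int]] = ALICE_VRS):
    """Whole pipeline for one aggregate: rewrite, server partials, client combine."""
    sQ, cQ = rewrite(agg, list(issuer_vrs))
    return client_execute(cQ, server_execute(sQ, issuer_vrs))


def naive_average(issuer_vrs: Dict[str, List[int]] = ALICE_VRS) -> float:
    """What a client would get by averaging per-relation averages: wrong whenever
    the virtual relations differ in size, which is why AVG is rewritten."""
    means = [sum(v) / len(v) for v in issuer_vrs.values()]
    return sum(means) / len(means)
```

On the constructed data `run("AVG")` gives 33.2 while `naive_average()` gives about 36.17, which is the reason the rewrite ships SUM and COUNT partials rather than per-relation averages. The client only ever receives one partial value (or one sorted list) per virtual relation, not the tuples themselves.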

DYNAMIC ACCESS CONTROL POLICIES

- Objects are encrypted with different keys
- Busy user groups
  - User groups associated with objects
  - Non-empty object set
- Access policies might change
  - Granting or revoking rights
  - Changes the busy user groups

USER HIERARCHY

User Hierarchy (U)
Given a set of users S = {s_1, ..., s_n}, a user hierarchy U is a pair (P*(S), ≺) where P*(S) is the power set of S without the empty set and ≺ is a partial order such that for all sets of users p_i, p_j ∈ P*(S), p_i ≺ p_j if p_j ⊆ p_i, for all i, j ∈ {1, ..., 2^n − 1}.

- User dynamics change the hierarchy
  - Adding or deleting users

ADDING USER s_{n+1}

- Case 1
  - The original busy group p_i^orig becomes not busy
  - The new group (p_i^new ∪ s_{n+1}) is busy
- Case 2
  - The original busy group p_i^orig stays busy
  - The new group (p_i^new ∪ s_{n+1}) is also busy

ADDING USER s_{n+1}: CASE 1

- The busy group p_i^orig becomes non-busy
- The new group (p_i^new ∪ s_{n+1}) is busy
- Solution
  - Add the user to the object set
  - Share the group key with user s_{n+1}

O(p_i^orig) = O(p_i^orig ∪ s_{n+1})

ADDING USER s_{n+1}: CASE 2

- The busy group p_i^orig stays busy
- The new group (p_i^new ∪ s_{n+1}) is also busy
- Solution
  - s_{n+1} has access to a subset of the objects of p_i^orig
  - Re-encrypt O(p_i^orig ∪ s_{n+1}) with a new key

O(p_i^orig) = O(p_i^new) ∪ O(p_i^orig ∪ s_{n+1})
O(p_i^new) ∩ O(p_i^orig ∪ s_{n+1}) = ∅

REVOKING RIGHTS OF USER s_n

- Case 1
  - A user s_n is revoked from all rights
- Case 2
  - A user s_n is revoked from a user group
- Case 3
  - A user s_n is revoked from certain objects

REVOKING USER s_n: CASE 1

- A user s_n is revoked from all rights
  - The hierarchy changes
- Solution
  - The busy group p_i^orig ∪ s_n is deleted
  - Objects from p_i^orig ∪ s_n are accessible by p_i^orig
  - Re-encrypt O(p_i^orig ∪ s_n) using the key of p_i^orig

O(p_i^new) = O(p_i^orig ∪ s_n) ∪ O(p_i^orig)

REVOKING USER s_n: CASE 2

- A user s_n is revoked from a user group
  - Does not change the hierarchy
  - Changes the busy user groups
- Solution
  - The busy user group p_i^orig ∪ s_n becomes non-busy
  - Re-encrypt O(p_i^orig ∪ s_n) using the key of p_i^orig

O(p_i^new) = O(p_i^orig ∪ s_n) ∪ O(p_i^orig)

REVOKING USER s_n: CASE 3

- A user s_n is revoked from certain objects
- Solution
  - The busy group p_i^orig ∪ s_n is split into two
    - p_i^new ∪ s_n and p_i^new
  - Re-encrypt O(p_i^new) using the key of p_i^orig

O(p_i^orig ∪ s_n) = O(p_i^new ∪ s_n) ∪ O(p_i^new)
O(p_i^new ∪ s_n) ∩ O(p_i^new) ≠ ∅
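The adding and revoking cases of the key-management slides share one decision rule: compare the busy groups before and after the policy change and, for every object whose qualified set moved, decide between sharing the existing key (adding-user case 1, where the whole object set of a group gains the same new member) and re-encrypting under the target group's key (adding-user case 2, and every revocation, because the revoked user still knows the old group key). The following planner is an added example for this transcript, not code from the slides or the ENKI paper; it goes slightly beyond the slides by also handling a move into a group that is already busy (re-encrypt under that group's existing key). The starting matrix is the slides' example; Carol and Dave are constructed users.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Group = FrozenSet[str]
Matrix = Dict[str, Dict[str, int]]

# Constructed starting policy: the slides' access control matrix.
MATRIX: Matrix = {
    "Alice": {"t1": 0, "t2": 1, "t3": 1, "t4": 1, "t5": 1},
    "Bob":   {"t1": 1, "t2": 1, "t3": 0, "t4": 1, "t5": 0},
}


def qualified_sets(matrix: Matrix) -> Dict[str, Group]:
    objects = next(iter(matrix.values())).keys()
    qs = {o: frozenset(s for s, row in matrix.items() if row[o]) for o in objects}
    empty = [o for o, p in qs.items() if not p]
    if empty:  # ENKI: a qualified set is never empty
        raise ValueError(f"qualified set must never be empty: {empty}")
    return qs


def busy_groups(qs: Dict[str, Group]) -> Dict[Group, Set[str]]:
    """Busy groups are those with a non-empty object set O(p)."""
    busy: Dict[Group, Set[str]] = {}
    for o, p in qs.items():
        busy.setdefault(p, set()).add(o)
    return busy


def with_rights(matrix: Matrix, user: str, objects: List[str], granted: int) -> Matrix:
    """Copy of the matrix with `user`'s rights on `objects` set to `granted`
    (a row of zeros is created for a user who is new to the system)."""
    new = {u: dict(row) for u, row in matrix.items()}
    cols = next(iter(matrix.values())).keys()
    row = new.setdefault(user, {o: 0 for o in cols})
    for o in objects:
        row[o] = granted
    return new


def plan_rekey(old: Matrix, new: Matrix) -> Dict[str, list]:
    """Key-management work for a policy change: which objects move between busy
    groups, whether the old key can simply be shared or the objects must be
    re-encrypted, which groups need a fresh key, and which keys can be retired."""
    old_qs, new_qs = qualified_sets(old), qualified_sets(new)
    old_busy, new_busy = busy_groups(old_qs), busy_groups(new_qs)
    plan: Dict[str, list] = {"share_key": [], "reencrypt": [], "new_keys": [], "retire_keys": []}
    moved: Dict[Tuple[Group, Group], Set[str]] = {}
    for o, g_new in new_qs.items():
        g_old = old_qs.get(o)
        if g_old is not None and g_old != g_new:
            moved.setdefault((g_old, g_new), set()).add(o)
    keyed: Set[Group] = set(old_busy)  # groups that own a key after the change
    reused: Set[Group] = set()
    # Pass 1, adding-user case 1: O(g_old) == O(g_old ∪ added) and the target group
    # had no key of its own, so the existing key is handed to the new members.
    for (g_old, g_new), objs in moved.items():
        if objs == old_busy[g_old] and g_old < g_new and g_new not in old_busy:
            plan["share_key"].append((g_old, g_new, sorted(g_new - g_old)))
            reused.add(g_old)
            keyed.add(g_new)
    # Pass 2, everything else: re-encrypt under the target group's key. A fresh key
    # is generated when the target group was not busy before (adding case 2); a
    # revocation always lands here because the revoked user knows the old key.
    for (g_old, g_new), objs in moved.items():
        if g_old in reused and objs == old_busy[g_old]:
            continue
        if g_new not in keyed:
            plan["new_keys"].append(g_new)
            keyed.add(g_new)
        plan["reencrypt"].append((sorted(objs), g_old, g_new))
    plan["retire_keys"] = [g for g in old_busy if g not in new_busy and g not in reused]
    return plan
```

Revocation case 1 from the slides (a user loses all rights) only passes this planner if no object was readable by that user alone, since that object's qualified set would become empty; such objects have to be reassigned or deleted as part of the same change.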