Database Reference
In-Depth Information
written in the same year:
Macbeth
and
Othello
. So with this information he
could narrow the field down to only two plays by finding out which plays
had an encrypted year that matched another one. He can further narrow this
down to one with the knowledge that
Macbeth
is shorter than
Othello
, so it
should have fewer words.
Without decrypting the data, the attacker can now find the exact rows that
represent
Macbeth
. Of course, he can't decrypt the words, so you're safe,
right? Not quite; say he knows the words in
Othello
. He can also tell which
encrypted words are in
Othello
because it is the other one from the same
year. He can then find out which words in
Macbeth
are also in
Othello
.
As you can see, by cleverly using outside knowledge and some of the
plaintext values, an attacker can start to pick apart your encryption.
Encrypted BigQuery has a clever way around this:
probabilistic encryption
.
This means that the same data may be encrypted in different ways. The
value
Macbeth
might be encrypted one way in one row and another way in
the next row. This would thwart the attacker because he wouldn't be able to
perform correlations.
The
"encrypt": "probabilistic"
entry in the encrypted Shakespeare
schema instructs
ebq
to encrypt the field a different way each time it is
seen. The downside of probabilistic encryption is that it makes the field a
bit harder to use; you can decrypt it only when you select it; you can't do a
GROUP BY
or an
EQUALS
check on the field.
However, the corpus field uses
pseudonym encryption
, which encrypts the
same value the same way every time. Pseudonym encryption is useful for
filtering or grouping by values. For example, you can
GROUP BY
and even
ORDER BY
the corpus field because it uses pseudonym encryption.
$
ebq --master_key_filename=ebq.key query "
SELECT corpus, COUNT(word_count)
FROM ch13.enc_shakes
GROUP BY corpus"
However, if you group by the word field, you'll get an error because you can't
group by something that uses probabilistic encryption, since it is encrypted
differently every time.
