is the database server itself. One solution to this problem is to design alternative protocols that leverage active secure hardware such as a secure co-processor (SCPU). The SCPU authenticates clients and also persists transactional state, including a minimal amount of checksum information used to authenticate the chain of committed client updates. The unique vendor-provided SCPU public key and its associated trust chain give clients an authenticated channel to the SCPU, over which they retrieve the current transactional state at the start of each server interaction. Because every client checks the server's claimed history against the same SCPU-attested state, the server cannot present divergent histories to different clients; this defeats "universe split" attacks. The server cannot impersonate the SCPU without access to the secrets held in the SCPU's tamper-proof storage.
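As an added illustration (not code from the chapter), the following Python models the SCPU-attested transaction chain described above and shows a "universe split" being detected. The SCPU keeps a commit counter and the head of a hash chain over committed updates, and attests to that state, bound to a client nonce, at the start of each interaction. Assumptions: the SCPU's public-key signature is modelled by an HMAC under a key the server never holds (a real SCPU would sign with its vendor-certified key pair), and the server, clients and SQL update strings are in-memory stand-ins constructed for this example.

```python
"""Added example: SCPU-attested transaction chain with fork detection.

Assumptions (not from the chapter): the SCPU signature is an HMAC under a key
only the SCPU stores; the server, clients and updates are constructed here.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

GENESIS = b"\x00" * 32   # chain head before any update has committed


def chain_step(prev_head: bytes, update: bytes) -> bytes:
    """One checksum link: head_i = SHA-256(head_{i-1} || update_i)."""
    return hashlib.sha256(prev_head + update).digest()


def attest_msg(counter: int, head: bytes, nonce: bytes) -> bytes:
    """Bytes the SCPU authenticates: counter, chain head and the client nonce."""
    return counter.to_bytes(8, "big") + head + nonce


class SCPU:
    """Trusted co-processor: persists (counter, head) in tamper-proof storage."""

    def __init__(self) -> None:
        self._key = os.urandom(32)     # never leaves the SCPU (stand-in for a signing key)
        self.counter = 0
        self.head = GENESIS

    def record_commit(self, update: bytes) -> None:
        self.head = chain_step(self.head, update)
        self.counter += 1

    def attest(self, nonce: bytes) -> tuple[int, bytes, bytes]:
        """Return (counter, head, tag); the client nonce defeats replay of old state."""
        tag = hmac.new(self._key, attest_msg(self.counter, self.head, nonce), "sha256").digest()
        return self.counter, self.head, tag

    def verification_key(self) -> bytes:
        """Stand-in for the vendor-certified SCPU public key handed to clients."""
        return self._key


class Server:
    """Untrusted server: stores the update log and may present a forked view."""

    def __init__(self, scpu: SCPU) -> None:
        self.scpu = scpu
        self.log: list[bytes] = []

    def commit(self, update: bytes) -> None:
        self.log.append(update)
        self.scpu.record_commit(update)

    def history(self, withhold_last: bool = False) -> list[bytes]:
        """Honest history, or a 'universe split' that hides the newest commit."""
        return self.log[:-1] if withhold_last else list(self.log)


class Client:
    def __init__(self, verification_key: bytes) -> None:
        self.vk = verification_key

    def attested_state(self, server: Server) -> Optional[tuple[int, bytes]]:
        """Step 1: fetch (counter, head) over the SCPU-authenticated channel."""
        nonce = os.urandom(16)
        counter, head, tag = server.scpu.attest(nonce)
        expect = hmac.new(self.vk, attest_msg(counter, head, nonce), "sha256").digest()
        return (counter, head) if hmac.compare_digest(tag, expect) else None

    def verify_history(self, server: Server, withhold_last: bool = False) -> bool:
        """Step 2: recompute the chain over the history the server presents and
        compare it with the attested head and counter."""
        state = self.attested_state(server)
        if state is None:
            return False
        counter, head = state
        history = server.history(withhold_last)
        recomputed = GENESIS
        for update in history:
            recomputed = chain_step(recomputed, update)
        return len(history) == counter and hmac.compare_digest(recomputed, head)


def demo() -> tuple[bool, bool]:
    """Returns (honest view accepted, forked view accepted)."""
    server = Server(SCPU())
    client = Client(server.scpu.verification_key())
    server.commit(b"UPDATE acct SET bal = 90 WHERE id = 1")   # constructed updates
    server.commit(b"INSERT INTO audit VALUES (1, 'debit')")
    return client.verify_history(server), client.verify_history(server, withhold_last=True)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The server can neither shorten the history (the counter no longer matches) nor substitute updates (the recomputed head differs), and it cannot forge the attestation without the SCPU's key; the per-request nonce stops it from replaying an attestation of an older state.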
2.3 Data Confidentiality
Confidentiality constitutes another essential security dimension required in data outsourcing scenarios, especially when sensitive information is involved. Potentially untrusted servers should be able to process queries on encrypted data on behalf of clients without compromising confidentiality. To become practical, any such processing mechanism requires a certain level of query expressiveness. For example, allowing only simple data retrieval queries will often not be sufficient to justify outsourcing the data: the database would then be used merely as a passive data repository. We believe it is important to efficiently support complex queries such as joins and aggregates with both confidentiality and correctness.
Hacigumus et al. [71] propose a method to execute SQL queries over partly obfuscated outsourced data. The data is divided into secret partitions, and queries over the original data can be rewritten in terms of the resulting partition identifiers; the server can then partly perform the queries directly. The information leaked to the server is claimed to be 1-out-of-s, where s is the partition size. This balances a trade-off between client-side and server-side processing, as a function of the data segment size. At one extreme (small segment sizes), privacy is completely compromised but client processing is minimal. At the other extreme, a high level of privacy can be attained at the expense of the client processing the queries in their entirety. Moreover, in [76] the authors explore optimal bucket sizes for certain range queries. Similarly, data partitioning is deployed in building "almost"-private indexes on attributes considered sensitive. An untrusted server is then able to execute "obfuscated range queries with minimal information leakage". An associated privacy-utility trade-off for the index is discussed. As detailed further in section 2.3, the main drawbacks of these solutions lie in their computational impracticality and their inability to provide strong confidentiality.
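As an added, runnable illustration of the partitioning approach (not code from [71] or the chapter), the following Python stores each row encrypted next to a bucket id of its sensitive attribute, rewrites a range query into a query over bucket ids for the server, and has the client decrypt and discard false positives. The table, the salary values and the bucket widths are constructed for this example; the cipher is a keyed HMAC-SHA256 counter-mode stream used as a stand-in for a real authenticated cipher such as AES-GCM, and an in-memory SQLite database stands in for the untrusted server.

```python
"""Added example: bucketized range queries over encrypted outsourced data.

Assumptions (not from the chapter): equal-width buckets over the attribute
domain, a toy HMAC-based stream cipher, and constructed employee rows.
"""
from __future__ import annotations

import hmac
import os
import sqlite3
import struct

KEY = os.urandom(32)   # client-only key; the server never sees it


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR stream: block_i = HMAC-SHA256(key, nonce || i). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def bucket_of(value: int, width: int) -> int:
    """Partitioning function: only this bucket id is revealed to the server."""
    return value // width


def outsource(rows: list[tuple[str, int]], width: int) -> sqlite3.Connection:
    """Client side: encrypt each row and upload (bucket id, encrypted tuple)."""
    db = sqlite3.connect(":memory:")   # stands in for the untrusted server
    db.execute("CREATE TABLE emp_enc (salary_bucket INTEGER, etuple BLOB)")
    for name, salary in rows:
        etuple = encrypt(KEY, f"{name}|{salary}".encode())
        db.execute("INSERT INTO emp_enc VALUES (?, ?)", (bucket_of(salary, width), etuple))
    db.commit()
    return db


def server_view(db: sqlite3.Connection) -> list[int]:
    """Everything the server learns about salaries: one bucket id per row."""
    return [b for (b,) in db.execute("SELECT salary_bucket FROM emp_enc ORDER BY rowid")]


def range_query(db: sqlite3.Connection, lo: int, hi: int, width: int) -> tuple[list[str], int]:
    """SELECT name FROM emp WHERE salary BETWEEN lo AND hi, executed as
    (1) a server-side query over bucket ids, then (2) client-side decrypt and filter.
    Returns (matching names, rows the server had to ship)."""
    server_rows = db.execute(
        "SELECT etuple FROM emp_enc WHERE salary_bucket BETWEEN ? AND ?",
        (bucket_of(lo, width), bucket_of(hi, width)),
    ).fetchall()
    names = []
    for (etuple,) in server_rows:
        name, salary = decrypt(KEY, etuple).decode().split("|")
        if lo <= int(salary) <= hi:      # drop false positives from the bucket edges
            names.append(name)
    return sorted(names), len(server_rows)


EMPLOYEES = [("alice", 52_000), ("bob", 61_500), ("carol", 75_000),
             ("dave", 98_000), ("erin", 120_000)]   # constructed sample data


if __name__ == "__main__":
    for width in (10_000, 50_000):
        db = outsource(EMPLOYEES, width)
        print(width, server_view(db), range_query(db, 60_000, 100_000, width))
```

With a bucket width of 10,000 the server pins every salary to an interval of 10,000 values (1-out-of-s with s = 10,000 in the terms used above) but ships only the three matching rows; with a width of 50,000 it learns far less per row yet must return all five rows, two of which the client discards. Equal bucket ids also reveal which rows share a bucket, so the bucket-id column leaks the value distribution at the chosen granularity regardless of the cipher.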
One of the main drawbacks of such mechanisms is the fact that they leak
information to the server, at a level corresponding to the granularity of the
partitioning function. For example, if such partitioning is used in a range
query, to execute rewritten queries at the partition level, the server will be