A key concern in such an application is the confidentiality of the sensitive
information in the database residing on the server. In many cases, some or all
of the data is considered sensitive and must be protected from any kind of
unauthorized access on the server side. "Unauthorized access" could mean a
break-in by an outside attacker or access by a legitimate but malicious
insider, for example a database administrator. The standard solution is to
encrypt the sensitive portions of the data so that only the client holds the
key. This in turn raises a range of new issues in encrypted data management:
the choice of encryption algorithms, key management, query execution over
encrypted data, and so on. By far the most challenging of these is non-trivial
query processing over the encrypted data, since the server can no longer
evaluate predicates on values it cannot read. A variety of techniques for
executing queries over relational, textual and XML data have been developed in
the literature; we summarize some of them in this section, starting with the
security model of a typical DAS (Database as a Service) application.
2.1 DAS setup & security model
In a typical DAS application there is a data owner, one or more clients of the
data (possibly the owner itself) and a server. The owner stores the data on the
server, and the clients query or modify parts of it remotely according to their
access rights. Typically some portions of the data (e.g., some of the attributes
of a relational table) are sensitive and need to be protected from adversaries.
An adversary is an individual or organization with malicious intent, and in
particular the entity from whom the sensitive information must be kept hidden.
In DAS applications the client/owner side environment is assumed to be secure
and trusted, so the main threat comes from the server side. In most models the
service provider is assumed to carry out the data-processing tasks honestly,
and the main concern is a malicious insider (e.g., a malicious database
administrator) who gains access to the stored data and uses it to harm the
owner or the client. In this scenario the sensitive portions of the data must
remain encrypted at all times on the server, the secret encryption key must
remain with the client, and data is decrypted only on the client side. This is
called the passive or curious (also honest-but-curious) adversary model and is
by far the most widely assumed security model. In another scenario the server
side is fully trusted, but to protect the data from an outside attacker who
breaks into the server the minimum requirement is to keep the data encrypted on
disk, since that is where the data resides for the majority of the time. Note
that encryption at rest with the key held on the server protects stolen disks
and backups, but not against an attacker who compromises the running server
and can use the key.
Protecting against active adversaries, who tamper with the stored data or the
query results rather than merely reading them, is obviously more difficult and
requires greater effort on the client's part to ensure proper functioning of
the system. Authenticity and integrity checking become important in this
scenario; we describe some of the work in this area in section 3.
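The model described above (sensitive attributes encrypted under a key that never leaves the client, non-sensitive attributes left queryable on the server, and an active server caught by integrity checks) and the query-processing limitation mentioned in the introduction, as an added example in Go. This is not code from the original chapter; all names (ServerRow, Server, Client, InsertEmployee, SalariesAbove, the "salary" column and the department/salary values) are assumptions chosen for illustration. It uses AES-GCM with the row id and column name bound as associated data, so a server that swaps ciphertexts between rows or columns is detected when the client decrypts, and it shows that a predicate on the encrypted attribute has to be evaluated by the client after decryption, with only the plaintext predicate pushed down to the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// ServerRow is what the untrusted server stores: Dept is a non-sensitive attribute kept
// in the clear so the server can filter on it; Salary is only nonce || AES-GCM ciphertext || tag.
type ServerRow struct {
	ID     uint64
	Dept   string
	Salary []byte
}

// Server models the DAS provider: it holds the rows but never the key.
type Server struct{ Rows []ServerRow }

// ByDept is the only predicate the server can evaluate: one on a plaintext column.
func (s *Server) ByDept(dept string) (out []ServerRow) {
	for _, r := range s.Rows {
		if r.Dept == dept {
			out = append(out, r)
		}
	}
	return out
}

// Client lives in the trusted owner/client environment and holds the key.
type Client struct{ aead cipher.AEAD }

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// aad binds a ciphertext to its row id and column name as GCM associated data,
// so a server that swaps ciphertexts between rows or columns is caught on Open.
func aad(id uint64, column string) []byte {
	buf := make([]byte, 8, 8+len(column))
	binary.BigEndian.PutUint64(buf, id)
	return append(buf, column...)
}

// Seal returns nonce || ciphertext || tag, with a fresh random nonce per value.
func (c *Client) Seal(id uint64, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, aad(id, column)), nil
}

func (c *Client) Open(id uint64, column string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("row %d: ciphertext too short", id)
	}
	return c.aead.Open(nil, blob[:n], blob[n:], aad(id, column))
}

// InsertEmployee encrypts the sensitive attribute before the row leaves the client.
func (c *Client) InsertEmployee(s *Server, id uint64, dept string, salary uint64) error {
	pt := make([]byte, 8)
	binary.BigEndian.PutUint64(pt, salary)
	ct, err := c.Seal(id, "salary", pt)
	if err != nil {
		return err
	}
	s.Rows = append(s.Rows, ServerRow{ID: id, Dept: dept, Salary: ct})
	return nil
}

// SalariesAbove is a predicate on the encrypted attribute. The server cannot evaluate it, so
// the client pushes down only the plaintext predicate (dept), decrypts the candidates and
// filters locally; a tampered or relocated ciphertext fails authentication here.
func (c *Client) SalariesAbove(s *Server, dept string, threshold uint64) ([]uint64, error) {
	var ids []uint64
	for _, r := range s.ByDept(dept) {
		pt, err := c.Open(r.ID, "salary", r.Salary)
		if err != nil {
			return nil, fmt.Errorf("row %d: integrity check failed: %w", r.ID, err)
		}
		if binary.BigEndian.Uint64(pt) > threshold {
			ids = append(ids, r.ID)
		}
	}
	return ids, nil
}
```

With a 32-byte key and three constructed rows (ids 1 to 3 with salaries 120000, 90000 and 150000 in departments eng, eng and ops), `SalariesAbove(srv, "eng", 100000)` returns `[1]`; if the server then swaps the salary blobs of rows 1 and 2, the same call returns an authentication error instead of a wrong answer, because the row id bound into the associated data no longer matches. What the server still learns under this scheme is the department column, the row count and which candidate rows each query fetches; per-value authentication also does not by itself detect a server that silently drops whole rows, which is part of what the integrity work referred to in section 3 addresses.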