concentrate its activity on its core business where data are managed by an
external service provider. The main drawback of this practice is that the
service provider may not be fully trusted. The data owner and final users are
usually supposed to trust the provider for managing data stored on its server,
and to correctly execute queries on it, but the provider is not fully trusted
for accessing data content. To solve this problem, different solutions have
been proposed in the literature, mainly based on the use of cryptography as
a mechanism for protecting data privacy [1, 2, 3]. Most of the proposals in
this area focus on issues related to querying encrypted data, with the aim of
avoiding server-side decryption, while minimizing client-side burden in query
evaluation. Another drawback of existing proposals is that they assume that
any client has complete access to the query results, and therefore the data
owner has to be involved for filtering out the data not accessible by the client.
This would cause an excessive burden on the owner, thus nullifying the
advantages of outsourcing data management. On the other hand, the remote
server cannot enforce access control policies, since it may not be allowed to
know the access control policy defined by the owner. Since neither the data
owner nor the remote server can enforce the access control policy, for either
security or efficiency reasons, the data themselves need to implement selective
access. This can be realized through selective encryption, which consists in
encrypting data using different keys and distributing the keys so that users
can decrypt only the data they are authorized to access.
The problem of enforcing access control policies through selective
encryption has been analyzed both for databases and for XML documents. In the
following, we briefly introduce the most important proposals for these two
scenarios [48, 49, 50].
5.1 Overview of Database Outsourcing Solutions
Let us consider a system composed of a set U of users and a set R of resources.
A resource may be a table, an attribute, a tuple, or even a cell, depending on
the granularity at which the data owner wishes to define her policy. Since this
distinction does not affect access control policy enforcement, we will always
refer generically to resources. The access control policy defined by the data
owner can be easily represented through a traditional access matrix A, where
each cell A[u, r] may assume either the value 1, if u can access r, or the value
0, otherwise (currently only read privileges have been considered). Figure 6
represents an example of access matrix, where there are four users, namely A,
B, C, and D, and four resources r1, r2, r3, and r4.
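The following is an added example, not code from the text or its cited proposals: it encodes an access matrix of the kind just described and enforces it by selective encryption, i.e. one key per resource, with each user receiving only the keys of the resources she is authorized to read. The matrix entries are constructed (Figure 6's actual values are not reproduced here), and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real symmetric cipher.

```python
import hashlib
import hmac
import secrets

# Constructed access matrix in the form described above (Figure 6's actual
# entries are not reproduced on the page): matrix[u][r] == 1 means u may read r.
ACCESS_MATRIX = {
    "A": {"r1": 1, "r2": 1, "r3": 0, "r4": 0},
    "B": {"r1": 1, "r2": 0, "r3": 1, "r4": 0},
    "C": {"r1": 0, "r2": 1, "r3": 1, "r4": 1},
    "D": {"r1": 0, "r2": 0, "r3": 0, "r4": 1},
}
def capability_list(matrix, user):
    """Resources the matrix allows `user` to read (her capability list)."""
    return sorted(r for r, bit in matrix[user].items() if bit == 1)
def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    blocks, ctr = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return blocks[:length]
def encrypt(key, plaintext):
    """Encrypt-then-MAC under one resource key; output is nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Plaintext, or None when the key is wrong (the tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
def outsource(matrix, plaintexts):
    """Owner side: fresh key per resource; ciphertexts go to the provider, keys to users."""
    keys = {r: secrets.token_bytes(32) for r in plaintexts}
    published = {r: encrypt(keys[r], pt) for r, pt in plaintexts.items()}
    per_user = {u: {r: keys[r] for r in capability_list(matrix, u)} for u in matrix}
    return published, per_user

def readable_by(user_keys, published):
    """Client side: only the resources whose key the user holds decrypt."""
    views = {}
    for r, blob in published.items():
        for key in user_keys.values():
            pt = decrypt(key, blob)
            if pt is not None:
                views[r] = pt
    return views
```

The provider stores only ciphertexts and never sees a key, while each user holds as many keys as there are resources in her capability list.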
A first solution that could be adopted for selectively encrypting data for
access control purposes consists in using a different key for each resource,
and in communicating to each user the set of keys used to protect the resources
belonging to her capability list (i.e., the set of resources that the user can
access). This solution requires each user to keep a possibly great number of