that processes range queries and MIN, MAX, and COUNT queries on the server without decrypting the data [16]. The OPES algorithm takes as input the source (or plaintext) distribution of a column's values and a target distribution for the ciphertext column values, and transforms plaintext values into ciphertext while preserving their order. The resulting ciphertext column values conform to the target distribution. Given the same two input distributions used for encryption, OPES decryption maps a target value back to its plaintext value.
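The two-distribution idea is easier to see in code. The following is an added example, not the authors' OPES implementation: it approximates the source and target distributions by sorted samples (constructed here), encrypts a value by moving it to the point of the target sample with the same quantile, and decrypts by running the same map with the distributions swapped. Because the map is strictly increasing, the server can answer a range query with COUNT, MIN and MAX on the ciphertext column without a key; the client encrypts the bounds and decrypts the two extremes. The example also shows the price of a deterministic order-preserving map: equal plaintexts produce equal ciphertexts, so duplicates are visible on the server.

```python
"""Toy order-preserving encryption in the spirit of OPES [16].

Added example, not the authors' OPES implementation. The two inputs of the
scheme, the plaintext (source) distribution of the column and the target
distribution for the ciphertext column, are modelled as sorted samples.
A value is encrypted by taking its quantile in the source sample and emitting
the value with the same quantile in the target sample (piecewise-linear
interpolation between sample points, done with Fractions so decryption is
exact). The map is strictly increasing, so range, MIN, MAX and COUNT run on
the ciphertext column and the server never decrypts.
"""
from bisect import bisect_right
from fractions import Fraction


def _knots(sample):
    """Distinct sorted sample points; a distribution is approximated by them."""
    knots = sorted({Fraction(v) for v in sample})
    if len(knots) < 2:
        raise ValueError("a distribution sample needs at least two distinct values")
    return knots


def _quantile_map(src, dst, x):
    """Send x, lying between src[0] and src[-1], to the point of dst with the same quantile."""
    x = Fraction(x)
    if not src[0] <= x <= src[-1]:
        raise ValueError("value outside the source distribution")
    n, m = len(src), len(dst)
    i = min(bisect_right(src, x) - 1, n - 2)                    # segment src[i]..src[i+1] holding x
    q = (i + (x - src[i]) / (src[i + 1] - src[i])) / (n - 1)   # quantile of x in [0, 1]
    pos = q * (m - 1)                                           # same quantile on the target grid
    j = min(int(pos), m - 2)
    return dst[j] + (pos - j) * (dst[j + 1] - dst[j])


class OpesColumn:
    def __init__(self, plaintext_sample, target_sample):
        self.src = _knots(plaintext_sample)
        self.dst = _knots(target_sample)

    def encrypt(self, value):
        return _quantile_map(self.src, self.dst, value)

    def decrypt(self, cipher):
        # Same map with the roles of the two distributions swapped.
        return _quantile_map(self.dst, self.src, cipher)


def server_range_query(ciphertexts, lo_c, hi_c):
    """Server side: sees only ciphertext and encrypted bounds; no key, no decryption."""
    hits = [c for c in ciphertexts if lo_c <= c <= hi_c]
    return len(hits), min(hits), max(hits)


def client_range_query(col, ciphertexts, lo, hi):
    """Client side: encrypt the bounds, decrypt the MIN and MAX that come back."""
    count, cmin, cmax = server_range_query(ciphertexts, col.encrypt(lo), col.encrypt(hi))
    return count, col.decrypt(cmin), col.decrypt(cmax)


# Constructed sample column (note the duplicate 55000) and a right-skewed target distribution.
SALARIES = [42000, 55000, 55000, 61000, 78000, 90000, 120000]
TARGET = [0, 100, 300, 600, 1000]
column = OpesColumn(SALARIES, TARGET)
STORED = [column.encrypt(s) for s in SALARIES]   # what the server holds


def leaks_equality():
    """Deterministic map: equal plaintexts give equal ciphertexts, so duplicates are visible."""
    return len(set(STORED)) < len(STORED)


if __name__ == "__main__":
    print("ciphertext column:", [float(c) for c in STORED])
    print("rows with salary in [50000, 80000]:", client_range_query(column, STORED, 50000, 80000))
    print("duplicates visible on the server:", leaks_equality())
```

With the constructed samples, 55000 encrypts to 80 and 61000 to 220: the target sample is dense near zero, so the low salaries are squeezed together in ciphertext exactly as the target distribution dictates, while the ordering (and therefore every comparison the server performs) is unchanged.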
Revealing the order of plaintext values may not always be acceptable. Furthermore, column-level order-preserving encryption, like standard encryption, reveals duplicate values, which may not provide enough security for all application environments. Iyer et al. address the problems of efficiency and duplicates by introducing a completely new storage model called the Partition Plaintext Ciphertext (PPC) model [17]. PPC pushes encryption to the lower levels of the database system, maintaining in-memory pages as plaintext in the buffer pool and writing encrypted pages to disk. The upper levels of the database system software therefore remain unaffected and continue to operate on plaintext data. This protects data at rest by preventing users from circumventing database security. PPC reduces computation and storage costs by partitioning data into plaintext and ciphertext mini-pages. All sensitive values are stored as ciphertext on the ciphertext mini-page. Only one encryption operation is needed when a page is written to disk, and one decryption is required when a ciphertext page is brought into memory. The PPC storage model uses standard and efficient cryptographic algorithms to encrypt personal information.
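To make the mini-page split and the one-operation-per-page-I/O property concrete, here is an added example that is not the PPC implementation of Iyer et al. It assumes a schema in which `ssn` and `salary` are the sensitive columns; each page is split into a plaintext mini-page and a sensitive mini-page, the buffer pool keeps both in the clear, and only the sensitive mini-page is sealed when the page is flushed and unsealed when it is read back. Query code above the pool works on plaintext rows and never touches ciphertext. Because the standard library has no AES, the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used here as a stand-in for an authenticated cipher such as AES-GCM.

```python
"""Toy Partition Plaintext Ciphertext (PPC) storage model.

Added example, not the PPC implementation of Iyer et al. [17]. Each page is
split into a plaintext mini-page (non-sensitive columns) and a sensitive
mini-page; the buffer pool keeps both as plaintext, and only the sensitive
mini-page is encrypted, once, when the page is flushed to disk and decrypted,
once, when it is read back. Query code above the buffer pool never sees
ciphertext. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC
tag, a stand-in for AES-GCM so the example runs on the standard library only.
"""
import hashlib
import hmac
import json
import os
import struct

SENSITIVE = {"ssn", "salary"}  # columns kept on the ciphertext mini-page (assumed schema)


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag. Called once per page flush."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting. Called once per page read from disk."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("sensitive mini-page failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def split_page(rows):
    """Partition the rows of one page into a plaintext and a sensitive mini-page."""
    plain = [{k: v for k, v in r.items() if k not in SENSITIVE} for r in rows]
    sens = [{k: v for k, v in r.items() if k in SENSITIVE} for r in rows]
    return plain, sens


class BufferPool:
    def __init__(self, key):
        self.key = key
        self.frames = {}       # page id -> (plain mini-page, sensitive mini-page), both plaintext
        self.disk = {}         # page id -> (plain mini-page, sealed sensitive mini-page)
        self.crypto_ops = {"encrypt": 0, "decrypt": 0}

    def load_rows(self, pid, rows):
        self.frames[pid] = split_page(rows)

    def flush(self, pid):
        """Evict a page: one encryption, covering every sensitive value on the page."""
        plain, sens = self.frames.pop(pid)
        self.disk[pid] = (plain, seal(self.key, json.dumps(sens).encode()))
        self.crypto_ops["encrypt"] += 1

    def fetch(self, pid):
        """Return plaintext rows; one decryption if the page has to come from disk."""
        if pid not in self.frames:
            plain, blob = self.disk[pid]
            sens = json.loads(unseal(self.key, blob).decode())
            self.crypto_ops["decrypt"] += 1
            self.frames[pid] = (plain, sens)
        plain, sens = self.frames[pid]
        return [dict(p, **s) for p, s in zip(plain, sens)]


def average_salary(pool, pid):
    """Upper-level code: works on plaintext rows, unaware of the encryption below it."""
    rows = pool.fetch(pid)
    return sum(r["salary"] for r in rows) / len(rows)


def run_scenario():
    rows = [  # constructed sample data
        {"id": 1, "dept": "eng", "ssn": "000-00-0001", "salary": 90000},
        {"id": 2, "dept": "eng", "ssn": "000-00-0002", "salary": 70000},
        {"id": 3, "dept": "ops", "ssn": "000-00-0003", "salary": 50000},
    ]
    pool = BufferPool(os.urandom(32))
    pool.load_rows(7, rows)
    pool.flush(7)
    _, blob = pool.disk[7]
    on_disk_leak = b"000-00-0001" in blob or b"90000" in blob
    avg = average_salary(pool, 7)           # page comes back from disk: one decryption
    pool.flush(7)                           # evict again, then corrupt the stored ciphertext
    plain, blob = pool.disk[7]
    pool.disk[7] = (plain, blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])
    try:
        pool.fetch(7)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return avg, pool.crypto_ops, on_disk_leak, tamper_detected


if __name__ == "__main__":
    print(run_scenario())
```

Two things worth checking when running it: the counters show one encryption per flush and one decryption per disk read regardless of how many rows or sensitive values the page holds, and a single flipped byte in the stored mini-page is refused before any plaintext is produced, which is the property a real deployment should require of whatever standard cipher replaces the stand-in.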
4 Future Work
Improved Policy Specification. For HDB controls to be completely effective, policies must accurately capture the data usage practices of enterprises and the preferences and choices of individuals concerning the use and disclosure of their personal information. The policy language must be fine grained to allow enterprises to collect, use, and disclose the minimum necessary information to accomplish their intended purposes. It must also be simple enough that technically unsophisticated individuals can understand the consequences of their decisions to provide personal information.
Policy languages such as P3P [18] are machine interpretable and enable automated policy enforcement. Thus, they offer a significant improvement over the complex and ambiguous legal language of written policies. While these machine-interpretable languages allow enterprises to define policies that offer individuals some choices regarding the usage of their personal information, they currently do not allow the data subject to individually tailor her own rules regarding the usage of her private information. Rather, the individual subscribes (or not) to a policy and makes choices within the boundaries of the stated policy.