Cryptanalysis of an encrypted database in SIGMOD '14
Authors: 
Xinle Cao, Jian Liu, Hao Lu, Kui RenAuthors Info & Claims
Xinle Cao, Jian Liu, Hao Lu, Kui RenAuthors Info & ClaimsPages 1743 - 1755
Abstract
Encrypted database is an innovative technology proposed to solve the data confidentiality issue in cloud-based DB systems. It allows a data owner to encrypt its database before uploading it to the service provider; and it allows the service provider to execute SQL queries over the encrypted data. Most of existing encrypted databases (e.g., CryptDB in SOSP '11) do not support data interoperability: unable to process complex queries that require piping the output of one operation to another.
To the best of our knowledge, SDB (SIGMOD '14) is the only encrypted database that achieves data interoperability. Unfortunately, we found SDB is not secure! In this paper, we revisit the security of SDB and propose a ciphertext-only attack named co-prime attack. It successfully attacks the common operations supported by SDB, including addition, comparison, sum, equi-join and group-by. We evaluate our attack in three real-world benchmarks. For columns that support addition and comparison, we recover 84.9% -- 99.9% plaintexts. For columns that support sum, equi-join and group-by, we recover 100% plaintexts.
Besides, we provide potential countermeasures that can prevent the attacks against sum, equi-join, group-by and addition. It is still an open problem to prevent the attack against comparison.
References
[1]
[n.d.]. GCreep: Google engineer stalked teens, spied on chats. Gawker. http://gawker.com/5637234/. Accessed in December 2020.
[2]
[n.d.]. National Vulnerability Database. CVE statistics. https://nvd.nist.gov/vuln/search. Accessed in December 2020.
[3]
Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. 2004. Order Preserving Encryption for Numeric Data. In Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data (Paris, France) (SIGMOD '04). Association for Computing Machinery, New York, NY, USA, 563--574.
[4]
A. Alabdulatif, Heshan Kumarage, I. Khalil, and X. Yi. 2017. Privacy-preserving anomaly detection in cloud with lightweight homomorphic encryption. J. Comput. Syst. Sci. 90 (2017), 28--45.
[5]
Vincent Bindschaedler, Paul Grubbs, David Cash, Thomas Ristenpart, and Vitaly Shmatikov. 2018. The Tao of Inference in Privacy-Protected Databases. Proc. VLDB Endow. 11, 11 (July 2018), 1715--1728.
[6]
Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O'Neill. 2009. Order-Preserving Symmetric Encryption. In Advances in Cryptology - EUROCRYPT 2009, Antoine Joux (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 224--241.
[7]
Jung Cheon and Hyun Nam. 2003. A Cryptanalysis of the Original Domingo-Ferrer's Algebraic Privacy Homomophism. IACR Cryptology ePrint Archive 2003 (01 2003), 221.
[8]
Josep Domingo-Ferrer. 2002. A Provably Secure Additive and Multiplicative Privacy Homomorphism*. In Information Security, Agnes Hui Chan and Virgil Gligor (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 471--483.
[9]
Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten. 2010. SPORC: Group Collaboration using Untrusted Cloud Resources. In 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2010, October 4--6, 2010, Vancouver, BC, Canada, Proceedings, Remzi H. Arpaci-Dusseau and Brad Chen (Eds.). USENIX Association, 337--350. http://www.usenix.org/events/osdi10/tech/full_papers/Feldman.pdf
[10]
J. Girao, D. Westhoff, and M. Schneider. 2005. CDA: concealed data aggregation for reverse multicast traffic in wireless sensor networks. In IEEE International Conference on Communications, 2005. ICC 2005. 2005, Vol. 5. 3044--3049 Vol. 5.
[11]
P. Grubbs, K. Sekniqi, V. Bindschaedler, M. Naveed, and T. Ristenpart. 2017. Leakage-Abuse Attacks against Order-Revealing Encryption. In 2017 IEEE Symposium on Security and Privacy (SP). 655--672.
[12]
H. Hu, J. Xu, C. Ren, and B. Choi. 2011. Processing private queries over untrusted data cloud through privacy homomorphism. In 2011 IEEE 27th International Conference on Data Engineering. 601--612.
[13]
Georgios Kellaris, George Kollios, Kobbi Nissim, and Adam O'Neill. 2016. Generic Attacks on Secure Outsourced Databases. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Vienna, Austria) (CCS '16). Association for Computing Machinery, New York, NY, USA, 1329--1340.
[14]
E. M. Kornaropoulos, C. Papamanthou, and R. Tamassia. 2020. The State of the Uniform: Attacks on Encrypted Databases Beyond the Uniform Query Distribution. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA, 1223--1240.
[15]
M. Lacharité, B. Minaud, and K. G. Paterson. 2018. Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage. In 2018 IEEE Symposium on Security and Privacy (SP). 297--314.
[16]
Derrick Norman Lehmer. 1900. Asymptotic Evaluation of Certain Totient Sums. American Journal of Mathematics 22, 4 (oct 1900), 293.
[17]
Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha. 2004. Secure Untrusted Data Repository (SUNDR). In Proceedings of the 6th Conference on Symposium on Operating Systems Design amp; Implementation - Volume 6 (San Francisco, CA) (OSDI'04). USENIX Association, USA, 9.
[18]
Prince Mahajan, Srinath Setty, Sangmin Lee, Allen Clement, Lorenzo Alvisi, Mike Dahlin, and Michael Walfish. 2011. Depot: Cloud Storage with Minimal Trust. ACM Trans. Comput. Syst. 29, 4, Article 12 (Dec. 2011), 38 pages.
[19]
Muhammad Naveed, Seny Kamara, and Charles V. Wright. 2015. Inference Attacks on Property-Preserving Encrypted Databases. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, Colorado, USA) (CCS '15). Association for Computing Machinery, New York, NY, USA, 644--655.
[20]
J.E Nymann. 1972. On the probability that k positive integers are relatively prime. Journal of Number Theory 4, 5 (1972), 469--473.
[21]
Pascal Paillier. 1999. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Advances in Cryptology --- EUROCRYPT '99, Jacques Stern (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 223--238.
[22]
Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. 2011. CryptDB: Protecting Confidentiality with Encrypted Query Processing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (Cascais, Portugal) (SOSP '11). Association for Computing Machinery, New York, NY, USA, 85--100.
[23]
Stephen Tu, M. Frans Kaashoek, Samuel Madden, and Nickolai Zeldovich. 2013. Processing Analytical Queries over Encrypted Data. Proc. VLDB Endow. 6, 5 (March 2013), 289--300.
[24]
David Wagner. 2003. Cryptanalysis of an Algebraic Privacy Homomorphism. In Information Security, Colin Boyd and Wenbo Mao (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 234--239.
[25]
D. Westhoff, J. Girao, and M. Acharya. 2006. Concealed Data Aggregation for Reverse Multicast Traffic in Sensor Networks: Encryption, Key Distribution, and Routing Adaptation. IEEE Transactions on Mobile Computing 5, 10 (2006), 1417--1431.
[26]
Wai Kit Wong, Ben Kao, David Wai Lok Cheung, Rongbin Li, and Siu Ming Yiu. 2014. Secure Query Processing with Data Interoperability in a Cloud Database Environment. In Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data (Snowbird, Utah, USA) (SIGMOD '14). Association for Computing Machinery, New York, NY, USA, 1395--1406.
Index Terms
- Cryptanalysis of an encrypted database in SIGMOD '14
Index terms have been assigned to the content through auto-classification.
Recommendations
Cryptanalysis of Comparable Encryption in SIGMOD'16
SIGMOD '17: Proceedings of the 2017 ACM International Conference on Management of DataComparable Encryption proposed by Furukawa (ESORICS 2013, CANS 2014) is a variant of order-preserving encryption (OPE) and order-revealing encryption (ORE); we cannot compare a ciphertext of v and another ciphertext of v', but we can compare a ...
Azure SQL Database Always Encrypted
SIGMOD '20: Proceedings of the 2020 ACM SIGMOD International Conference on Management of DataThis paper presents Always Encrypted, a recently released feature of Microsoft SQL Server that uses column granularity encryption to provide cryptographic data protection guarantees. Always Encrypted can be used to outsource database administration ...
Why Your Encrypted Database Is Not Secure
HotOS '17: Proceedings of the 16th Workshop on Hot Topics in Operating SystemsEncrypted databases, a popular approach to protecting data from compromised database management systems (DBMS's), use abstract threat models that capture neither realistic databases, nor realistic attack scenarios. In particular, the "snapshot attacker" ...
Comments
Information & Contributors
Information
Published In
Publisher
VLDB Endowment
Publication History
Published: 01 June 2021
Published in PVLDB Volume 14, Issue 10
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 109Total Downloads
- Downloads (Last 12 months)40
- Downloads (Last 6 weeks)10
Reflects downloads up to 09 Aug 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in