Using In-Memory Encrypted Databases on the Cloud

Using In-Memory Encrypted Databases on the Cloud Francesco (and Davide) Pagano [email_address] Department of Information Technology Università degli Studi di Milano - Italy

Agenda Privacy issue on the cloud An agent based approach Database encryption In Memory Databases and HyperSql Our solution Benchmarking Conclusion Question time

Access control problem Cloud Platform Desktop Desktop controlled accesses for external users uncensored access for cloud provider

Privacy within the cloud: on the same side of the wall Presentation Layer privacy Data Layer performance

An agent-based approach Untrusted Synchronizer never holds plaintext data Local agent with local db

Database encryption * L. Bouganim and Y. Guo, “Database encryption,” in Encyclopedia of Cryptography and Security, Springer, 2010, 2nd Edition

Granularity in database-level encryption database tables columns rows

In Memory Databases “ An in-memory database (IMDB also known as main memory database system or MMDB and as real-time database or RTDB) is a database management system that primarily relies on main memory for computer data storage.” * Wikipedia

.script file of a sample database CREATE SCHEMA PUBLIC AUTHORIZATION DBA CREATE MEMORY TABLE DOSSIER(ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,NAME CHAR(80)) CREATE MEMORY TABLE STUDENTS(ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,NAME CHAR(80)) ALTER TABLE DOSSIER ALTER COLUMN ID RESTART WITH 0 ALTER TABLE STUDENTS ALTER COLUMN ID RESTART WITH 32 CREATE USER SA PASSWORD "" GRANT DBA TO SA SET WRITE_DELAY 10 SET SCHEMA PUBLIC INSERT INTO STUDENTS VALUES(12,'Alice') INSERT INTO STUDENTS VALUES(31,'Bob')

Implemented solution: client side On the client side, using IMDBs, we have only two interactions between each local agent and the Synchronizer

The modified .script file INSERT INTO students(id,name) VALUES(12,'Alice'); INSERT INTO students(id,name) VALUES(31,'Bob'); $27@5F3C25EE5738DAAAED5DA06A80F305A93C95A $45@5DA67ADA06AAED580FA914BF3C953057D387F INSERT INTO students(id,name) VALUES(23,'Carol'); Encrypted rows id_pending_row

Performances In contrast to the usual row-level encryption, which needs encryption/decryption at every data access, our solution uses these heavy operations only when communicating with Synchronizer, with a clear advantage, especially in the case of rarely modified databases.

Performances: read operations The system uses decryption only at start time, when records are loaded from the disk into the main memory. Each row is decrypted none (if it is owned by local node) or just once (if it is owned by a remote node), so this is optimal for read operations. Each decryption implies an access to the remote Synchronizer to download the related decrypting key and, eventually, the modified row.

Performances: write operations Write operations occur when a record is inserted / updated into the db, with no overload until the client, when online, explicitly synchronizes data with the central server. At this moment, for each modified record, the client needs to: • generate a new (symmetric) key • encrypt the record • dispatch the encrypted data and the decrypting key to the remote synchronizer

Benchmark (1) Creation of database and sample tables Population of tables with sample values Sharing of a portion of data with another user Receipt of shared dossiers from other users Opening of the newly created (and populated) database

Benchmark (2) To minimize communication delay, the central Synchronizer and the clients ran on the same computer. For testing purpose, it was sufficient to use only two clients (to enable data sharing). The application was compared with an equivalent one having the following differences: • It uses the unmodified HyperSQL driver • It doesn’t share data with other clients • When populating the database, it creates the same number of dossiers than the previous application; after benchmarking, however, it adds the number of shared dossiers, resulting in the same final number of dossiers.

Benchmark (3) We benchmarked the system using single-table dossiers of about 200 bytes, in two batteries of tests; the first with 20%, and the second with 40% of shared dossiers, which numbered from 1,000 to 500,000.

Results (1) Overhead when 20% of dossiers are shared

Results (2) Overhead when 40% of dossiers are shared

Conclusion In this paper, using IMDBs, we presented a simple solution to row-level encryption of databases. It can be used in the cloud to manage very granular access rights in a highly distributed database. This allows for stronger confidence in the privacy of shared sensitive data. An interesting field of application is the use in (business) cooperative environments, e.g. professional networks. In these environments, privacy is a priority, but low computing resources don't allow the use of slow and complex algorithms. IMDBs and our smart encryption, instead, achieve the goal in a more effective way.

Using In-Memory Encrypted Databases on the Cloud

More Related Content

What's hot

Viewers also liked

Similar to Using In-Memory Encrypted Databases on the Cloud

Recently uploaded

Using In-Memory Encrypted Databases on the Cloud

Editor's Notes