Protecting sensitive information in data for web-based services

Privacy is the right to be let alone - the most comprehensive of rights, and the right most valued by civilized men.
(Louis Brandeis, US supreme court justice)

Motivation

As already discussed in Section 2.1.1, a well-known business model for the 2-party web-based service is the Application Service Provider (ASP). An ASP "deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility. The applications are delivered over networks on a subscription basis. This delivery model speeds implementation, minimizes the expenses and risks incurred across the application life cycle, and overcomes the chronic shortage of qualified technical personnel available in-house" [IDC, 1999]. For these reasons, the ASP model has significant business impact and was forecasted annual growth rates between 75% and 89% [Mizoras, et al., 2001; Terdimann, et al., 2000].

Speaking in terms of the definition in Section 2.1, the ASP is the service provider and the ASP customer is the data holder (who is, in this case, the service user at the same time). We will refer to this business model throughout the rest of the chapter.

Privacy concerns for users of web-based services

Yet one reason that inhibits the wide spread use of this new kind of services is the question of data ownership and confidentiality. Classical Enterprise Resource Planning (ERP) installations that were based on the purchase and local installation of software and hardware ensured that confidential data did not leave the customer company's premises. In the ASP model this is no longer the case. Using software services over the Internet requires the customer to transfer potentially sensitive business data to the service provider which may include internal financial figures, product launch schedules and the like.

This obviously raises security concerns on behalf of the customers who urge the ASP to use firewalls, dedicated servers and encryption of the communication channel to protect their most confidential business data. These protective measures may, however, not suffice as the data is still required in unencrypted form for the ASP to process and to deliver the actual service results. In Table 3-1, we describe four different kinds of attacks. With exception of the first threat, an external attack against the customer's database, prevention along the conventional lines is very difficult.

#

Threat

Description

Risk indicators

1

External attack against the customer's database

External attacks directed at the service provider's database are still possible, and the risk is hard to estimate

Audit of the ASP's system security

2

Malicious ASP staff

Malicious staff on the provider's side (bribed or disgruntled employees etc.) may want to cause harm to their company and its customers

Fluctuation rate of ASP employees

3

Incompetent ASP staff
"Social Engineering"

Incompetent staff on the provider's side may unintendedly grant data access to unauthorized parties

Staff / workload ratio

4

Bankruptcy of the ASP or change of ownership

Bankruptcy or acquisition of the ASP leads to the transfer of the customer's business data, in the worst case to a direct competitor of the customer

Financial and competitive position of the ASP

Table 3-1: Threats to confidential business data of ASP customers

External attacks are usually accounted for with adequate cryptographic and organizational measures but cannot be completely ruled out. The damage caused by disgruntled or malicious ASP staff is even harder to predict and prevent. The CSI/FBI Computer and Crime Survey [CSI, 2003] shows that disgruntled employees are the most likely source of attacks, even more likely than independent hackers or competitors (86% vs. 74% / 53%, resp.). The risk of an attack by disgruntled employees is hard to measure. A possible indicator might be the number of employees who leave the ASP company per year (fluctuation rate).

Although applications like online banking and online book stores have become ubiquitous, people working in sensitive areas in IT companies are still vulnerable to trivial attacks called social engineering [Rusch, 2004]. One example of social engineering is walking into an office, telling an unsuspecting person that you need to fix a problem with the intranet and therefore need her password. The probability of getting the password is higher than one might expect.

Finally, the potential consequences of bankruptcy and/or change of ownership of the provider may be serious. Online retailer amazon.com's privacy statement clearly states that customer data is sold in the case of a change of ownership.

“…we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets... Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets…” [Amazon.com, 2004]

Technically, no corporate purchase can change the validity of a privacy policy that the former company has agreed to, but even if the new data owner is legally bound to a privacy policy, enforcing this in an international law suit is often infeasible. In the worst case, a direct competitor of one of the provider's customers might end up owning all the outsourced business data. However unlikely, this scenario has considerable potential to scare customers.

A privacy-preserving architecture

In this section, we present a service architecture that allows for processing data with a very high level of privacy protection. Sensitive data is not only withheld with respect to non-trusted third parties, but also to the service provider itself. The service provider will not dispose of any unencrypted customer data at any time. Contrary to the concept of [Asonov and Freytag, 2002], no hardware equipment is involved. Our approach requires the service provider to work directly with encrypted data.

Following the approach of public key infrastructure first proposed by [Rivest,et al., 1978; Rivest, et al., 1978], the basic idea is to transform the sensitive data with the help of a secret key only known to the customer. The service provider uses the corresponding public key in order to process the encrypted data. Without the private key, the service provider cannot see any sensitive information in plaintext (as is intended by the customer). Without the public key, it cannot even compute the data.

From an infrastructure point of view, the architecture requires the following actions.

The creation of a private key and its safe-keeping.
The creation of a public key and distribution of it to the service provider.
Equipment of customer software with the transformation algorithm.
The adaptation of the service provider's business logic such that encrypted data can be processed.

How these requirements are dealt with in practice is discussed in Section 3.8.3. The volume of infrastructure requirements implies that the approach is more suitable for Application Service Provider (ASP)-like solutions which allow at least for some customization than for fine-grained, standardized web services. We use the following terminology.

d _i , i=1..nSensitive input data from the data holder

pPrivate key of the data holder

qPublic key (given to the service provider)

S:(d _i _, d _j ) →S(d _i _, d _j )Operation / Service on plain customer input data

T _p : d _i →T _p (d _i )= t _i Encryption / Transformation function

S':(t _i , t _j ) →S'(t _i _, t _j )Operation / Service on encrypted customer data

T _p ^-1 : t _i →T _p ^-1 (t _i )Decryption / Retransformation function

Figure 3-1: A sketch of the proposed service architecture

Figure 3-1 describes the general service procedure. The customer wants the service provider to perform some service S on the confidential data D she provides. After installing the key infrastructure, critical data is marked up as “sensitive” and the application running on the customer machine encrypts it using the provided transformation scheme T and the private key p. The server, who only sees encrypted data, now uses the public key q to perform the requested service S. Once the server has performed its service, the encrypted pseudo-solution S(T _p (D)) is retransferred to the customer who applies a re-transformation (usually T _p ^-1

Note that the retransformation is not necessarily the inverse function T-1. For reasons of simplicity, we work just with T-1 throughout the rest of the chapter.

^v ) to obtain the desired result S(D).

The whole procedure is summed up in Figure 3-2.

Figure 3-2: Steps of the proposed service architecture

Data transformation

The “transformation schemes” T that we referred to in the previous section are actually encryption functions in the cryptographic terminology. These functions map plaintext, the readable sensitive data, to ciphertext, its encoded counterpart. Cryptanalysts determine the security of an encryption scheme in terms of its resistance against six attacks of increasing scale. [Stallings, 1999] and [Schneier, 1996] give an overview of the different attacks that we summarize in Table 3-2.

Type of Attack

Known to Attacker

Difficulty of attack

No encryption algorithm

-Ciphertext to be decoded

Most
difficult

|

Ciphertext only

-Ciphertext to be decoded

-Encryption algorithm

Known plaintext

-Ciphertext to be decoded

-Encryption algorithm

-One or more plaintext-ciphertext pairs formed with the secret key

Chosen plaintext

-Ciphertext to be decoded

-Encryption algorithm

-Plaintext message chosen by attacker, together with its corresponding ciphertext generated with the secret key

Chosen ciphertext

-Ciphertext to be decoded

-Encryption algorithm

-Purported ciphertext chosen by attacker, together with its corresponding decrypted plaintext generated with the secret key

Chosen text

-Ciphertext to be decoded

-Encryption algorithm

-Plaintext message chosen by attacker, together with its corresponding ciphertext generated with the secret key

-Purported ciphertext chosen by attacker, together with its corresponding decrypted plaintext generated with the secret key

Least
difficult

Table 3-2: Difficulty of cryptographic attacks

The architecture presented in this Chapter is based on a particular class of encryption functions, so-called privacy homomorphisms (PHs). [Rivest,et al., 1978] introduce them as “encryption functions that permit encrypted data to be worked with without preliminary decryption of the operands”. We now define the homomorphic property of privacy homomorphism.

Definition (Homomorphic encryption function)

An encryption function T _p : d _i →T _p (d _i ) is homomorphic with regard to a Service S iff ∀d _i , d _j ∈ dom(T): T ^-1(S'(T(d _i ), T(d _j )) = T ^-1 (T(S(d ₁ , d ₂ ))) = S(d ₁ , d ₂ )

Referring to Figure 3-3, this means that it does not matter whether you first perform the service on plaintext and then encrypt the data or whether you first encrypt the confidential data and perform the service on encrypted data. However, working with encrypted data imposes significant restrictions on the extent of feasible operations on the underlying data. There are two fundamental findings with important implications.

First, a secure encryption scheme can never preserve order. This means that for a given set of attribute values such as e.g. (3; 17; 31; 35; 42), no secure encryption scheme allows for determining the order (T _p (3), T _p (17), T _p (31), T _p (35), T _p (42)) on the ciphertexts [Rivest,et al., 1978]. An important conclusion is that attributes in encrypted databases cannot be sorted at all.

Second, the multiplication operation can be preserved at a higher level of security than addition. On the scale that measures the security of encryption schemes (see Table 3-2), the maximum level of security for addition-preserving encryption schemes is known-plaintext-resistance [Brickell and Yacobi, 1987]. This is less secure than the maximum level for multiplication-preserving ones, chosen-ciphertext resistance. The implication is that encryption schemes that preserve all basic arithmetic operations can reach at most the lower additive security level.

Figure 3-3: The basic idea of a privacy homomorphism

To employ PHs in service environments, the basic idea would be to transfer the encrypted confidential data T(d ₁ ) and T(d ₂ ) to the service provider instead of the plaintext pair d ₁ and d ₂ . The provider then computes the pseudo-solution S'(T(d ₁ ), T(d ₂ )) which is, due to T 's homomorphic property, equal to T(S(d ₁ ·d ₂ )). Applying the inverse function T ^-1 then decrypts the pseudo-solution and yields the desired result S(d ₁ ,d ₂ ). The three solid arrows in Figure 3-3 clarify this procedure.

Example: The sample PH that [Rivest,et al., 1978] describe yields that the multiplicative product of two encrypted numbers is equal to the encryption of the corresponding plaintext product.

T(d ₁ )·T(d ₂ )= T(d ₁ ·d ₂ )

Applying the inverse function gives

T ^-1(T(d ₁ )· T(d ₂ ))= T ^-1(T(d ₁ · d ₂ ))= d ₁ · d ₂

In this case, the provided service S is the multiplication of numbers.

If one considers “multiplication” as a simple kind of service, the encryption function T thus guarantees a very high level of privacy protection because the customer may use the service while revealing neither the factors nor the result to the service provider.

Whereas this multiplicative PH is a very secure one (chosen-ciphertext-resistant), performing addition on encrypted data turns out to be a more complicated issue. [Ahituv, et al., 1987] show that an additive PH may reach at most known-plaintext-resistance. [Brickell and Yacobi, 1987] are the first to present an R-additive PH that permits the addition of up to R numbers with ciphertext-only-resistance. Finally, [Domingo-Ferrer and Herrera-Joancomarti, 1999] present a PH allowing all field operations (addition, subtraction, multiplication and inverse multiplication) on an arbitrary number of ciphertexts. Though it is ciphertext-only resistant, it would still force the potential attacker to acquire plaintext information from the customer in order to be successful, which transfers at least some of the responsibility from the service provider to the customer (see [Boyens and Günther, 2002]). If a plaintext-ciphertext pair has been known to the attacker, it will be difficult for the customer to deny at least part of the responsibility for the break-in. A practical solution for this problem is to codify these responsibilities in the service contract. The customer would then be at least partially responsible for a potential break-in. See Table 3-3 for an overview of existing privacy homomorphisms.

PHs have been employed for very specific purposes such as multi-application smart-cards [Domingo-Ferrer, 1997], signature schemes [Johnson, et al., 2002] and electronic voting [Asonov,et al., 2001]. The field of research with most potential impact however is the field of securely outsourced database services, see [Damiani,et al., 2003; Hacigumus,et al., 2002; Hacigumus,et al., 2002; Ozsoyoglu, et al., 2003] and our discussion in Section 2.2.3.2.

Authors

Service S

Secure against

Remarks

[Rivest,et al., 1978]

Chosen-ciphertext attack

Based on RSA

Preserves equality

[Brickell and Yacobi, 1987]

Ciphertext-only attack

First R-additive scheme

[Domingo-Ferrer, 1996]

Known-plaintext attack

[Domingo-Ferrer and Herrera-Joancomarti, 1999]

Ciphertext-only attack

Supports all field operations

Table 3-3: Overview of existing privacy homomorphisms

We will now describe the PH in use with the proposed architecture.

The deployed privacy homomorphism Encryption

The PH we base our architecture on is adapted slightly from the scheme proposed by [Domingo-Ferrer and Herrera-Joancomarti, 1999]. We apply the procedure depicted in Figure 3-4 to encrypt plaintext. Note that this scheme differs from the PH proposed by [Domingo-Ferrer and Herrera-Joancomarti, 1999] in the sense that a∈Z _p is not chosen arbitrarily but as a fixed and secret prime. As modular equations a · x= d (mod p) have unique solutions for a, x, d∈Z _p , unique plaintext identifiers have the same ciphertext correspondents. This would not have been the case if a had been chosen arbitrarily. This feature is important since, for instance, primary keys for a database can now be addressed by a unique ciphertext. The check for equality allows for picking single records out of the encrypted database, thus permitting the updating, deleting and retrieving of records that already exist in the database.

Figure 3-4: Encryption procedure

Decryption

The decryption works in a similar manner. The difference consists of the fact that A can be chosen arbitrarily, as the transformation scheme guarantees the plaintext originally provided as the result.

Figure 3-5: Decryption procedure

Note that modular equations of the type a·x≡d (mod p) for x∈Z _p are solvable if p is a prime and that the solution is unambiguous [Fieger, 1996].

A simple example

For the simple service of "multiplication", we will now give an example. We choose d ₁ = 3 and d ₂ = 5 and let the service provider calculate the service result S(d ₁ , d ₂ )=d ₁ ·d ₂ .

Example: p= 17

p’= 31

a= 13, a∈ {2, 3, 4, …, 16}

q= 17·31= 527

d ₁ = 3 (∈Z ₁₇ )

d ₂ = 5 (∈Z ₁₇ )

//Encrypt confidential data

♢ Solve a·x= 13·x= 3 (mod 17) ♢x= 12; a·x= 156 (mod 527)= T ₁₇ (3)∈Z ₅₂₇

♢ Solve a·x= 13·x= 5 (mod 17) ♢ x= 3; a·x= 39 (mod 527)= T ₁₇ (5) ∈Z ₅₂₇

//Service provision

T ₁₇ (3) *_{(mod 527)} T ₁₇ (5) = 156·139= 6084 (mod 527)= 287

//Decrypt confidential result

Pick A arbitrarily ∈Z _q : A= 412

Solve A·Y= 287 (mod 527), A·Y= 25056

T ₁₇ ^-1(T ₁₇ (3) *_{(mod 527)} T ₁₇ (5))= 25056 (mod 17)= 15

You can see that neither the encrypted input data nor the encrypted result is of any use or meaning to the service provider. However, the result is still valid for service user.

Enabled services: Which services can be performed

Now that the basic service idea and the corresponding transformation scheme are introduced, we will discuss which actual services the service provider is able to carry out on the modified information he possesses. Naturally, encrypted data cannot be processed with the same range of operations as unencrypted data. We will distinguish between two different elementary service types.

The first elementary service type concerns basic database queries, such as retrievals and updates. We will analyze the basic relational operators concerning their suitability for handling encrypted records and give examples in Section 3.6.1.

The second elementary service type consists of the basic arithmetic operations, addition and subtraction, multiplication and division. We will show to what extent and on which kind of plaintext data these operations can be applied in Section 3.6.2.

Database services

Here we introduce a service for our running ASP example. The customer is a company who wants to outsource its Human Resource (HR) Management System, i.e. it wants the ASP to store and process employee information such as loans, overtime, etc. For that purpose, it transfers information about its employees and about the monthly wage accounts in the following two tables.

employee (employee_no, name, year_of_birth, department);
monthly_account (employee_no, month, absence, overtime, payment);

The employee table contains general information about the staff such as employee number, name, year of birth and department. A typical data record would contain the following.

(432321, 'Schmidt', 1963, 'Finance')

The monthly_account table in contrast yields information about the monthly payment account as absent hours, overtime hours and payment.

(432321, 'AUG 2002', 12, 23, 3247)

We will now explain if and how standard Structured Query Language (SQL) queries can be mapped such that the encrypted database can be accessed.

Selection (“SELECT name, year_of_birth FROM employee WHERE (department=’Finance’)”)

The value to retrieve is simply encrypted in the query

“…WHERE department=T_p(ascii(’Finance’))”, where ascii(‘Finance’) would be the corresponding ASCII coding. The exact and complete value must be specified, as the transformation scheme does not allow for “partial encryption”. Therefore, working with wildcards (“…WHERE (department LIKE ’F%’)”) is not possible.

Projection (“SELECT name, year_of_birth FROM employee WHERE (department=’Finance’)”)

Projection is possible without restrictions, as usually all the attribute names must be specified with their exact and complete names. Furthermore, it is up to the customer to decide whether he should just encrypt the values or encrypt the attribute names, too. In the latter case, the query would start with:

(“SELECT T_p(name), T_p(year_of_birth)…”)

Join (“SELECT payment FROM employee e, monthly_account m WHERE (e.employee_no = m.employee_no)”)

The Join command for data from different tables works well as long as the matching is done with complete attributes (no wildcards). The privacy homomorphism guarantees that identical unencrypted values will have the same ciphertext correspondent. For example, T_p(employee_no) will be the same in table employee as in the table monthly_account.

Sorting (“SELECT name, year_of_birth FROM employee SORT BY year_of_birth)”)

The ability to sort presumes the existence of a total order over the encrypted data. However, [Rivest,et al., 1978] show that PHs that preserve total order in spite of the transformation cannot even be ciphertext-only resistant. Therefore, “SORT BY” cannot be conducted at all over encrypted data. An approach concerning how to facilitate this with some involvement of the customers' machines was recently proposed by [Hacigumus,et al., 2002].

In order to modify the encrypted database, additional operators are necessary for record insertion, deletion or updating. However, they all depend on the discussed query operators. Hence e.g. deletion is possible for specifically selected values, but not for wildcard values. As a result, all records whose name attribute is equal to “Miller” could be deleted, but not those with name attributes starting with “M%”, as discussed for the “Selection” operator.

Table 3-4 sums up these results

Operator

Feasible on T_p(D)?

Remarks

Selection

Partially

No wildcard selection possible

Projection

Yes

Attribute name not necessarily encrypted

Join

Partially

Only over exactly matching data

Sorting

No

Impossible on secure data

Table 3-4: Database query operators on encrypted data

Arithmetic operations

All arithmetic operations discussed are principally modular operations. Yet on the plaintext domain Z _p , the very large prime p allows for the calculation of large sums and products without creating remainder terms through division by p. Hence addition, subtraction and multiplication can normally be used as if the algebraic space was the regular algebraic ring (Z, +, *). Furthermore, as (Z _p , +_{mod p}, *_{mod p}) is equivalent to an algebraic field, it allows for the computation of multiplicative inverses. All of these properties are transferred to the algebraic space (Z _q , +_{mod q}, *_{mod q}) after applying the transformation scheme presented in Section 3.5. The basic difference between (Z _p , +_{mod p}, *_{mod p}) and (Z _q , +_{mod q}, *_{mod q}) lies in the fact that every unencrypted datum is converted into a cipher of almost the same bit length as q, i.e. up to 256 bits. That means that e.g. the addition of salaries, say of 3275$ and 4023$ turns from the addition of 12-bit-integers to the addition of its 256-bit-long encrypted correspondents.

In the following, we will discuss the four basic arithmetic field operations. Afterwards, we will indicate for which aggregate operations the algorithm fits best.

Addition d ₁ + d ₂ := T _p ^-1(T _p (d ₁ ) + _{(mod q)} T _p (d ₂ ))

The regular (non-modular) addition of the unencrypted data is mapped to the modular addition of the encrypted numbers. It works for all d ₁ _, d ₂ ∈Z _p , as long as [d ₁ +d ₂ < p], which is not a strong condition because p is large.

Subtraction d ₁ - d ₂ := T _p ^-1(T _p (d ₁ ) - _{(mod q)} T _p (d ₂ ))

As Z _p does not contain negative integers, this only works as long as d ₁ > d ₂ . From [(d ₁ - d ₂ ) > 0] and [(d ₁ -d ₂ ) < d ₁ < p] then follows [(d ₁ -d ₂ ) ∈Z _p ]

Multiplication d ₁ * d ₂ := T _p ^-1(T _p (d ₁ ) * _{(mod q)} T _p (d ₂ ))

This works as regular (non-modular) multiplication as long as [d ₁ *d ₂ < p]. This can actually turn out to be a strong condition if the number of factors is very high.

Inverse Multiplication d ₁ * d ₂ ^-1 := T _p ^-1(T _p (d ₁ ) * _{(mod q)} T _p (d ₂ ) ^-1 )

This only works as the common "division" as long as d ₂ in fact divides d₁. If division leads to a remainder, one may still compute the multiplicative inverse of T _p (d ₂ ), but the decrypted product does not correspond to the a readable figure (as d ₁ DIV d ₂ , the integer division, would). It should therefore only be used as the regular division when the property "d ₂ divides d ₁ " can be ensured beforehand.

Table 3-5 sums up these findings.

Operation

Feasible on T_p(D)?

Conditions

Addition

Yes

d ₁ +d ₂ < p

Subtraction

Partially

d ₁ -d ₂ > 0

Multiplication

Yes

d ₁ *d ₂ < p

Division

Partially

d ₂ | d ₁

Table 3-5: Arithmetic operators on encrypted data

Practical services

In this section, we will discuss a few sample services based on the encrypted employee and monthly_accounttables presented in the previous paragraph. We think that HR data is particularly appropriate for this purpose, for two reasons. First, sensitive data can be found in various forms such as regular wages and bonus payments, absent and overtime hours, and sometimes even church affiliation. Second, HR Management tools are often subject to outsourcing and therefore represent a suitable application field for the proposed architecture.

S ₁ : Mean monthly absent hours in specific departments

Formally, this figure is calculated as the average µ _i over the absent hours of the employees e in department dep1

µ_dep1=(Σ_{(e.department= dep1)} e.absence) / |{e | e.department= dep1}|

In order to calculate the mean absent hours for the ‘Finance’ department in August, the following actions are required on the provider’s part.

1) Retrieve the absence attribute of all employees in the finance department.

SELECT absence AS department_absence FROM employee e, monthly_account m WHERE (e.employee_no = m.employee_no) AND (e.department = T_p(‘Finance’))
Note that this query includes a join over encrypted data, namely the employee number in both tables.

2) Calculate the sum over department_absence.

sum_{‘Finance’}= Σ_{(e.department= Tp(‘Finance’)} e.absence

3) Return the encrypted sum_{‘Finance’} and the plain record_count_{‘Finance’}= |{e | e.department= ‘Finance’}| to the customer.

4) Finally, the customer decrypts the sum and divides it by the count to obtain the result µ_dep1.

µ _{‘Finance’}= T _p ^-1(sum_{‘Finance’}) / record_count_{‘Finance’}

Note that lacking the possibility of dividing the two numbers leads to at least some involvement of the customer. A good example for a service that does not need any kind of customer intervention is the multiplication of matrices, as only multiplication and addition is required.

S ₂ : Standard deviation of payments among departments

This metric measures the income disparities among different departments. We will use a service similar to S₁ to calculate µ_i ^* , the mean incomes per department.

σ _all =((Σ_{(departments i)} |µ _all - µ _i ^*|²) / |{ i | dep_i is department }|) ^½

with µ _all=(Σ_{(departments i)} µ _i ^*) / |{ i | dep_i is department }|

1) Compute the mean payments µ _i ^*for all departments using a similar service to S₁.

2) Compute the average µ _all over all µ _i ^* 's using S₁ again.

3) Compute the sum of the squared differences: squared_dev:= Σ_{(departments i)}|µ _all - µ _i ^* |².

4) Return squared_dev and the number of departments department_count to the customer.

5) The customer decrypts the squared deviation sum, divides it by the department count and draws the square root.

Again, some customer involvement is required. However the major part of the calculation is done by the provider, which especially pays off if the underlying databases are large.

A prototypical implementation Sketch of the implementation

In order to evaluate the proposed architecture, we implemented a prototype of the service architecture. Figure 3-6 displays a sketch of the implementation and the employment of different Java classes.

Figure 3-6: Sketch of the implementation

We chose Java as the programming language because it has convenient classes and methods to process large integers such as the secret and public primes as well as the encrypted data. The implementation was carried out with the technological components displayed in Figure 3-10.

Component

Technology

Reference

CPU

x86 (700 Mhz)

h18000.www1.hp.com/products/quickspecs/10382_ca/10382_ca.html

RAM

192 MB

Operating System

MS Windows 2000

http://www.microsoft.com/windows2000

Programming language

Java 1.4.2

java.sun.com/j2se/1.4.2

Database management system

MS Access 2000

office.microsoft.com/home/default.aspx

Table 3-6: Technological components of the implementation

Experiments

We created the employee and monthly_account tables with n=1000 data records. We first built them with unencrypted test data. Then we encrypted them using the proposed algorithm and a 32 bit, a 64 bit and a 128 bit key. As the focus is on the protection of sensitive data, we pay particular attention to the transformation of hours absent, overtime and salary (payment). The resulting tables have the following shape.

employee (T_p(employee_no), name, year_of_birth, department);

monthly_account (T_p(employee_no), month, T_p(absence), T_p(overtime), T_p(payment));

We first compared the service execution time of the service S₁ with regard to the size of the encryption key, see Figure 3-7.

Figure 3-7: Service execution time with regard to encryption key length

The service performance time increases only slightly with the key size. Note that the service performance time does not include the creation or modification of the encrypted data in the customer's database but only the request for the mean monthly absent hours in the 'Finance' department. The time that is necessary to create employee and monthly_account as encrypted tables in the customer database with key sizes of different length is displayed in Figure 3-8.

Figure 3-8: Table creation time with regard to encryption key length .

We can see a significant increase in the creation time with growing key size. This is particularly true for the monthly_account table. The reason for this is that monthly_account has more encrypted attributes (employee_no, payment, absence, overtime) than employee (just employee_no). Though differences were expected, the extent of the size gap is surprising.

Figure 3-9 shows another important dimension for database management systems, the size of the encrypted tables for different key lengths.

Figure 3-9: Table size with regard to encryption key length

Both Figure 3-8 and Figure 3-9 suggest that the time and space that the customer needs to create the encrypted tables at the service provider's site depend heavily on the number of encrypted attributes and on the key length. However, Figure 3-7 suggests that once the tables are created, the service performance time does not suffer. In the proposed system, manipulating data is costly while querying data is fast. These figures only give a trend on computational sensitivities and do not claim to meet all practical requirements such as minimal key length, etc.

Practical implementation issues

The implementation at hand is based on a JAVA applet that performs encryption and decryption as well as the post-processing on the client side. The applet would be loaded by the client every time the service is requested.

A more efficient approach would require the service provider to deliver a certified browser plug-in, which contains the transformation scheme and needs to be installed and parameterized by the client. The latter includes creation of a secret key. Sensitive data to be transmitted would then be marked with a specific HTML tag that forces the plug-in to encrypt the information before sending it.

Enterprise solutions could eventually take advantage of a proxy server through which every IP packet needs to pass. The proxy could check every packet for marked-up sensitive data and, if applicable, would transform the tag’s content. See Figure 3-10 for an illustration of this. An advantage of this setup is that the secret key is only kept at the proxy and not on every individual customer's machine.

Figure 3-10: Implementation via plug-ins (left) and via proxy server (right)

Both approaches assume the existence of locally installed browsers. In the future, this may not always be necessary, as new techniques like the remote GUI only require the presentation layer to be processed at the customer site. With the data management completely shifted to the central facility, transforming sensitive information must then take place at the (untrusted) service provider location.

Limitations and opportunities

The proposed architecture should not be considered as a “one-size-fits-all” solution that works for every kind of network services. It focuses on applications that require some basic database and arithmetic operations on sensitive data. It is especially valuable for service bundles whose main value lies in their variety and their completeness in many smaller, granular services. In other words, wage accounting services are more suited for the architecture than for complex data mining metrics such as the ones proposed in [Cutler and Sterne, 2000].

Different attributes require different encryption measures. The proposed algorithm is best suited for numbers that will later be processed with arithmetic operators. Primary key values in contrast often just serve as identification means, and are not subject to later processing. Hence it would be useful to encrypt these values with a very secure cryptographic algorithm such as RSA [Rivest,et al., 1978]. As the private key p has already been chosen, it can be used to encode the key values with this alternate algorithm.

Regarding this, the proposed software solution is not suited for complex calculation problems, but for the aggregation of many single, rather simple services. A good example is the calculation of aggregate HR figures that we discussed here. Speaking in terms of the trade-off idea sketched in the introduction, the trade-off in this approach is that for a certain kind of security, the user can only have a limited number of services S(D) from the service provider. He has to give up a certain amount of security to obtain a more extensive service offering.

Complementary to the practical reasoning, there is also theoretical work especially on the question whether or not SQL algebra can be securely outsourced. At least a part of the SQL algebra can be mapped to logical operations such as OR, AND, NOT. However, there does not yet exist a homomorphic bit-encryption scheme that is homomorphic to the complete set of these logical operations [Maurer, 2004]. But even if such an encryption scheme existed, it is not sure whether the entire SQL algebra could be mapped to these logical operations. The results that [Fischmann and Günther, 2003] derive from the related code obfuscation approach by [Barak, et al., 2001] suggest that mapping SQL algebra on encrypted data is not entirely possible. Further research is needed to (a) determine whether the complete set of logical operations can be covered by a homomorphic bit-encryption scheme and to (b) determine which parts of the SQL algebra can be mapped to logical operations.