Sensitive Data Protection of DBaaS Using OPE and FPE

Abstract

DBaaS (Database as a Service) is a service provided and managed by the cloud provider and supports traditional database functionalities. The DBaaS use multi-tenant architecture to support multiple customers. The biggest problem concerned with DBaaS is the privacy and security of the data contained in the database stored in the cloud environment. The database is stored in a third party data center and it is assumed to be as untrusted. The database is therefore encrypted in order to prevent any data leaks on the third party data center. The result of any query to the database is decrypted at the service provider site before it is sent to the user. The above mentioned solution have two disadvantages. Firstly, the encryption and decryption are done at the server side and hence the cloud owner can extract information from the database. Secondly, the encryption of database does not support range queries on the database. The proposed framework focuses on securing database by supporting range queries and storing sensitive information with protection of memory leak. It performs database encryption, query encryption and also supports range query over encrypted databases. A double layered encryption mechanism is used for sensitive data and a single layer encryption is used for non-sensitive data. Order Preserving Encryption (OPE) is used for single layer encryption. OPE maintains the order in an encrypted database and so range query can be performed over encrypted database using an encrypted query. The drawback associated with OPE is the attacker can guess the value based on the ordering of data and so for sensitive attributes in the database, a double layered encryption using Format Preserving Encryption (FPE) followed by OPE symmetric key encryption algorithm is proposed.