Concurrent access on query aware Encrypted Cloud Database

Jayshri C. Wagh, Computer Department, BVCOE, Navi-Mumbai, Mumbai University, jayshriwagh16@gmail.com
Prof. Sonali Mhatre, Information Technology, BVCOE, Navi-Mumbai, Mumbai University, sonalinmhatre@gmail.com

ABSTRACT

Cloud computing enables highly scalable services to be consumed over the Internet, provisioned on user request. Placing critical and confidential data outside the premises of an organization, in the hands of a cloud provider, should come with the guarantee that the data remains secure and available at any point in time. The Database as a Service (DBaaS) model is used to manage databases in a cloud environment; once a database is stored in the cloud, every authorized user should be able to access it efficiently. The architecture proposed in this paper provides data confidentiality for cloud databases. It is designed to allow multiple independent clients to connect to the cloud database without an intermediate server. Data is encrypted before it is uploaded to the cloud, and multiple cryptographic techniques are used to transform plaintext into encrypted data, so that the data is never exposed to the cloud provider or to any public user who is not registered to access the database. An encrypted query submission model protects the values carried in queries. Existing systems require the choice of which encryption scheme to adopt for each database column and SQL operation to be made at design time; since some encryption schemes cannot support every query operation on encrypted data, such systems support only a limited set of SQL operations, fixed at design time. The proposed system keeps working when the set of queries changes dynamically. An access control mechanism is used to grant permissions to users.

Keywords: public cloud database, security, adaptive, encryption, confidentiality, onion structure.
INTRODUCTION

Cloud computing is a recent trend in IT that moves computing and data away from desktop and portable PCs into large data centres. It refers both to applications delivered as services over the Internet and to the actual cloud infrastructure, namely the hardware and systems software in data centres that provide these services. Today a user may spend a lot of time at a computer collecting large amounts of data over the network and storing it somewhere portable. While roaming, the user may need data from their PC (Personal Computer), but large datasets are difficult to carry along, which causes problems during roaming. Storing the data in the network solves this problem, and cloud storage is the usual way to do so. Cloud storage refers to storing large amounts of data on a pay-per-use basis, which is what cloud computing offers: an off-site storage scheme maintained by a third party, the cloud provider. It is a popular way to store data in a geographically distributed environment with practically unlimited computing resources and to access the data wherever the user needs it, without worrying about data loss. Hence it provides greater availability, scalability and reliability to the users. This paper describes the features provided by a cloud provider as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Cloud Database Services

i) Software as a Service (SaaS): this provides different software to different users over the Internet. A distinct instance of the service runs in the cloud, and one or more users can utilize it. No charges are deducted from the user for the service or for the software license; in some cases charges may be deducted for the maintenance of the service [1].

ii) Platform as a Service (PaaS): this provides the software platform layer as a service.
It provides a storage mechanism for the various applications and their consumers. Users are free to build their own applications on the infrastructure it provides. It offers predefined components combining the OS and the application server, e.g. LAMP platforms [1].

iii) Infrastructure as a Service (IaaS): this provides basic storage and processing infrastructure as a service over the network. It serves the computing infrastructure of servers, network administrators, data centres, etc., which handle the workload of the service through IaaS. Users pay charges for this service when they use it over the network. In this model cloud computing delivers hardware and software in data centres as services over the Internet; the data centre of hardware and software is called the Cloud [1]. IaaS is further classified into three types:

i) Database as a Service
ii) Storage as a Service
iii) Computing as a Service

These types of IaaS depend on the kind of service provided. Among them, our interest is Database as a Service.

Database as a Service (DBaaS): this provides a service to users for their data. It does not require modifications to the database, since the database is controlled by the cloud provider. The cloud provider manages the database and aims to make its services instantly available to data users. Organizations pay the service provider for the database service. For organizations with few resources, limited hardware and time-bound projects, DBaaS solves this problem on a pay-per-usage basis. DBaaS is a successful paradigm in which the data and the storage devices are located in the cloud infrastructure and the user can access the data from anywhere [3].
Fig 1: Database as a Service Architecture

In some cases users worry about security and privacy problems on the cloud provider's side. The cloud provider secures only the frontend resources and fails to secure the backend resources, so attackers can easily obtain data from the backend, and a malicious user could compromise data integrity and confidentiality. Leakage of data may occur within the user's cloud resources, and the cloud provider is responsible for this issue [2]. Thus users must protect themselves, independently of the cloud provider, against attackers and the outsourced cloud resources by encrypting their data. Encryption is the process of encoding data, i.e. transforming the text into ciphertext, to protect data managed by an untrusted server.

EXISTING SYSTEM

The existing system [10] allows multiple independent clients to connect directly to the untrusted cloud DBaaS without any intermediate server. Fig. 2 describes the overall architecture. It assumes that a tenant organization acquires a cloud database service from an untrusted DBaaS provider. The tenant then deploys one or more machines (Client 1 through N) and installs a SecureDBaaS client on each of them. This client allows a user to connect to the cloud DBaaS to administer it, to read and write data, and even to create and modify the database tables after creation.

They assume the same security model that is commonly adopted in the literature in this field (e.g. [8], [9]), where tenant users are trusted, the network is untrusted, and the cloud provider is honest-but-curious: cloud service operations are executed correctly, but the confidentiality of tenant information is at risk. For these reasons, tenant data, data structures and metadata must be encrypted before leaving the client. The information managed by SecureDBaaS includes plaintext data, encrypted data, metadata and encrypted metadata. Plaintext data consists of the information that a tenant wants to store and process remotely in the cloud DBaaS. To prevent an untrusted cloud provider from violating the confidentiality of tenant data stored in plain form, SecureDBaaS adopts multiple cryptographic techniques to transform plaintext data into encrypted tenant data and encrypted tenant data structures, because even the names of the tables and of their columns must be encrypted. SecureDBaaS clients also produce a set of metadata consisting of the information required to encrypt and decrypt data, as well as other administrative information. Even the metadata are encrypted and stored in the cloud DBaaS.

Fig 2: SecureDBaaS Architecture

The existing system requires choosing which encryption scheme must be adopted for each database column and SQL operation. These proposals work only when the set of queries can be statically determined at design time; if the workload changes after the database has been designed, they do not adapt dynamically. Some systems can enforce access control without the intervention of the cloud provider but do not allow the execution of SQL operations on encrypted data.

PROPOSED SYSTEM

We propose an architecture that extends the existing system [10]; its overall structure is shown in Fig. 4. We assume that a tenant organization acquires a cloud database service from an untrusted DBaaS provider [10]. The proposed system supports adaptive encryption for public cloud database services, where distributed and concurrent clients can issue direct SQL operations. By avoiding an architecture based on intermediate servers [8, 9] between the clients and the cloud database, the proposed solution guarantees the same level of scalability and availability as the cloud service itself. All data and metadata stored in the cloud database are encrypted: the system stores the whole database in encrypted form.
In this system both the user's details and the data the user wants to store are kept in the cloud. As required, the database designer stores user data using an onion structure (the adaptive encryption scheme of [8]), because with ordinary encryption tenants cannot perform all SQL operations. The adaptive encryption scheme, initially proposed for applications not related to the cloud, encrypts each plain column into multiple encrypted columns, and each value is encapsulated in several layers of encryption, so that the outer layers guarantee higher confidentiality but support fewer computations than the inner layers. In the proposed system each plain column of a table is encrypted into one or more columns, depending on the needs of the database designer; encrypting it into multiple columns provides higher confidentiality. The more encryption layers there are, the harder it is to perform operations over those columns compared to the inner layers, so more layers provide higher security and confidentiality. Legitimate clients can transparently issue SQL operations (e.g. SELECT, INSERT, UPDATE and DELETE) to the encrypted cloud database through the encrypted database interface. Every user is assigned privileges according to the access policy and can perform SQL operations on the encrypted cloud database accordingly. Every user can store a file in the cloud in encrypted form, and the same file can be accessed or downloaded by other users under the same access policies.

Fig 4: System Architecture

The DBA shown in Fig. 4 is the only subject that owns root credentials for the DBA client, and we assume that no internal or external attacker is able to access, steal or crack those credentials. The DBA manages user accounts and enforces the tenant access control policies [11]. These policies represent the set of rules adopted by the tenant organization to define which user can access which subset of tenant data.
The importance of data isolation through access control policies should be clear: tenant users must access all and only the authorized data, where authorizations are specified as if the database were maintained by the tenant.

RELATED WORK

Adaptive encryption schemes

SQL-aware encryption schemes [8] guarantee data confidentiality and allow the cloud database server to execute SQL operations over encrypted data. As each algorithm supports a specific subset of SQL operators, we refer to the following encryption schemes.

• Random (Rand): the most secure encryption (IND-CPA), because it does not reveal any information about the original plain value. It does not support any SQL operator and is used only for data retrieval.
• Deterministic (Det): encrypts data deterministically, so that equality of plaintext data is preserved. It supports the equality operator.
• Order Preserving Encryption (Ope): preserves in the encrypted values the numerical order of the original unencrypted data. It supports the comparison SQL operators (i.e. =, <, ≤, >, ≥).
• Homomorphic Sum (Sum): homomorphic with respect to the sum operation, so that the multiplication of encrypted integers corresponds to the sum of the plaintext integers. It supports the sum operator between integer values.
• Search (Search): supports equality checks on full strings (i.e. the LIKE operator).
• Plain: does not encrypt data; it is useful to support all SQL operators on non-confidential data.

The innovation of the proposed models and schemes is to enforce access control mechanisms on cloud databases while allowing the execution of SQL operations on encrypted data stored in the cloud and accessible by any tenant cloud client. To the best of our knowledge, no existing proposal is able to satisfy both requirements.
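As an added illustration (not code from this paper, SecureDBaaS or CryptDB) of the onion structure described under the proposed system and of the Rand and Det schemes listed above, the following Python sketch stores one column as Rand(Det(plain)) and peels the Rand layer only when an equality query first needs it, so the scheme for that column is chosen at run time rather than at design time. The HMAC-SHA256 keystream and the SIV-style deterministic cipher are toy stdlib constructions assumed here so the demo runs offline; a real deployment uses AES-based Rand and Det schemes.

```python
import hashlib, hmac, secrets

# Toy HMAC-SHA256 counter-mode keystream (stdlib only; real deployments use AES).
def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Det layer (SIV-style): IV derived from the plaintext, so equal plaintexts give
# equal ciphertexts (equality preserved) while the layer stays decryptable.
def det_enc(key: bytes, pt: bytes) -> bytes:
    iv = hmac.new(key, b"siv" + pt, hashlib.sha256).digest()[:16]
    return iv + xor(pt, keystream(key, iv, len(pt)))

# Rand layer: fresh random nonce per cell, so nothing about the value leaks.
def rand_enc(key: bytes, pt: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + xor(pt, keystream(key, nonce, len(pt)))

def layer_dec(key: bytes, ct: bytes) -> bytes:  # layout nonce/iv || body
    return xor(ct[16:], keystream(key, ct[:16], len(ct) - 16))

class OnionColumn:
    """One plain column stored as Rand(Det(plain)); the server keeps the
    outermost layer until the workload demands a weaker one."""
    def __init__(self, k_rand: bytes, k_det: bytes):
        self.k_rand, self.k_det = k_rand, k_det
        self.level = "Rand"          # current outermost layer on the server
        self.cells = []
    def insert(self, value: str) -> None:
        ct = det_enc(self.k_det, value.encode())
        self.cells.append(rand_enc(self.k_rand, ct) if self.level == "Rand" else ct)
    def require(self, op: str) -> None:
        # Adaptive step: peel Rand only when an equality operator first appears.
        if op == "=" and self.level == "Rand":
            self.cells = [layer_dec(self.k_rand, c) for c in self.cells]
            self.level = "Det"
    def select_eq(self, value: str):
        self.require("=")            # server now compares Det ciphertexts
        token = det_enc(self.k_det, value.encode())
        return [i for i, c in enumerate(self.cells) if c == token]
    def read(self, i: int) -> str:   # client-side decryption of one cell
        c = self.cells[i]
        if self.level == "Rand":
            c = layer_dec(self.k_rand, c)
        return layer_dec(self.k_det, c).decode()
```

Before the first equality query two cells holding the same value are indistinguishable on the server; after it they compare equal, which is exactly the confidentiality the outer layer trades for computation.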
For example, there are encryption schemes that enforce access control mechanisms for cloud storage services [12], and other solutions that support concurrent accesses from independent clients [13]. Query-aware encryption algorithms [8] allow a user to obtain all and only the requested data from the database, but that proposal is based on a trusted proxy that intercepts all operations between the tenant clients and the encrypted database, performs data re-encryption, and implements access control policies as in a privately managed infrastructure.

CONCLUSION

In this paper we have shown that cloud tenants can take full advantage of DBaaS qualities such as accessibility, security and reliability without exposing unencrypted data to the cloud provider. The system permits multiple, geographically distributed clients to execute concurrent operations on encrypted data and eliminates the intermediate server between the tenant and the cloud provider. Client registration details are stored in the cloud database using the adaptive encryption scheme. Clients are able to read and write data in the cloud database, which is stored in encrypted form. The scheme proposed in this paper allows a client to encrypt all stored and transmitted data, to enforce standard database access control mechanisms where each tenant user has a different secret key, and to support the execution of SQL operations on encrypted data stored at a public cloud provider.

REFERENCES

1. R. Ashalatha and M. Vaidehi, "The Significance of Data Security in Cloud: A Survey on Challenges and Solutions on Data Security".
2. I. Arora and A. Gupta, "Cloud Databases: A Paradigm Shift in Databases," International Journal of Computer Science Issues, vol. 9, no. 4, pp. 77-83, 2012.
3. D. Agrawal, A. E. Abbadi, F. Emekci, and A. Metwally, "Database Management as a Service: Challenges and Opportunities," Proc. 25th IEEE Int'l Conf. Data Eng., Mar.-Apr. 2009.
4. V. Ganapathy, D. Thomas, T. Feder, H. Garcia-Molina, and R. Motwani, "Distributing Data for Secure Database Services," Proc. Fourth ACM Int'l Workshop Privacy and Anonymity in the Information Soc., Mar. 2011.
5. "Oracle Advanced Security," Oracle Corporation, http://www.oracle.com/technetwork/database/options/advanced-security, Apr. 2013.
6. M. Hadavi, E. Damiani, R. Jalili, S. Cimato, and Z. Ganjei, "AS5: A Secure Searchable Secret Sharing Scheme for Privacy Preserving Database Outsourcing," Proc. Fifth Int'l Workshop Autonomous and Spontaneous Security, Sept. 2013.
7. E. Damiani, S. D. C. Vimercati, S. Jajodia, S. Paraboschi, and P. Samarati, "Balancing Confidentiality and Efficiency in Untrusted Relational DBMSs," Proc. Tenth ACM Conf. Computer and Comm. Security, Oct. 2003.
8. R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan, "CryptDB: Protecting Confidentiality with Encrypted Query Processing," Proc. 23rd ACM Symp. Operating Systems Principles, Oct. 2011.
9. H. Hacigümüş, B. Iyer, C. Li, and S. Mehrotra, "Executing SQL over Encrypted Data in the Database-Service-Provider Model," Proc. ACM SIGMOD Int'l Conf. Management of Data, June 2002.
10. L. Ferretti, M. Colajanni, and M. Marchetti, "Distributed, Concurrent, and Independent Access to Encrypted Cloud Databases," IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 2, pp. 437-446, Feb. 2014.
11. L. Ferretti, M. Colajanni, and M. Marchetti, "Access Control Enforcement of Query-Aware Encrypted Cloud Databases," Proc. 5th IEEE Int. Conf. Cloud Comput. Technol. Sci., Dec. 2013, pp. 717-722.
12. S. Yu, C. Wang, K. Ren, and W. Lou, "Achieving Secure, Scalable, and Fine-Grained Data Access Control in Cloud Computing," Proc. IEEE INFOCOM, Mar. 2010.
13. A. J. Feldman, W. P. Zeller, M. J. Freedman, and E. W. Felten, "SPORC: Group Collaboration Using Untrusted Cloud Resources," Proc. 9th USENIX Conf. Operating Systems Design and Implementation, Oct. 2010.