
Access Control And Query Processing With Privacy In DaaS Paradigm

Posted on: 2012-11-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X X Tian
GTID: 1488303356971329
Subject: Computer software and theory
Abstract/Summary:
As huge volumes of data are collected and stored online, more and more enterprises cannot afford the high cost of professionally managing and maintaining such data. They resort to delegating their data to a professional third-party service provider, who supplies the hardware infrastructure and professional data management and relieves enterprises of the expensive costs of data management and maintenance. Database as a Service (DaaS), a new paradigm based on the cloud computing platform, satisfies this requirement of enterprises and provides online data management service just as a local database management system does. However, more and more critical and sensitive information is involved in the data, such as medical records, trade information and stock information, and competition and data theft or leakage among enterprises make enterprises choose data management technology with security and privacy.

Much security research in DaaS has been done in recent years, covering data confidentiality, data integrity, data completeness and query privacy preserving. However, there is much less study of privacy preserving mechanisms such as access control enforcement for improving the usability of a delegated encrypted database, access control enforcement that preserves user identity privacy and policy privacy, and query processing that avoids data privacy leakage. In this paper we deeply study and discuss the problems of access control enforcement, privacy preserving access control enforcement, privacy preserving query processing and so on. We propose an access control enforcement mechanism based on the DSP re-encryption mechanism, privacy preserving query processing on secret share based data storage, a privacy preserving selective authorization enforcement approach and a privacy preserving personalized access control enforcement service.

We verify the correctness and effectiveness of our approach from three aspects: theory, experiments and security analysis respectively. The contributions of our thesis are mainly listed as follows:

1. The concept of the DSP re-encryption mechanism and a flexible mechanism for access control enforcement management based on it are proposed. By deeply analyzing the working model of the proxy re-encryption mechanism in cryptography, we propose a DSP re-encryption mechanism applied to the DaaS paradigm. By combining the proposed mechanism with an access control policy designed in terms of practical requirements, we propose a flexible mechanism for access control enforcement management in DaaS which implements selective access on the encrypted database and effectively relieves the client from the complex key derivation process and computation.

2. Privacy preserving query processing on secret share based data storage is proposed, and its security and effectiveness are verified through experiments. Because the DSP is untrusted, most of the published papers concentrate on using symmetric encryption to guarantee the confidentiality of the delegated data before delegation. However, encryption and decryption operations on large volumes of data are time consuming, so we introduce the information-theoretically secure secret share based scheme from cryptography and present a secret share based data storage model which adopts that scheme to guarantee the confidentiality of delegated data. More importantly, we construct a privacy preserving B+ index on the encrypted database to speed up queries efficiently.

3. A privacy preserving selective authorization enforcement approach in DaaS is proposed. The proposed approach improves the usability of the encrypted delegated database and at the same time guarantees the privacy of users' identities and of the data owner's access control policy. The privacy preserving selective authorization enforcement is implemented by combining selective encryption, the Pedersen commitment and an access control policy polynomial designed in terms of the delegated access control policy. The security of the proposed approach is proved from different angles.

4. A privacy preserving personalized access control enforcement service at a third-party service provider is proposed by combining selective encryption, blind signatures and a combination of role based access control and discretionary access control. The benefit of our approach is, on one hand, to avoid the leakage of important private information when individual devices fail or are lost, and on the other hand, to give the service holder enough power to design his/her personalized access control policy and to completely control and decide which authorized users can access and share the delegated information online anytime and anywhere.

In conclusion, in DaaS the implementations of the different privacy preserving mechanisms, such as data confidentiality, user identity hiding, access control enforcement and query processing, are all based on particular cryptographic theory, such as symmetric encryption, blind signatures, proxy re-encryption and the Pedersen commitment protocol. Therefore the combination of cryptographic theory and database technology meets the development and requirements of DaaS with security and privacy, and helps the secure deployment of DaaS in practical applications. Continued research on privacy preservation will make DaaS with security and privacy more complete and practical.
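As an added illustration of the secret share based storage model in contribution 2 (example code written for this page, not the thesis's own scheme, field or parameters): a delegated column is split with (t, n) Shamir secret sharing across n DSP storage servers, any t servers' shares reconstruct it, and a SUM query is answered by each server adding its own shares locally so that no single server ever sees a plaintext value. The field prime, the one-server-per-share layout and the aggregate query are assumptions made for the example.

```python
import secrets

# Assumed field modulus for the example (a Mersenne prime); the thesis's own
# field and parameters are not given on the page.
P = 2**61 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial given as [a0, a1, ...] at x, modulo P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result

def split_secret(secret, t, n):
    """(t, n) Shamir sharing: returns n points (x, f(x)); any t recover secret.
    Server i keeps only share i, so an honest-but-curious DSP sees one point."""
    if not (1 <= t <= n < P):
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def share_column(values, t, n):
    """Share each value of a column; returns per-server lists of y values,
    i.e. what DSP server k stores for that column (x = k + 1 for every row)."""
    per_server = [[] for _ in range(n)]
    for v in values:
        for k, (_, y) in enumerate(split_secret(v, t, n)):
            per_server[k].append(y)
    return per_server

def sum_query(per_server, t):
    """SUM over the column without revealing any row: each server adds its own
    shares locally (sharing is linear), then the client interpolates t results."""
    partial = [(k + 1, sum(col) % P) for k, col in enumerate(per_server)]
    return reconstruct(partial[:t])

def roundtrip(secret, t, n):
    """Reconstruct from the first t shares and separately from the last t."""
    shares = split_secret(secret, t, n)
    return reconstruct(shares[:t]), reconstruct(shares[-t:])
```

The sum is exact as long as the true total stays below P; values are integers in the field, so a real deployment would also need an encoding for the column's data type.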
Keywords/Search Tags: DaaS, Access control, Access control enforcement, Selective authorization enforcement, Personalized access control enforcement, Privacy preserving query processing