
Research On Data Encryption Mechanism For Multi-Tenant Data Privacy Protection

Posted on: 2013-12-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G Z Ren
Full Text: PDF
GTID: 1228330395970280
Subject: Computer software and theory

Abstract/Summary:
Software as a Service (SaaS) is a cloud computing model. In SaaS, tenants rent the software, the data are stored on the service provider's side, and the service provider is responsible for running, maintaining and upgrading the infrastructure and software applications. The key to SaaS is that all infrastructure and resources are centrally managed, which can improve resource utilization and service quality.

Because sensitive data are stored and processed in the service provider's data center, the threats to that data are increasingly serious. In fact, this has become the main obstacle to the further development of SaaS, and research to solve the problem is urgent.

Current methods for data privacy protection fall into three classes: data encryption, data diffusion and data resolution. This thesis focuses on data encryption mechanisms for data privacy protection in multi-tenancy applications.

Because of on-demand customization, shared storage, Single Instance Multi-Tenancy (SIMT) and other features of multi-tenancy applications, the main problems and challenges are:

(1) Privacy requirements differ between tenants and between data items. Privacy protection should adapt to these individual requirements.

(2) The database management system provides data independence and data manipulation capability. After encryption, it is important to keep these database management system features.

(3) Data encryption affects the ordering of the original data, which affects index usage and the efficiency of data operations. New data privacy protection mechanisms should be studied to ensure efficiency.

This paper studies encryption-based privacy protection for multi-tenancy applications and solves the problems of customization, transparency and efficiency in privacy protection.

The research includes the following aspects:

(1) For the transparency and efficiency requirements, this paper proposes key management and customized privacy protection policy management based on a trusted application system, to meet the customized privacy protection requirements of tenants. This paper presents a database encryption protection architecture based on a trusted application system. In this architecture, sensitive data are protected by encryption built on privacy preservation customization, a key management and delivery protocol for multi-tenancy applications, a data encryption engine, and SQL rewriting in the encryption model. In this architecture, the privacy preservation mechanism is transparent to multi-tenancy applications. This paper analyzes the security and rationality of the protocol and demonstrates the practicality of the mechanism.

(2) With data encryption, range queries become inefficient when the data set is large. This paper proposes a partial order-preserving encryption mechanism, which supports different levels of service for different tenants and different sensitive data. With traditional encryption mechanisms, the ordering information of the data is lost after encryption, which makes indexes useless and queries inefficient. The partial order-preserving encryption mechanism proposed here balances efficiency against security level. This paper presents the definition and instances of the mechanism, proves its security level, and analyzes its adaptability. It can provide customized protection according to different privacy requirements. This paper demonstrates its practicality by instances.

(3) In view of the impact of database encryption algorithms, this paper proposes a logical replica placement policy for encrypted data and provides a mixed encryption mechanism based on the fusion of several encryption mechanisms, which strengthens support for basic operations. Currently, encryption mechanisms for multi-tenancy applications support only some data operations. Fully homomorphic encryption can operate on encrypted data but is not practical. In practice, no single encryption mechanism suits the general application scenario, because the data operation requirements are comprehensive. The mixed encryption mechanism places logical replicas of the data according to the type of data operation, and maps operation types to encryption mechanisms to achieve mixed encryption. The mechanism is based on the fact that data are read more often than they are written. After a write, the data are encrypted into different replicas by different encryption mechanisms. On a read, the suitable operation is selected according to the operation type. This mechanism can increase efficiency. This paper gives the analysis and experimental results. The mechanism enhances the practicability of existing mechanisms.
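
The write-to-several-replicas, read-by-operation-type idea in aspect (3) can be sketched as follows; this is an added illustration, not code or algorithms from the dissertation. The mapping used here (equality to a deterministic token, range to an order-preserving code, retrieval to a randomized ciphertext), the toy HMAC-based primitives, and all names are assumptions, since the abstract does not say which mechanisms are combined.

```python
import hashlib, hmac, secrets

def prf(key, label, msg):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def eq_token(key, v):
    # Deterministic: equal plaintexts give equal tokens (supports equality lookup).
    return prf(key, b"eq|", str(v).encode()).hex()

def ord_code(key, v):
    # Toy order-preserving code for small non-negative ints: a running sum of
    # keyed gaps >= 1, so a < b implies ord_code(a) < ord_code(b).
    return sum(1 + prf(key, b"ord|", str(i).encode())[0] for i in range(v + 1))

def seal(key, v):
    # Randomized and reversible; toy HMAC keystream standing in for an AEAD cipher.
    nonce, data = secrets.token_bytes(16), str(v).encode()  # data must be <= 32 bytes
    return nonce + bytes(a ^ b for a, b in zip(data, prf(key, b"ks|", nonce)))

def unseal(key, blob):
    ks = prf(key, b"ks|", blob[:16])
    return int(bytes(a ^ b for a, b in zip(blob[16:], ks)))

class MixedStore:
    """Trusted side holds the tenant key; self.rows is what the provider's database stores."""
    def __init__(self, tenant_key):
        self.key, self.rows = tenant_key, []

    def write(self, v):
        # One write fans out into one logical replica per encryption mechanism.
        self.rows.append({"eq": eq_token(self.key, v),
                          "ord": ord_code(self.key, v),
                          "val": seal(self.key, v)})

    def read(self, op, *args):
        # The operation type selects which replica the predicate runs against.
        if op == "eq":
            token = eq_token(self.key, args[0])
            hits = [r for r in self.rows if r["eq"] == token]
        elif op == "range":
            lo, hi = ord_code(self.key, args[0]), ord_code(self.key, args[1])
            hits = [r for r in self.rows if lo <= r["ord"] <= hi]
        else:
            raise ValueError(f"unsupported operation: {op}")
        return sorted(unseal(self.key, r["val"]) for r in hits)

def demo():
    store = MixedStore(secrets.token_bytes(32))
    for salary in (3200, 4100, 4100, 5800, 7600):  # constructed sample column
        store.write(salary)
    return store.read("eq", 4100), store.read("range", 4000, 6000)
```

The equality and order replicas reveal equality and ordering of the stored values to the database by design, so which replicas a column gets is a per-tenant, per-column privacy decision.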
Keywords/Search Tags: Cloud computing, Multi-tenancy applications, Software as a Service, Multi-cipher storage Mechanism, Partial order-preserving encryption