Research And Design Of Database Encryption Proxy System

Posted on: 2020-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Xu
GTID: 2428330572995800
Subject: Information and Communication Engineering
Abstract/Summary:
With the rapid development of cloud computing technology, the cloud database, as an important part of cloud computing services, has gradually become necessary for the daily work of enterprises and individuals. However, entrusting data to third-party management can lead to security issues such as data leakage, and users cannot guarantee the security of their data. A common solution is to encrypt the data before uploading it to the cloud. When the data is operated on, the ciphertext has to be retrieved locally for decryption, which makes this scheme inefficient. The solution is also problematic for data analysis service providers: because third-party service providers can only analyze plaintext during data analysis, data security and data availability cannot be guaranteed at the same time. Solving the problem of efficient retrieval over ciphertext is therefore an urgent task for cloud database development.

Based on CryptDB, an open source database encryption proxy system designed by MIT, this thesis presents an improved architecture for the database encryption proxy system, which could alleviate the current security problems of cloud database storage. In addition, we propose improvements for the shortcomings of the original CryptDB system. The specific contents include:

1. By studying the CryptDB system, we find that the system lacks scalability across different databases and does not address the management of system keys. To address these shortcomings of the CryptDB architecture, we propose a microservice based encryption proxy of database (MEPDB) system architecture. This architecture splits the proxy function of the original system into microservices and adds a conversion microservice, which can improve compatibility with various databases. At the same time, a key management microservice is introduced to enhance the security of the system.

2. Based on the principle of self-controllable information security proposed by China, we study the block cipher SM4 proposed by the National Cryptography Authority, and replace AES, the original basic encryption algorithm used in the Random encryption scheme and the Deterministic encryption scheme of the CryptDB system, with SM4. The scheme can improve the autonomous controllability of the system and enhance system security.

3. To address the inefficiency of mutable Order-Preserving Encryption (mOPE) in the CryptDB system, we propose an improved additively Order-Revealing Encryption (aORE) scheme by combining Practical Order-Revealing Encryption (P-ORE) and mOPE. The scheme is based on a pseudo-random function and double encryption. Compared with mOPE, it can improve the execution efficiency of the Order-Preserving scheme at the expense of security.
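
To make the PRF-based building block named in item 3 concrete, here is an added sketch of the bitwise Practical ORE construction of Chenette et al. It is not code from the thesis and not the aORE scheme itself; HMAC-SHA256 as the PRF, the 32-bit plaintext width, the function names and the sample values are assumptions of this example.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

NBITS = 32  # plaintext width in bits (assumption for this example)


def _prf(key: bytes, index: int, prefix: int) -> int:
    """PRF F(k, (index, prefix)) mapped into Z_3, built here from HMAC-SHA256."""
    msg = index.to_bytes(2, "big") + prefix.to_bytes(NBITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 3


def ore_encrypt(key: bytes, m: int) -> List[int]:
    """Encrypt m bit by bit: u_i = F(k, (i, bits before i)) + bit_i mod 3."""
    if not 0 <= m < (1 << NBITS):
        raise ValueError("plaintext out of range")
    ct = []
    for i in range(NBITS):
        shift = NBITS - i
        prefix = (m >> shift) << shift      # bits before position i, rest zeroed
        bit = (m >> (shift - 1)) & 1        # bit at position i, MSB first
        ct.append((_prf(key, i, prefix) + bit) % 3)
    return ct


def ore_compare(ct1: List[int], ct2: List[int]) -> Tuple[int, Optional[int]]:
    """Keyless comparison. Returns (order, leak): order is -1, 0 or 1 and
    leak is the index of the first differing plaintext bit (None if equal)."""
    for i, (u, v) in enumerate(zip(ct1, ct2)):
        if u != v:
            # Same prefix gives the same PRF output, so v == u + 1 means bit 0 vs 1.
            return (-1 if v == (u + 1) % 3 else 1), i
    return 0, None


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    column = [5200, 310, 98000, 5201]        # constructed sample column values
    cts = {v: ore_encrypt(key, v) for v in column}
    for a, b in [(5200, 5201), (98000, 310), (310, 310)]:
        print(a, b, ore_compare(cts[a], cts[b]))
```

The second return value makes the leakage of this construction visible: anyone holding two ciphertexts learns their order and also the position of the first bit in which the plaintexts differ.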
Keywords/Search Tags: cloud database, database encryption proxy, microservice, CryptDB system, SM4