Data & Knowledge Engineering 22 (1997) 117-131

Multilevel secure database encryption with subkeys

Min-Shiang Hwang a,*, Wei-Pang Yang b
a Department of Information Management, ChaoYang Institute of Technology, Wufeng, Taiwan, R.O.C.
b Department of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
Received 20 November 1995; revised 7 July 1996; accepted 24 July 1996
Abstract
In this paper, we propose a multilevel database encryption system with subkeys. This new system is called the record-oriented cryptosystem: it encrypts each record with different field-subkeys according to the security class of each data element, and each field is decrypted individually by a field-subkey whose security class is higher than or equal to that of the field-subkey used for encryption. The system is based on the Chinese Remainder Theorem. Our scheme can protect the finest levels of granularity in the relational database model: relation level, attribute level, tuple level, or data element level.
Keywords: Chinese Remainder Theorem; Cryptography; Multilevel database; Data security; Subkeys
1. Introduction
Some of the advantages of using a database are the following [10, 31]: (1) shared access; (2) minimal redundancy; (3) data consistency; (4) data integrity, so that data values are protected against accidental or malicious unauthorized changes; and (5) controlled access, so that only authorized users are allowed to access data values. A database management system (DBMS) with security facility is designed to provide all of these advantages efficiently.
In general, there are four methods of enforcing database security [15]: first, physical security, such as storage medium safekeeping and fire protection [9]; second, operating system security, such as the use of an access control matrix, capability lists, and access lists [8, 17, 21]; third, DBMS security, such as protection mechanisms and query modification [16, 28, 36]; and fourth, data encryption, such as the Data Encryption Standard (DES) [29, 34] and the RSA scheme [32]. The first three methods, however, are not totally satisfactory in solving the database security problems, for three reasons. First, it is difficult to control the disclosure of raw data, because the raw data exists in readable form inside the database [11]. Second, it is hard to prevent the disclosure of sensitive data, because sensitive data must be backed up frequently on storage media in case of system failure or disk crash, and a backup is as readable as the database itself. Third, it is difficult to control the disclosure of confidential data in a distributed database system. A practical solution to these problems is to use encryption to enforce database security [2, 3, 11, 18-20, 38, 40]. Encryption-based database security addresses them as follows: data are stored as ciphertext, which can only be decrypted with the proper decryption key, so a copy of the stored data (in the database, in a backup, or at a remote site) does not by itself disclose the raw data.

☆ This research was partially supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC-85-2213-E009-029.
* Corresponding author. Email: [email protected]
Database security methods based on encryption include database encryption systems with a single key [18] and database encryption systems with subkeys [11]. The first type of method needs a trustworthy centralized access control scheme with which to control all access to data stored in the database system (DBS). All encryption and decryption are executed by the trusted access control scheme with private keys. In the second type of method, however, decryption is executed by users themselves with their own subkeys.
A database system with subkeys has the following advantages over conventional systems. First, each encrypted record is a single encrypted value which is a function of all fields, so the system is record-oriented. Obviously, a small change in the encrypted value will cause a significant change in the decrypted value. Therefore, unauthorized modification of data can be prevented. Second, the system's properties can withstand pattern matching attacks. Third, the possibility of substitution attacks is eliminated because the system encrypts all fields together. Finally, a user can read only some of the field data objects, depending on the reading field-subkey he has. Not all fields need to be available to everyone.
A single-level database encryption/decryption system with subkeys has been proposed by Davida et al. [11]. Their system, called the record-oriented cryptosystem, encrypts each record with field subkeys and decrypts each field individually with these single-level field-subkeys. In this paper, we propose a multilevel database encryption/decryption system with subkeys.
This multilevel database system is a partially-ordered hierarchy as shown in Fig. 1. Each subject (e.g., user, program, processor, etc.) is given a distinct clearance and each object (e.g., a file, a message, data, etc.) is assigned a security level. Subjects and objects are classified into a number of distinct security classes $S_1, S_2, \ldots, S_m$ [24, 35]. In such a hierarchy, an object with a particular security class can be accessed only by subjects in the same or a higher security class [1, 5, 33].
This new system encrypts each record with different field-subkeys according to the security class of each data element, and each field is decrypted individually by a field-subkey whose security class is higher than or equal to that of the field-subkey used for encryption. Our system is based on the Chinese Remainder Theorem (CRT). Our scheme can protect the finest levels of granularity in the relational database model: relation level, attribute level, tuple level, or data element level.
Using the CRT, the subkey scheme has the following merit: the raw field data can be recovered with a single modular reduction. The CRT has been used widely in security control, such as in access control schemes [23], in secure broadcasting schemes [6], in identification and authentication schemes [4], in database encryption [11], and in public-key cryptosystems [27]. The paper is organized as follows. In Section 2, we review and develop a single-level database system with subkeys. In Section 3, we propose an encryption scheme for multilevel database security. We analyze the security and computational complexity of our scheme in Sections 4 and 5, respectively. In Sections 6 and 7, we propose several algorithms for relational algebra and dynamic ability. Section 8 is the conclusion of this paper.
2. Single-level database encryption schemes with subkeys
A single-level database encryption/decryption system with subkeys was proposed by Davida et al. in 1981. Their system was based on the CRT [30]. Let C be the ciphertext of an encrypted record, $m_i$ be the value of the ith field of a record, $r_i$ be the random number generated for field i, $e_i$ be the encryption key for field i, and let there be n fields in each record of the database. The encryption procedure is done by forming

$$C = \sum_{i=1}^{n} e_i (r_i \,\|\, m_i) \bmod N \qquad (1)$$

where $N = \prod_{i=1}^{n} k_i$; $k_i$ is the decryption key for field i; $\|$ indicates concatenation; $(r_i \,\|\, m_i) < k_i$; and $e_i = (N/k_i) b_i$, where $b_i$ is the multiplicative inverse of $N/k_i$ modulo $k_i$. Decryption can be done as follows:

$$r_i \,\|\, m_i = C \bmod k_i, \quad i = 1, \ldots, n. \qquad (2)$$

By discarding the random bits $r_i$, one gets the ith field value $m_i$.
In order to prevent known-plaintext attacks, Davida et al. [11] concatenate a random redundancy value $r_i$ to each field (the length of the redundancy value $r_i$ is at least 32 bits, which leads to better security). Their scheme therefore needs extra storage beyond the raw data. We proposed a two-phase encryption scheme in [22] for enhancing database security. Phase 1 encrypts the data in each field with a one-way function. Phase 2 encrypts the encrypted data based on the CRT.
We briefly describe the two-phase encryption algorithm as follows. To illustrate the scheme, we assume that there are n fields in each record of a database. Let $m_1, m_2, \ldots, m_n$ be the n raw data fields of a record.
Phase E1: Encrypt $m_i$, for $i = 1, \ldots, n$. Let f be the encryption algorithm and $d_i$ be a secret key of the algorithm for field i. This encryption is done as $f_{d_i}(m_i)$.
$$C = E\big((f_{d_1}(m_1), e_1), (f_{d_2}(m_2), e_2), \ldots, (f_{d_n}(m_n), e_n)\big), \qquad (3)$$

where E is an encryption algorithm, $e_i$ is a writing key for field i, and C is the encrypted data of a record. With the CRT, the encryption procedure is the following:

$$C = \sum_{i=1}^{n} e_i f_{d_i}(m_i) \bmod N. \qquad (4)$$

The decryption procedure is the reverse of the encryption procedure.
Phase D1: Decrypt ciphertext C with reading subkeys $k_1, k_2, \ldots, k_n$. The decryption is done as

$$f_{d_i}(m_i) = D(C, k_i), \qquad (5)$$

where D is a decryption algorithm which is based on the CRT and $k_i$ is a reading key for field i. The decryption procedure is as follows:

$$f_{d_i}(m_i) = C \bmod k_i. \qquad (6)$$

Phase D2: Writing $m'_i = f_{d_i}(m_i)$, recover $m_i$ with the secret key $d_i$ as follows:

$$m_i = f_{d_i}^{-1}(m'_i). \qquad (7)$$
3. Multilevel database encryption schemes with subkeys
We now propose a new encryption scheme for multilevel database security. To illustrate the scheme, we assume that there are n fields in each record of a database. Each field i has a security hierarchy $H_i$, and each data element has a security class. Let $m_1, m_2, \ldots, m_n$ be the n raw data fields of a record, associated with the security classes $s_{1x}, s_{2y}, \ldots, s_{nz}$ as shown in Fig. 2. Here $s_{ij} \in H_i$ denotes the jth security class in $H_i$, $A_i$ is an attribute name, and $L_i$ is the type of security class which corresponds to $A_i$.
Let $k_{ij}$ be the decryption key for the security class $s_{ij}$. The keys $k_{1x}, k_{2y}, \ldots, k_{nz}$ of the n fields of a record are pairwise relatively prime integers. Essentially, the encryption process converts the field values of a record into a ciphertext C, from which the original raw values can later be recovered with the decryption keys. This encryption is done by the following equation:

$$C = \sum_{i=1}^{n} e_i m_i \bmod N, \qquad (8)$$

where $N = k_{1x} k_{2y} \cdots k_{nz}$ and, as in Section 2, $e_i = (N/k_{ij}) b_i$ with $b_i$ the multiplicative inverse of $N/k_{ij}$ modulo $k_{ij}$. Each field value $m_i$ can then be decrypted by the equation
Fig. 2. Layout of a record: attribute names $A_1, \ldots, A_n$ with security-class types $L_1, \ldots, L_n$, and data elements $m_1, \ldots, m_n$ with security classes $s_{1x}, \ldots, s_{nz}$.
$$C \bmod k_{ij} = C \bmod k_{il} = m_i, \qquad (9)$$

for any modulus $k_{il}$ of a security class $s_{il} \geq s_{ij}$ (by the key generation below such a $k_{il}$ divides $k_{ij}$, and $m_i$ must be smaller than $k_{il}$).

We employ the following two theorems to show that Eqs. (8) and (9) are correct.

Theorem 3.1 (Chinese Remainder Theorem) [12]. Let $k_{1x}, k_{2y}, \ldots, k_{nz}$ be pairwise relatively prime integers and let $N = k_{1x} k_{2y} \cdots k_{nz}$. Then there exists

$$C = \sum_{i=1}^{n} e_i m_i \bmod N, \qquad (10)$$

and C is the smallest non-negative integer such that

$$C \bmod k_{ij} = m_i, \quad i = 1, \ldots, n; \; j = x, y, \ldots, z. \qquad (11)$$

Theorem 3.2. If Eq. (11) holds and k divides $k_{ij}$, then $C \bmod k = m_i$ whenever $m_i < k$.

Proof. Since $C \bmod k_{ij} = m_i$, we have $C = a k_{ij} + m_i$ for some integer a. As k divides $k_{ij}$, $C \bmod k = m_i \bmod k = m_i$, the last step because $m_i < k$. □
According to Theorems 3.1 and 3.2, we can construct two cryptographic key generation schemes for access control in a totally-ordered hierarchy and a partially-ordered hierarchy, respectively. The algorithm for generating the secret key of security class for each hierarchy H i is stated as follows.
Algorithm Key-Generation for Totally-Ordered Hierarchy
Step 1: Get a node $s_{ij}$ from the hierarchy $H_i$ by preorder traversal.
Step 2: Assign $s_{ij}$ a large random prime $p_{ij}$.
Step 3: Compute the secret key $k_{ij}$ for $s_{ij}$ as follows:

$$k_{ij} = \prod_{s_{il} \geq s_{ij}} p_{il}. \qquad (12)$$

Step 4: Repeat from Step 1 until all nodes of the hierarchy $H_i$ have been examined.

Algorithm Key-Generation for Partially-Ordered Hierarchy
Step 1: Get a node $s_{ij}$ from the hierarchy $H_i$ by preorder traversal.
Step 2: Assign $s_{ij}$ two large random primes $p_{ij}$ and $p'_{ij}$.
Step 3: Compute the secret key $k_{ij}$ for $s_{ij}$ as follows.
Step 3.1: If $s_{ij}$ is a root node, then $k_{ij} = p_{ij}$.
Step 3.2: If $s_{ij}$ is not a root node, then

$$k_{ij} = \prod_{s_{il} \geq s_{ij}} p_{il} \cdot \prod_{s_{il} > s_{ij}} p'_{il}.$$

Step 4: Repeat from Step 1 until all nodes of the hierarchy $H_i$ have been examined.

In both algorithms the key of a higher class divides the key of every class below it; this divisibility is what Eq. (9) and Theorem 3.2 rely on.
Fig. 3. An example of generating the secret key for each security class in (a) a totally-ordered hierarchy $H_i$, where the keys down the chain are $p_{i1}$, $p_{i1}p_{i2}$, $p_{i1}p_{i2}p_{i3}$, $p_{i1}p_{i2}p_{i3}p_{i4}$, and (b) a partially-ordered hierarchy $H_i$, where each non-root key is the product of the $p_{il}$ of the node and its ancestors and the $p'_{il}$ of its strict ancestors (e.g. $p_{i1} p'_{i1} p_{i2}$ for a child of the root).
An illustrative example of generating the secret key $k_{ij}$ for each security class by the Algorithm Key-Generation is shown in Fig. 3.
The following example illustrates the encryption and decryption of the proposed scheme.
Example 3.1. Assume that there are three fields in each record of a database and two security levels (top secret $s_{i1}$ above secret $s_{i2}$). Let $(4, s_{12})$, $(10, s_{21})$, $(15, s_{32})$ be the three data elements of a record R. Here $s_{ij}$ is the jth security level of the ith field. Let $(p_{11}, p_{12}) = (5, 7)$, $(p_{21}, p_{22}) = (11, 13)$, $(p_{31}, p_{32}) = (17, 19)$. By the Algorithm Key-Generation for Totally-Ordered Hierarchy, we can compute the secret keys $k_{ij}$ of the three fields as follows:

$k_{12} = p_{11} p_{12} = 5 \times 7 = 35$, $k_{21} = p_{21} = 11$, $k_{32} = p_{31} p_{32} = 17 \times 19 = 323$.

By Theorems 3.1 and 3.2, we obtain $N = k_{12} k_{21} k_{32} = 124355$. The writing keys $e_i = (N/k_{ij}) b_i$, where $b_i$ is the multiplicative inverse of $N/k_{ij}$ modulo $k_{ij}$, are $e_1 = 7106$, $e_2 = 79135$, $e_3 = 38115$. Finally, we compute the ciphertext of the record as follows:

$C = (7106 \times 4 + 79135 \times 10 + 38115 \times 15) \bmod 124355 = 23594.$

When a user wants to read the ith field, the user decrypts the ciphertext using the corresponding decryption key of the ith field; a user of the higher class $s_{i1}$ uses the smaller key $k_{i1} = p_{i1}$, which divides $k_{i2}$:

To read field 1: $23594 \bmod (5 \times 7) = 23594 \bmod 5 = 4$
To read field 2: $23594 \bmod 11 = 10$
To read field 3: $23594 \bmod (17 \times 19) = 23594 \bmod 17 = 15$

Field 2 is classified top secret, so a secret-level user holding only $k_{22} = 11 \times 13 = 143$ obtains $23594 \bmod 143 = 142$, not 10.

4. Cryptanalysis
There are some ways to challenge the security of schemes based on the Chinese Remainder Theorem [39].
1. It cannot withstand known-plaintext attacks. Let C and C' be the ciphertexts of two different records R and R', respectively. If $m_i$ and $m'_i$, the raw data of field i in R and R', are both known to a cryptanalyst, then from Eq. (9) we have
$C - m_i = a_1 k_{ij}$, $C' - m'_i = a_2 k_{ij}$,
where $a_1$ and $a_2$ are integers. The subkey $k_{ij}$ can thus be derived from these two equations as their greatest common divisor. $a_1$ and $a_2$ may themselves have a common divisor; in that case the attacker uses more known raw data until the cofactors $a_i$ are relatively prime.
2. The following strategy can also be used to attack the scheme. Let $C_r$ be the rth encrypted record and $m_i$ be the ith field raw data of the rth record. Then there exists an integer $a_3$ such that
$C_r = a_3 k_{ij} + m_i$.
Assume that a field other than i is updated; then
$C'_r = a_4 k_{ij} + m_i$.
Since $m_i$ has not changed, $C_r - C'_r = C'' = (a_3 - a_4) k_{ij}$. If the same operation is observed on another encrypted record $C_h$, then
$C_h - C'_h = C''_h = (a'_3 - a'_4) k_{ij}$.
The subkey $k_{ij}$ can then be computed as $\gcd(C'', C''_h)$, without knowledge of any plaintext.
3. The scheme cannot withstand collusion attacks. All users who have read capability only can, together, compute the writing key $e_i$, which is known only to the system, if they hold all of the reading keys $k_{ij}$.
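Example 3.1 and the gcd attack of item 1 above, carried through in Python as an added example that is not part of the original paper. The key generation, writing keys and ciphertext reproduce the numbers of Example 3.1; the three further sample records used by the attack and all function names are constructed for this example. Running the attack on three records recovers $2 \times 11 = 22$ for field 2 (the cofactors share a factor), and a fourth record isolates $k_{21} = 11$, which is exactly the caveat stated in item 1.

```python
# Added example (not from the paper): the record-oriented CRT subkey scheme of
# Section 3 for a totally-ordered hierarchy, driven with the numbers of
# Example 3.1, followed by the known-plaintext gcd attack (Section 4, item 1).
# The three extra sample records are constructed here; nothing else is assumed.
from functools import reduce
from math import gcd, prod


def keygen_total(primes):
    """Algorithm Key-Generation for a totally-ordered hierarchy, Eq. (12).

    primes[j-1] is p_ij for class s_ij, with s_i1 the highest class, so
    k_ij = product of p_il over all s_il >= s_ij, i.e. over l = 1..j.
    Hence the key of a higher class divides the key of every lower class.
    """
    return [prod(primes[:j]) for j in range(1, len(primes) + 1)]


def writing_keys(ks):
    """N and e_i = (N/k_i) * b_i with b_i = (N/k_i)^-1 mod k_i (Section 2)."""
    N = prod(ks)
    return N, [(N // k) * pow(N // k, -1, k) for k in ks]


def encrypt(fields, ks):
    """Eq. (8): C = sum_i e_i m_i mod N.  Theorem 3.2 needs each m_i below the
    key of every class that should read it; we only check m_i < k_i here and
    the caller keeps the sample values below p_i1."""
    N, es = writing_keys(ks)
    if not all(0 <= m < k for m, k in zip(fields, ks)):
        raise ValueError("field value not below its modulus")
    return sum(e * m for e, m in zip(es, fields)) % N


def decrypt(C, k):
    """Eq. (9): one modular reduction with the key of any class >= the field's."""
    return C % k


# Example 3.1: per field, classes s_i1 (top secret) above s_i2 (secret).
HIER = [keygen_total((5, 7)), keygen_total((11, 13)), keygen_total((17, 19))]
# The record's fields are classified (s12, s21, s32) -> keys [35, 11, 323].
RECORD_KEYS = [HIER[0][1], HIER[1][0], HIER[2][1]]


def example_3_1():
    """Returns (N, [e_1, e_2, e_3], C) for the record (4, 10, 15)."""
    N, es = writing_keys(RECORD_KEYS)
    return N, es, encrypt((4, 10, 15), RECORD_KEYS)


def read_field(C, field, cls):
    """Decrypt 0-based `field` with the key of class index `cls` (0 = top secret)."""
    return decrypt(C, HIER[field][cls])


# Constructed sample records for the attack; the first is Example 3.1.
RECORDS = [(4, 10, 15), (2, 7, 9), (1, 3, 16), (0, 6, 1)]


def known_plaintext_attack(ciphertexts, plaintexts):
    """Section 4, attack 1: C_r - m_i = a_r * k_ij, so the gcd over the known
    records is k_ij times gcd(a_1, ..., a_t); more records shrink the cofactor."""
    return reduce(gcd, (C - m for C, m in zip(ciphertexts, plaintexts)))


def attack_demo(num_records):
    """gcd recovered for each of the three fields from the first num_records."""
    recs = RECORDS[:num_records]
    cts = [encrypt(r, RECORD_KEYS) for r in recs]
    return [known_plaintext_attack(cts, [r[i] for r in recs]) for i in range(3)]


if __name__ == "__main__":
    N, es, C = example_3_1()
    print(N, es, C)                                   # 124355 [7106, 79135, 38115] 23594
    print(read_field(C, 0, 0), read_field(C, 0, 1))   # 4 4: both s11 and s12 read field 1
    print(read_field(C, 1, 1))                        # 142: a secret-level key misreads field 2
    print(attack_demo(3), attack_demo(4))             # [35, 22, 323] then [35, 11, 323]
```

The attack needs nothing but ciphertexts and the corresponding plaintext of one field; the difference attack of item 2 is the same gcd computation applied to $C_r - C'_r$ instead of $C_r - m_i$.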
Now let us see whether the two-phase encryption scheme can withstand the known-plaintext attack. From Eq. (6) we have

$$C - f_{d_i}(m_i) = a_1 k_{ij}, \qquad C' - f_{d_i}(m'_i) = a_2 k_{ij}. \qquad (14)$$

The above simultaneous equations have three unknown variables, $f_{d_i}(m_i)$, $f_{d_i}(m'_i)$, and $k_{ij}$. Hence, there are infinitely many possible solutions for $k_{ij}$. In general, if t corresponding fields of t records are known, there are t + 1 unknown variables to be determined from t simultaneous equations. Hence, it is much more difficult to mount a known-plaintext attack against our scheme.
The security of our scheme depends on the one-way function in addition to the subkey scheme. Illegal users cannot read the raw data of a tuple unless they know both the reading subkey and the secret key of the encryption algorithm. The second weakness is mitigated in the same way: the difference $C_r - C'_r = (a_3 - a_4) k_{ij}$ still reveals a multiple of $k_{ij}$, but $k_{ij}$ alone now yields only $f_{d_i}(m_i)$, not $m_i$.
In order to eliminate the third weakness in a read-only environment, we add a dummy field to relation tables. Since the writing key for field i, $e_i$, equals $(N/k_{ij}) b_i$, $e_i$ can be obtained only if all the $k_{ij}$ that make up N are known. No user is given the subkey of the dummy field, so colluding readers cannot reconstruct N and therefore cannot compute $e_i$. Thus our scheme can withstand the collusion attack.
Another security issue to consider is whether the cryptosystem can withstand timing attacks [26]. Since each ciphertext in our scheme is an encrypted record combining many field messages, an attacker needs many timing measurements to cryptanalyze our scheme by timing attacks.
A further security issue is that a security class $s_{ij}$ should not be able to derive the secret key of another security class $s_{it}$ with $s_{ij} < s_{it}$ from its own cryptographic key. The scheme must also provide security against two or more security classes collaborating to derive a higher-level key. In the following, we show that our method is secure against such derivation.
Theorem 4.1. The security of the Algorithm Key-Generation for a totally-ordered hierarchy is equivalent to factoring a large composite number.
Proof. We divide the proof into the following two cases:
Case 1: It is trivial to show that if a large composite number can be factored, the secret key $k_{it}$ can be derived by $s_{ij}$ where $s_{ij} < s_{it}$: $k_{ij}$ is the product of $k_{it}$ and the primes of the classes strictly between the two, so factoring $k_{ij}$ exposes $k_{it}$.
Case 2: If the secret key $k_{ih}$ can be derived by $s_{ij}$ where $s_{ij} < s_{ih}$, a large composite number can be factored. From Step 3 of the Algorithm Key-Generation for Totally-Ordered Hierarchy in Section 3 we know that

$$k_{ij} = \prod_{s_{il} \geq s_{ij}} p_{il}.$$

Since $k_{ij}/k_{ih} = \prod_{s_{ih} > s_{il} \geq s_{ij}} p_{il}$, obtaining $k_{ih}$ from $k_{ij}$ splits $k_{ij}$ into two non-trivial factors; this case thus holds. □
The security of the Algorithm Key-Generation for a Partially-Ordered Hierarchy is also equivalent to factoring a large composite number. The proof is similar to that of Theorem 4.1.
Next, we show that our scheme is correct:
Theorem 4.2. In the proposed scheme, $s_{ij} \leq s_{it}$ if and only if data C encrypted under $k_{ij}$ can be decrypted under $k_{it}$, where $k_{it}$ and $k_{ij}$ are the secret keys of $s_{it}$ and $s_{ij}$, respectively.
Proof. We divide the proof into the following two cases:
Case 1: If $s_{ij} \leq s_{it}$ then C under $k_{ij}$ can be decrypted under $k_{it}$. This case holds by Theorem 3.2, since $k_{it}$ divides $k_{ij}$.
Case 2: If C under $k_{ij}$ can be decrypted under $k_{it}$ then $s_{ij} \leq s_{it}$. This is equivalent to stating that if $s_{ij} \not\leq s_{it}$ then $C \bmod k_{ij} = m_i$ but $C \bmod k_{it} \neq m_i$. If $C \bmod k_{it} = m_i$ held for every record, $k_{it}$ would divide $k_{ij}$. However, from Step 3 of the Algorithm Key-Generation for Totally-Ordered Hierarchy and Step 3.2 of the Algorithm Key-Generation for Partially-Ordered Hierarchy in Section 3 we know that

$$k_{ij} = k_{it} \, p' \quad \text{only for } s_{ij} \leq s_{it},$$

where $p'$ is relatively prime to $k_{it}$; for $s_{ij} \not\leq s_{it}$ the prime $p_{it}$ of $s_{it}$ is a factor of $k_{it}$ but not of $k_{ij}$, so $k_{it}$ does not divide $k_{ij}$. By Theorem 4.1 the class $s_{ij}$ cannot obtain $k_{it}$ by any other route, and this case thus holds. □
5. Computational and storage space complexity
In this section, we examine the storage space and computational complexity of enciphering and deciphering each field. Assume that each record contains n fields, that each field has b bits on average, and that there are l security classes in total in a relation table. The computation time needed for each record in Section 3 is as follows.
Encryption equation (8) requires a total of 2n multiplications, (n - 1) additions, n divisions, and one modulo operation. Let $t_{op}(a, b)$ denote the time cost of an "op" operation (multiplication, division, addition, or modulo) on operands of a and b bits.

$$t_{encryption} = 2n\, t_{mult}(nbl, b) + (n-1)\, t_{add}(nbl, nbl) + n\, t_{div}(nbl, b) + t_{mod}(nbl, nbl)$$
$$= 2n^2\, t_{mult}(b, b) + n(n-1)\, t_{add}(b, b) + n\, t_{div}(nbl, b) + t_{mod}(nbl, nbl).$$

Decryption equation (9) requires only one modulo operation:

$$t_{decryption} = t_{mod}(nbl, b).$$

Some efficient implementations of the CRT have been developed [13, 25, 37]. Dirr and Taylor [13] have designed a fast and efficient hardware implementation of the CRT in residue arithmetic. Their method incurs a time cost of $70 \lceil \log_2 L \rceil$ ns for computing C from the residues $C \bmod k_{ij} = m_i$, $i = 1, 2, \ldots, L$. It needs only 3.5 ms to encipher a large database with 32 fields, 1000 records, and 10 security levels. Thus, our subkey scheme is practical to implement.
Next we discuss the storage space of the scheme. Our scheme encodes each field $m_i$ of a record as a number modulo a number $k_{ij}$ of the form described in Eq. (10). Assume that there are n fields in a relation table, an average of b bits in each field, and l security classes for a hierarchy. The total number of bits in each record is nbl. Although the scheme does some data
Table 1
Algorithm for projecting the ith field
Input: Ciphertext $C_g$, $g = 1, \ldots, h$, where h is the number of records in the database. Read subkey $k_{ij}$.
Output: The raw data $m_{ig}$ in the ith field of the gth record.
1. for $g = 1, \ldots, h$ do
2.   $m_{ig} = C_g \bmod k_{ij}$;
6. Cryptographic relational algebra
In this section, we show how to perform the relational operations in our scheme. Codd [7] defined a very specific set of eight operations: restrict, project, Cartesian product, union, intersection, difference, natural join, and division. Basically, only the first five primitive operations are needed; the other operations can be derived from these five [10]. For example, natural join is a projection of a restriction of a product, intersection is a difference twice, and division is the difference of a product of a difference. Thus, we shall treat only the five primitive operations.
Since our scheme is a so-called record-oriented (tuple-oriented) subkey scheme, it is easy to see that restrict, union, intersection, and difference are the same as in a traditional database, because they operate on whole encrypted records. By the CRT, we develop two algorithms for projection and Cartesian product, as shown in Table 1 and Table 2, respectively. In Table 1, we only project the ith field. By iteration, other fields can also be projected.
Table 2
Algorithm for Cartesian product
Input: Ciphertext $C'_g$, $g = 1, \ldots, h'$, where h' is the number of records in a relation table R'. Ciphertext $C''_{g'}$, $g' = 1, \ldots, h''$, where h'' is the number of records in a relation table R''. Read field subkeys $k'_{ij}$, $i = 1, \ldots, n'$, where n' is the number of fields in R'. Read field subkeys $k''_{ij}$, $i = 1, \ldots, n''$, where n'' is the number of fields in R'', with $k'_{ij} \neq k''_{ej}$ for all i and e (the keys of the two tables must be relatively prime so that $N_1$ and $N_2$ below are coprime).
Output: New relation table R.
1. Compute $N_1 = \prod_{i=1}^{n'} k'_{ij}$
2. Compute $N_2 = \prod_{i=1}^{n''} k''_{ij}$
/* Computing the ciphertext by the CRT */
3. Compute $N = N_1 \times N_2$
4. for $g = 1, 2$ do begin
5.   Compute $G_g = N / N_g$;
6.   Find $G'_g$ such that $G_g G'_g \bmod N_g = 1$;
7. end;
/* Compute new ciphertext records */
8. for $g = 1, \ldots, h'$ do
9.   for $g' = 1, \ldots, h''$ do
10.    $C_{(g-1)h'' + g'} \leftarrow (C'_g G_1 G'_1 + C''_{g'} G_2 G'_2) \bmod N$;
Table 3
Algorithm for view mechanism
Input: Ciphertext $C_g$, $g = 1, \ldots, h$, where h is the number of records in the database. Read subkeys $k_{ij}$ for the fields i that appear in the view.
Output: New encrypted record data $C'_g$ in the view.
1. Compute $N' = \prod_{i} k_{ij}$;
2. for $g = 1, \ldots, h$ do
3.   $C'_g = C_g \bmod N'$;

A view is an important mechanism in the relational database model. A view is a table that does not have any existence in its own right, but is instead derived from one or more underlying base tables [10]. We develop an algorithm for the view mechanism, as shown in Table 3. Step 3 in Table 3, $C'_g = C_g \bmod N'$, can be proved correct as follows: for every field i in the view, $k_{ij}$ divides $N'$, so

$C'_g \bmod k_{ij} = (C_g \bmod N') \bmod k_{ij} = C_g \bmod k_{ij} = m_{ig}$,

while the residues of the omitted fields are in general not preserved by the reduction modulo $N'$.
7. Dynamic ability
In the following subsections we give algorithms for inserting a new field, updating a data element, and removing a field in the relation table.
7.1. Inserting a new field
When inserting a new field into the relation table, we compute the encrypted data of the records in the form described in Eq. (10). The algorithm for inserting a new field into the relation table is given in Table 4.
Step 8 in Table 4, $C'_g = (C_g G_1 G'_1 + m_{i'g} G_2 G'_2) \bmod N'$, can be proved correct as follows. For the new field i' (note that $G_1 = N'/N = k_{i'j}$ and $G_2 = N'/k_{i'j} = N$):

$C'_g \bmod k_{i'j} = ((C_g G_1 G'_1 + m_{i'g} G_2 G'_2) \bmod N') \bmod k_{i'j} = m_{i'g} G_2 G'_2 \bmod k_{i'j} = m_{i'g}$,

and for an existing field i:

$C'_g \bmod k_{ij} = ((C_g G_1 G'_1 + m_{i'g} G_2 G'_2) \bmod N') \bmod k_{ij} = C_g G_1 G'_1 \bmod k_{ij} = m_{ig}$,

because $k_{ij}$ divides $G_2 = N$ and $G_1 G'_1 \equiv 1 \pmod N$.
Table 4
Algorithm for inserting a new field into the relation table
Input: Ciphertext $C_g$, $g = 1, \ldots, h$, where h is the number of records in a relation table R. Existing read subkeys $k_{ij}$, $i = 1, \ldots, n$. New read subkey $k_{i'j}$ for the new field. New raw data $m_{i'g}$, $g = 1, \ldots, h$, for the new field i' of the gth record.
Output: Ciphertext $C'_g$, $g = 1, \ldots, h$.
1. Compute $N = \prod_{i=1}^{n} k_{ij}$
2. Compute $N' = N \times k_{i'j}$
3. Compute $G_1 = N'/N$;
4. Find $G'_1$ such that $G_1 G'_1 \bmod N = 1$;
5. Compute $G_2 = N'/k_{i'j}$;
6. Find $G'_2$ such that $G_2 G'_2 \bmod k_{i'j} = 1$;
/* Compute new ciphertext records */
7. for $g = 1, \ldots, h$ do
8.   $C'_g \leftarrow (C_g G_1 G'_1 + m_{i'g} G_2 G'_2) \bmod N'$;
7.2. Updating a data element
When the ith field raw data of the gth record ($m_{ig}$) is updated to $m'_{ig}$, we compute the new encrypted record from the old $C_g$ according to the following equation:

$$C'_g = [C_g + (m'_{ig} - m_{ig}) G_i G'_i] \bmod N. \qquad (15)$$

The algorithm for updating a data element in the relation table is given in Table 5.
7.3. Removing a field
By the property of the CRT, a field can be arbitrarily deleted from the relation table. The removal will not affect the previously discussed actions.

Table 5
Algorithm for updating a data element
Input: Ciphertext $C_g$ of the record g. Existing read subkeys $k_{ij}$, $i = 1, \ldots, n$, where n is the number of fields in a relation table R. Old raw data $m_{ig}$ in record g, field i. New raw data $m'_{ig}$ in record g, field i.
Output: Ciphertext $C'_g$.
1. Compute $N = \prod_{i=1}^{n} k_{ij}$
2. Compute $G_i = N/k_{ij}$
3. Find $G'_i$ such that $G_i G'_i \bmod k_{ij} = 1$;
/* Compute new ciphertext record */
4. $C'_g \leftarrow [C_g + (m'_{ig} - m_{ig}) G_i G'_i] \bmod N$;
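The algorithms of Tables 2 to 5 all reduce to one CRT recombination step. The following Python, an added example rather than the paper's own code, runs Cartesian product, view, field insertion, element update and field removal on the record of Example 3.1 and decrypts each result field by field. The second relation's keys (37, 41), the new field's key 43, the updated value, and the `remove_field` reduction modulo $N/k_{ij}$ (Section 7.3 states no formula) are assumptions of this example, not taken from the paper.

```python
# Added example (not from the paper): the CRT bookkeeping behind Tables 2-5
# (Cartesian product, view, inserting a field, updating an element) plus the
# field removal of Section 7.3 written out as a modular reduction. The keys
# and record are those of Example 3.1; the second relation's keys (37, 41)
# and all other sample values are constructed here.
from math import prod


def crt_combine(parts):
    """parts = [(C_g, N_g), ...] with pairwise coprime moduli N_g.
    Returns C = sum_g C_g * G_g * G'_g mod N with N = prod N_g, G_g = N / N_g
    and G'_g = G_g^-1 mod N_g, i.e. exactly the loop of Tables 2 and 4."""
    N = prod(n for _, n in parts)
    C = 0
    for c, n in parts:
        G = N // n
        C += c * G * pow(G, -1, n)
    return C % N


def encrypt(fields, ks):
    """Eq. (8) is the special case where every modulus is a single field key."""
    return crt_combine(list(zip(fields, ks)))


def cartesian_product(C1, N1, C2, N2):
    """Table 2, step 10: one ciphertext for the concatenated record, built from
    the two record ciphertexts without decrypting either of them."""
    return crt_combine([(C1, N1), (C2, N2)])


def view(C, view_keys):
    """Table 3: C' = C mod N' with N' the product of the exposed fields' keys."""
    return C % prod(view_keys)


def insert_field(C, N, m_new, k_new):
    """Table 4, step 8: C' = (C G1 G1' + m_new G2 G2') mod N k_new."""
    return crt_combine([(C, N), (m_new, k_new)])


def update_element(C, N, k_i, m_old, m_new):
    """Eq. (15): C' = C + (m_new - m_old) G_i G_i' mod N with G_i = N / k_i.
    The old plaintext is needed, as Table 5 requires."""
    G = N // k_i
    return (C + (m_new - m_old) * G * pow(G, -1, k_i)) % N


def remove_field(C, N, k_i):
    """Section 7.3 gives no formula; reducing modulo N / k_i (an assumption of
    this example) keeps every other residue and drops field i."""
    return C % (N // k_i)


KEYS_R1 = [35, 11, 323]   # Example 3.1 record, classes (s12, s21, s32)
KEYS_R2 = [37, 41]        # constructed keys of a two-field relation R''


def demo():
    """Runs each operation and decrypts the result field by field."""
    N1, N2 = prod(KEYS_R1), prod(KEYS_R2)
    C1 = encrypt((4, 10, 15), KEYS_R1)       # 23594, as in Example 3.1
    C2 = encrypt((20, 30), KEYS_R2)
    joined = cartesian_product(C1, N1, C2, N2)
    v = view(C1, [35, 323])                  # view that omits field 2
    ins = insert_field(C1, N1, 7, 43)        # new field with constructed key 43
    upd = update_element(C1, N1, 11, 10, 6)  # field 2 changes from 10 to 6
    rem = remove_field(C1, N1, 11)           # drop field 2
    return {
        "record": C1,
        "product": [joined % k for k in KEYS_R1 + KEYS_R2],
        "view": [v % 35, v % 323],
        "view_hidden": v % 11,               # field 2 is no longer 10 here
        "inserted": [ins % k for k in KEYS_R1 + [43]],
        "updated": [upd % k for k in KEYS_R1],
        "removed": [rem % 35, rem % 323],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Every operation relies on the moduli being pairwise coprime: the two relations in a Cartesian product and the key of a newly inserted field must use primes that do not already occur in N, otherwise `pow(G, -1, n)` has no inverse and the CRT recombination fails.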
8. Conclusions
We have proposed a multilevel database encryption system with subkeys. The system has the following four important advantages.
1. It allows the finest level of granularity to be protected such as relation level, attribute level, tuple level, or data element level in the relational database model.
2. It allows the encryption of fields with different security class, but the decryption is permitted only in the security class higher than or equal to that of the encrypted field-subkeys.
3. It allows the encryption/decryption of fields within a record.
4. The security of our scheme is equivalent to factoring a large composite number.
Acknowledgements
The authors wish to thank the anonymous referees for their suggestions to improve this paper. Part of this research was supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC85-2213-E-009-029.
References
[1] S.G. Akl and P.D. Taylor, Cryptographic solution to a problem of access control in a hierarchy, ACM Trans. on Computer Systems 1(3) (1983) 239-248.
[2] Y.M. Babad and J.A. Hoffer, Data element security and its effects on file segmentation, IEEE Trans. on Software Engineering SE-6(5) (1980) 402-410.
[3] R. Bayer and J.K. Metzger, On the encipherment of search trees and random access files, ACM Trans. on Database Systems 1(1) (1976) 37-52.
[4] C.C. Chang and T.C. Wu, Remote password authentication with smart cards, IEE Proceedings-E 138(3) (1991) 165-168.
[5] G.C. Chick and S.E. Tavares, Flexible access control with master keys, Proc. Crypto '89 (1989) 316-322.
[6] G.H. Chiou and W.T. Chen, Secure broadcasting using the secure lock, IEEE Trans. on Software Engineering 15(8) (1989) 929-934.
[7] E.F. Codd, Relational Completeness of Data Base Sublanguages (Prentice-Hall, N.J., 1972).
[8] R.W. Conway, W.L. Maxwell and H.L. Morgan, On the implementation of security measures in information systems, Communications of the ACM 15(4) (1972) 211-220.
[9] J.A. Cooper, Computer & Communication Security: Strategies for the 1990s (McGraw-Hill, New York, 1989).
[10] C.J. Date, An Introduction to Database Systems, Vol. 1, Fifth Edition (Addison-Wesley, Massachusetts, 1990).
[11] G.I. Davida, D.L. Wells and J.B. Kam, A database encryption system with subkeys, ACM Trans. on Database Systems 6(2) (1981) 312-328.
[12] D.E. Denning, Cryptography and Data Security (Addison-Wesley, Massachusetts, 1982).
[13] W. Dirr, Jr. and F.J. Taylor, On implementing the CRT in residue arithmetic, J. Comput. Math. 17 (1985) 155-163.
[14] R. Eriksson and K. Beckman, Protection of data-bases using file encryption, Proc. First Security Conf., IFIP/Sec'83 (1983) 217-221.
[15] E.B. Fernandez, R.C. Summers and C. Wood, Database Security and Integrity (Addison-Wesley, Massachusetts, 1980).
[16] C. Garvey and A. Wu, ASD-Views, Proc. IEEE Symposium on Security and Privacy (Oakland, California, 1988) 85-95.
[17] G.S. Graham and P.J. Denning, Protection: principles and practice, Proc. Spring Jt. Computer Conf., Vol. 40, AFIPS (Montvale, NJ, 1972) 417-429.
[18] E. Gudes, The design of a cryptography based secure file system, IEEE Trans. on Software Engineering SE-6(5) (1980) 411-420.
[19] T. Hardjono, Record encryption in distributed databases, Auscrypt'90 (1990) 386-395.
[20] T. Hardjono, Y. Zheng and J. Seberry, Database authentication revisited, Computers & Security 13(7) (1994) 573-580.
[21] M.S. Hwang and W.P. Yang, A new dynamic access control scheme based on subject-object-list, Data and Knowledge Engineering 14(1) (1994) 45-56.
[22] M.S. Hwang and W.P. Yang, A two-phase encryption scheme for enhancing database security, J. Systems and Software 31(12) (1995) 257-265.
[23] M.S. Hwang, W.G. Tzeng and W.P. Yang, An access control scheme based on Chinese remainder theorem and time stamp concept, Computers & Security 15(1) (1996) 73-81.
[24] S. Jajodia and R. Sandhu, Toward a multilevel secure relational data model, SIGMOD Record 20(1) (1991) 50-59.
[25] D.E. Knuth, The Art of Computer Programming, Vol. 2 (Seminumerical Algorithm), 2nd ed. (Addison- Wesley, Massachusetts, 1980).
[26] P.C. Kocher, Cryptanalysis of Diffie-Hellman, RSA, DSS and other systems using timing attacks, http:/ /www.cryptography.com /timingat-tack.html, 1996.
[27] S.C. Lu and L.N. Lee, A simple and effective public-key cryptosystem, C O M S A T Technical Review 9(1) (1979) 15-23.
[28] T.F. Lunt, D.E. Denning, R.R. Schell, M. Heckman and W.R. Shockley, The SeaView security model, IEEE Trans. on Software Engineering, SE-16(6) (1990) 593-607.
[29] National Bureau of Standard, Data Encryption Standard (FIPS, NBS, 1977).
[30] I. Niven and H. Zuckerman, Introduction to the Theory of Numbers (Wiley, New York, 1966). [31] C.P. Pfleeger, Security in Computing (Prentice-Hall, N.J., 1989).
[32] R.L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the A C M 21(2) (1978) 120-126.
[33] R.S. Sandhu, Cryptographic implementation of a tree hierarchy for access control, Information Processing Letters 27 (1988) 95-98.
[34] M.E. Smid and D.K. Branstad, The data encryption standard: past and future, Proc. IEEE 76(5) (1988) 550-559.
[35] K. Smith and M. Winslett, Entity modeling in the MMLS relational model, Proc. 18th VLDB Conf., Vancouver, British Columbia, Canada, 1992.
[36] P.D. Stachour and B. Thuraisingham, Design of LDV: A multilevel secure relational database management system, IEEE Trans. on Knowledge and Data Engineering 2(2) (1990) 190-209.
[37] T.V. Vu, Efficient implementations of the Chinese remainder theorem for sign detection and residue decoding, 1EEE Trans. Comput. C-34(7) (1985) 646-651.
[38] N.R. Wagner, P.S. Putter and M.R. Cain, Encrypted database design: Specialized approaches, Proc. IEEE Symp. Security and Privacy (Oakland, California, 1986) 148-153.
[39] D.L. Wells, A short note on the dangers of loading crt subkeys, Technical Report TITR-CSE-8106, Technical Report, Department of Computer Science and Engineering, SMU (1981).
[40] T.C. Wu, Y.S. Yeh and C.C. Chang, Algebraic operations on encrypted relational databases, Information Systems 18(1) (1983) 55-62.
Min-Shiang Hwang received the B.S. in Electronic Engineering from National Taipei Institute of Technology, Taipei, Taiwan, Republic of China, in 1980; the M.S. in Industrial Engineering from National Tsing Hua University, Taiwan, in 1988; and the Ph.D. in Computer and Information Science from National Chiao Tung University, Taiwan, in 1995. He also studied Applied Mathematics at National Cheng Kung University, Taiwan, from 1984 to 1986. From 1988 to 1991, he was the leader of the Computer Center at Telecommunication Laboratories (TL), Ministry of Transportation and Communications. He was also a project leader for research in computer security at TL in July 1990. He is currently an Associate Professor in the Department of Information Management, Chao Yang Institute of Technology, Taiwan, R.O.C. He is a member of the IEEE and the ACM. Dr. Hwang's current research interests include cryptography, data security, and mobile communications.
Wei-Pang Yang was born on May 17, 1950 in Hualien, Taiwan, Republic of China. He received the B.S. degree in mathematics from National Taiwan Normal University in 1974, and the M.S. and Ph.D. degrees from National Chiao Tung University in 1979 and 1984, respectively, both in computer engineering. Since August 1979, he has been on the faculty of the Department of Computer Engineering at National Chiao Tung University, Hsinchu, Taiwan. In the academic year 1985-1986, he was awarded the National Postdoctoral Research Fellowship and was a visiting scholar at Harvard University. From 1986 to 1987, he was the Director of the Computer Center of National Chiao Tung University. In August 1988, he joined the Department of Computer and Information Science at National Chiao Tung University, and acted as the Head of the Department for one year. He then went to the IBM Almaden Research Center in San Jose, California, for another year as a visiting scientist. From 1990 to 1992, he was again the Head of the Department of Computer and Information Science. His research interests include database theory, database security, object-oriented databases, image databases and Chinese database systems. Dr. Yang is a full professor and a member of the IEEE, the ACM, and the Phi Tau Phi Society. He was the winner of the 1988 and 1992 Acer Long Term Award for Outstanding M.S. Thesis Supervision, and the winner of the 1990 Outstanding Paper Award of the Computer Society of the Republic of China. He also obtained the 1991-1993 Outstanding Research Award of the National Science Council of the R.O.C.