Encrypted databases, which use specialized cryptography to support
efficient queries on encrypted data, are a popular approach to protecting
data from compromised database management systems. They have received a
great deal of interest from academic researchers and practitioners. This
talk will examine two ways in which recent encrypted databases are
vulnerable to attacks.

The first way is by using cryptography that makes an unsafe tradeoff of
security for functionality. To demonstrate this, I will present new attacks
against order-revealing encryption, a primitive used in many encrypted
databases to enable searching and sorting on encrypted data. The attacks
recover as much as 99% of plaintexts.

The second way recent encrypted databases are vulnerable to attacks is by
making incorrect assumptions about the behavior of the underlying database
system. I will show how the "snapshot attack" threat model used to support
the security claims of many encrypted databases does not reflect the
information about past queries available in any snapshot attack on a real
database system.

Paper links: https://eprint.iacr.org/2016/895 and

Paul Grubbs is a third-year PhD student at Cornell Tech, advised by Thomas Ristenpart. His research is in applied cryptography and security.