log in  |  register  |  feedback?  |  help  |  web accessibility
Logo
Why Your Encrypted Database is Not Secure
Paul Grubbs - Cornell Tech
3460 A.V. Williams Building (AVW)
Friday, November 10, 2017, 12:00-1:00 pm Calendar
  • You are subscribed to this talk through .
  • You are watching this talk through .
  • You are subscribed to this talk. (unsubscribe, watch)
  • You are watching this talk. (unwatch, subscribe)
  • You are not subscribed to this talk. (watch, subscribe)
Abstract

Encrypted databases, which use specialized cryptography to support

efficient queries on encrypted data, are a popular approach to protecting

data from compromised database management systems. They have received a

great deal of interest from academic researchers and practitioners. This

talk will examine two ways in which recent encrypted databases are

vulnerable to attacks.

 

The first way is by using cryptography which makes an unsafe tradeoff of

security for functionality. To demonstrate this I will present new attacks

against order-revealing encryption, a primitive used in many encrypted

databases to enable searching and sorting on encrypted data. The attacks

recover as much as 99% of plaintexts.

 

The second way recent encrypted databases are vulnerable to attacks is by

making incorrect assumptions about the behavior of the underlying database

system. I will show how the "snapshot attack" threat model used to support

the security claims of many encrypted databases does not reflect the

information about past queries available in any snapshot attack on a real

database system.

 

Paper links:  https://eprint.iacr.org/2016/895 and

https://eprint.iacr.org/2017/468

Bio

Paul Grubbs is a third-year PhD student at Cornell Tech, advised by Thomas Ristenpart. His research is in applied cryptography and security.

This talk is organized by Octavian Suciu