A SEMINAR-III REPORT ON

A Secure Client Access to Encrypted Cloud Databases


SUBMITTED TO THE SAVITRIBAI PHULE PUNE
UNIVERSITY, PUNE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE AWARD OF THE DEGREE
MASTER OF ENGINEERING (Computer Engineering)
BY
Dattatray B. Pawar

Exam No:

Under the guidance of


Prof. V. S. Gaikwad

Department of Computer Engineering


JSPM Narhe Technical Campus, Narhe, Pune
Rajarshi Shahu School of Engineering and Research
Academic Year 2014-15
SAVITRIBAI PHULE PUNE UNIVERSITY, PUNE

JSPM NARHE TECHNICAL CAMPUS


Rajarshi Shahu School of Engineering and Research
Narhe Tal.Haweli Dist.Pune-41
DEPARTMENT OF COMPUTER ENGINEERING

CERTIFICATE
This is to certify that the seminar report entitled
A Secure Client Access to Encrypted Cloud Databases
Submitted by
DATTATRAY B. PAWAR

Exam Seat No:

is a bonafide work carried out by him under the supervision of Prof. V. S. Gaikwad and
it is approved for the partial fulfillment of the requirement of Savitribai Phule University,
Pune, for the award of the degree of Master of Engineering (Computer Engineering).

Prof. V. S. Gaikwad
Internal Guide

External Examiner

Dr. Sulochana Sonkamble


HOD

Dr. D.M. Yadav


Director

Place:
Date:

ACKNOWLEDGEMENT

I hereby take this opportunity to express my heartfelt gratitude towards the people whose help was very useful to complete my seminar work on the topic of "A Secure Client Access to Encrypted Cloud Databases". It is my privilege to express sincerest regards to my Dissertation Guide Prof. V. S. Gaikwad for his valuable inputs, valuable guidance, encouragement, whole-hearted cooperation and constructive criticism throughout the duration of my dissertation work.
I express my sincere thanks to our HOD Dr. Mrs. S. B. Sonkamble for encouraging and allowing us to present the dissertation at our department premises for the partial fulfilment of the requirements leading to the award of the M.E. degree.
I am also thankful to our Director Dr. D. M. Yadav and the management. I would also like to thank all the faculty members who have cleared all the major concepts that were involved in the understanding of the techniques behind my dissertation report. The Dissertation Report is based on research work in "Distributed, concurrent and independent access to encrypted cloud databases". I am very much thankful to the author for such a precious work.

DATTATRAY B. PAWAR
M.E.(Computer Engineering)

ABBREVIATIONS

CSP : Cloud Service Provider
SLA : Service Level Agreement
CSA : Cloud Security Alliance
SaaS : Software as a Service
IaaS : Infrastructure as a Service
PaaS : Platform as a Service
DBaaS : Database as a Service
DBA : Database Administrator

ABSTRACT

Data security and confidentiality are crucial factors when considering cloud databases. Data originality and reliability demand extra attention to cloud databases and their service provisioning. Putting critical data in the hands of a cloud provider should come with the guarantee of security and availability for data at rest, in motion, and in use. Several alternatives exist for storage services, while data confidentiality solutions for the database as a service paradigm are still immature. The efficacy of the proposed architecture is evaluated through theoretical analyses and extensive experimental results based on a prototype implementation subject to the TPC-C standard benchmark for different numbers of clients and network latencies.
This is the first solution supporting geographically distributed clients to connect directly to an encrypted cloud database and to execute concurrent operations. We propose a novel architecture that integrates cloud database services with data confidentiality and the possibility of executing concurrent operations on encrypted data. Fully homomorphic encryption schemes cannot be applied because of their excessive computational complexity.
Keywords: Cloud security, encryption, confidentiality, SecureDBaaS, database.

Contents

1 Introduction
  1.1 Dissertation prerequisite
    1.1.1 Cloud service models
    1.1.2 Cloud Deployment Models
    1.1.3 Cloud Security Issues
  1.2 Objective
2 Problem statement
3 Motivation
4 Literature Survey
5 Methodology
  5.1 Design of framework
    5.1.1 Cloud Database server
    5.1.2 Communication mechanism
  5.2 Algorithms of Existing System
6 Existing System With Mathematical Model
7 Proposed System With Mathematical model
8 Implementation
9 Data Table and Discussion
10 Conclusion

Chapter 1
INTRODUCTION

In a cloud context, where critical information is placed in infrastructures of untrusted third parties, ensuring data confidentiality is of paramount importance [1], [2]. This requirement imposes clear data management choices: original plain data must be accessible
only by trusted parties that do not include cloud providers, intermediaries, and Internet;
in any untrusted context, data must be encrypted. Satisfying these goals has different
levels of complexity depending on the type of cloud service. There are several solutions
ensuring confidentiality for the storage as a service paradigm (e.g., [3], [4], [5]), while
guaranteeing confidentiality in the database as a service (DBaaS) paradigm [6] is still an
open research area. In this context, we propose SecureDBaaS as the first solution that
allows cloud tenants to take full advantage of DBaaS qualities, such as availability, reliability, and elastic scalability, without exposing unencrypted data to the cloud provider.
The architecture design was motivated by a threefold goal: to allow multiple,
independent, and geographically distributed clients to execute concurrent operations on
encrypted data, including SQL statements that modify the database structure; to preserve data confidentiality and consistency at the client and cloud level; to eliminate any
intermediate server between the cloud client and the cloud provider. The possibility
of combining availability, elasticity, and scalability of a typical cloud DBaaS with data
confidentiality is demonstrated through a prototype of SecureDBaaS that supports the
execution of concurrent and independent operations to the remote encrypted database
from many geographically distributed clients as in any unencrypted DBaaS setup. To
achieve these goals, SecureDBaaS integrates existing cryptographic schemes, isolation
mechanisms, and novel strategies for management of encrypted metadata on the untrusted cloud database. This paper contains a theoretical discussion about solutions for
data consistency issues due to concurrent and independent client accesses to encrypted
data.
In this context, we cannot apply fully homomorphic encryption schemes [7] because of their excessive computational complexity. The SecureDBaaS architecture is tailored to cloud platforms and does not introduce any intermediary proxy or broker server
between the client and the cloud provider. Eliminating any trusted intermediate server
allows SecureDBaaS to achieve the same availability, reliability, and elasticity levels of
a cloud DBaaS. Other proposals (e.g., [6], [7], [8]) based on intermediate server(s) were
considered impracticable for a cloud-based solution because any proxy represents a single
point of failure and a system bottleneck that limits the main benefits (e.g., scalability,
availability, and elasticity) of a database service deployed on a cloud platform. Unlike
SecureDBaaS, architectures relying on a trusted intermediate proxy do not support the
most typical cloud scenario where geographically dispersed clients can concurrently issue
read/write operations and data structure modifications to a cloud database. A large set
of experiments based on real cloud platforms demonstrate that SecureDBaaS is immediately applicable to any DBMS because it requires no modification to the cloud database
services.
Other studies where the proposed architecture is subject to the TPC-C standard
benchmark for different numbers of clients and network latencies show that the performance of concurrent read and write operations not modifying the SecureDBaaS database
structure is comparable to that of unencrypted cloud database. Workloads including
modifications to the database structure are also supported by SecureDBaaS, but at the
price of overheads that seem acceptable to achieve the desired level of data confidentiality. The explanation for these results is that network latencies, which are typical of cloud
scenarios, tend to mask the performance costs of data encryption on response time. The
overall conclusions of this paper are important because for the first time they demonstrate the applicability of encryption to cloud database services in terms of feasibility and
performance.

1.1 Dissertation prerequisite

1.1.1 Cloud service models

Cloud service models occupy a major place in the cloud computing area. The service model dictates an organization's scope and control over its computational resources, and characterizes the level of service available for its use.

SaaS
Software as a Service is a service delivery model providing applications and computational resources for use on demand by the service user. The purpose of this model is to reduce the total development cost, including maintenance and operations. Security is the responsibility of the cloud provider. The cloud consumer isn't involved in the control and management of the cloud infrastructure or personal applications, except for priority selections and very few administrative application settings. [3]

PaaS
Platform as a Service is a service delivery model that provides a computing platform on which applications can be developed and deployed. The motivation behind this model is to minimize the cost and complexity of purchasing, hosting, and managing the platform, including programs and databases. The development environment is typically provided by the cloud provider and adapted to the design and architecture of its platform. [3]

IaaS
Infrastructure as a Service is a service delivery model that provides basic computing infrastructure, including servers, software, and network equipment, as an on-demand service. A platform for developing and executing applications can be established on it. The main aim is to avoid purchasing and managing software and infrastructure components, and instead obtain such resources as virtualized objects controllable via a service interface. The cloud user has great freedom in the choice of operating system and development environment to be used. Security is the sole responsibility of the cloud consumer. [3]

DBaaS
Database as a Service (DBaaS) will potentially be the next big era in IT. It is a service that is hosted by a cloud operator (public or private) and includes applications, where the application team doesn't have any responsibility for traditional database administration. With DBaaS, application developers need not be database experts, and there is no need to hire a database administrator (DBA) to operate and maintain the database. [6] The recent market analysis from 451 research projects shows a stunning 86 percent progressive annual growth rate, with revenues from DBaaS providers rising from 150 million dollars in 2012 to 1.8 billion dollars by 2016. [1] DBaaS is gaining popularity because it lets businesses set up new databases quickly, with high security and at very minimal cost. Database as a Service (DBaaS) offers organizations faster deployment, elasticity, fair consolidation efficiency, higher availability, and minimal cost and complexity. [2],[4] The following facts show why DBaaS will hit the upcoming IT market.
1. DBaaS reduces database straggle.
2. Supports ease of provisioning.
3. Enhances high security and minimal complexity.

1.1.2 Cloud Deployment Models

Four deployment models are present for cloud service solutions:

Private cloud
Infrastructure provided for a private organization. The organization may manage it itself, or a third party can manage it. Such a cloud may exist on the premises or off the premises.

Community cloud
Many organizations share the infrastructure, which supports a distinct community that has common concerns. The organizations can manage it, or a third party can operate it. Such a cloud may exist on the premises or off the premises [3].

Public cloud
This cloud infrastructure is available to the public or a large industry group. An organization may own it to sell cloud services [3]. Workload migration from private cloud to public cloud has grown. The average workload in the public cloud will not differ much from that in the private cloud.

Hybrid cloud
The cloud infrastructure is a combination of two clouds (private, community, or public) that keep their own properties but are bound together by standard or proprietary techniques that enable communication of data and applications.

1.1.3 Cloud Security Issues

Data security is an important aspect where quality of service is considered a prime focus, and Cloud Computing undoubtedly raises new security threats for various reasons. Traditional cryptosystems cannot be used directly because the user does not have control over data under Cloud Computing. Checking for correct data storage in the cloud must be done without knowledge of the whole database or data.

Trust
In the cloud, trust relies on the deployment model, as it governs the administration of data. Trust is considered a mandatory security policy in old architectures. In a public cloud, whoever owns the infrastructure has control over it. When a public cloud is deployed, the infrastructure owner is supposed to give all assurances regarding suitable security policies so that the risks related to security are reduced. Security is then a matter of trusting the processes or implementations put in place by the owner. Deployment models must be differentiated from one another, as the private cloud infrastructure is controlled by the private organization and does not need any other security policies because the organization maintains the same trust level. [10]

Threats
The CSA (Cloud Security Alliance) has identified various cloud computing threats during the last year. The report reflects the current issues among experts around the IT business industry analysed by CSA, pointing to threats specifically related to the shared technology and on-demand service nature of cloud computing.

1.2 Objective

To provide security based architecture to cloud users.
To provide data confidentiality with minimal latency and improved throughput over cloud network.
To maintain better trust relation between cloud user and cloud service provider.

Chapter 2
PROBLEM STATEMENT

Throughput for increasing numbers of concurrent clients in contexts characterized by modifications of the database structure is supported, but at the price of high computational costs. Existing encryption techniques impose high time complexity on the cloud, which causes performance degradation.

Chapter 3
MOTIVATION

To provide secure access to multiple users with high confidentiality.
To establish reliable and consistent connection between client and cloud database service provider.
To provide security based architecture to cloud users.
To provide data confidentiality with minimal latency and improved throughput over cloud network.
To maintain better trust relation between cloud user and cloud service provider.

Chapter 4
LITERATURE SURVEY

[1] Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten have published a paper on "Group Collaboration using Untrusted Cloud Resources". They have implemented a system that provides a generic collaboration service in which users can create a document, modify its access control list, edit it concurrently, experience fully automated merging of updates, and even perform these operations while disconnected. The system framework supports a broad range of collaborative applications. Data updates are encrypted before being sent to a cloud-hosted server. The server assigns a total order to all operations and redistributes the ordered updates to clients. If a malicious server drops or reorders updates, the system's clients can detect the server's misbehaviour, switch to a new server, restore a consistent state, and continue. The same mechanism that allows the system to merge correct concurrent operations also enables it to transparently recover from attacks that fork clients' views.

[2] Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha have published a paper on "Secure Untrusted Data Repository". They describe a network file system designed to store data securely on untrusted servers. The system lets clients detect any attempts at unauthorized file modification by malicious server operators or users. SUNDR's protocol achieves a property called fork consistency, which guarantees that clients can detect any integrity or consistency failures as long as they see each other's file modifications. An implementation is described that performs comparably with NFS (sometimes better and sometimes worse), while offering significantly stronger security.

[3] Prince Mahajan, Srinath Setty, Sangmin Lee, Allen Clement, Lorenzo Alvisi, Mike Dahlin, and Michael Walfish have published a paper on "Cloud Storage with Minimal Trust". Their system supports many strategies for coping with the failure of an SSP (storage service provider). In a single SSP deployment, clients are configured such that each client stores a copy of the data that it authors. If the SSP fails, clients can ensure availability by exchanging metadata with each other directly and by using the data stored at the authoring clients. If the SSP later recovers, clients can continue using the SSP (after sending the missed updates to the SSP servers).

[4] Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan have published a paper on "Protecting Confidentiality with Encrypted Query Processing". The authors present a system that explores an intermediate design point to provide confidentiality for applications that use database management systems (DBMSes). CryptDB leverages the typical structure of database-backed applications, consisting of a DBMS server and a separate application server; the latter runs the application code and issues DBMS queries on behalf of one or more users. CryptDB's approach is to execute queries over encrypted data, and the key insight that makes it practical is that SQL uses a well-defined set of operators, each of which they are able to support efficiently over encrypted data.

[5] Luca Ferretti, Michele Colajanni, and Mirco Marchetti have published a paper on "Supporting Security and Consistency for Cloud Database". They proposed a novel architecture that allows cloud customers to leverage untrusted DBaaS with the guarantee of data confidentiality. Unlike previous solutions, their architecture does not rely on a trusted proxy, and allows multiple distributed clients to execute SQL queries concurrently and independently on the same encrypted database. All the encryption and decryption operations are carried out by a software module that is executed on each client machine. Their design choice does not introduce any bottleneck or single point of failure because clients connect directly to the cloud database. Moreover, their architecture guarantees the same availability, scalability and elasticity of the unencrypted DBaaS, and it is applicable to any commercial DBaaS because it does not require modifications to the database.
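
The client-side module described in entry [5] and in the Introduction (encryption on each client, encrypted metadata kept in the cloud database, no proxy, unmodified DBMS) can be sketched as follows. This is an added example, not code from the report or from SecureDBaaS: sqlite3 stands in for the cloud DBMS, and the Client class, the metadata layout, the equality tokens and the HMAC-SHA256 stand-in cipher are all assumptions of the example.

```python
import hashlib, hmac, json, os, sqlite3

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(prf(key, b"enc" + nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key: bytes, pt: bytes) -> bytes:
    """Randomized encrypt-then-MAC built from HMAC-SHA256 (stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + prf(key, b"mac" + nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac" + nonce + ct)):
        raise ValueError("ciphertext modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def token(key: bytes, col: str, val: str) -> str:
    """Deterministic equality token; it reveals which rows share a value."""
    return prf(key, b"tok" + col.encode() + b"\0" + val.encode()).hex()

class Client:
    """Hypothetical client-side module: the database never receives plaintext names or values."""
    def __init__(self, db: sqlite3.Connection, master_key: bytes):
        self.db, self.mk = db, master_key
        db.execute("CREATE TABLE IF NOT EXISTS metadata (id TEXT PRIMARY KEY, blob BLOB)")

    def _meta_id(self, table: str) -> str:
        return prf(self.mk, b"id" + table.encode()).hex()

    def _load(self, table: str):
        row = self.db.execute("SELECT blob FROM metadata WHERE id = ?",
                              (self._meta_id(table),)).fetchone()
        if row is None:
            raise KeyError(table)
        meta = json.loads(unseal(self.mk, row[0]))   # metadata is stored encrypted in the cloud
        return meta, bytes.fromhex(meta["key"])

    def create_table(self, table: str, columns: list) -> None:
        meta = {"name": "t" + os.urandom(8).hex(), "key": os.urandom(32).hex(),
                "cols": {c: "c" + os.urandom(8).hex() for c in columns}}
        # Per column: randomized ciphertext (_v) and an equality token (_t).
        ddl = ", ".join(f"{e}_v BLOB, {e}_t TEXT" for e in meta["cols"].values())
        self.db.execute(f"CREATE TABLE {meta['name']} ({ddl})")
        self.db.execute("INSERT INTO metadata VALUES (?, ?)",
                        (self._meta_id(table), seal(self.mk, json.dumps(meta).encode())))

    def insert(self, table: str, row: dict) -> None:
        meta, key = self._load(table)
        names, values = [], []
        for col, val in row.items():
            enc = meta["cols"][col]
            names += [enc + "_v", enc + "_t"]
            values += [seal(key, val.encode()), token(key, col, val)]
        marks = ", ".join("?" * len(values))
        self.db.execute(f"INSERT INTO {meta['name']} ({', '.join(names)}) VALUES ({marks})", values)

    def select(self, table: str, want: str, where_col: str, where_val: str) -> list:
        meta, key = self._load(table)
        sql = (f"SELECT {meta['cols'][want]}_v FROM {meta['name']} "
               f"WHERE {meta['cols'][where_col]}_t = ?")
        rows = self.db.execute(sql, (token(key, where_col, where_val),)).fetchall()
        return [unseal(key, r[0]).decode() for r in rows]

def demo():
    cloud = sqlite3.connect(":memory:")   # stands in for the untrusted, unmodified DBaaS
    master = os.urandom(32)               # assumed to reach trusted clients out of band
    a, b = Client(cloud, master), Client(cloud, master)   # independent clients, no proxy
    a.create_table("patients", ["name", "diagnosis"])     # constructed sample data
    a.insert("patients", {"name": "alice", "diagnosis": "flu"})
    b.insert("patients", {"name": "bob", "diagnosis": "asthma"})
    return b.select("patients", "diagnosis", "name", "alice"), "\n".join(cloud.iterdump())
```

The second value returned by demo() is a full dump of what the provider stores, so it can be searched for plaintext. Consistency under concurrent schema changes, which the report raises, is outside this sketch.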

Chapter 5
METHODOLOGY

5.1 Design of framework

This framework is the prime step towards achieving the goals of the cloud infrastructure. In this section, the details of the proposed framework are highlighted, and the sections below describe the components and their implementations.
Figure presents the architecture of the proposed framework. The service component, including the run-time server, represents the application layer where services are deployed using a Web Service container.

5.1.1 Cloud Database server

This section describes the database server component, which is located at the Cloud infrastructure resource level. We first explain its design and later present the implementation details.

5.1.2 Communication mechanism

The implemented communication model is a sort of queuing mechanism. It realizes inter-process communication for passing messages within the cloud infrastructure and between components of the cloud server framework, because the components can run on different machines at different locations. This queue makes the communication mechanism highly efficient and scalable.

5.2 Algorithms of Existing System

Algorithm 1
Input: Request for cloud database.
Output: Secure cloud database access to user.
Begin
1. Tenant wants to store and process remotely.
2. Tenant sends request to CSP.
3. Authenticates tenant.
4. If (n = 1)
5.     Access to database
6. Else
7.     Response with no access
8. CSP sends cloud decrypted data and metadata and encrypted tables.
9. Tenant operates on remote data.
10. Metadata updated before tenant exits the system.
End

Chapter 6
EXISTING SYSTEM WITH MATHEMATICAL MODEL

Chapter 7
PROPOSED SYSTEM WITH MATHEMATICAL MODEL

Chapter 8
IMPLEMENTATION

Chapter 9
DATA TABLE AND DISCUSSION

Chapter 10
CONCLUSION

The proposed architecture guarantees the confidentiality of data stored in public cloud databases. It yields better performance characteristics through minimal latency and improved throughput. The proposed architecture does not require modifications to the cloud database, and it is immediately applicable to existing cloud DBaaS, such as the PostgreSQL Plus, Cloud Database, Windows Azure, Amazon S3 and Xeround.

Bibliography

[1] Cheng-Kang Chu, Sherman S. M. Chow, Wen-Guey Tzeng, Jianying Zhou, and Robert H. Deng, "Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, 2014.
[2] S. G. Akl and P. D. Taylor, "Cryptographic Solution to a Problem of Access Control in a Hierarchy," ACM Transactions on Computer Systems (TOCS), vol. 1, no. 3, pp. 239-248, 1983.
[3] G. C. Chick and S. E. Tavares, "Flexible Access Control with Master Keys," in Proceedings of Advances in Cryptology - CRYPTO '89, ser. LNCS, vol. 435. Springer, 1989, pp. 316-322.
[4] W.-G. Tzeng, "A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy," IEEE Transactions on Knowledge and Data Engineering (TKDE), vol. 14, no. 1, pp. 182-188, 2002.
[5] G. Ateniese, A. D. Santis, A. L. Ferrara, and B. Masucci, "Provably-Secure Time-Bound Hierarchical Key Assignment Schemes," J. Cryptology, vol. 25, no. 2, pp. 243-270, 2012.
[6] R. S. Sandhu, "Cryptographic Implementation of a Tree Hierarchy for Access Control," Information Processing Letters, vol. 27, no. 2, pp. 95-98, 1988.
[7] Y. Sun and K. J. R. Liu, "Scalable Hierarchical Access Control in Secure Group Communications," in Proceedings of the 23rd IEEE International Conference on Computer Communications (INFOCOM '04). IEEE, 2004.
[8] Q. Zhang and Y. Wang, "A Centralized Key Management Scheme for Hierarchical Access Control," in Proceedings of IEEE Global Telecommunications Conference (GLOBECOM '04). IEEE, 2004, pp. 2067-2071.
[9] M. J. Atallah, M. Blanton, N. Fazio, and K. B. Frikken, "Dynamic and Efficient Key Management for Access Hierarchies," ACM Transactions on Information and System Security (TISSEC), vol. 12, no. 3, 2009.
[10] J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, "Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records," in Proceedings of ACM Workshop on Cloud Computing Security (CCSW '09). ACM, 2009, pp. 103-114.
[11] F. Guo, Y. Mu, and Z. Chen, "Identity-Based Encryption: How to Decrypt Multiple Ciphertexts Using a Single Decryption Key," in Proceedings of Pairing-Based Cryptography (Pairing '07), ser. LNCS, vol. 4575. Springer, 2007, pp. 392-406.
[12] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06). ACM, 2006, pp. 89-98.
