Chip-Secured Data Access:
Confidential Data on Untrusted Servers
Luc Bouganim, Philippe Pucheral
PRISM Laboratory- 78035 Versailles - France
<Firstn ame.Lastn ame> @ prism, uvsq. fr
Abstract
The democratization of ubiquitous computing
(access data anywhere, anytime, anyhow), the
increasing connection of corporate databases to
the Internet and the today' s natural resort to Web-
hosting companies strongly emphasize the need
for data confidentiality. Database servers arouse
user's suspicion because no one can fully trust
traditional security mechanisms against more and
more frequent and malicious attacks and no one
can be fully confident on an invisible DBA
administering confidential data. This paper gives
an in-depth analysis of existing security solutions
and concludes on the intrinsic weakness of the
traditional server-based approach to preserve data
confidentiality. With this statement in mind, we
propose a solution called C-SDA (Chip-Secured
Data Access), which enforces data confidentiality
and controls personal privileges thanks to a client-
based security component acting as a mediator
between a client and an encrypted database. This
component is embedded in a smartcard to prevent
any tampering to occur This cooperation of
hardware and software security components
constitutes a strong guarantee against attacks
threatening personal as well as business data.
1. Introduction
The rapid growth of ubiquitous computing impels mobile
users to store personal data on the Web to increase its
availability. In the same way, corporate databases are
made more and more accessible to authorized employees
over the Internet. Small businesses are prompted to
delegate part of their information system to Web-hosting
companies or Database Service Providers (DSP) that
guarantee data resiliency, consistency and high availability
Permission to copy without fee all or part of this material is granted
provided that the copies are not made or distributed for direct
commercial advantage, the VLDB copyright notice and the title of the
publication and its date appear, and notice is given that copying is by
permission of the Very Large Data Base Endowment. To copy otherwise,
or to republish, requires a fee and~or special permission from the
Endowment
Proceedings of the
28 th
VLDB Conference,
Hong Kong, China, 2002
[eCr02,CaB02,Qck02]. Customer information is also
maintained on-line for the needs of e-commerce and e-
business applications. Typically, Microsoft .NET Passport
[Mic02] gathers customer information (identity,
passwords, credit card numbers, profiling data) in an
electronic wallet shared by all participating .NET Web
sites. Consequently, the amount of sensitive information
collected and shared in the marketplace is such that data
confidentiality has become one of the major concerns of
citizens, companies and public organizations, and
constitutes a tremendous challenge for the database
community.
Confidential data threatened by attackers is manifold:
information related to the private life of individuals (e.g.,
agenda, address book, bookmarks, medical records,
household expenses), credit card numbers, patents,
business strategies, diplomatic or military secrets. Even
ordinary data may become sensitive once grouped and well
organized in databases. Customers have no other choice
than trusting DSP's arguing that their systems are fully
secured and their employees are beyond any suspicion.
However, according to the "Computer Crime and Security
Survey" published by the Computer Security Institute
(CSI) and the FBI [FBI01], the theft of intellectual
property due to database vulnerability costs American
businesses $103 billion annually and 45% of the attacks
are conducted by insiders.
Traditional database security policies rely on user
authentication, communication encryption and server-
enforced access controls [BPS96]. Unfortunately, these
mechanisms are inoperative against most insider attacks
and particularly against database administrator attacks.
Several attempts have been made recently to strengthen
server-based database security policies thanks to database
encryption [Ora99, Mat00, HeW01 ].
This paper first characterizes the intrinsic limits of
these server-based solutions with respect to the different
types of attacks that can be conducted. With these
limitations in mind, we state the dimensions of the
data
confidentiality problem.
While client-based security policies have been
historically disregarded considering the vulnerability of
client environments [RusO1], we argue that the emergence
of smartcard secured client devices fundamentally changes
the problem statement. Initially developed by Bull to
secure the French banking system, smartcards have been
131

Get Proceedings 2002 VLDB Conference now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.