Authorization model for collaborative queries

ESCUDO-CLOUD offers a novel approach for enabling collaborative and distributed query execution, allowing the controlled and secure involvement of cloud providers not fully trusted to access the data content while maintaining confidentiality of information. The innovation brought by ESCUDO-CLOUD relies on a simple, yet flexible, authorization model supporting authorizations defined at the fine-grained level of attribute specifying, for every attribute, whether a subject can have: plaintext visibility, the subject has complete visibility on the plaintext values of the attribute; encrypted visibility, the subject cannot view the plaintext values of the attribute but can perform computations (e.g., evaluate conditions or perform joins) on the corresponding encrypted version; no visibility, the subject cannot view the values of the attribute at all.

The model takes into account not only information directly released but also implicit leakage of information that can derive from query execution. It does so by keeping a profile of the relations exchanged in the distributed computation that includes:

  • visible attributes, appearing in the relation schema;
  • implicit attributes, not appearing in the schema but that had been involved in the computation (e.g., involved in selections or grouping)
  • equivalent attributes, that is attributes for which the value of one leaks information on the value of the others due to the fact that they had been connected in the computation of the relation (e.g., compared in join conditions).

A subject is authorized for a relation if she has authorizations granting her: i) plaintext visibility on all visible/implicit plaintext attributes, ii) plaintext or encrypted visibility on all visible/implicit encrypted attributes, and iii) uniform visibility on attributes that are equivalent (i.e., she can access them either all plaintext or all encrypted). A subject can perform an operation in a query plan if she is authorized for its operand(s) and for its result.

To enforce restrictions given by authorizations the query plan is extended by inserting encryption and decryption operations on-the-fly to adjust visibility of attributes as required by operation requirements or authorizations. Encryption protects attributes so to permit the assignment of operations to subjects that could not be considered otherwise. Decryption permits accessing plaintext values of encrypted attributes when needed in the computation.

As an example, consider the following query tree plan (left-hand side of the figure below) and authorizations (right-hand side of the figure below.) The authorizations involve four subjects (H and I holding the base relations, the user U and an external provider X) and the figure reports, for each subject, the sets of attributes of each base relation that the subject can access plaintext (`plain’ columns) and encrypted (`encr’ gray columns).

query plan  set of authorizations 


In the figure, relation profiles are represented as tags attached to nodes in the tree. With such graphical representation, profiles have three components (v, i, and ≃): the first includes the visible attributes, the second the implicit attributes, and the third the equivalent attributes. Encrypted attributes are denoted with a gray background.

 authorized assignment


The figure above illustrates the query plan of our example extended with some encryption operations (square boxes above nodes). By encrypting attributes S and C, the join operation can be executed by X, which is authorized to access both S and C in encrypted form.

Related Publications