DiCE -- A Data Encryption Proxy for the Cloud

TL;DR

DiCE is a JDBC proxy driver that enables secure, encrypted database queries in the cloud by transparently encrypting SQL queries with minimal performance overhead, supporting various encryption algorithms.

Contribution

The paper introduces DiCE, a novel JDBC driver that transparently encrypts SQL queries for cloud databases, maintaining query functionality and performance.

Findings

Supports multiple encryption algorithms including order-preserving encryption.

Enables execution of queries on encrypted data with minimal performance overhead.

Compatible with various JDBC databases.

Abstract

Outsourcing a relational database to the cloud offers several benefits, including scalability, availability, and cost-effectiveness. However, there are concerns about the confidentiality and security of the outsourced data. A general approach here would be to encrypt the data with a standardized encryption algorithm and then store the data only encrypted in the cloud. The problem with this approach, however, is that with encryption, important properties of the data such as sorting, format or comparability, which are essential for the functioning of database queries, are lost. One solution to this problem is the use of (e.g. order-preserving) encryption algorithms, which also preserve these properties in the encrypted data, thus enabling queries to encrypted data. These algorithms range from simple algorithms like Caesar encryption to secure algorithms like mOPE. In order to be able to use these algorithms as easy as possible, ``DiCE'' a JDBC driver was developed, that parses SQL queries as a proxy and transparently encrypts and decrypts these queries. This allows to execute many queries on an encrypted database in the cloud with (nearly) the performance as on unencrypted databases. The DiCE driver can be used with any other JDBC driver and therefore supports a variety of databases. The driver can be configured to support different encryption algorithms. To keep track of the operations, the ``Dice Information Client'' has been developed to track the encryption and decryption of the driver. Although the result of the performance analysis shows a certain overhead due to the parsing and encryption of the SQL queries in the Dice driver, this overhead is significantly reduced by other influencing factors such as the network and parallel queries.