Concepts
Enabling encrypted SQL
Data that is encrypted-in-use, but can still be queried with query terms that are themselves encrypted, means databases can now be fully protected without affecting performance or functionality.
This technique — known as searchable encryption — is designed specifically for the data retrieval operations used in database queries. CipherStash's searchable encryption is actually a suite of encryption schemes, each designed for different types of queries. CipherStash Proxy automatically encrypts data with the appropriate scheme based on the data stored and queries required.
Enabling Searchable Encryption
Encryption-in-use is enabled in CipherStash Proxy by generating and storing Searchable Encrypted Metadata (SEM) alongside data that has been encrypted using standard symmetric encryption called Source Encrypted Data (or SED). Queries on a table with encrypted fields are first mapped to make use of any available Searchable Encrypted Metadata stored in the table.
CipherStash Proxy implements several different types of Searchable Encrypted Metadata (SEM) which each enable different types of queries. Using full_name as an example field, these are the SEM columns that need to be added to the table:
| Column | Type | Description |
|---|---|---|
__full_name_encrypted | text | Encrypted source value for full_name |
__full_name_ore | public.ore_64_8_v1 | Encrypted ORE index for full_name |
__full_name_match | integer[] | Encrypted match index for full_name |
__full_name_unique | text | Encrypted unique index for full_name |
Always encrypted
It's important to remember that the data and the metadata columns are fully encrypted and do not reveal any information about the plaintext.
Encryption Methods
AES256 Encryption (
__full_name_encrypted)- Description: AES (Advanced Encryption Standard) GCM (Galois/Counter Mode) with a 256-bit key, a widely-used symmetric encryption algorithm.
- Usage: Encrypts the plaintext of data.
Order Revealing Encryption (ORE) (
__full_name_ore)- Description: A cryptographic scheme allowing encrypted data to be sorted and filtered.
- Usage: Facilitates operations like ordering and range queries on encrypted data.
- Examples:
1SELECT dob FROM users WHERE dob > $1; 2SELECT name FROM users ORDER BY name; 3Encrypted Bloom Filters (
__full_name_match)- Description: Combines AES 256 and envelope encryption within a bloom filter structure.
- Usage: Enables secure full-text search capabilities on encrypted data.
- Examples:
1SELECT name FROM users WHERE name LIKE $1; 2SELECT similarity($1, name) FROM users; 3HMAC with SHA-256 Encryption (
__full_name_unique)- Description: HMAC encryption with a 256-bit key.
- Usage: Enables exact query matches on encrypted data.
- Examples:
1SELECT * FROM users WHERE email = $1 AND st = $2; 2CREATE UNIQUE INDEX unique_idx ON users(email); 3
Resources
- Wikipedia: Advanced Encryption Standard
- Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds
- Wikipedia: Bloom Filter
Quantun Resistant Encryption
All of CipherStash’s encryption schemes are quantum resistant. Neither the Advanced Encryption Standard (AES) with 256-bit keys, nor the SHA3 or Blake hashing schemes, are vulnerable to the same kinds of attacks that might be possible on public key encryption schemes. CipherStash uses these quantum safe schemes as the building blocks for searchable encryption-in-use.