Concepts

Enabling encrypted SQL

When data is encrypted in use but can still be queried with query terms that are themselves encrypted, databases can be fully protected without affecting performance or functionality.

This technique — known as searchable encryption — is designed specifically for the data retrieval operations used in database queries. CipherStash's searchable encryption is actually a suite of encryption schemes, each designed for different types of queries. Tandem automatically encrypts data with the appropriate scheme based on the data stored and queries required.

Enabling Searchable Encryption

Encryption-in-use is enabled in CipherStash Proxy by generating and storing Searchable Encrypted Metadata (SEM) alongside the data itself, which is encrypted using standard symmetric encryption and is called Source Encrypted Data (SED). Queries on a table with encrypted fields are first mapped to make use of any available Searchable Encrypted Metadata stored in the table.

Tandem implements several different types of Searchable Encrypted Metadata (SEM) which each enable different types of queries. Using full_name as an example field, these are the SEM columns that need to be added to the table:

Column                  Type                 Description
__full_name_encrypted   text                 Encrypted source value for full_name
__full_name_ore         public.ore_64_8_v1   Encrypted ORE index for full_name
__full_name_match       integer[]            Encrypted match index for full_name
__full_name_unique      text                 Encrypted unique index for full_name

Always encrypted

It's important to remember that the data and the metadata columns are fully encrypted and do not reveal any information about the plaintext.

Encryption Methods

  1. AES256 Encryption (__full_name_encrypted)

    • Description: AES (Advanced Encryption Standard) GCM (Galois/Counter Mode) with a 256-bit key, a widely-used symmetric encryption algorithm.
    • Usage: Encrypts the plaintext of data.
  2. Order Revealing Encryption (ORE) (__full_name_ore)

    • Description: A cryptographic scheme allowing encrypted data to be sorted and filtered.
    • Usage: Facilitates operations like ordering and range queries on encrypted data.
    • Examples:
      SELECT dob FROM users WHERE dob > $1;
      SELECT name FROM users ORDER BY name;
  3. Encrypted Bloom Filters (__full_name_match)

    • Description: Combines AES 256 and envelope encryption within a bloom filter structure.
    • Usage: Enables secure full-text search capabilities on encrypted data.
    • Examples:
      SELECT name FROM users WHERE name LIKE $1;
      SELECT similarity($1, name) FROM users;
  4. HMAC with SHA-256 Encryption (__full_name_unique)

    • Description: HMAC, a keyed hash, computed with a 256-bit key.
    • Usage: Enables exact query matches on encrypted data.
    • Examples:
      SELECT * FROM users WHERE email = $1 AND st = $2;
      CREATE UNIQUE INDEX unique_idx ON users(email);
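
To make methods 3 and 4 concrete, the following added example (not CipherStash code) sketches how a keyed-hash unique index and a bloom-filter match index can answer = and LIKE queries without the plaintext. It uses HMAC-SHA-256 for both indexes as a stand-in, whereas the page describes the match index as built on AES-256 and envelope encryption; the filter size, trigram tokenisation, keys and sample rows are all assumptions.

```python
import hashlib
import hmac

FILTER_BITS = 2048  # assumed filter size
NUM_HASHES = 3      # assumed number of bit positions per trigram

def unique_index(key: bytes, value: str) -> str:
    """Keyed hash of the whole value; equal inputs give equal outputs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def trigrams(text: str) -> set:
    text = text.lower()
    return {text[i:i + 3] for i in range(len(text) - 2)}

def match_index(key: bytes, value: str) -> list:
    """Sorted bloom filter bit positions, shaped like an integer[] column."""
    bits = set()
    for gram in trigrams(value):
        for n in range(NUM_HASHES):
            mac = hmac.new(key, bytes([n]) + gram.encode(), hashlib.sha256)
            bits.add(int.from_bytes(mac.digest()[:4], "big") % FILTER_BITS)
    return sorted(bits)

# Constructed keys and rows, standing in for the SEM columns of a table.
UNIQUE_KEY = b"\x01" * 32
MATCH_KEY = b"\x02" * 32
NAMES = ["Alice Nguyen", "Bob Alvarez", "Carol Malik"]
ROWS = [(unique_index(UNIQUE_KEY, n), match_index(MATCH_KEY, n)) for n in NAMES]

def find_exact(term: str) -> list:
    """WHERE full_name = $1: compare the term's keyed hash to the column."""
    wanted = unique_index(UNIQUE_KEY, term)
    return [i for i, (uniq, _) in enumerate(ROWS)
            if hmac.compare_digest(uniq, wanted)]

def find_like(term: str) -> list:
    """WHERE full_name LIKE $1: every bit of the term must be set in the row.
    Bloom filters can give false positives but never false negatives."""
    wanted = set(match_index(MATCH_KEY, term))
    if not wanted:  # term shorter than one trigram cannot use the index
        return []
    return [i for i, (_, bits) in enumerate(ROWS) if wanted <= set(bits)]

if __name__ == "__main__":
    print(find_exact("Bob Alvarez"), find_like("ali"))
```

Because a bloom filter can return false positives, rows returned by find_like are candidates that would still need to be confirmed against the decrypted source value.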

Resources

Quantum Resistant Encryption

All of Tandem’s encryption schemes are quantum resistant. Neither the Advanced Encryption Standard (AES) with 256-bit keys, nor the SHA3 or Blake hashing schemes, are vulnerable to the same kinds of attacks that might be possible on public key encryption schemes. CipherStash uses these quantum safe schemes as the building blocks for searchable encryption-in-use.
