Efficient Network-Based Enforcement of Data Access Rights

Bibliographic Details
Published in: Security and Cryptography for Networks, pp. 236-254
Main Authors: Giura, Paul; Kolesnikov, Vladimir; Tentes, Aris; Vahlis, Yevgeniy
Format: Book Chapter
Language: English
Published: Cham: Springer International Publishing, 2014
Series: Lecture Notes in Computer Science
ISBN: 3319108786, 9783319108780
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-319-10879-7_14
Summary: Today, databases, especially those serving or connected to the Internet, need strong protection against data leakage stemming from misconfiguration as well as from attacks such as SQL injection. Insider and Advanced Persistent Threat (APT) attacks are also increasingly common in the security landscape. We introduce an access control list (ACL)-based policy checking and enforcement system designed specifically to prevent unauthorized (malicious or accidental) exfiltration of database records from real-life large-scale systems. At the center of our approach is a trusted, small-footprint, lightweight policy checker (e.g., implemented as a router function) that filters all outgoing traffic. We provably guarantee that only authorized data may be sent outside, and only to the right recipients. We design and formally prove the security of two access control schemes with distinct security and performance guarantees: one based on authenticated Bloom filters, and one based on either long or short (e.g., 16-bit) aggregated MAC codes. The use of the short codes, while providing a clear performance benefit, cannot be proven secure by a simple reduction to existing aggregated MAC tools and required careful handling and a concrete security analysis. The advantage of our schemes is that they are both simple and much more efficient than naive MAC-based access control. Our solution requires explicit designation of each record-attribute-user tuple as permitted or disallowed. We rely on shared-secret-key cryptography, and our system can scale even for use by large organizations. We implemented and deployed our algorithms in an industrial system setup. Our tests mimic usage scenarios of a medium-size database (10M records) of telephone company call records. Our experiments show that we achieve high (scalable) efficiency in both server and checker computation, as well as extremely low communication overhead.