On-the fly AES Decryption/Encryption for Cloud SQL Databases
This provides a practical solution for organizations needing secure, outsourced encrypted SQL databases, though it appears incremental as it builds on existing encryption and cloud DBMS capabilities.
The paper tackles the problem of enabling secure, on-the-fly AES256 encryption and decryption for cloud SQL databases, allowing them to function like plaintext SQL DBMS with negligible CPU overhead and minimal storage impact.
We propose the client-side AES256 encryption for a cloud SQL DB. A column ciphertext is deterministic or probabilistic. We trust the cloud DBMS for security of its run-time values, e.g., through a moving target defense. The client may send AES key(s) with the query. These serve the on-the-fly decryption of selected ciphertext into plaintext for query evaluation. The DBMS clears the key(s) and the plaintext at the query end at latest. It may deliver ciphertext to decryption enabled clients or plaintext otherwise, e.g., to browsers/navigators. The scheme functionally offers to a cloud DBMS capabilities of a plaintext SQL DBMS. AES processing overhead appears negligible for a modern CPU, e.g., a popular Intel I5. The determin-istic encryption may have no storage overhead. The probabilistic one doubles the DB storage. The scheme seems the first generally practical for an outsourced encrypted SQL DB. An implementation sufficient to practice with appears easy. An existing cloud SQL DBMS with UDF support should do.