New encryption method promises end-to-end cloud security
- By Kevin McCaney
- Jun 13, 2013
Researchers at the Massachusetts Institute of Technology have developed an encryption technique that, down the road, could make cloud computing more secure by ensuring that data remains encrypted while being processed.
The system combines three existing schemes — homomorphic encryption, garbled circuit and attribute-based encryption — into what the researchers call a functional-encryption scheme, according to a report in MIT News. The result is that a database in the cloud could handle a request and return a response without data being decrypted.
A scheme that keeps data secure every step of the way would likely appeal to public-sector agencies, which are increasingly moving applications and services to cloud systems, although for the foreseeable future they’ll have to rely on current security measures. The key barrier right now is computing power — the functional-encryption scheme requires more of it than would be practical.
But the researchers point out that the scheme is nascent and performance improvements, as in other areas of computing, are likely. “It’s so new, there are so many things that haven’t been explored — like, ‘How do you really implement this correctly?’ ‘What are the right mathematical constructions?’ ‘What are the right parameter settings?’” MIT associate professor Nickolai Zeldovich, of the co-authors of a paper on the subject, told MIT News.
Homomorphic encryption has been researched for decades, but the first fully homomorphic scheme was developed four years ago by Craig Gentry of IBM. In 2011, he offered MIT Technology Review a very simple demonstration of the mathematical consistency required: A user sends a request to add the numbers 1 and 2, which are encrypted to become the numbers 33 and 54, respectively. The server in the cloud processes the sum as 87, which is downloaded from the cloud and decrypted to the final answer, 3.
But even that approach has its limits, such as when searching a large encrypted database for a specific record, according to MIT News. Because the request is encrypted, the server can’t come up with an exact match, so it would return information on all of its records, which the user would have to decrypt.
That’s why the team from MIT’s Computer Science and Artificial Intelligence Laboratory, who worked in conjunction with the University of Toronto and Microsoft Research, sought to combine multiple schemes. The system starts with homomorphic encryption (a public-key system), with a decryption algorithm embedded in a garbled circuit (private key) which is itself protected by attribute-based encryption (public key), which ensures the process stays encrypted.
Practical use of the functional-encryption scheme may be far off — and the researcher says it still has to be tested in a production environment — but it does hold promise for the future of cloud computing. Andrew Hay, director of applied security research at CloudPassage, told NetworkWorld that he expects homomorphic encryption to eventually play a big part in security for multi-tenant public cloud environments, such as Amazon EC2 and Google Compute Engine.
Once hardware and other computing components catch up to the scheme’s demands, those clouds could become a lot more secure.
Kevin McCaney is a former editor of Defense Systems and GCN.