LGPD: A Survey of Cryptographic and Anonymization Techniques for Protecting Databases

Abstract


Law No. 13,709 of 14 August 2018, known as the Lei Geral de Proteção de Dados Pessoais (LGPD, Brazil's General Personal Data Protection Law), was enacted to establish principles and rules for the protection of natural persons with respect to the processing of their data, especially in digital form. This creates the need for technological solutions capable of meeting the requirements the law imposes. In this work, we present a survey of anonymization and cryptographic techniques and tools that show potential to assist in complying with the LGPD, in the specific case of protecting databases. Among the techniques compared, none satisfies every situation perfectly, whether because of performance or because of security considerations. Even so, we conclude that these solutions should be used whenever possible, since they have the potential to significantly increase the security of systems and to help with compliance with the law.

Published
13/10/2020
SOUSA, Thiago R.; COUTINHO, Murilo; COUTINHO, Lilian; ALBUQUERQUE, Robson. LGPD: Levantamento de Técnicas Criptográficas e de Anonimização para Proteção de Bases de Dados. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 20., 2020, Petrópolis. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 55-68. DOI: https://doi.org/10.5753/sbseg.2020.19227.