Databases and other digital record stores may be protected by passwords, firewalls and other security mechanisms. However, once such security measures are breached then the data may be freely accessible. Therefore, encryption may be used to secure particular attributes, fields or columns within records of a database.
For example, during a SQL insert procedure to add a record to a database, certain columns may be defined as being encrypted. An encryption algorithm may be applied to the values destined for such columns before the data are added. When such data are retrieved then a corresponding decryption function may be applied to the encrypted attributes or values before the data is presented to a calling function.
In such an example, a user could place a record in a dataset with a SQL statement such as:
INSERT INTO dataset (creditCardNumber, cardType, expiryDate, emailAddress, postalAddress) VALUES ('1234 4321 1234 4321', 'VISA', '00-00-00', 'someone@somewhere.com', '1 The Street, Postal Town, Somewhere')
The database may be configured to encrypt the fields creditCardNumber and expiryDate. When the above statement is processed by the database management system, the values 1234 4321 1234 4321 and 00-00-00 will then be automatically encrypted prior to being stored.
Because it is not possible to match search criteria (i.e. a WHERE clause within a SELECT query) against encrypted fields, columns or attributes, at least some of the fields in a record must be in plain text to facilitate retrieval. Therefore, at least some of the data, which is usually some form of business data (i.e. non-primary key data), must be stored in plain text.
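As an added illustration (not part of the original text), the following Python sketch applies the scheme above to the INSERT example: creditCardNumber and expiryDate are encrypted before the row is stored and decrypted on retrieval, and a WHERE clause on the encrypted column fails to match while the plain-text emailAddress remains searchable. The column names and sample values are the page's own; the key, the HMAC-SHA256 counter-mode stand-in cipher and the sqlite3 table are assumptions made for the example (a deployment would use an authenticated cipher such as AES-GCM and a key held outside the application).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key; a deployment would hold this in a KMS or HSM, not in code.
KEY = b"\x01" * 32
COLUMNS = ["creditCardNumber", "cardType", "expiryDate", "emailAddress", "postalAddress"]
ENCRYPTED_COLUMNS = {"creditCardNumber", "expiryDate"}  # the columns the text designates as encrypted

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a stand-in PRF keystream (an AEAD such as AES-GCM in practice)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_value(key, plaintext):
    """Randomised encryption: a fresh nonce means equal plaintexts give different ciphertexts."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_value(key, blob):
    """Inverse of encrypt_value: split off the nonce, regenerate the keystream, XOR back."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def insert_record(conn, key, record):
    """Encrypt the designated columns before the row reaches the database (column list is a fixed constant)."""
    values = [encrypt_value(key, record[c]) if c in ENCRYPTED_COLUMNS else record[c] for c in COLUMNS]
    conn.execute(f"INSERT INTO dataset ({', '.join(COLUMNS)}) VALUES ({', '.join('?' * len(COLUMNS))})", values)

def fetch_by_email(conn, key, email):
    """Search on a plain-text column, then decrypt the protected columns on the way out."""
    rows = conn.execute(f"SELECT {', '.join(COLUMNS)} FROM dataset WHERE emailAddress = ?", (email,)).fetchall()
    return [{c: decrypt_value(key, v) if c in ENCRYPTED_COLUMNS else v for c, v in zip(COLUMNS, row)} for row in rows]

def count_by_card_number(conn, card_number):
    """A WHERE clause on an encrypted column never matches the plain-text value: this returns 0."""
    return conn.execute("SELECT COUNT(*) FROM dataset WHERE creditCardNumber = ?", (card_number,)).fetchone()[0]

def build_demo_db():
    """Constructed in-memory table holding the record from the INSERT statement above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset (creditCardNumber BLOB, cardType TEXT, expiryDate BLOB, emailAddress TEXT, postalAddress TEXT)")
    insert_record(conn, KEY, {"creditCardNumber": "1234 4321 1234 4321", "cardType": "VISA", "expiryDate": "00-00-00",
                              "emailAddress": "someone@somewhere.com", "postalAddress": "1 The Street, Postal Town, Somewhere"})
    return conn
```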
This compromise allows searching and retrieval but can reduce the overall security of the database. Unauthorised access to the database can lead to access to some plain text information. The intruder may use this unencrypted information to determine the most valuable encrypted records and focus any substantial attack on such higher value records. In other words, whilst it may be impractical or impossible to decrypt the entire database, it may be relatively trivial to identify a small subset of high value records that are possible to decrypt within reasonable time frames.
Such a focused attack would be harder to carry out if all columns in the database were encrypted but this would frustrate legitimate searching and retrieval of data.
Therefore, there is required a system and method that overcomes these problems.