DBMask: Fine-grained access control on encrypted relational databases

Muhammad I. Sarfraz, Mohamed Nabeel, Jianneng Cao, Elisa Bertino

Research output: Contribution to journalArticle

1 Citation (Scopus)


DBMask is a system that implements encrypted query processing with support for complex queries and fine grained access control with create, update, delete and cryptographically enforced read (CRUD) operations for data stored on an untrusted database server hosted in a public cloud. Past research efforts have not adequately addressed flexible access control on encrypted data at different granularity levels which is critical for data sharing among different users and applications. DBMask proposes a novel technique that separates fine grained access control from encrypted query processing when evaluating SQL queries on encrypted data and enforces fine grained access control at the granularity level of a column, row and cell based on an expressive attribute-based group key encryption scheme. DBMask does not require modifications to the database engine, and thus maximizes the reuse of the existing DBMS infrastructures. Our experiments evaluate the performance of an encrypted database, managed by DBMask, using queries from TPC-H benchmark in comparison to plaintext Postgres. We further evaluate the functionality of our prototype using a policy simulator and a multi-user web application. The results show that DBMask is efficient and scalable to large datasets.

Original languageEnglish
Pages (from-to)187-214
Number of pages28
JournalTransactions on Data Privacy
Issue number3
Publication statusPublished - 1 Dec 2016
Externally publishedYes


  • Attribute-based group key management
  • Database-as-a-service
  • Encrypted query processing

ASJC Scopus subject areas

  • Software
  • Statistics and Probability

Fingerprint Dive into the research topics of 'DBMask: Fine-grained access control on encrypted relational databases'. Together they form a unique fingerprint.

  • Cite this