Database data security through the lens of cryptographic engineering

Transcription

1 Database data security through the lens of cryptographic engineering Eugene Pilyankevich, Chief Technical officer, Cossack Labs

2 Data breaches, annually

3 Airplane crashes, annually

4 Airplane crashes?

5 Sensitive data 101 Any data, leakage or tampering of which can lead to damage to data owner, data holder or related third parties.

6 Naïve security model

7 Naïve security model Ops-driven Focused on components

8 Naïve security model Few generic vectors Passive attacks Smash n grab

9 Securing the naïve security model encryption-at-rest encryption-in-transit access distribution & control event monitoring

10 Pragmatic security model

11 Real attackers are: Smart and resourceful Multi-skilled Many vectors of attack targeting an old vulnerability that you forgot to patch.

12 Pragmatic security model Poor perimeter

13 Pragmatic security model Poor perimeter Active and/or persistent attacks

14 Pragmatic security model Poor perimeter Active and/or persistent attacks Data-specific attacks

15 Pragmatic security model Poor perimeter Active and/or persistent attacks Data-specific attacks Systematic approach

16 anything else?

17 Idealistic security model

18 Idealistic security model: Future is now Future is reliable Working as guinea pig is a great idea

19 Idealistic security model: Less than 10 years in public Assumptions assumptions Not tested in production

20 Database encryption

21 What does encryption do? Encryption narrows attack surface from data to keys

22 Database encryption Classic Modern

23 Classic attacks Smash n grab Snapshot attacker Persistent passive attacker

24 Сlassic encryption? Row/column/table Database files Full disk encryption

25 Сlassic encryption? Row/column/table NO DIFFERENCE Database files Full disk encryption

26 Сlassic encryption, defeated Leak keys: Host compromise or snapshot MiTM to leak from traffic Leak plaintext: Host compromise Passive/active MiTM Source compromise

27 Extended classic security Protect data Protect database host Protect transport

28 Typical modern attacks Flow alternation (SQL Injection) VM image leak Full compromise (temporary or persistent)

29

30 Emerging DB attacks

31 Emerging attacks Write inference: Reconstruct transaction from logs Time transactions via bin logs to infer data Read inference: Buffer pool Slow query log if no full log is present

32 Emerging attacks SQL Injections to grab contents of diagnostic tables. information_schema.processlist, performance_schema.threads. See also: events_statements_current, events_statements_history

33 Emerging attacks Snapshot attacks to get memory contents of: Adaptive hash index Query cache Process heap (surprisingly revealing)

34 New sources of risk Access patterns Communication volume

35 Practicalities

36 Limit leakage Limit key leakage: fetch keys from remote side, purge from memory before/after encryption Limit data leakage: many keys, make one leak least problematic

37 Offload Encrypt/store keys on HSM. Proxies! not without drawbacks.

38 Client-side encryption Libraries Various encryption schemes not without drawbacks

39 Encrypted databases Client-side trust Novel crypto scheme enabling remote operations on ciphertext Still a bit of a naïve model

40 Ideally we want New ciphers?

41 Constant failure so exciting! NEW ATTACKS! DISPUTES ON SECURITY! IMPROVED ATTACKS! PROPOSED FIXES! BETTER ATTACKS! EMERGENCY UPDATES! DIFFERENT ATTACKS! NEW PROTOCOLS!

42 Constant failure so exciting!

43 Ideally we want boring crypto Crypto that simply works, solidly resists attacks, never needs any upgrades. Daniel J. Bernstein, famous security/crypto scientist

44 Realistically we need New ciphers! Better crypto schemes

45 Practical ideas Use great stuff Use it correctly

46 Practical ideas Use proven ciphers: ECC, AES, Salsa20 / ChaCha20. Don t roll your own crypto: just don t. Use good libraries.

47 Don t roll your own crypto Simple AES-GCM, ways to fail

48 Don t roll your own crypto Simple AES-GCM call, ways to fail Signed symmetric encryption, ways to fail

49 Don t roll your own crypto Simple AES-GCM call, ways to fail Signed symmetric encryption, ways to fail Key wrapped symmetric encryption, ways to fail

50 Don t roll your own crypto Buffer breaks here and now, with a memory fault. Crypto leaks anywhere at any point in time. Silently.

51 Don t roll your own crypto JUST DON T

52 Practical ideas Enforce non-leaky model(s). Configure with query inference in mind.

53 Practical ideas Rotate encryption keys timely. Revoke keys (rotate on compromise)

54 Practical ideas Focus on active attacks: SQL injections & full compromise. Focus on infrastructure around your DB. Encrypt what is necessary.

55 Practical ideas Use native tools, if they re well audited. Use good frameworks : Encryption: NaCl/Libsodium, Themis, KeyCzar, tink Encrypted shared access: ZeroKit, Hermes, DocRaid

56

57 cossacklabs.com Thank you!

58 Links General interest: Why Your Encrypted Database Is Not Secure, Cryptographically protected database search, Generic Attacks on Secure Outsourced Databases, Recontructing queries, inference, sensitive data leakage and other indirect attacks: InnoDB Database Forensics series: Breaking Web Applications Built On Top of Encrypted Data, Inference attacks Inference Attacks on Property-Preserving Encrypted Databases, Database encryption: Protecting sensitive information with database encryption, Cossack Labs blog, Backend security series, End-to-end data turnover, my talk at UISGCON 12,