why your encrypted database is not secure
play

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom - PowerPoint PPT Presentation

Dec 08, 2023 •816 likes •1.42k views

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov Outsourced Applications Today Server data data Encrypt the data! Encrypt the Data App functionality no App functionality no longer works :( longer

  1. Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

  2. Outsourced Applications Today Server data data

  3. Encrypt the data!

  4. Encrypt the Data App functionality no App functionality no longer works :( longer works :( Server Encrypted Encrypted data data

  5. Encrypt the Data Server Encrypted Encrypted data data • Searchable encryption use property-revealing • Deterministic encryption encryption (PRE) • Order-revealing encryption

  6. Building “Secure” Systems Server Server Encrypted Encrypted data data

  7. Building “Secure” Systems Server Server “computing on encrypted data”

  8. Building “Secure” Systems • CryptDB (SOSP 2011) • CryptDB (SOSP 2011) • Mylar (NSDI 2014) • Mylar (NSDI 2014) • Seabed (OSDI 2016) • Seabed (OSDI 2016) • Arx • Arx • Many others • Many others • Lots of industry and • Lots of industry and government interest!! government interest!!

  9. What They Claim

  10. “Magically Flexible Cryptography”

  11. Claims emulates fully homomorphic encryption emulates fully homomorphic encryption provable confjdentiality provable confjdentiality semantic security semantic security the database does not leak the values the database does not leak the values of sensitive fjelds, even if the attacker of sensitive fjelds, even if the attacker has side information has side information

  12. Fallacy #1 Encryption scheme is “secure” does not mean The system is “secure”

  13. What This Talk Is About … and build a completely insecure system from it Encrypted Encrypted How to take a plausible data data encryption scheme

  14. Unsafe at Any Speed If you look at an actual commodity DBMS … • CryptDB (SOSP 2011) • CryptDB (SOSP 2011) • Mylar (NSDI 2014) • Mylar (NSDI 2014) • Seabed (OSDI 2016) • Seabed (OSDI 2016) • Arx • Arx • Many others • Many others • Lots of industry and • Lots of industry and government interest!! government interest!! … insecure under ANY real-world attack

  16. Threat Models “Snapshot” Server Persistent Encrypted Encrypted passive data data Active

  17. Claims Meet Reality • Secure against active attacks: false – Grubbs et al. “Breaking web applications built on top of encrypted data” (CCS 2016) • Secure against “snapshot” attacks: false – Grubbs et al. “Why your encrypted database is not secure” (HotOS 2017) • Sensitivity analysis helps: false – Bindschaedler et al. “The tao of inference in privacy- protected databases” (forthcoming)

  18. Security Against Active Attacks

  19. Mylar Insecure proxy re- encryption scheme Add orange user Hiring plan for 2017 [see Van Rompay et al. 2017] I trust I trust ( ) blue user blue user My secret diary Server, you can convert all Server, you can convert all my searches to blue key. my searches to blue key. Here’s a token to do it. Here’s a token to do it.

  20. Mylar Under Active Attack Hiring plan for 2017 Search(w) ( ) My secret diary

  21. some user machines … collude with some user machines … collude with the server… because the the server… because the adversary broke into a user’s adversary broke into a user’s machine machine

  22. Mylar Under Active Attack Hiring plan for 2017 Search(w) ( ) My secret diary Unkeyed “hash” of keyword. Unkeyed “hash” of keyword. Perform dictionary attack. Perform dictionary attack. ( ) + + = H(w) Search(w)

  23. … as long as none of the … as long as none of the users with access to that users with access to that data item use a data item use a compromised machine compromised machine

  24. Mylar Under Active Attack Hiring plan for 2017 Search(w) My secret diary None of the users with None of the users with access to this data item use access to this data item use a compromised machine a compromised machine

  25. Mylar in a Hospital One nurse loses their laptop, One nurse loses their laptop, server can compromise every server can compromise every doctor’s private fjles doctor’s private fjles

  26. “Snapshot” Threat Model Server False in any realistic Existing systems explicitly snapshot attack on a claim security commodity DBMS … assuming there are no queries in the snapshot

  27. A Simple System Abstraction OS Volatile DB memory Persistent storage

  28. Actual Attacks Full-system compromise OS Volatile VM DB memory snapshot leak SQL Persistent injection storage Disk theft

  29. Case Study: MySQL similar issues in any other commodity DBMS Failed encrypted Attack What MySQL leaks database MVCC data Arx’s range query Disk theft structures index Seabed’s SPLASHE SQL Injection Past query statistics scheme Full system CryptDB, Lewi/Wu, compromise or VM Text of past queries etc. snapshot leak

  30. Disk Theft If this is your threat model, just use full-disk encryption

  31. Logs on Disk Data modifjcation queries General query log (not widely used) can be reconstructed from Binary log records modifjcations, these logs used for replication and recovery [FHMW ’10, FKSHW ’12] Multi-version concurrency control using log data structures In all modern SQL databases! Insert Select MVCC log In Update Up ->

  32. Poddar et al. Arx Range queries via chained garbled circuits Tree nodes become consumed, need replacing >=2 >=2 E k (5) I used up these nodes >=2 E k (3) E k (7) Here, refresh nodes with these ciphertexts E k (1) E k (2) E k (3) E k (2) >=2 E k (5)

  33. Poddar et al. Security Claim for Arx “Arx protects the database with the “Arx protects the database with the same level of security as regular same level of security as regular AES-based encryption” AES-based encryption”

  34. Arx Under Snapshot Attack Range queries via chained garbled circuits Tree nodes become consumed, need replacing Consumed nodes immediately replaced, stored in MVCC log E k (5) E k (5) Query access pattern recorded on disk E k (3) E k (3) E k (7) Here, refresh nodes E k (1) E k (2) E k (2) Snapshot attacker can recover queries with these ciphertexts Up E k (3) and plaintexts using variants of attacks Up E k (2) E k (3) E k (2) from [GSBNR - S&P ‘17] Up E k (5) E k (5)

  35. SQL Injection Failed encrypted Attack What MySQL leaks database MVCC data Arx’s range query Disk theft structures index Seabed’s SPLASHE SQL Injection Past query statistics scheme Full system CryptDB, Lewi/Wu, compromise or VM Text of past queries etc. snapshot leak

  36. SQL Injection SQL injection accounted for 51% of all Web application attacks in 2016 (source: Akamai) Malicious code Runs here

  37. Diagnostic Tables information_schema stores current query for all users, Separate counts for queries contents of buffer cache which involve different columns performance_schema stores current query for all threads, statistics for past queries performance_schema 1 2 Inserts: Insert 1 Selects: Select Insert

  38. Problem: Frequency Analysis Name Has given this talk before Paul Grubbs 1 Thomas Ristenpart 0 Vitaly Shmatikov 0 Order-preserving encryption reveals histogram of plaintext values This is how Naveed et al. used frequency analysis to break CryptDB: match histogram to auxiliary model of data distribution

  39. Papadimitriou et al. (OSDI 2016) Seabed Name Has given this talk before Paul Grubbs 1 Thomas Ristenpart 0 Vitaly Shmatikov 0 (“Has …”=1) (“Has …”=0) Each possible plaintext gets Name C2 C3 its own column aspoiwnpoinio E k (1) E k (0) WHERE clause transformed petryoiueytiew E k (0) E k (1) to correct column Xncmxncmbcn E k (0) E k (1) SELECT Count(“Has … ”) WHERE “Has …”=1 SELECT Count(C2) Separate counts for queries which involve different columns

  40. Example

  41. SQLi Extracts Diagnostic Tables Use frequency analysis to recover plaintexts (see paper for details) performance_schema: Selects for C2: 1 SELECT Count(C3) 2 Selects for C3: SELECT Count(C2) SELECT Count(C3) Separate counts for queries which involve different columns

  42. Full-System Snapshot Failed encrypted Attack What MySQL leaks database MVCC data Arx’s range query Disk theft structures index Seabed’s SPLASHE SQL Injection Past query statistics scheme Full system CryptDB, Lewi/Wu, compromise or VM Text of past queries etc. snapshot leak

  43. Full-System Compromise Leakage of sensitive data at OS level is well-studied [CPGR, DLJKSXSW] We focus on DBMS address space, things inaccessible to users

  44. Data Structures and Caches Adaptive hash index tracks pages accesses, indexes automatically MySQL query cache stores select queries and results Other query caches (memcached) essential for performance! MySQL manages internal heaps, does not zero freed memory! Insert Select Select

  45. Token-Based Systems Still there. CryptDB, Mylar, Lewi-Wu, other Still there. searchable encryption schemes Still there. cannot be semantically secure if Still there. attacker sees a single search token Select Search Search token token 1,000 random selects… Waited a while… 100,000 more random selects…

  46. Let Me Make Myself Perfectly Clear These encrypted databases CANNOT be semantically secure under ANY real-world attack

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted

Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted

I V N E U R S E I Fast and Secure H T Y T O H Laptop Backups F G R E U D B I N with Encrypted De-duplication Le Zhang <zhang.le@ed.ac.uk> Paul Anderson <dcspaul@ed.ac.uk> LISA 2010 Laptop Backup Options

390 views • 18 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure and easy to access. TOTAL RECALL BENEFITS Keychain & Safari are integral to Apples operating systems. (IOS for iPad/iPhone and OS X for

442 views • 9 slides
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs , Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson pag225@cornell.edu, @pag_crypto Outsourced Databases Database Encrypting Outsourced

705 views • 23 slides
CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield,

CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield,

CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL Problem } Confidential data leaks from databases (DB) } 2012: hackers extracted 6.5

465 views • 30 slides
Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson CASYS team seminar, Grenoble, December 2018 Outsourcing Data with Search Capabilities Data

534 views • 38 slides
Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng

Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng

Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng Yang, Li Xiong, and Jian Pei. Secure Skyline Queries on Cloud Platform. ICDE 2017. Jinfei Liu, Juncheng Yang, Li Xiong, and Jian Pei. Secure and

1.1k views • 72 slides
Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud

Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud

Computations on Encrypted Data for the Cloud David Pointcheval CNRS - ENS - INRIA Secure Cloud Services and Storage Workshop Oslo, Norway - September 10th, 2017 The Cloud David Pointcheval Introduction 2 / 17 Anything from Anywhere One

290 views • 17 slides
How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k )

How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k )

How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k ) K Secure Communiation Enc ( K , m ) c Dec (K, c ) m Alice Bob Eve Encryption 3 Gen ( 1 k ) K Secure Storage Enc (

1.42k views • 84 slides
Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted

Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted

CS573 Data Privacy and Security Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted data Homomorphic encryption What is Cloud Computing ? Cloud computing Type of computing that relies on sharing

1.29k views • 62 slides
Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson eprint 2019/011 and IEEE S&P 2019. C2 seminar, Rennes, 2019 Outsourcing Data Data upload

646 views • 39 slides
Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee

Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee

Smarter decisions with no privacy breaches Dan Bogdanov & the Sharemind team dan@cyber.ee http://sharemind.cyber.ee/ Secure computing encrypted database standard When a standard database tools encrypts data, it must be

483 views • 16 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft

Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft

Secure Database Commitments and Universal Arguments of Quasi Knowledge Melissa Chase (Microsoft Research) Ivan Visconti (University of Salerno) Size hiding protocols Traditional secure computation: All existing definitions and Parties

631 views • 22 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 21 TODAY: Homomorphic

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 21 TODAY: Homomorphic

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 21 TODAY: Homomorphic Encryption 1. Secure Outsourcing Input: x Program: P Enc (x) x Enc (P(x)) P(x) Client Server (the Cloud) A Special Case: Encrypted Database Lookup

515 views • 38 slides
Secure XML Database Access with Views SecReT09 Benoit Groz (joint work with Anne-Ccile

Secure XML Database Access with Views SecReT09 Benoit Groz (joint work with Anne-Ccile

Secure XML Database Access with Views SecReT09 Benoit Groz (joint work with Anne-Ccile Caron,Yves Roos, Sawek Staworko, Sophie Tison) Mostrare 10 juillet 2009 B. Groz, S. Staworko et al (Mostrare) Secure XML Database Access with Views

498 views • 30 slides
Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015 The Cloud David Pointcheval Introduction 2 / 30 Access from

761 views • 41 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Recall the Racket PostFix Interpreter Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args) ) PostFix and S-expressions (define (postfix-exec-commands cmds init-stk) ) (define

306 views • 6 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides
Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay Old Cryptography Scytale (ancient Greece) Caesar Cipher 100 BC - 44 BC Cryptanalysis (simple frequency analysis) of Caesar cipher by

368 views • 13 slides
Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

CSE 484 / CSE M 584 Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics / Reminders Class tomorrow at PCAR 290 Lab #2 due 5/20,5pm (next Wednesday) Next office hour: Michael and

574 views • 22 slides

More recommend