Security and Performance Analysis ofEncrypted NoSQL Databases

M.W. Grim BSc., Abe Wiersma BSc.Supervisor: F. Turkmen PhD

February 6, 2017

University of Amsterdam

Introduction

ProblemSecurely storing BigData on NoSQL database systems.

Necessary because:• PRISM• Security vulnerabilities

1. Ashley Madison2. Yahoo3. LinkedIn

SolutionEncrypt your plain-text data.

1

Introduction

ProblemSecurely storing BigData on NoSQL database systems.

Necessary because:• PRISM• Security vulnerabilities

1. Ashley Madison2. Yahoo3. LinkedIn

SolutionEncrypt your plain-text data.

1

Introduction

ProblemSecurely storing BigData on NoSQL database systems.

Necessary because:• PRISM• Security vulnerabilities

1. Ashley Madison2. Yahoo3. LinkedIn

SolutionEncrypt your plain-text data.

1

IntroductionPlain data

2

IntroductionEncryption at rest

3

IntroductionEncryption at rest

4

IntroductionResearch questions

• How is SQL-aware encryption realised in NoSQL database engines?• What kind of security does it provide?• How does it compare to encryption at rest?

• What is the performance impact of enabling encryption?• What limitations are their in terms of functionality?

5

Computation over encrypteddata

Computation over encrypted dataEnd-to-end encrypted database

• Key stored at client.• Encryption and decryption by client (end-to-end).

• Server can’t read data, how to query?• Homomorphic encryption / Order Revealing Encryption

6

Computation over encrypted dataEnd-to-end encrypted database

• Key stored at client.• Encryption and decryption by client (end-to-end).• Server can’t read data, how to query?

• Homomorphic encryption / Order Revealing Encryption

6

Computation over encrypted dataEnd-to-end encrypted database

• Key stored at client.• Encryption and decryption by client (end-to-end).• Server can’t read data, how to query?• Homomorphic encryption / Order Revealing Encryption

6

Computation over encrypted dataPaillier

• Partially homomorphic.• Encrypted addition.

E(m1) + E(m2) = E(m1 + m2)

7

Computation over encrypted dataElGamal

• Partially homomorphic.• Encrypted multiplication.

E(m1) ∗ E(m2) = E(m1 ∗ m2)

8

Computation over encrypted dataOrder Revealing Encryption

Public compare function on encrypted data.

-1 smallerx > y 0 equal

1 greater

9

SecureMongo

SecureMongo

• Based on work by Alves et al.• Python connector wrapper.• Logic at client side.• End-to-end encrytption with queries on encrypted data.

Our work:

• Sequential inserts.• Serialized AVL tree.• Tree balancing at server side.

10

SecureMongo

• Based on work by Alves et al.• Python connector wrapper.• Logic at client side.• End-to-end encrytption with queries on encrypted data.

Our work:

• Sequential inserts.• Serialized AVL tree.• Tree balancing at server side.

10

SecureMongoAVL tree

Self-balancing binary search tree.

Algorithm Average Worst CaseSpace O(n) O(n)Search O(log n) O(log n)Insert O(log n) O(log n)Delete O(log n) O(log n)

11

SecureMongooverview

12

SecureMongoselection

13

SecureMongoinsertion

14

Method

MethodOur work

• Studied homomorphic / order revealing encryption• Improved earlier work by Alves et al.• Evaluated performance and security

1. Encryption at rest2. End-to-end encryption

15

MethodPlain vs. encryption at rest

YCSB

16

MethodPlain vs. encryption at rest

• YCSB default core workload.• Adjustable with parameters.• Can extend framework with alternative workloads.

recordcount 16,000,000operationcount 100,000readproportion 0.5updateproportion 0.5

17

MethodPlain vs. computation over encrypted data

• BenchmarkDB• Python framework• IMDB movies

18

Results encryption at rest

ResultsPerformance encryption at rest

9000 9400 9800 10200Insert operations per second

0.0000

0.0005

0.0010

0.0015

0.0020

0.0025

0.0030

0.0035

0.0040Not encrypted

9000 9400 9800 10200Insert operations per second

0.0000

0.0005

0.0010

0.0015

0.0020

0.0025

0.0030

0.0035

0.0040Encryption at rest

140 160 180 200 220Read/update operations per second

0.00

0.01

0.02

0.03

0.04

0.05

0.06

0.07Not encrypted

140 160 180 200 220Read/update operations per second

0.00

0.01

0.02

0.03

0.04

0.05

0.06

0.07Encryption at rest

19

ResultsPerformance encryption at rest

Insert8000

8500

9000

9500

10000

10500

med

ian(

ops/

s)

Not encryptedEncryption at rest

Read/Update150

160

170

180

190

200

med

ian(

ops/

s)

Not encryptedEncryption at rest

Insert Read/Update4.9% lower throughput 7.3% lower throughput 20

ResultsPerformance encryption at rest

Read Update20000

25000

30000

35000

40000

45000

50000

55000

60000

mea

n(La

tenc

y (u

s))

Not encryptedEncryption at rest

Insert550

600

650

700

750

800

850

900

mea

n(La

tenc

y (u

s))

Not encryptedEncryption at rest

Insert Read Update5.2% slower 7.4% slower 7.5% slower 21

Results SecureMongo

ResultsPerformance SecureMongo

1000 10000 100000Database size

0.00

0.02

0.04

0.06

0.08

0.10

Ave

rage

 late

ncy

Mongo readMongoSecure read

1000 10000 100000Database size

0.00

0.02

0.04

0.06

0.08

0.10

Ave

rage

 late

ncy

Mongo writeMongoSecure write

22

Results security

ResultsSecurity threat model

Threat 1Full access to the database server, both logical and physical.

Threat 2The application server and database server are compromised arbitrarily.

23

ResultsSecurity threat model

Threat 1: plainIssueThe plain-text data is there no elbow grease required for access.

24

ResultsSecurity threat model

Threat 1: encrypted at restIssueKey is continuously needed on server.

1. Cold-boot extraction from memory (always).2. Extract from hard-disk (if key is stored on disk).3. Retrievable from secondary server by posing as the database-server

(can be negated by two factor key retrieval).

The AES used is AES-256CBC which is IND-CPA secure. The AEScryptosystem is run using OpenSSL in accordance with FIPS 140-2.

25

ResultsSecurity threat model

Threat 1: SecMongo framework

1. AES encryption used in AES-128CBC is IND-CPA secure. PyCryptois used with a randomly generated IV for every encryption.

2. ORE proposed by Lewi and WU offers IND-OCPA.3. ElGamal is proven IND-CPA secure.4. Paillier is proven IND-CPA secure.5. The AVL-tree implementation negates inference attack robustness.

26

ResultsSecurity threat model

Threat 2: plainIssueThe plain set-up is still utterly compromised.

27

ResultsSecurity threat model

Threat 2: encrypted at restIssueKey retrieval was already possible using a cold-boot attack, threatexpansion means decrypted data can be retrieved by posing as theapplication.

28

ResultsSecurity threat model

Threat 2: SecMongo frameworkIssueKey is continuously needed by the application.

29

Conclusion

Conclusion

Solution

Encrypt your plain-text data.

✓TradeOffSecurity ↔ Performance

30

Conclusion

Solution

Encrypt your plain-text data.✓

TradeOffSecurity ↔ Performance

30

Conclusion

Solution

Encrypt your plain-text data.✓TradeOffSecurity ↔ Performance

30

Discussion & Future work

Discussion & Future work

• Native Tree traversal in MongoDB would increase performance forSecure Mongo Framework, iterative tree traversal would be done onthe server.

• Although range requests are possible using the ORE encryption, theyare not yet implemented.

31

Questions?

31