security and performance analysis of encrypted nosql databases · security and performance analysis...
TRANSCRIPT
Security and Performance Analysis ofEncrypted NoSQL Databases
M.W. Grim BSc., Abe Wiersma BSc.Supervisor: F. Turkmen PhD
February 6, 2017
University of Amsterdam
Introduction
ProblemSecurely storing BigData on NoSQL database systems.
Necessary because:• PRISM• Security vulnerabilities
1. Ashley Madison2. Yahoo3. LinkedIn
SolutionEncrypt your plain-text data.
1
Introduction
ProblemSecurely storing BigData on NoSQL database systems.
Necessary because:• PRISM• Security vulnerabilities
1. Ashley Madison2. Yahoo3. LinkedIn
SolutionEncrypt your plain-text data.
1
Introduction
ProblemSecurely storing BigData on NoSQL database systems.
Necessary because:• PRISM• Security vulnerabilities
1. Ashley Madison2. Yahoo3. LinkedIn
SolutionEncrypt your plain-text data.
1
IntroductionPlain data
2
IntroductionEncryption at rest
3
IntroductionEncryption at rest
4
IntroductionResearch questions
• How is SQL-aware encryption realised in NoSQL database engines?• What kind of security does it provide?• How does it compare to encryption at rest?
• What is the performance impact of enabling encryption?• What limitations are their in terms of functionality?
5
Computation over encrypteddata
Computation over encrypted dataEnd-to-end encrypted database
• Key stored at client.• Encryption and decryption by client (end-to-end).
• Server can’t read data, how to query?• Homomorphic encryption / Order Revealing Encryption
6
Computation over encrypted dataEnd-to-end encrypted database
• Key stored at client.• Encryption and decryption by client (end-to-end).• Server can’t read data, how to query?
• Homomorphic encryption / Order Revealing Encryption
6
Computation over encrypted dataEnd-to-end encrypted database
• Key stored at client.• Encryption and decryption by client (end-to-end).• Server can’t read data, how to query?• Homomorphic encryption / Order Revealing Encryption
6
Computation over encrypted dataPaillier
• Partially homomorphic.• Encrypted addition.
E(m1) + E(m2) = E(m1 + m2)
7
Computation over encrypted dataElGamal
• Partially homomorphic.• Encrypted multiplication.
E(m1) ∗ E(m2) = E(m1 ∗ m2)
8
Computation over encrypted dataOrder Revealing Encryption
Public compare function on encrypted data.
-1 smallerx > y 0 equal
1 greater
9
SecureMongo
SecureMongo
• Based on work by Alves et al.• Python connector wrapper.• Logic at client side.• End-to-end encrytption with queries on encrypted data.
Our work:
• Sequential inserts.• Serialized AVL tree.• Tree balancing at server side.
10
SecureMongo
• Based on work by Alves et al.• Python connector wrapper.• Logic at client side.• End-to-end encrytption with queries on encrypted data.
Our work:
• Sequential inserts.• Serialized AVL tree.• Tree balancing at server side.
10
SecureMongoAVL tree
Self-balancing binary search tree.
Algorithm Average Worst CaseSpace O(n) O(n)Search O(log n) O(log n)Insert O(log n) O(log n)Delete O(log n) O(log n)
11
SecureMongooverview
12
SecureMongoselection
13
SecureMongoinsertion
14
Method
MethodOur work
• Studied homomorphic / order revealing encryption• Improved earlier work by Alves et al.• Evaluated performance and security
1. Encryption at rest2. End-to-end encryption
15
MethodPlain vs. encryption at rest
YCSB
16
MethodPlain vs. encryption at rest
• YCSB default core workload.• Adjustable with parameters.• Can extend framework with alternative workloads.
recordcount 16,000,000operationcount 100,000readproportion 0.5updateproportion 0.5
17
MethodPlain vs. computation over encrypted data
• BenchmarkDB• Python framework• IMDB movies
18
Results encryption at rest
ResultsPerformance encryption at rest
9000 9400 9800 10200Insert operations per second
0.0000
0.0005
0.0010
0.0015
0.0020
0.0025
0.0030
0.0035
0.0040Not encrypted
9000 9400 9800 10200Insert operations per second
0.0000
0.0005
0.0010
0.0015
0.0020
0.0025
0.0030
0.0035
0.0040Encryption at rest
140 160 180 200 220Read/update operations per second
0.00
0.01
0.02
0.03
0.04
0.05
0.06
0.07Not encrypted
140 160 180 200 220Read/update operations per second
0.00
0.01
0.02
0.03
0.04
0.05
0.06
0.07Encryption at rest
19
ResultsPerformance encryption at rest
Insert8000
8500
9000
9500
10000
10500
med
ian(
ops/
s)
Not encryptedEncryption at rest
Read/Update150
160
170
180
190
200
med
ian(
ops/
s)
Not encryptedEncryption at rest
Insert Read/Update4.9% lower throughput 7.3% lower throughput 20
ResultsPerformance encryption at rest
Read Update20000
25000
30000
35000
40000
45000
50000
55000
60000
mea
n(La
tenc
y (u
s))
Not encryptedEncryption at rest
Insert550
600
650
700
750
800
850
900
mea
n(La
tenc
y (u
s))
Not encryptedEncryption at rest
Insert Read Update5.2% slower 7.4% slower 7.5% slower 21
Results SecureMongo
ResultsPerformance SecureMongo
1000 10000 100000Database size
0.00
0.02
0.04
0.06
0.08
0.10
Ave
rage
late
ncy
Mongo readMongoSecure read
1000 10000 100000Database size
0.00
0.02
0.04
0.06
0.08
0.10
Ave
rage
late
ncy
Mongo writeMongoSecure write
22
Results security
ResultsSecurity threat model
Threat 1Full access to the database server, both logical and physical.
Threat 2The application server and database server are compromised arbitrarily.
23
ResultsSecurity threat model
Threat 1: plainIssueThe plain-text data is there no elbow grease required for access.
24
ResultsSecurity threat model
Threat 1: encrypted at restIssueKey is continuously needed on server.
1. Cold-boot extraction from memory (always).2. Extract from hard-disk (if key is stored on disk).3. Retrievable from secondary server by posing as the database-server
(can be negated by two factor key retrieval).
The AES used is AES-256CBC which is IND-CPA secure. The AEScryptosystem is run using OpenSSL in accordance with FIPS 140-2.
25
ResultsSecurity threat model
Threat 1: SecMongo framework
1. AES encryption used in AES-128CBC is IND-CPA secure. PyCryptois used with a randomly generated IV for every encryption.
2. ORE proposed by Lewi and WU offers IND-OCPA.3. ElGamal is proven IND-CPA secure.4. Paillier is proven IND-CPA secure.5. The AVL-tree implementation negates inference attack robustness.
26
ResultsSecurity threat model
Threat 2: plainIssueThe plain set-up is still utterly compromised.
27
ResultsSecurity threat model
Threat 2: encrypted at restIssueKey retrieval was already possible using a cold-boot attack, threatexpansion means decrypted data can be retrieved by posing as theapplication.
28
ResultsSecurity threat model
Threat 2: SecMongo frameworkIssueKey is continuously needed by the application.
29
Conclusion
Conclusion
Solution
Encrypt your plain-text data.
✓TradeOffSecurity ↔ Performance
30
Conclusion
Solution
Encrypt your plain-text data.✓
TradeOffSecurity ↔ Performance
30
Conclusion
Solution
Encrypt your plain-text data.✓TradeOffSecurity ↔ Performance
30
Discussion & Future work
Discussion & Future work
• Native Tree traversal in MongoDB would increase performance forSecure Mongo Framework, iterative tree traversal would be done onthe server.
• Although range requests are possible using the ORE encryption, theyare not yet implemented.
31
Questions?
31