Keeping Secrets: Emerging Practice in Database Encryption

Kenn White
December 05, 2018

Talk from Black Hat Europe 2018

Transcript

  1. Goals
    - Highlight the gaps between real-world attack scenarios and the implicit security guarantees of most popular encrypted databases
    - Review recent advances & breaks in database encryption techniques
    - Look at emerging methods around data in-use & blind admin models
    - Provide architects and defenders with practical guidance for high-sensitivity workloads
  2. A Brief History on Database Encryption...
    - Transport
      - SSL/TLS over native wire protocols
    - Storage
      - Volume encryption (FDE)
  3. A Brief History on Database Encryption...
    - Tables/tablespaces
      - Transparent Data Encryption (TDE)/Encrypted Storage Engine (ESE)
      - Oracle Server TDE
      - SQLServer TDE
      - MongoDB WiredTiger ESE
      - MySQL Enterprise TDE
  4. Current Market
    - Microsoft/Azure
      - Transparent Data Encryption (TDE; server-side)
      - Always Encrypted engine (AE; client-side)
      - Deterministic
      - Randomized
      - SGX enclave encryption
  5. Current Market
    - CryptDB (Popa et al)
    - Google Encrypted BigQuery CMKs - delegated
    - Oracle TDE with table- & column-level encryption
  6. Current Market
    - MongoDB
      - Wired Tiger ESE
      - Atlas (BYOK w/ AWS KMS, Azure Vault, GCP KMS)
      - Enterprise (native KMIP w/ HSM)
  7. Broken Promises
    - Histograms & statistics views: DBA vs. DBA
    - (some) format-preserving encryption
    - (some) deterministic encryption
    - Tokenization
    - Cloud Access Brokers
  8. Broken Promises
    - Histograms & statistics views: DBA vs. DBA
    - (some) format-preserving encryption
  9. Broken Promises
    - Histograms & statistics views: DBA vs. DBA
    - (some) format-preserving encryption
    - (some) deterministic encryption
    - Tokenization
    - Cloud Access Brokers
  10. Your threat model is wrong, but your database is worse
    - Breaking next-gen crypto in 2018 with 9th century frequency analysis
      - Inference attacks on property-preserving encrypted databases (Wright, Naveed, Kamara)
    - Logs, diagnostics, in-memory structures, oh my!
      - Why your database is not secure (Grubbs, Ristenpart, Shmatikov)
  11. Thinking beyond naive on/off key rotation lifecycle: Lessons from Google & Amazon scaling
    - AWS key management service (KMS): Handling cryptographic bounds for use of AES-GCM
      - Campagna & Gueron (Amazon)
    - Achieving high availability in the internal Google key management system
      - Kanagala, et al (Google)
  12. First Principles
    - Threat model-driven design
    - My game over is not your game over
    - RAM is the Achilles heel of confidentiality
    - Snapshot attackers will usually win, but you probably already lost
    - Thinking through zero knowledge
  13. First Principles
    - Sane defenses
    - Rate-limiting
    - Segmentation
    - Partial views/visibility (excellent use case for rational encryption)
    - Real time anomaly detection & response
  14. Quotes
    - "Of course you'd use sane key management & identity access policy." — Cryptographers
    - "We need to give all of Finance, Accounting, HR, and Helpdesk the key." — Senior Management
    - "This web app has [select * from *] & a hard-coded HSM API token." — Production Ops
  15. If your security sucks now without identity management, you'll be pleasantly surprised by the lack of change with encryption.
  16. First Principles
    - Game out your own attacks before the bad guys do it for you
    - "You're on the Internet. You're already getting the pen test, just not the report" — Zane Lackey
  17. Emerging
    - Secure enclave hardware
    - Geo-attestation/location assurance
    - Instance-based identity/temporary credentials
    - Sane FDE & key management
    - Homomorphic encryption
    - Attribute-based (multi-party) encryption
  18. Recommended Reading
    • Microsoft Always Encrypted engine overview
    • Oracle Column-Mode Transparent Data Encryption
    • Deterministic & randomized encryption modes
    • Guidelines for Using the CryptDB System Securely (Popa et al)
    • Outsourcing the Decryption of ABE Ciphertexts
    • Searchable Symmetric Encryption. Kamara & Moataz
    • Inference Attacks on Property-Preserving Encrypted Databases (MSR)
    • Adrian Colyer analysis on Grubbs et al
    • Searchable Symmetric Encryption Implementation: Clusion (Kamara Lab)
  19. Black Hat Sound Bytes
    - Most encrypted database security models are weak/underspecified
    - Encrypted DB disks protect against eBay & Craigslist attacks, not Amazon, Microsoft, Google (and, only minimally, their customers)
    - You may have to think about: court orders/discovery and motivated advanced attackers
    - You do have to think about key surface/exposures, AppSec, SQLi, bearer tokens, API intercepts, backups, logs, sysadmins, DBAs...