german owasp day 2014, 09.12.2014, hamburg : encryption ... · title: german owasp day 2014,...
TRANSCRIPT
[Page 1] German OWASP Day 2014, 09.12.2014, Hamburg. Title: encryption - encrypt all the things. Author: Walter Tighzert.
Cloud encryption - Encrypt all the things!
Walter Tighzert, German OWASP Day 2014
[Page 3]
Cryptographic interlude
• Randomized encryption • Deterministic encryption • Order preserving encryption • Homomorphic encryption
Focus of this slide: randomized encryption (example: AES-CBC with a fresh random IV per value)

| Animal (plaintext) | Animal (encrypted) |
|---|---|
| cat | 09122014… |
| dog | 080012… |
| cat | 0171633… |

The two "cat" rows encrypt to different ciphertexts, so the server cannot tell which rows are equal. SQL operators that still work on such a column: SELECT, COUNT.
[Page 4]
Cryptographic interlude
• Randomized encryption • Deterministic encryption • Order preserving encryption • Homomorphic encryption
Focus of this slide: deterministic encryption (example: AES-ECB)

| Animal (plaintext) | Animal (encrypted) |
|---|---|
| cat | 09122014… |
| dog | 080012… |
| cat | 09122014… |

Equal plaintexts give equal ciphertexts. That is what makes the SQL operators =, DISTINCT, GROUP BY and JOIN work on the encrypted column, and it is also what the server learns: which rows hold the same value, and how often each value occurs.
[Page 5]
Cryptographic interlude
• Randomized encryption • Deterministic encryption • Order preserving encryption • Homomorphic encryption
Focus of this slide: order preserving encryption (Boldyreva et al.)

| Animal (plaintext) | Animal (encrypted) |
|---|---|
| cat | 0171633… |
| cat | 0171633… |
| dog | 080012… |

The ciphertexts sort in the same order as the plaintexts (cat < dog, 0171633… < 080012…), so the SQL operators < and ORDER BY work directly on the column. The server therefore learns the order of every value, not just equality.
[Page 6]
Cryptographic interlude
• Randomized encryption • Deterministic encryption • Order preserving encryption • Homomorphic encryption
Focus of this slide: homomorphic encryption (Paillier)

ENC(f(x, y)) = g(ENC(x), ENC(y))

The server computes g on ciphertexts and obtains the encryption of f applied to the plaintexts, without a key. For Paillier, f is addition and g is multiplication modulo n², which is enough for the SQL operator SUM.
[Page 7]
Cryptographic interlude
• Original query: SELECT animal, SUM(food) FROM animals WHERE quantity > 1 GROUP BY animal
• Rewritten for encrypted columns: SELECT animal_RND, SUM(food_HOM) FROM animals WHERE quantity_OPE > 05ef GROUP BY animal_DET

Each column is stored under the encryption type that supports the operator applied to it: the randomized copy of animal is returned for the client to decrypt, the homomorphic copy of food is summed, the order preserving copy of quantity is compared against 05ef (the order preserving encryption of the constant 1), and the deterministic copy of animal is grouped.
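As an added example, not code from the slides or from CryptDB, the following toy "encrypted database" evaluates the rewritten query from this slide on ciphertexts only, using the three encryption types from pages 4 to 6. Assumptions: Paillier with demo-sized keys and the usual simplification g = n+1; the order preserving encryption is a keyed-gap toy for small integers, not the Boldyreva scheme; and the deterministic column is an HMAC equality token standing in for the AES-ECB column (it gives equality for GROUP BY but cannot be decrypted). All names and the sample rows are constructed for the example.

```python
# Added example, not from the slides: a toy "encrypted database" in which the
# server evaluates  SELECT animal_DET, SUM(food_HOM) FROM animals
#                   WHERE quantity_OPE > ? GROUP BY animal_DET  on ciphertexts only.
# Assumptions: demo-sized Paillier keys with g = n+1; the OPE is a keyed-gap toy,
# not the Boldyreva scheme; the DET column is an HMAC token (equality only).
import hashlib, hmac, math, random, secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, sufficient for demo key sizes."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def paillier_keygen(bits=128):
    """Public key n; private (lambda, mu). With g = n+1, L(g^lambda mod n^2) = lambda."""
    p, q = gen_prime(bits), gen_prime(bits)
    while q == p:
        q = gen_prime(bits)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def paillier_encrypt(n, m):
    """Randomized: (1+n)^m * r^n mod n^2 with a fresh r, so equal m give different c."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def paillier_decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def hom_sum(n, ciphertexts):
    """Server side: the product of ciphertexts decrypts to the sum of plaintexts."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def ope_encrypt(key, x, domain_max=10_000):
    """Toy OPE over 0..domain_max: sum of keyed random gaps, so x < y <=> ope(x) < ope(y).
    Deterministic, and the server learns the order of every value."""
    if not 0 <= x <= domain_max:
        raise ValueError("outside the toy domain")
    return sum(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()[0] % 16 + 1
               for i in range(x + 1))

def det_token(key, value):
    """Equality token: equal plaintexts give equal tokens (the server also sees frequencies)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

ROWS = [("cat", 3, 2), ("dog", 5, 1), ("cat", 4, 3), ("dog", 2, 4)]  # constructed (animal, food, quantity)

def server_query(n, enc_rows, quantity_ope_threshold):
    """The rewritten query, evaluated on ciphertexts: the server holds no key."""
    groups = {}
    for a_det, f_hom, q_ope in enc_rows:
        if q_ope > quantity_ope_threshold:            # OPE column: plain integer compare
            groups.setdefault(a_det, []).append(f_hom)  # DET column: plain equality
    return {a_det: hom_sum(n, cs) for a_det, cs in groups.items()}  # HOM column: SUM

def run_query(threshold=1, rows=ROWS):
    """Client: encrypt the table, send the rewritten query, decrypt the per-group sums."""
    n, priv = paillier_keygen()
    det_key, ope_key = secrets.token_bytes(32), secrets.token_bytes(32)
    enc = [(det_token(det_key, a), paillier_encrypt(n, f), ope_encrypt(ope_key, q)) for a, f, q in rows]
    result = server_query(n, enc, ope_encrypt(ope_key, threshold))
    names = {det_token(det_key, a): a for a, _, _ in rows}  # client re-derives the tokens
    return {names[t]: paillier_decrypt(n, priv, c) for t, c in result.items()}
```

`run_query()` returns `{'cat': 7, 'dog': 2}` for the constructed rows: the dog row with quantity 1 is filtered out by the order preserving comparison, and the remaining food values are summed as Paillier ciphertexts before the client decrypts them. Note what the server saw along the way: which rows share an animal (DET), the relative order of all quantities (OPE), and nothing about the food values (HOM is randomized).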
[Page 8]
Agenda
• Motivation • State of the art • Demo • Challenges
[Page 9]
Motivation - Cloud
• From personal finance (Mint) to company finance (Workday)
• What happens with my data?
• Encryption?
[Page 10]
Cloud scenario (diagram): three parties, End User, SaaS Provider and DaaS Provider, with the data flows between them numbered 1 to 3.
[Page 11]
Solution 1: between DaaS and SaaS (diagram: the encryption layer sits between the SaaS Provider and the DaaS Provider; the End User is unchanged)
[Page 12]
Solution 1: between DaaS and SaaS
• Attacker model: DaaS honest but curious • Example: CryptDB
[Page 13]
Solution 1: between DaaS and SaaS

| Advantages | Disadvantages |
|---|---|
| Complex queries supported | Encryption keys in the cloud |
| Transparent for the application | Plaintext on the SaaS |
[Page 14]
Solution 2: between End User and SaaS (diagram: a Proxy on the Customer side sits between the End User and the SaaS Provider; the DaaS Provider is unchanged)
[Page 15]
Solution 2: between End User and SaaS
• Attacker model: SaaS honest but curious • Commercial solutions from 3rd parties (CipherCloud, Vaultive, …)
• HTTP encryption proxy for specific applications
• No application changes possible
[Page 16]
Solution 2: between End User and SaaS

| Advantages | Disadvantages |
|---|---|
| Keys stay at the customer | Only a few applications are supported |
| | Proxy at the customer |
| | Simple queries (only textual values) |
[Page 17]
Solution 3: between Browser and End User (diagram: the encryption layer sits inside the End User's browser; SaaS Provider and DaaS Provider are unchanged)
[Page 18]
Solution 3: between Browser and End User
• New attacker model: SaaS malicious/compromised
• Research prototypes: ShadowCrypt, Mylar, … • Plaintext is encapsulated in a sandbox inside the browser, so the application's own JavaScript never sees it
[Page 19]
Solution 3: between Browser and End User

| Advantages | Disadvantages |
|---|---|
| Sandbox | Browser-specific |
| Lightweight client | Key management |
| | Simple queries (only textual values) |
[Page 20]
Healthcare Application
[Page 21]
Healthcare Application
• Only JOIN and simple WHERE conditions, which deterministic and order preserving columns can serve
[Page 22]
Sales Dashboard
[Page 23]
Sales Dashboard
• Complex queries with SUM and ORDER BY SUM; ORDER BY SUM is not supported on encrypted data, because the sum exists only as a homomorphic ciphertext, which cannot be compared without decryption
[Page 25]
Challenges
• Functions not supported on encrypted data: ORDER BY SUM; LIKE / fuzzy search queries
• Business logic on the server: TOTAL = SUM(PRICE); IF TOTAL > 200 THEN TOTAL *= 0.9; the comparison needs the plaintext total, which the server never has
-> move it to the client?
[Page 26]
Final Words - Trade-off (diagram: a triangle with Security, Performance and Functionality at its corners; gaining one costs the others)
[Page 28]
Sources
• Mint: https://www.mint.com/images/rd/features/overview_hero.png
• CryptDB: http://css.csail.mit.edu/cryptdb/cryptdbdiag.jpg
• Cloud scenario: [email protected]