security and performance analysis of encrypted nosql
play

Security and Performance Analysis of Encrypted NoSQL Databases M.W. - PowerPoint PPT Presentation

Jan 30, 2024 •182 likes •669 views

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam Introduction Problem Securely storing BigData on NoSQL database systems.

  1. Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam

  2. Introduction Problem Securely storing BigData on NoSQL database systems. Necessary because: • PRISM • Security vulnerabilities 1. Ashley Madison 2. Yahoo 3. LinkedIn Solution Encrypt your plain-text data. 1

  3. Introduction Problem Securely storing BigData on NoSQL database systems. Necessary because: • PRISM • Security vulnerabilities 1. Ashley Madison 2. Yahoo 3. LinkedIn Solution Encrypt your plain-text data. 1

  4. Introduction Problem Securely storing BigData on NoSQL database systems. Necessary because: • PRISM • Security vulnerabilities 1. Ashley Madison 2. Yahoo 3. LinkedIn Solution Encrypt your plain-text data. 1

  5. Introduction Plain data 2

  6. Introduction Encryption at rest 3

  7. Introduction Encryption at rest 4

  8. Introduction Research questions • How is SQL-aware encryption realised in NoSQL database engines? • What kind of security does it provide? • How does it compare to encryption at rest? • What is the performance impact of enabling encryption? • What limitations are their in terms of functionality? 5

  9. Computation over encrypted data

  10. Computation over encrypted data End-to-end encrypted database • Key stored at client. • Encryption and decryption by client (end-to-end). • Server can’t read data, how to query? • Homomorphic encryption / Order Revealing Encryption 6

  11. Computation over encrypted data End-to-end encrypted database • Key stored at client. • Encryption and decryption by client (end-to-end). • Server can’t read data, how to query? • Homomorphic encryption / Order Revealing Encryption 6

  12. Computation over encrypted data End-to-end encrypted database • Key stored at client. • Encryption and decryption by client (end-to-end). • Server can’t read data, how to query? • Homomorphic encryption / Order Revealing Encryption 6

  13. Computation over encrypted data Paillier • Partially homomorphic. • Encrypted addition. 7 E ( m 1 ) + E ( m 2 ) = E ( m 1 + m 2 )

  14. Computation over encrypted data ElGamal • Partially homomorphic. • Encrypted multiplication. 8 E ( m 1 ) ∗ E ( m 2 ) = E ( m 1 ∗ m 2 )

  15. Computation over encrypted data Order Revealing Encryption Public compare function on encrypted data. -1 smaller 0 equal 1 greater 9 x > y

  16. SecureMongo

  17. SecureMongo • Based on work by Alves et al. • Python connector wrapper. • Logic at client side. • End-to-end encrytption with queries on encrypted data. Our work: • Sequential inserts. • Serialized AVL tree. • Tree balancing at server side. 10

  18. SecureMongo • Based on work by Alves et al. • Python connector wrapper. • Logic at client side. • End-to-end encrytption with queries on encrypted data. Our work: • Sequential inserts. • Serialized AVL tree. • Tree balancing at server side. 10

  19. SecureMongo Space Delete Insert AVL tree Search Worst Case Average Algorithm Self-balancing binary search tree. 11 O ( n ) O ( n ) O ( log n ) O ( log n ) O ( log n ) O ( log n ) O ( log n ) O ( log n )

  20. SecureMongo overview 12

  21. SecureMongo selection 13

  22. SecureMongo insertion 14

  23. Method

  24. Method Our work • Studied homomorphic / order revealing encryption • Improved earlier work by Alves et al. • Evaluated performance and security 1. Encryption at rest 2. End-to-end encryption 15

  25. Method Plain vs. encryption at rest YCSB 16

  26. Method Plain vs. encryption at rest • YCSB default core workload. • Adjustable with parameters. • Can extend framework with alternative workloads. recordcount 16,000,000 operationcount 100,000 readproportion 0.5 updateproportion 0.5 17

  27. Method Plain vs. computation over encrypted data • BenchmarkDB • Python framework • IMDB movies 18

  28. Results encryption at rest

  29. Results Performance encryption at rest 19 0.0040 0.07 Not encrypted Not encrypted 0.0035 0.06 0.0030 0.05 0.0025 0.04 0.0020 0.03 0.0015 0.02 0.0010 0.01 0.0005 0.0000 0.00 9000 9400 9800 10200 140 160 180 200 220 Insert operations per second Read/update operations per second 0.0040 0.07 Encryption at rest Encryption at rest 0.0035 0.06 0.0030 0.05 0.0025 0.04 0.0020 0.03 0.0015 0.02 0.0010 0.01 0.0005 0.0000 0.00 9000 9400 9800 10200 140 160 180 200 220 Insert operations per second Read/update operations per second

  30. Results Performance encryption at rest 7.3% lower throughput 4.9% lower throughput Read/Update Insert 20 10500 200 Not encrypted Not encrypted Encryption at rest Encryption at rest 10000 190 median(ops/s) median(ops/s) 9500 180 9000 170 8500 160 8000 150 Insert Read/Update

  31. Results Performance encryption at rest 7.5% slower 7.4% slower 5.2% slower Update Read Insert 21 900 60000 Not encrypted Not encrypted Encryption at rest Encryption at rest 850 55000 800 50000 mean(Latency (us)) mean(Latency (us)) 45000 750 40000 700 35000 650 30000 600 25000 550 20000 Insert Read Update

  32. Results SecureMongo

  33. Results Performance SecureMongo 22 Mongo read Mongo write MongoSecure read MongoSecure write 0.10 0.10 0.08 0.08 Average latency Average latency 0.06 0.06 0.04 0.04 0.02 0.02 0.00 0.00 1000 10000 100000 1000 10000 100000 Database size Database size

  34. Results security

  35. Results Security threat model Threat 1 Full access to the database server, both logical and physical. Threat 2 The application server and database server are compromised arbitrarily. 23

  36. Results Security threat model Threat 1: plain Issue The plain-text data is there no elbow grease required for access. 24

  37. Results Security threat model Threat 1: encrypted at rest Issue Key is continuously needed on server. 1. Cold-boot extraction from memory (always). 2. Extract from hard-disk (if key is stored on disk). 3. Retrievable from secondary server by posing as the database-server (can be negated by two factor key retrieval). The AES used is AES-256CBC which is IND-CPA secure. The AES cryptosystem is run using OpenSSL in accordance with FIPS 140-2. 25

  38. Results Security threat model Threat 1: SecMongo framework 1. AES encryption used in AES-128CBC is IND-CPA secure. PyCrypto is used with a randomly generated IV for every encryption. 2. ORE proposed by Lewi and WU ofgers IND-OCPA. 3. ElGamal is proven IND-CPA secure. 4. Paillier is proven IND-CPA secure. 5. The AVL-tree implementation negates inference attack robustness. 26

  39. Results Security threat model Threat 2: plain Issue The plain set-up is still utterly compromised. 27

  40. Results Security threat model Threat 2: encrypted at rest Issue Key retrieval was already possible using a cold-boot attack, threat expansion means decrypted data can be retrieved by posing as the application. 28

  41. Results Security threat model Threat 2: SecMongo framework Issue Key is continuously needed by the application. 29

  42. Conclusion

  43. Conclusion Solution Encrypt your plain-text data. TradeOfg Security Performance 30

  44. Conclusion Solution TradeOfg Security Performance 30 Encrypt your plain-text data. ✓

  45. Conclusion Solution TradeOfg 30 Encrypt your plain-text data. ✓ Security ↔ Performance

  46. Discussion & Future work

  47. Discussion & Future work • Native Tree traversal in MongoDB would increase performance for Secure Mongo Framework, iterative tree traversal would be done on the server. • Although range requests are possible using the ORE encryption, they are not yet implemented. 31

  48. Questions? 31

Recommend

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the Emerging World of Polyglot Persistence , Pearson Education, 2013 Objectives Introduce some key concepts behind the NoSQL family of databases Why NoSQL?

919 views • 19 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 4

376 views • 34 slides
analysing the performance of nosql vs sql databases with respect to Routing in a place which

analysing the performance of nosql vs sql databases with respect to Routing in a place which

Routing Algorithms Sarthak Agarwal, KS Rajan September 18, 2015 Lab for Sptial Informatics International Institute of Information Technology Hyderabad FOSS4G Seoul, South Korea analysing the performance of nosql vs sql databases with respect

426 views • 17 slides
Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security (600/650.624) Introduction Searching usually done over plaintext But what if we could search encrypted data? Bloom Filters Efficient

459 views • 30 slides
Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig

Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig

Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig Network Security Group ETH Zrich 1 Why worry about Big Data Security? Security is well understood and well handled! Really? 2 Problem

360 views • 16 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS > Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through

Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through

Improving the Performance and Endurance of Encrypted Non-volatile Main Memory through Deduplicating Writes Pengfei Zuo, Yu Hua, Ming Zhao*, Wen Zhou, Yuncheng Guo Huazhong University of Science and Technology (HUST), China *Arizona State

702 views • 41 slides
NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

IKT437 Knowledge Engineering and Representation NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and Motivation History of NoSQL Categories of NoSQL Examples of NoSQL systems Encodings

694 views • 55 slides
Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor: Professor Dan C. Marinescu University of Central Florida September 16, 2017 Mohammad Ahmadian (UCF) Secure NoSQL September 16, 2017 1 / 48 Goal

1.31k views • 79 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
open-source, high-performance, document-oriented database

open-source, high-performance, document-oriented database

open-source, high-performance, document-oriented database Non-relational Operational Stores (NoSQL) New Gen. OLAP RDBMS (vertica, aster, greenplum) (Oracle, MySQL) NoSQL Really Means:

358 views • 35 slides
Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev, Kirill Yukhin, Product Manager@Mail.ru Engineering Manager @Mail.ru 1 Agenda Agenda What is Mail.ru Group? What is Tarantool? Performance Storage

1.44k views • 55 slides
NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | DEVELOPER ADVOCATE

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | DEVELOPER ADVOCATE

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | DEVELOPER ADVOCATE Vie no aDB Papers We Love Vie no a SQL Injections? JavaScript Injection

1.02k views • 52 slides
NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian Swami GM, NoSQL @swami_79 @ksshams how can you build your own DynamoDB Scale service? @swami_79 @ksshams lets start with a story about a

1.27k views • 77 slides
1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT & WHEN? Characteristics of NoSQL databases Aggregate data models CAP theorem Ashwani Kumar 16 February 2018 NOSQL Databases 3

647 views • 31 slides
Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security

Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security

Encrypted SSDs: Self-Encryption Versus Software Solutions Michael Willett Storage Security Strategist and VP Marketing Bright Plaza Flash Memory Summit 2015 Santa Clara, CA 1 The Problem 2005-2013: over 864,108,052 records

161 views • 15 slides
Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense? Voldemort Riak HBase Neo4j Cassandra MongoDB CouchDB Membase Redis (and the list goes on...) 2 What went wrong with SQL databases? Nothing!

854 views • 57 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich | 26.04.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

360 views • 18 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel | 30.08.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

1.28k views • 28 slides
NoSQL performance in the real world David Mytton Woop Japan! - Examining each database in turn

NoSQL performance in the real world David Mytton Woop Japan! - Examining each database in turn

NoSQL performance in the real world David Mytton Woop Japan! - Examining each database in turn to look at 3 important factors for production - scaling reads and writes, where bottlenecks can occur and how to deal with redundancy and failover. -

1.24k views • 103 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides

More recommend