Founded: 2004
Location: Bozeman, MT; Seattle, WA; Portland, OR
Open Source Embedded Security (for Applications, Devices, and the Cloud)
- CyaSSL, yaSSL
- yaSSL Embedded Web Server
Part I: MySQL Security
  1. Good Security Practices for MySQL
Part II: SSL/TLS
  1. Overview of SSL and TLS
  2. Configuring and Building MySQL with SSL
  3. MySQL SSL Command Options
  4. SSL Certificate Creation
  5. Performance Comparison
Part III: Additional Security Concerns
  1. Data Storage and Encryption
Part IV: Wrap-Up
  1. Licensing
Part I
MySQL Security
YES!
MySQL is Susceptible to Many Attacks:
- Basic Attacks (empty password, etc.)
- SQL Injection Attacks
- Known MySQL Bugs and Vulnerabilities
yaSSL vulnerabilities affecting MySQL in the past:
- CVE-2005-3731: Certificate Chain Processing
- CVE-2008-0227: Denial of Service (crash)
- CVE-2008-0226: Allowed Execution of Arbitrary Code
- CVE-2009-4484: Allowed Execution of Arbitrary Code, Denial of Service Possible
Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good)

shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;
log files
Part II
SSL / TLS
Slide 20 / 69
By default, MySQL uses unencrypted connections between the client and server!
+ Prevent modification
[Diagram: SSL beneath application protocols such as HTTP, LDAP, etc.]
SSL: Authentication
[Diagram: Alice and Bob]
SSL: Authentication
[Diagram: Alice and Bob each hold a Private key and a Public key]
SSL: Authentication
[Diagram: Alice and Bob each hold a Private key and an X509 Cert carrying their Public key]
-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:4a:75:be:91:66:d8:3d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:03:d1:2b:fe:39:a4 ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com
                serial:87:4A:75:BE:91:66:D8:3D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        1c:7c:42:81:29:9e:21:cf:d0:d8 ...
Copyright 2012 yaSSL
SSL: Authentication
[Diagram: Alice and Bob each hold a Private key and an X509 Cert carrying their Public key, signed by a CA]
SSL: Authentication
Buy: VeriSign, DigiCert, Comodo, etc.
- Costs $$$
- Trusted
Create: created yourself (self-sign)
- Free!
- Trusted (if you control both sides)
SSL: Encryption
- Uses a variety of encryption algorithms to secure data
Hashing Functions: MD4, MD5, SHA
Block and Stream Ciphers: DES, 3DES, AES, ARC4
Public Key Options: RSA, DSA, DSS
CIPHER SUITE
SSL: Encryption
- A common CIPHER SUITE is negotiated
Protocol_keyexchange_WITH_bulkencryption_mode_messageauth
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
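The naming pattern above (Protocol_keyexchange_WITH_bulkencryption_mode_messageauth) can be parsed mechanically, which is useful when auditing what a server is willing to negotiate. The following is an added example, not code from the slides or from yaSSL: it splits an IANA-style suite name into its fields and lists the components a defender would normally refuse (DES, RC4, NULL, MD5, keys under 128 bits, no forward secrecy). The weakness rules and the fixed key sizes for DES/3DES are the author's own assumptions; OpenSSL-style names such as AES128-SHA, as used with --ssl-cipher, follow a different scheme and are rejected rather than guessed at.

```python
"""Added example (not from the slides): parse SSL/TLS cipher suite names of
the form Protocol_keyexchange_WITH_bulkencryption_mode_messageauth and flag
components a defender would not want negotiated."""

# Key exchanges that give forward secrecy (ephemeral Diffie-Hellman).
_EPHEMERAL_PREFIXES = ("DHE_", "ECDHE_")
# Tokens that name a block-cipher mode rather than part of the cipher name.
_MODES = {"CBC", "GCM", "CCM"}
# Effective key strength of ciphers whose names carry no bit count (assumed).
_FIXED_KEY_BITS = {"DES": 56, "3DES_EDE": 112, "NULL": 0}


def parse_cipher_suite(name):
    """Return a dict describing one IANA-style cipher suite name."""
    if "_WITH_" not in name:
        raise ValueError("not an IANA-style cipher suite name: %r" % name)
    head, tail = name.split("_WITH_", 1)
    protocol, _, key_exchange = head.partition("_")
    if protocol not in ("SSL", "TLS") or not key_exchange:
        raise ValueError("unknown protocol prefix in %r" % name)

    tokens = tail.split("_")
    mac = tokens.pop()                    # last field: message authentication
    mode = tokens.pop() if tokens and tokens[-1] in _MODES else None
    key_bits = None
    if tokens and tokens[-1].isdigit():   # e.g. AES_128, RC4_128
        key_bits = int(tokens.pop())
    cipher = "_".join(tokens)             # what is left: AES, DES, 3DES_EDE, RC4 ...
    if key_bits is None:
        key_bits = _FIXED_KEY_BITS.get(cipher)

    return {
        "protocol": protocol,
        "key_exchange": key_exchange,
        "forward_secrecy": key_exchange.startswith(_EPHEMERAL_PREFIXES),
        "cipher": cipher,
        "key_bits": key_bits,
        "mode": mode,
        "mac": mac,
    }


def weaknesses(name):
    """List the reasons a suite should not be allowed; empty if none apply."""
    suite = parse_cipher_suite(name)
    problems = []
    if suite["cipher"] in ("NULL", "DES", "3DES_EDE", "RC4"):
        problems.append("weak cipher %s" % suite["cipher"])
    if suite["key_bits"] is not None and suite["key_bits"] < 128:
        problems.append("%d-bit key" % suite["key_bits"])
    if suite["mac"] in ("MD5", "NULL"):
        problems.append("weak MAC %s" % suite["mac"])
    if not suite["forward_secrecy"]:
        problems.append("no forward secrecy")
    return problems


if __name__ == "__main__":
    # The suites listed on the slide, plus one RC4 suite for contrast (constructed).
    for s in ("SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
              "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"):
        print("%-36s %s" % (s, ", ".join(weaknesses(s)) or "ok"))
```

Of the five suites on the slide, only TLS_DHE_RSA_WITH_AES_256_CBC_SHA and TLS_DHE_DSS_WITH_AES_128_CBC_SHA come out clean under these rules; the two DES suites fail on both cipher and key size, and the static-RSA AES suite lacks forward secrecy.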
SSL: Handshake
Client -> Server: Client Hello
Server -> Client: Server Hello (Cipher Suite), Server Certificate, Server Key Exchange (public key), (Client Certificate Request), Server Hello Done
SSL is Everywhere!
- Browsers
- Email
- Routers
- Factory Automation
- VoIP
- Automobile Communications
- Sensors
- Smart Power Meters
And much more!!
- Your system must support either OpenSSL or yaSSL
- MySQL must be built with SSL support
-DWITH_SSL options:
no: No SSL support (default)
yes: Use system SSL library if present, else bundled library
bundled: SSL library bundled with MySQL (yaSSL)
system: Use the system SSL library
To allow client connections through SSL, start MySQL with the appropriate options:
--ssl-ca: identifies the certificate authority certificate
--ssl-cert: identifies the server certificate (public key)
--ssl-key: identifies the server private key
MySQL SSL options (columns: Option File, System Var, Dynamic; values are in the manual page below):
have_openssl, have_ssl, skip-ssl, ssl, ssl-ca, ssl-capath, ssl-cert, ssl-cipher, ssl-key, ssl-verify-server-cert
http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html
have_openssl, have_ssl
YES = mysqld supports SSL connections
DISABLED = server was compiled with SSL support, but it is not enabled (no --ssl-xxx options given)
skip-ssl
Indicates that SSL should not be used (same as using --ssl=0)
ssl
Server: specifies that the server permits SSL connections
Client: permits a client to connect to the server using SSL
ssl-ca
ssl-capath
The path to a directory containing trusted CAs (PEM format)
*NOTE: Only supported when using OpenSSL
ssl-cert
Name of the SSL certificate to be used
ssl-cipher
A list of permissible ciphers to use for SSL
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
ssl-key
Name of the SSL key file
ssl-verify-server-cert
- Clients only
- Server's Common Name verified against server host name
- Connection rejected if no match
A. Generating Certificates
1. Create CA certificate (private key, public cert)
2. Create server key
3. Create server certificate
4. Create client key
5. Create client certificate
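The five steps above, carried out with the openssl command line, as an added example that is not part of the slides or of yaSSL. The subject names, the output directory, the 10-year validity and the serial numbers are constructed placeholders; the flow (CA key and self-signed CA cert, then a CA-signed key/cert pair for the server and another for the client) is the standard one, and the script finishes with the same chain check each peer performs during the handshake.

```sh
#!/bin/sh
# Added example, not from the slides: CA, server and client key/certificate
# generation with the openssl CLI. Subject names and the output directory
# are constructed placeholders; replace them with your own.
set -eu

SUBJ_BASE="/C=US/ST=Oregon/L=Portland/O=Example"   # placeholder DN prefix

# Minimal openssl config so the CA certificate gets CA:TRUE regardless of
# which system openssl.cnf happens to be installed.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create <name>-key.pem and <name>-cert.pem in the current directory, signed
# by ca.pem / ca-key.pem. Serial numbers must be unique per CA.
make_signed_pair() {
    name=$1; cn=$2; serial=$3
    # Key plus certificate signing request in one step (-nodes: no passphrase,
    # because mysqld has to read the key unattended at startup).
    openssl req -newkey rsa:2048 -nodes -keyout "$name-key.pem" \
        -out "$name-req.pem" -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
    # Rewrite the key as traditional "RSA PRIVATE KEY" PEM; older MySQL/yaSSL
    # builds do not read the PKCS#8 form. OpenSSL 3 needs -traditional for this.
    trad=
    openssl rsa -help 2>&1 | grep -q -- '-traditional' && trad=-traditional
    openssl rsa $trad -in "$name-key.pem" -out "$name-key.tmp" 2>/dev/null
    mv "$name-key.tmp" "$name-key.pem"
    chmod 600 "$name-key.pem"
    # Sign the request with the CA.
    openssl x509 -req -in "$name-req.pem" -days 3650 -CA ca.pem \
        -CAkey ca-key.pem -set_serial "$serial" -out "$name-cert.pem" 2>/dev/null
    rm -f "$name-req.pem"
}

# Steps 1-5: CA, then server key/cert, then client key/cert, written to $1.
generate_certs() {
    mkdir -p "$1"
    (
        cd "$1"
        write_ca_config req.cnf
        # 1. CA private key and self-signed CA certificate (what --ssl-ca points at).
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -config req.cnf \
            -key ca-key.pem -subj "$SUBJ_BASE/CN=example-ca" -out ca.pem
        # 2+3. Server key and certificate. MySQL requires the server CN to
        #      differ from the CA CN, otherwise verification fails.
        make_signed_pair server example-server 01
        # 4+5. Client key and certificate, with a third distinct CN.
        make_signed_pair client example-client 02
        rm -f req.cnf
    )
}

# Confirm both leaf certificates chain to the CA, as each peer checks during
# the handshake. Exit status is non-zero if either fails.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem"
}

# Usage: sh gen-certs.sh /path/to/mysql/certs
if [ $# -eq 1 ]; then
    generate_certs "$1"
    verify_chain "$1"
fi
```

Point --ssl-ca at ca.pem on both sides, --ssl-cert/--ssl-key at server-cert.pem/server-key.pem on the server and at client-cert.pem/client-key.pem on the client; the key files are created mode 600 because anyone who can read them can impersonate that side.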
Test Machine: MacBook Pro 2.33 GHz, 2 GB 667 MHz DDR2 SDRAM, Mac OS X 10.6.6 (Snow Leopard)
Footprint Size
Command: du -sh .
Result: [Chart: Size (Mb), 239 vs. 227; 5.3% Difference (12 Mb)]
Command: du -sh *
[Chart: Size (Mb) per directory]
[Chart: No SSL vs. SSL]
[Chart: 2.67; concurrency 16, 32]
[Chart: 0.76; Client Concurrency = 8; No SSL vs. SSL]
Part III
Additional Security Concerns
Data Encryption
Advantages
- Data encrypted between code & MySQL
- Allows the use of bin logging (MySQL backup/replication)
Disadvantages
- What to do with the key?
Gazzang ezNcrypt
ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk. Traditionally called Transparent Data Encryption (TDE). The data is encrypted transparently; no changes are needed to your application, code or MySQL.
Application SQL: insert into orders (number, credit card, ...) values (20090101, 4307, ...)
Gazzang ezNcrypt
Gazzang Key Storage System (KSS)
Part IV
Wrap-Up
Licensing Concerns
Thanks!
http://www.yassl.com
Helpful Sources
MySQL Manual:
- http://dev.mysql.com/doc/refman/5.5/en/
- http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
- http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
- http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
- http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
MySQL Security Resources around the Internet:
- http://www.symantec.com/connect/articles/secure-mysql-database-design
SSL/TLS:
- https://www.ssllabs.com/
- http://en.wikipedia.org/wiki/Transport_Layer_Security