Cloud and mobile computing give room to an unprecedented level of access points into corporate data leaving you to rethink how to protect it. Client-side encryption is increasingly being used as a solution. While it solves the problem of unauthorized access, it is still in its infancy and has many limitations and pitfalls that IT practitioners should consider before embracing it. (Source: RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Mohamed Nabeel
Client side encryption without knowing
its limits is a ticking time bomb!
PDAC-W03
Research Scientist
Cyber Security, QCRI – Qatar Computing Research Institute
@nabeelxy

2. #RSAC
Encryption is USELESS
Unless You know how and where it ”lives”!

3. #RSAC
Broken disk encryption
DROWN SSL attack
Apple “goto” TLS
ScreenOS backdoors
Broken file encryption
Heartbleed

4. #RSAC
Cause Vulnerability
Weak PBKDF
Weak RNG
Key in the memory
Implementation flaw
Design flaw
Insecure configuration
Backdoors
…
…
…
…
…
…
…

5. #RSAC
Encryption Algorithms are NOT
Broken
Attackers exploit weak links to grab the keys!

6. #RSAC
Right Encryption is better than
USEFUL, it keeps us SAFE!
What is right Encryption?

7. #RSAC
iPaaS
Sensitive Data
* Photo Credit: SnapLogic

8. #RSAC
Sensitive Data Exposure is a key
CONCERN for organizations
Where does sensitive data reside? How to protect them?

9. #RSAC
Cloud Security Alliance – The Notorious Seven
9
1. Abuse of Cloud
2. Insecure APIs
3. Malicious Insider
4. Shared Tech. Vul.
5. Data Breaches
6. Data Loss
7. Account Hijacking
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insider
7. Abuse of Cloud
1. Data Breaches
2. Weak IAM
3. Insecure APIs
4. Sys./App. Vul.
5. Account Hijacking
6. Malicious Insider
7. APTs
2010 2013 2016

10. #RSAC
Server
Data
API
API

11. #RSAC
API
API
Server
Data

12. #RSAC
Right Encryption Can HELP
What is the right encryption for this deployment model?

13. #RSAC
Server
Data
API
API
plaintext
plaintext
Data-at-Rest Encryption
HTTPS
Data-in-Motion Encryption

14. #RSAC
Client Side Encryption
May the keys be with you!

15. #RSAC
Server
Data
You can’t see my data!

16. #RSAC
Server
Data
Broken Functionality

17. #RSAC
Two competing requirements!

18. #RSAC
Computing over Encrypted Data
Can we process ciphertext without decrypting?

19. #RSAC
Homomorphic Encryption
19
Non-deterministic
encryption
Additive
homomorphic
Multiplicative
homomorphic
Fully homomorphic
No operations
One type of
operations
Any operations
AES, RSA, etc.
Paillier (‘99) ElGamal (‘84)
Gentry (‘09)

20. #RSAC
Property Preserving Encryption
to the Rescue
Can we perform business operations on encrypted data?

21. #RSAC
Property Preserving Encryption (PPE) Schemes
21
Deterministic
Encryption
(DE)
E(bob)
E(bob)
#@x*9
Searchable
Encryption
(SE)
Enc. Search Word
E(keyword1)
E(keyword2)
E(keyword1)
E(keyword3)
E(keyword4)
Order
Preserving
Encryption
(OPE)
20
22
101
1921
2191
2642

22. #RSAC
Systems built on top of PPE Technologies (SoPETs)
22
DBMask
CryptDB
BigQuery
Deterministic Encryption (DE)
DBMask
CryptDB
Mylar
ShadowCrypt
Searchable Encryption (SE)
BigQuery
DBMask
CryptDB
Cipherbase
Order Preserving Encryption (OPE)

23. #RSAC
SoPET Products in the Market
23
Salesforce
Workday
Office 365
Enterprise Users
CASB
Cloud Access Security Brokers
Google Drive
Dropbox
S3
Users
CEG
Cloud Encryption Gateway
Enterprise Users
Proxy
Encrypted Databases
ZeroDB
MSSQL

24. #RSAC
What Security Guarantees
SoPETs Provide?
A time ticking bomb!

25. #RSAC
Threat Models
25
Drive Through
Snapshot passive adversary
“Grab and go”
Dine In
Persistent passive adversary
“Sit and enjoy”
Cook Yourself
Active adversary
“Change and enjoy”

26. #RSAC
Encrypted Databases: MS SQL Always Encrypted
26
Name SSN Title Department
Alice *&x@#12# &*xr^t+!# IT
Bob 9(4$$^*1 ^#x@0!1* HR
Eve &&@41*) &*xr^t+!# IT
.Net client lib
SELECT name, SSN FROM emp
WHERE title = “manager”;
SELECT name, SSN FROM emp
WHERE title = “&*xr^t+!#”;
Name SSN
Alice *&x@#12#
Eve &&@41*)
Name SSN
Alice 330-61-
8769
Eve 321-90-
3217
1 2
34

27. #RSAC
Encrypted Databases: BigQuery
27
[
{
“name”: Alice,
”SSN”: *&x@#12#,
“age”: 2345
},
{
“name”: Bob,
”SSN”: 9(4$$^*1,
”age”: 3212
},
{
“name”: Eve,
”SSN”: &&@41*),
”age”: 2110
}
…
]
Proxy
SELECT name, age FROM emp
WHERE age > 20;
1 2
34
SELECT name, age FROM emp
WHERE age > 2531;
[ {
“name”: Bob,
“age”: 3212
}]
BigQuery
[ {
“name”: Bob,
“age”: 24
}]
Any Value
OPE
RND
* CryptDB: Protecting Confidentiality with Encrypted Query Processing, Popa et. al, SOSP 2011
* Onions

28. #RSAC
Encrypted Web Apps: Mylar* (Encrypted Meteor Apps)
28
Data
Principal Graph
Mylar
client
Mylar
server
Encrypted
Server-side
code
* Mylar: Building Web Applications on top of Encrypted Data, Popa et. al, NSDI 2014

29. #RSAC
Inferring Encrypted Data [1/2]
29
Snapshot Passive Adversary
Based on background information/what you don’t encrypt (MS SQL)
Statistical inference on DE encrypted values (MS SQL, CryptDB)*
Sorting attack for OPE encrypted dense columns*
Cumulative (statistical and sorting) attack for OPE encrypted sparse columns*
* Inference Attacks on Property Preserving Encrypted Databases, Naveed et. al, CCS 2015

30. #RSAC
Inferring Encrypted Data [2/2]
30
Persistent Passive Adversary
Monitoring access patterns and metadata to infer encrypted data*
Active Adversary
Brute-force querying
Repeated onion peeling to get to the DE encrypted values
* Breaking Web Applications Built on top of Encrypted Data, Grubbs et. al, CCS 2016

31. #RSAC

32. #RSAC
NOT ENCRYPTED
ENCRYPTED

33. #RSAC
A
C
C
E
S
S
P A
T T
E
R
N
S

34. #RSAC
Property Preserving Leaking
Encryption

35. #RSAC
SoPETs are not so Secure
Which adversaries can SoPETs defend against?

36. #RSAC
SoPETs at best Protect only against
Snapshot Passive Adversaries
What can we do to defend against stronger adversaries?

37. #RSAC
Apply
37
{identify}
Encryption Cast
{in depth}
Defense
{less}
Metadata
{secure}
System Design
{stronger}
PPE Schemes
{more}
Encryption

38. #RSAC
One does not simply use PPE to encrypt.
There are stronger adversaries waiting to get your data. There is
unencrypted data. SoPETs are riddled with metadata and access
traces. The very encryption may reveal information. It is folly.

39. #RSAC
Q&A
More details: medium.com/@nabeelxy