Securing MySQL with a Focus on SSL

View slides from Chris Conlon's presentation about securing MySQL - including an intro to SSL, and performance statistics for MySQL SSL usage.

To learn more about yaSSL products or the CyaSSL embedded SSL library, visit www.wolfssl.com.

1. Securing MySQL! With a Focus on SSL
http://www.yassl.com
(206) 369-4800
2. yaSSL (yet another SSL)
Founded: 2004
Location: Bozeman, MT; Seattle, WA; Portland, OR
Our Focus: Open Source Embedded Security (for Applications, Devices, and the Cloud)
Products:
- CyaSSL, yaSSL
- yaSSL Embedded Web Server
© Copyright 2012 yaSSL
3. Why is this Important?
Ivan Ristic: Internet SSL Survey 2010 (http://www.ssllabs.com)
- Of the Alexa Top 1M sites, 120,000 use SSL (12%)
4. What are we going to talk about?
Part I: MySQL Security
  1. Good Security Practices for MySQL
Part II: SSL/TLS
  1. Overview of SSL and TLS
  2. Configuring and Building MySQL with SSL
  3. MySQL SSL Command Options
  4. SSL Certificate Creation
  5. Performance Comparison
Part III: Additional Security Concerns
  1. Data Storage and Encryption
Part IV: Wrap-Up
  1. Licensing
5. Part I: MySQL Security
- MySQL Updates
- Account Passwords
- Test Databases
- mysqld
- Privileges
6. MySQL: Good Security Practices
Do we really need to secure our MySQL database? YES!
MySQL is susceptible to many attacks:
- Basic attacks (empty or default passwords, anonymous accounts, etc.)
- SQL injection attacks through the applications that use the database
- Known MySQL bugs and vulnerabilities
7. MySQL: Good Security Practices
Keeping MySQL Up to Date
An easy way to stay better protected:
- New MySQL releases ship patches and bug fixes, including security fixes
- Take advantage of updates, and read the release notes for the security-relevant ones
8. MySQL: Good Security Practices
'MySQL' Vulnerabilities By Year (source: cvedetails.com / nvd.nist.gov)

Year   2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011
CVEs      3     6     8     5     9    11    14    10     6     7     6    16
9. MySQL: Good Security Practices
yaSSL vulnerabilities affecting MySQL in the past:
- CVE-2005-3731: Certificate chain processing
- CVE-2008-0227: Denial of service (crash)
- CVE-2008-0226: Allowed execution of arbitrary code
- CVE-2009-4484: Allowed execution of arbitrary code, denial of service possible
10. MySQL: Good Security Practices
Passwords: Root Accounts
- They are empty by default
- Quick check: mysql -u root
  ("Welcome to the MySQL monitor" without ever being asked for a password = Not Good)

shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

The WHERE clause deliberately covers every root@host row: the default installation creates several (localhost, 127.0.0.1 and the server's own host name, among others), and all of them start out with an empty password.
11. MySQL: Good Security Practices
Passwords: Anonymous Accounts
Assign passwords to anonymous accounts:

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = '';
mysql> FLUSH PRIVILEGES;

Or remove the accounts (the better choice when nothing depends on them):

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';
12. MySQL: Good Security Practices
Passwords: Strength is Key
Use strong passwords:
- Combine letters, numbers and punctuation; avoid dictionary words
- Passphrase mnemonics work: mhallwltpic++ = "mary had a little lamb who liked to program in C++"
- Tools such as uuidgen or pwgen generate random passwords for application accounts
13. MySQL: Good Security Practices
Securing Test Databases
- By default, anyone can access the test database and any database whose name starts with test_
  - Convenient for testing, not for production
- Delete the databases, or remove the default grants that give everyone access:

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;
14. MySQL: Good Security Practices
Securing mysqld
- Don't run MySQL as the root user:

shell> mysqld --user=mysql

- Disable remote access (--skip-networking)
  - Only allows connections from the local machine (Unix socket file, or named pipe on Windows); no TCP/IP listener is opened at all
15. MySQL: Good Security Practices
mysql_secure_installation script
Allows you to:
- Set a password for the root account
- Remove root accounts that are accessible from outside of the local host
- Remove anonymous user accounts
- Remove the test database and the grants that let any user access it
- Reload the privilege tables so that the above take effect
* Not available on Windows
16. MySQL: Good Security Practices
Notes about Privileges
- Don't grant all users the PROCESS or SUPER privilege
  - PROCESS shows the text of every user's currently executing queries (SHOW PROCESSLIST), which can include passwords and other sensitive literals
  - SUPER allows server administration (changing global variables, killing other sessions, bypassing read_only, ...)
- Don't grant all users the FILE privilege
  - Enables reading and writing files anywhere the mysqld process has access (LOAD DATA INFILE, SELECT ... INTO OUTFILE, LOAD_FILE())
17. MySQL: Good Security Practices
Additional Measures
These depend on your unique situation:
- Restrict access to log files
  - Ensure only root and the mysqld user can read them (they can contain query text)
- Restrict access to the MySQL data directory to the server account only
18. MySQL: Good Security Practices
Additional Measures
- Add application-specific users
  - Each user has only the privileges it needs (e.g. one account per Ruby/PHP/etc. application)
- Restrict where MySQL listens
  - You might only need to listen on localhost: --bind-address=127.0.0.1
19. MySQL: Good Security Practices
Additional Measures
- Consider disabling LOAD DATA LOCAL INFILE (--local-infile=0 on the server, and on clients that never need it)
  - It lets the server pull any file the client process can read, so a compromised or impersonated server can abuse it
- Remove the content of the MySQL history file
  - Every SQL statement typed into the mysql client is stored there, passwords included

cat /dev/null > ~/.mysql_history

  - Or point the MYSQL_HISTFILE environment variable at /dev/null so nothing is recorded in the first place
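The Part I account checks (empty passwords on slide 10, anonymous accounts on slide 11, remote root on slide 15, broad privileges on slide 16) as one script. This is an added example, not code from the deck: it audits a tab-separated dump of mysql.user such as `mysql -N -B -e "SELECT User,Host,Password,Super_priv,File_priv,Process_priv FROM mysql.user"` produces and prints the matching remediation statements. The sample rows are constructed; the hash in them is PASSWORD('password') and stands in for any non-empty hash.

```shell
#!/bin/sh
# Added example (not from the deck): audit a dump of mysql.user for the Part I
# findings and emit the matching fixes. Input rows are tab-separated
#   User, Host, Password (stored hash; empty string = no password),
#   Super_priv, File_priv, Process_priv
# as produced by:
#   mysql -N -B -e "SELECT User,Host,Password,Super_priv,File_priv,Process_priv FROM mysql.user"

# Constructed sample rows: root with an empty password, root reachable from any
# host, an anonymous account, an app account holding FILE, and a clean backup
# account. The hash is PASSWORD('password'), used only as a non-empty value.
SAMPLE_USERS=$(
  printf 'root\tlocalhost\t\tY\tY\tY\n'
  printf 'root\t%%\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\tY\tY\tY\n'
  printf '\tlocalhost\t\tN\tN\tN\n'
  printf 'app\t10.0.0.%%\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\tN\tY\tN\n'
  printf 'backup\tlocalhost\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\tN\tN\tN\n'
)

# Read rows on stdin, print one finding per line: KIND user@host [details].
audit_mysql_users() {
  awk -F'\t' '
    {
      user = $1; host = $2; pw = $3; super = $4; file = $5; proc = $6
      who = (user == "" ? "<anonymous>" : user) "@" host
      if (pw == "")   print "EMPTY_PASSWORD " who            # slide 10: empty by default
      if (user == "") print "ANONYMOUS_ACCOUNT " who         # slide 11
      if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
                      print "REMOTE_ROOT " who               # slide 15: root from outside localhost
      if (user != "root" && (super == "Y" || file == "Y" || proc == "Y"))
                      print "BROAD_PRIVS " who " SUPER=" super " FILE=" file " PROCESS=" proc  # slide 16
    }'
}

# Read findings on stdin, print the SQL from slides 10-16 that fixes them.
# Review before running; <new password> is a placeholder to fill in.
remediation_sql() {
  awk -v q="'" '
    function qq(s) { return q s q }
    $1 == "EMPTY_PASSWORD" && $2 !~ /^<anonymous>@/ {
      split($2, a, "@")
      print "SET PASSWORD FOR " qq(a[1]) "@" qq(a[2]) " = PASSWORD(" qq("<new password>") ");"
    }
    $1 == "ANONYMOUS_ACCOUNT" { split($2, a, "@"); print "DROP USER " qq("") "@" qq(a[2]) ";" }
    $1 == "REMOTE_ROOT"       { split($2, a, "@"); print "DROP USER " qq("root") "@" qq(a[2]) ";" }
    $1 == "BROAD_PRIVS" {
      split($2, a, "@"); list = ""
      for (i = 3; i <= NF; i++) {            # revoke only the privileges actually held
        split($i, kv, "=")
        if (kv[2] == "Y") list = list (list == "" ? "" : ", ") kv[1]
      }
      print "REVOKE " list " ON *.* FROM " qq(a[1]) "@" qq(a[2]) ";"
    }
    END { print "FLUSH PRIVILEGES;" }'
}

# Usage: printf "%s\n" "$SAMPLE_USERS" | audit_mysql_users | remediation_sql
```

Anonymous accounts are dropped rather than given a password, following the second option on slide 11, so their EMPTY_PASSWORD finding produces no separate statement. The clean backup account yields no finding at all, which is the property to check for when the script is run against a real dump.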
20. Part II: SSL / TLS
- Overview
- X.509 Certificates
- Handshake
- MySQL and SSL

21. SSL: What is it?
By default, MySQL uses unencrypted connections between the client and server!

22. SSL: What is it?
- Enables secure client/server communication, including:
  - Privacy: prevents eavesdropping
  - Authentication: prevents impersonation
  - Integrity: prevents modification
- Can be implemented on almost any operating system (or bare metal!)
23. SSL: Where does it fit?
Layered between the Transport and Application layers:

Application Layer   HTTP, LDAP, SMTP, etc. (protocols secured by SSL/TLS)
SSL/TLS             SSL Record Layer carrying the SSL Handshake Protocol, SSL Change Cipher Spec Protocol and SSL Alert Protocol (and the application data)
Transport Layer     TCP
Internet Layer      IP
Network Layer       Network Access
24. SSL: Authentication
Do you really know who you're communicating with? (Alice ?? Bob)

25. SSL: Authentication
Generate a key pair (private and public keys): Alice and Bob each hold a private key and the matching public key.

26. SSL: Authentication
X.509 Certificate == wrapper around a public key (together with the identity it belongs to and a signature over both): Alice and Bob each hold an X.509 cert for their public key.
27. SSL: X.509 Certificates
An X.509 certificate as it appears on disk (PEM encoding):

-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----
28. SSL: X.509 Certificates
The same certificate decoded (openssl x509 -text):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:4a:75:be:91:66:d8:3d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: 00:c3:03:d1:2b:fe:39:a4 …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com
                serial:87:4A:75:BE:91:66:D8:3D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        … 1c:7c:42:81:29:9e:21:cf:d0:d8

Issuer equals Subject, the Authority Key Identifier equals the Subject Key Identifier and Basic Constraints says CA:TRUE: this is a self-signed CA certificate.
29. SSL: Authentication
Alice and Bob exchange CA-signed certificates (public keys); each verifies the other's against the CA they both trust.

30. SSL: Authentication
How do you get a CA-signed cert?
- Buy: VeriSign, DigiCert, Comodo, etc.
  - Costs $$$
  - Trusted (clients already ship the CA's root certificate)
- Create: created yourself (self-signed CA)
  - Free!
  - Trusted (if you control both sides and install your CA certificate on each of them)
31. SSL: Encryption
Uses a variety of cryptographic algorithms to secure data; the set negotiated for a connection is the CIPHER SUITE:
- Hashing functions: MD4, MD5, SHA, ...
- Block and stream ciphers: DES, 3DES, AES, ARC4, ...
- Public key options: RSA, DSA (DSS), ...

32. SSL: Encryption
A common CIPHER SUITE is negotiated. The name spells out its components:

Protocol_keyexchange_WITH_bulkencryption_mode_messageauth

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

The DES suites are listed to illustrate the naming; single DES is far too weak to deploy. The DHE suites provide forward secrecy (a later compromise of the server's RSA/DSA key does not expose recorded traffic); the plain RSA key-exchange suites do not.

33. SSL: Handshake
1. Client -> Server: Client Hello (cryptographic info: SSL/TLS version, supported cipher suites, etc.)
2. Server -> Client: Server Hello (the chosen cipher suite), Server Certificate, Server Key Exchange (key-exchange parameters such as DHE values; absent for plain RSA key exchange), (Client Certificate Request), Server Hello Done
3. Client verifies the server certificate against its trusted CAs and checks the crypto parameters
4. Client -> Server: (Client Certificate), Client Key Exchange, (Certificate Verify)
5. Server verifies the client certificate (if it was required)
6. Client -> Server: Change Cipher Spec, Client Finished
7. Server -> Client: Change Cipher Spec, Server Finished
8. Both sides exchange application messages (encrypted)
Messages in parentheses are sent only when the server requests client authentication.
34. SSL: Where is it used?
SSL is everywhere!
- Browsers
- Email
- Routers
- Factory automation
- VoIP
- Automobile communications
- Sensors
- Smart power meters
And much more!

35. SSL: What does MySQL provide?
- Your system must support either OpenSSL or yaSSL
- MySQL must be built with SSL support
Note: MySQL is bundled with yaSSL
36. MySQL: Is SSL Enabled?
Checking for SSL
- Confirm that the user table in the mysql database includes the SSL-related columns, whose names begin with ssl_ and x509_ (ssl_type, ssl_cipher, x509_issuer, x509_subject)
- Check whether the binary is compiled with SSL support:

shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'

  (this error means the binary was built without SSL; a build with SSL prints the help text instead)
- On a running mysqld, check the have_ssl system variable (slide 41)
37. MySQL: Building with SSL
Configure MySQL to use the built-in SSL (yaSSL):

shell> cmake . -DWITH_SSL=bundled

-DWITH_SSL options:
- no: no SSL support (default)
- yes: use the system SSL library if present, else the bundled library
- bundled: the SSL library bundled with MySQL (yaSSL)
- system: use the system SSL library (OpenSSL)
** yaSSL on Unix requires /dev/urandom and /dev/random to be available
38. MySQL: Starting the Server
To allow client connections through SSL, start MySQL with the appropriate options:

shell> mysqld_safe --user=mysql \
         --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem

- --ssl-ca: identifies the certificate authority certificate (the CA the server uses to verify client certificates)
- --ssl-cert: identifies the server certificate (public key)
- --ssl-key: identifies the server private key (keep it readable by the mysqld user only)
39. MySQL: Starting the Client
I. Account created with a GRANT statement including REQUIRE SSL:

shell> mysql -u user -p --ssl-ca=ca-cert.pem

II. Account created with REQUIRE X509 in addition (the client must present a valid certificate):

shell> mysql -u user -p --ssl-ca=ca-cert.pem \
         --ssl-cert=client-cert.pem \
         --ssl-key=client-key.pem

In both cases --ssl-ca only makes the client check that the server certificate chains to that CA; add --ssl-verify-server-cert (slide 45) if the client must also check that the certificate was issued for the host it connected to.
40. MySQL: SSL Options

Name                     Cmd-Line  Option File  System Var  Var Scope  Dynamic
have_openssl                                    Yes         Global     No
have_ssl                                        Yes         Global     No
skip-ssl                 Yes       Yes
ssl                      Yes       Yes
ssl-ca                   Yes       Yes          Yes         Global     No
ssl-capath               Yes       Yes          Yes         Global     No
ssl-cert                 Yes       Yes          Yes         Global     No
ssl-cipher               Yes       Yes          Yes         Global     No
ssl-key                  Yes       Yes          Yes         Global     No
ssl-verify-server-cert   Yes       Yes

(The ssl-* options are exposed on the server as the read-only global system variables ssl_ca, ssl_capath, ssl_cert, ssl_cipher and ssl_key.)
Source: http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html
41. MySQL: SSL Options
have_openssl, have_ssl
- YES = mysqld supports SSL connections and they are enabled
- DISABLED = the server was compiled with SSL support but it was not enabled at startup (no --ssl-xxx options given)
- NO = the server was compiled without SSL support
Check: SHOW VARIABLES LIKE 'have%ssl';

42. MySQL: SSL Options
skip-ssl
- Indicates that SSL should not be used
- Same as using --ssl=0
ssl
- Server: specifies that the server permits SSL connections
- Client: permits the client to connect to the server using SSL (it does not force SSL; use REQUIRE SSL on the account if the connection must be encrypted)

43. MySQL: SSL Options
ssl-ca
- The path to the file containing the list of trusted CA certificates (PEM format)
ssl-capath
- The path to a directory containing trusted CA certificates (PEM format)
  *NOTE: Only supported when using OpenSSL, not yaSSL
44. MySQL: SSL Options
ssl-cert
- Name of the SSL certificate file to be used
ssl-cipher
- A list of permissible ciphers to use for SSL, in OpenSSL cipher-name syntax, colon separated:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
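A checker for cipher-suite names, added here as an example and not part of the deck. It accepts both the IANA form shown on slide 32 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA) and the OpenSSL form that --ssl-cipher takes (DHE-RSA-AES256-SHA), reports whether the suite gives forward secrecy, and flags suites built on DES, RC4, MD5, NULL, export-grade or anonymous key exchange. The classification rules are substring heuristics chosen for this example, not MySQL's or OpenSSL's own logic.

```shell
#!/bin/sh
# Added example (not from the deck): classify cipher-suite names and check an
# --ssl-cipher list. Accepts the IANA form from slide 32 and the OpenSSL form
# --ssl-cipher takes. The checks are substring heuristics chosen for this
# example, not MySQL's or OpenSSL's own logic.

# Print "<suite> OK|WEAK pfs=yes|no [reasons]" for one suite name.
classify_suite() {
  suite=$1
  u=$(printf '%s' "$suite" | tr 'a-z' 'A-Z')
  verdict=OK; reasons=
  # Forward secrecy: ephemeral (EC)DH key exchange (DHE/ECDHE; EDH in older
  # OpenSSL names). With plain RSA key exchange a later private-key compromise
  # decrypts recorded traffic.
  case $u in
    *ECDHE*|*_DHE_*|DHE-*|*-DHE-*|EDH-*|*-EDH-*) pfs=yes ;;
    *) pfs=no; reasons="$reasons no-forward-secrecy" ;;
  esac
  case $u in
    *NULL*|*EXPORT*|EXP-*) verdict=WEAK; reasons="$reasons null-or-export" ;;
  esac
  case $u in
    *RC4*|*ARC4*) verdict=WEAK; reasons="$reasons rc4" ;;
  esac
  case $u in
    *3DES*|*DES_CBC3*|*DES-CBC3*) ;;                       # triple DES: not flagged here
    *DES*) verdict=WEAK; reasons="$reasons single-des" ;;
  esac
  case $u in
    *MD5*) verdict=WEAK; reasons="$reasons md5-mac" ;;
  esac
  case $u in
    *ANON*|ADH-*|AECDH-*) verdict=WEAK; reasons="$reasons anonymous-kex" ;;
  esac
  printf '%s %s pfs=%s%s\n' "$suite" "$verdict" "$pfs" "${reasons:+ [${reasons# }]}"
}

# Check a colon-separated --ssl-cipher value: prints one line per suite and
# returns non-zero if any suite is WEAK.
check_cipher_list() {
  bad=0
  old_ifs=$IFS; IFS=:
  for s in $1; do
    IFS=$old_ifs
    line=$(classify_suite "$s")
    printf '%s\n' "$line"
    case $line in *" WEAK "*) bad=1 ;; esac
  done
  IFS=$old_ifs
  return $bad
}

# Usage: check_cipher_list DHE-RSA-AES256-SHA:AES128-SHA
```

Run against the two --ssl-cipher examples above, both lists come back OK, but AES128-SHA alone is reported as lacking forward secrecy; putting the DHE suite first, as the second example does, is what gives a client that supports it the better choice.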
45. MySQL: SSL Options
ssl-key
- Name of the SSL private key file
ssl-verify-server-cert
- Clients only
- The server certificate's Common Name is verified against the host name the client connected to
- Connection rejected if there is no match

46. SSL: Certificate Creation
A. Generating Certificates
1. Create the CA certificate (private key, public cert)
2. Create the server key
3. Create the server certificate (signed by the CA)
4. Create the client key
5. Create the client certificate (signed by the CA)

47. SSL: Certificate Creation
A. Generating Certificates
Create the CA certificate (private key, public cert):

shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem
48. SSL: Certificate Creation
A. Generating Certificates
Create the server key and certificate:

shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

When prompted for the subject, give the server certificate a Common Name different from the CA's (a server built with OpenSSL rejects a chain in which the two are equal), and make it the host name clients connect to, since --ssl-verify-server-cert compares against that.

49. SSL: Certificate Creation
A. Generating Certificates
Create the client key and certificate:

shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

Use a serial number different from the server's (02 here, not a second 01): serial numbers must be unique per issuing CA. The client Common Name must also differ from the CA's.

50. SSL: Certificate Creation
A. Generating Certificates
Rewrite the client/server keys in the traditional RSA (PKCS#1) format:

shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem

The keys were created with -nodes, so there is no passphrase to remove; what this step does is convert a key that newer openssl writes as PKCS#8 ("BEGIN PRIVATE KEY") into the "BEGIN RSA PRIVATE KEY" form that a yaSSL-built MySQL can read.
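The slide 46-50 procedure as one non-interactive script, added here as an example and not taken from the deck or from the MySQL manual. It differs from the slides in four deliberate ways: subjects are passed with -subj (the organisation "Example" and the host names mysql-server.example.internal and mysql-client.example.internal are placeholders to replace with your own), the CA, server and client Common Names all differ, the server and client certificates get different serial numbers, and the private keys are rewritten as PKCS#1 in a way that works with both OpenSSL 1.x and OpenSSL 3. The CN of the server certificate must be the host name clients will use with --ssl-verify-server-cert.

```shell
#!/bin/sh
# Added example (not from the deck): the slide 46-50 procedure as one
# non-interactive script. Differences from the slides, each deliberate:
#   - subjects are passed with -subj; organisation and host names are
#     placeholders (Example, mysql-server.example.internal, ...) to replace;
#   - CA, server and client Common Names all differ (an OpenSSL-built server
#     rejects a server cert whose CN equals the CA's);
#   - server and client get different serial numbers (serials must be unique
#     per issuing CA);
#   - keys are rewritten as PKCS#1 ("BEGIN RSA PRIVATE KEY") for yaSSL-built
#     servers; OpenSSL 3 needs -traditional for that, 1.x writes it by default.
# Usage: sh mysql_ssl_certs.sh /etc/mysql/ssl [days]

# Rewrite an RSA private key file in place in PKCS#1 form.
to_pkcs1() {
  if ! openssl rsa -in "$1" -traditional -out "$1.tmp" 2>/dev/null; then
    openssl rsa -in "$1" -out "$1.tmp" 2>/dev/null   # OpenSSL 1.x: no -traditional flag
  fi
  mv "$1.tmp" "$1"
}

# Create ca-*, server-* and client-* PEM files in $1, valid for $2 days.
gen_mysql_certs() {
  out=$1; days=${2:-1000}
  mkdir -p "$out"
  openssl genrsa -out "$out/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days "$days" -key "$out/ca-key.pem" \
    -subj "/C=US/ST=Montana/O=Example/CN=Example MySQL CA" \
    -out "$out/ca-cert.pem" 2>/dev/null
  serial=1
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -keyout "$out/$role-key.pem" \
      -subj "/C=US/ST=Montana/O=Example/CN=mysql-$role.example.internal" \
      -out "$out/$role-req.pem" 2>/dev/null
    openssl x509 -req -in "$out/$role-req.pem" -days "$days" \
      -CA "$out/ca-cert.pem" -CAkey "$out/ca-key.pem" -set_serial "$serial" \
      -out "$out/$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))                  # 1 for the server, 2 for the client
    to_pkcs1 "$out/$role-key.pem"
    rm -f "$out/$role-req.pem"
  done
  chmod 600 "$out"/*-key.pem
  # Both leaves must verify against the CA before mysqld/mysql will accept them.
  openssl verify -CAfile "$out/ca-cert.pem" "$out/server-cert.pem" "$out/client-cert.pem"
}

# Helpers to inspect what was produced.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_cn()     { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

case ${1:-} in
  "") ;;                                   # sourced or run without arguments: define only
  *)  gen_mysql_certs "$1" "${2:-1000}"
      printf '\nServer: mysqld_safe --ssl-ca=%s/ca-cert.pem --ssl-cert=%s/server-cert.pem --ssl-key=%s/server-key.pem\n' "$1" "$1" "$1"
      printf 'Client: mysql --ssl-ca=%s/ca-cert.pem --ssl-cert=%s/client-cert.pem --ssl-key=%s/client-key.pem --ssl-verify-server-cert\n' "$1" "$1" "$1" ;;
esac
```

The final openssl verify is the check worth keeping in any variant of this script: it catches a wrong -CA/-CAkey pair or an edited subject before mysqld reports a much less specific SSL error at startup.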
51. MySQL: SSL Performance
Test Machine: MacBook Pro, 2.33 GHz, 2 GB 667 MHz DDR2 SDRAM, Mac OS X 10.6.6 (Snow Leopard)

52. MySQL: SSL Performance
Footprint Size

53. MySQL: SSL Performance
Command: du -sh .

MySQL footprint size      SSL    No SSL
Size (MB)                 239    227

Result: 5.3% difference (12 MB)

54. MySQL: SSL Performance
Command: du -sh *

MySQL footprint (detail)  SSL    No SSL
bin (MB)                   86    79
lib (MB)                   13    9.2

55. MySQL: SSL Performance
Average Query Times (SELECT queries, sysbench)

56-57. MySQL: SSL Performance
MySQL average SELECT query times, No SSL vs. SSL, 100,000 requests, sysbench

Concurrency (# of client connections)   1     2     4     8     16    32
No SSL, average query time (ms)         0.10  0.10  0.21  0.65  1.33  2.67
SSL, average query time (ms)            0.14  0.14  0.29  0.76  1.62  3.32

58. MySQL: SSL Performance
At client concurrency = 8: No SSL 0.65 ms vs. SSL 0.76 ms, a 16.9% difference (0.11 ms).
(sysbench keeps its connections open, so these figures show the per-query record-layer cost; the handshake cost is paid once per connection and is not in them.)
59. Part III: Additional Security Concerns
- Data Encryption

60. Data Storage and Encryption
Client Side Encryption
- Encrypt data in application code before it is passed to MySQL
- Many encryption modules available (PHP, Perl, etc.)
Advantages
- Data is encrypted between the code and MySQL, so the server, its logs and its backups never see plaintext
- Allows the use of binary logging (MySQL backup/replication) without exposing the data
Disadvantages
- What to do with the key?
61. Data Storage and Encryption
Server Side Encryption
- AES_ENCRYPT(), AES_DECRYPT() functions
  - AES-128 default (ECB mode in MySQL 5.5, so equal plaintexts give equal ciphertexts and there is no integrity check)
  - AES-256 with a source-code change
- Entire disk encryption
- Transparent Data Encryption (Gazzang ezNcrypt)

62. Data Storage and Encryption
Gazzang ezNcrypt
- ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
- Traditionally called Transparent Data Encryption (TDE): the data is encrypted transparently; no changes are needed to your application, code or MySQL.
Diagram: application SQL "insert into orders (number, credit card, ...) values (20090101, 4307, ...)" -> table Orders row "20090101, 4307" -> file system orders.myd, stored as ciphertext ("9f7c7d77a877fg8e78s09ab").

63. Data Storage and Encryption
Gazzang ezNcrypt
- Gazzang Key Storage System (KSS)

64. Data Storage and Encryption
Server Side Encryption
Advantages:
- Data is stored encrypted
- Easy to use
Disadvantages:
- Binary logging: statements are logged in plain text, so the plaintext values and the key passed to AES_ENCRYPT()/AES_DECRYPT() end up in the binary log (and in the general and slow query logs, if enabled)
  Exception: Gazzang can protect the bin logs
- What to do with the key?
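Two of the disadvantages just listed, shown concretely. This is an added example and not part of the deck: it uses openssl enc with a fixed demo key in place of the server's AES_ENCRYPT() (MySQL derives its 128-bit key by folding the key string; the fixed hex key here stands in for that, and neither it nor the IV is a secret), and a constructed general-log excerpt in place of a real log.

```shell
#!/bin/sh
# Added example (not from the deck): two things to know about
# AES_ENCRYPT()/AES_DECRYPT() in MySQL 5.5, shown with openssl and a constructed
# log excerpt rather than a live server.
#  1. The default is AES-128 in ECB mode: equal 16-byte plaintext blocks give
#     equal ciphertext blocks, so repeated values leak through the ciphertext.
#  2. The key is a literal in the statement, so it is copied into the binary
#     log, general log and slow log along with the plaintext.
# Key and IV are demo constants, not secrets; a fixed hex key stands in for the
# key MySQL derives by folding the key string.

KEY_HEX=000102030405060708090a0b0c0d0e0f
IV_HEX=0f0e0d0c0b0a09080706050403020100

to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Encrypt stdin with AES-128 in the given mode (ecb|cbc), print hex ciphertext.
aes128() {
  case $1 in
    ecb) openssl enc -aes-128-ecb -K "$KEY_HEX" -nosalt | to_hex ;;
    cbc) openssl enc -aes-128-cbc -K "$KEY_HEX" -iv "$IV_HEX" -nosalt | to_hex ;;
  esac
}

# Number of distinct 16-byte blocks (32 hex digits each) in a hex ciphertext.
distinct_blocks() { fold -w32 | sort -u | wc -l | tr -d ' '; }

# Three identical 16-byte records ("4307" x 12 = 48 bytes), as three equal
# card-number-like column values would be; PKCS#7 padding adds a fourth block.
REPEATED=430743074307430743074307430743074307430743074307

ecb_distinct() { printf '%s' "$REPEATED" | aes128 ecb | distinct_blocks; }   # 2: the three data blocks collide
cbc_distinct() { printf '%s' "$REPEATED" | aes128 cbc | distinct_blocks; }   # 4: chaining hides the repeat

# Constructed general-log excerpt: the key literal travels with every statement.
SAMPLE_LOG=$(cat <<'EOF'
120315 10:02:11     7 Query  INSERT INTO orders (number, card) VALUES (20090101, AES_ENCRYPT('4307...', 'hunter2'))
120315 10:02:12     7 Query  SELECT AES_DECRYPT(card, 'hunter2') FROM orders WHERE number = 20090101
120315 10:02:13     8 Query  SELECT COUNT(*) FROM orders
EOF
)

# Print every distinct key literal passed to AES_ENCRYPT/AES_DECRYPT in a log on stdin.
leaked_keys() {
  grep -o "AES_[DE][EN]CRYPT([^)]*, *'[^']*')" | sed "s/.*, *'\([^']*\)')$/\1/" | sort -u
}

# Usage: ecb_distinct; cbc_distinct; printf '%s\n' "$SAMPLE_LOG" | leaked_keys
```

The first half is the argument against using AES_ENCRYPT() on a column whose values repeat (card numbers, identifiers): with ECB an attacker holding the table can tell which rows share a value without the key. The second half is the reason the slide pairs server-side encryption with log protection: any log that records statement text records the key.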
65. Part IV: Wrap-Up
- Licensing Concerns
- About yaSSL

66. Licensing Concerns
yaSSL vs. OpenSSL
- OpenSSL uses a BSD-style license with an announcement (advertising) clause
  - Makes it incompatible with the GPL
- yaSSL = dual licensed (GPL, Commercial)

67. What did we cover?
Part I: MySQL Security
  1. Good Security Practices for MySQL
Part II: SSL/TLS
  1. Overview of SSL and TLS
  2. Configuring and Building MySQL with SSL
  3. MySQL SSL Command Options
  4. SSL Certificate Creation
  5. Performance Comparison
Part III: Additional Security Concerns
  1. Data Storage and Encryption

68. http://www.yassl.com
Email: info@yassl.com
Phone: (206) 369-4800
Thanks!

69. Helpful Sources
MySQL Manual:
- http://dev.mysql.com/doc/refman/5.5/en/
- http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
- http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
- http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
- http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
MySQL Security Resources around the Internet:
- http://www.symantec.com/connect/articles/secure-mysql-database-design
SSL/TLS:
- https://www.ssllabs.com/
- http://en.wikipedia.org/wiki/Transport_Layer_Security