Mysql user-camp-march-11th-2016

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
What’s New in
MySQL 5.7 Security
Harin Vadodaria,
Developer,
MySQL Server General Team
March 11, 2016

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
3

Program Agenda
New Security Features in MySQL 5.7
Questions & Answers
1
2
4

Security features at a glance..
5
Code Refactoring
Secure By Default
Communication
Security
Encryption
User Activity Control
User Management

Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
User Management
6
• Password Rotation
Policy
• Disabling user login
• ALTER USER
enhancements

Password Rotation Policy
• Through ALTER USER
7
NEVER
DEFAULT SPECIFIC
• PASSWORD EXPIRE NEVER
– If security is not a concern!
• PASSWORD EXPIRE DEFAULT
– Global Variable :
default_password_lifetime
• PASSWORD EXPIRE INTERVAL
<NUM> DAY
– Useful for critical accounts

Disabling Login for User Accounts
• New authentication plugin
– mysql_no_login
– Just like shell=/bin/false
8
• CREATE USER nologin@localhost
IDENTIFIED WITH ‘mysql_no_login’
• Useful for : Proxy users

User Management
• Enhanced ALTER USER support
– Change credentials
– Change authentication plugin
– Change SSL certificate details
– Change resource allocation
– Temporarily lock user account
• Making server OFFLINE
– Allows only SUPER users to connect
– Rest of the connections are killed
• SUPER Read Only mode
– Makes server READ ONLY even for
users with SUPER privileges
9

Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
10
• MySQL Firewall
• Audit Log Plugin

Firewall Plugin
11
SELECT info FROM customer
WHERE cust_id=123
SELECT info FROM customer
WHERE cust_id=123 or 1=1

Firewall Plugin
• Engine
– Compares incoming statements with
allowed set of statements
– Per user configuration
• DISABLED, RECORDING, PROTECTING
– Statement digest based comparison
• Statement Cache
– Uses normalized SQL statements
• SELECT info FROM customer WHERE
cust_id = 123 => SELECT info FROM customer
WHERE cust_id = ?
– Generates hash from normalized SQL
– In memory cache : Faster lookup
12

Audit Log : Event Filtering
13
• Filtering by account names
– SET GLOBAL
audit_log_include_account=‘admin@localhost’;
– SET GLOBAL
audit_log_exclude_account=`auditor@localhost’;
• Filtering on connection event
– SET GLOBAL audit_log_connection_policy= ERRORS;
• Better Instrumentation
– audit_log_events
– audit_log_events_filterd
– audit_log_events_written
• Filtering by query status
– SET GLOBAL audit_log_statement_policy= ALL;

14
Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
• Enhancements in AES
encryption
• Enterprise Encryption
Plugin

AES Encryption : Enhanced
• Support for more secure block
modes
– CBC, CFB1, CFB8, CFB128, OFB
– Support varies for OpenSSL/yaSSL
• Support for longer key size
– 196, 256 bits
• Controlled via :
block_encryption_mode
– e.g. “aes-256-cbc”, “aes-256-ofb”
• Ported to 5.6 as well.
15

Enterprise Encryption Plugin
• SQL Interface to OpenSSL Functions
– Supports RSA/DSA/DH algorithms
– Configurable Key Size
• Standard PEM format for generated keys
– Compatible with external tools
• Useful in encrypting selected data
16

• Creating asymmetric key pair
– SET @priv_key_s= CREATE_ASYMMETRIC_PRIV_KEY(‘RSA’, 2048);
– SET @pub_key_s= CREATE_ASYMMETRIC_PUB_KEY(‘RSA’, @priv_key);
– SET @priv_key_d= CREATE_ASYMMETRIC_PRIV_KEY(‘RSA’, 2048);
– SET @pub_key_d= CREATE_ASYMMETRIC_PUB_KEY(‘RSA’, @priv_key);
• Share public keys across multiple servers
17

– Encryption, Digest creation and Signature
• SET @enc_text= ASYMMETRIC_ENCRYPT(‘RSA’, ‘FooBar’, @pub_key_d);
• SET @text_digest= CREATE_DIGEST(‘SHA512’, ‘FooBar’);
• SET @signature= ASYMMETRIC_SIGN(‘RSA’, @text_digest, @priv_key_s,
‘SHA512’);
– Decryption, Signature verification
• SET @plain_text= ASYMMETRIC_DECRYPT(‘RSA’, @enc_text, @priv_key_d);
• SET @text_digest= CREATE_DIGEST(‘SHA512’, @plain_text);
• SET @verify= ASYMMETRIC_VERIFY(‘RSA’, @text_digest, @signature,
@pub_key_s, ‘SHA512’);
Unencrypted Channel
18

19
Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
• Server/Client support
for encrypted
connection
• TLSv1.1/1.2 Support
• Enforcing encrypted
connections

Communication Security
• Server : Encrypted connections supported by default
– Automatic generation of TLS certificates and keys
• Enterprise server : At server start-up
• Community server : Through mysql_ssl_rsa_setup utility
• Clients (libmysql based) : Attempt TLS connection by default
• More information in server log about TLS setup phase
– CA certificate status
– Possible reason for TLS support failure
20

Communication Security
• TLSv1.1/TLSv1.2 Support
– New option : –tls-version to control protocol version
– Disabled weak ciphers
• Multi-state SSL option : --ssl-mode
– Modes : DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY
– Backwards compatibility with legacy options : --ssl, --ssl-verify-server-cert
• Enforcing secure connection
– Server : --require-secure-transport
– Client : --ssl-mode=REQUIRED/VERIFY_CA/VERIFY_IDENTITY
21

Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
22
• Better access control
• Secure packages
• Restricted data
import/export

Secure By Default
• Motivation
– Help avoid users common mistakes which may cause data loss/leakage
– Decrease MySQL attack surface
– Open to limited and authorized use by default
– Low usability impact
– Relaxing security must be an explicit and conscious decision
23

Secure By Default
• Stricter Access Control
– Single root account + Random password
– No anonymous accounts
• Packages
– No tests and demos with server/client
– Separate packages for tests and demos
– Stricter permission on deployed files
• Data Import/Export restrictions
– Restricted to a specific location: Through –secure-file-priv default
– Possible to disable data import/export completely
24

25
Code Refactoring
Secure By Default
Communication
Security
Encryption
User Management
• Removal of legacy
hash/encryption
methods
• Uniform credential
storage framework
• Tools ref

Code Refactoring
• Removal of Pre-4.1 password support
– Insecure way of generating password hash
– Upgrade flags & disables such accounts
• Password v/s Authentication String
– All authentication plugins are treated equally
– Removal of PASSWORD column from mysql.user table
– Dependency on @@old_password is gone!
• Removal of weak encryption functions
– ENCODE()/DECODE() are now replaced by AES_ENCRYPT()/AES_DECRYPT()
26

Code Refactoring
• Server installation through --initialize
– mysql_install_db deprecated
• mysql_upgrade : Not dependent on external libraries!
• mysql_secure_install – Now a C program!
27

Questions &
Answers

Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
29

Mysql user-camp-march-11th-2016

Mysql user-camp-march-11th-2016

More Related Content

What's hot

Similar to Mysql user-camp-march-11th-2016

Recently uploaded

Mysql user-camp-march-11th-2016