Securing MySQL with a Focus on SSL

http://www.yassl.com
(206) 369-4800
Securing MySQL!
With a Focus on SSL

yaSSL (yet another SSL)
Founded: 2004
Location: Bozeman, MT
Seattle, WA
Portland, OR
Our Focus: Open Source Embedded Security
(for Applications, Devices, and the Cloud)
Products: - CyaSSL, yaSSL
- yaSSL Embedded Web Server
© Copyright 2012 yaSSL
Slide 2 / 69

Why is this Important?
Ivan Ristic: Internet SSL Survey 2010
http://www.ssllabs.com
•  Alexa Top 1M Sites
120,000 Use SSL (12%)
Alexa
Top
1M

Use
SSL
–
12%

Slide 3 / 69

What are we going to talk about?
Part I: MySQL Security

1.  Good Security Practices for MySQL

Part II: SSL/TLS

1.  Overview of SSL and TLS

2.  Configuring and Building MySQL with SSL

3.  MySQL SSL Command Options

4.  SSL Certificate Creation

5.  Performance Comparison

Part III: Additional Security Concerns

1.  Data Storage and Encryption

Part IV: Wrap-Up

1.  Licensing

Slide 4 / 69

Part I
MySQL Security
MySQL
Updates

Account
Passwords

Test
Databases

mysqld

Privileges

Slide 5 / 69

MySQL: Good Security Practices
Do we really need to secure our MySQL database?

YES!

MySQL is Susceptible to Many Attacks:

-  Basic Attacks (empty password, etc.)

-  SQL Injection Attacks

-  Known MySQL Bugs and Vulnerabilities

Slide 6 / 69

Keeping MySQL Up to Date

An easy way to stay better protected:

- New MySQL Patches, Bug Fixes, etc.

- You should take advantage of updates
Slide 7 / 69

3

6

8

5

9

11

14

10

6

7

6

16

'MySQL'
Vulnerabili1es
By
Year

cvedetails.com
(nvd.nist.gov)

2000

2001

2002

2003

2004

2005

2006

2007

2008

2009

2010

2011

Slide 8 / 69

•  yaSSL Vulnerabilities affecting MySQL in the past:

CVE-2005-3731 Certificate Chain Processing

CVE-2008-0227 Denial of Service (crash)

CVE-2008-0226 Allowed Execution of Arbitrary Code

CVE-2009-4484 Allowed Execution of Arbitrary Code,

Denial of Service Possible
Slide 9 / 69

Passwords: Root Accounts

•  They are empty by default
Quick Check: mysql -u root

("Welcome to the MySQL monitor" = Not Good)

shell> mysql -u root

mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')

-> WHERE User = 'root';

mysql> FLUSH PRIVILEGES;

Slide 10 / 69

Passwords: Anonymous Accounts

Assign passwords to anonymous accounts:

shell> mysql -u root -p

Enter password: (enter root password here)

mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')

-> WHERE User = '';


Or remove the accounts:



mysql> DROP USER ''@'localhost';

mysql> DROP USER ''@'host_name';
Slide 11 / 69

Passwords: Strength is Key

Use strong passwords

•  Combine letters and numbers
•  mhallwltpic++ = "mary had a little lamb who liked to program in C++”
•  uuidgen, pwgen tools
Slide 12 / 69

Securing Test Databases

•  By default, anyone can access test databases
- Convenient for testing - not production
•  Delete databases or restrict privileges



mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';


Slide 13 / 69

Securing mysqld

•  Don't run MySQL as root user
shell> mysqld --user=mysql

•  Disable Remote Access (--skip-networking)
- Only allows access from local machine
Slide 14 / 69

mysql_secure_installation script

Allows you to:

•  Set a password for root account

•  Remove root accounts that are accessible from outside of the local host

•  Remove anonymous user accounts

•  Remove the test database that can be accessed from all users

•  Reload privilege tables so that above take effect

* Not available on Windows
Slide 15 / 69

Notes about Privileges

•  Don't grant all users PROCESS or SUPER privilege

–  Can see text of currently-executing queries

( SHOW processlist; )

•  Don't grant all users the FILE privilege

–  Enables reading/writing to file system wherever mysqld process has access

Slide 16 / 69

Additional Measures

These depend on your unique situation:

•  Restrict access to log files

- Ensure only ‘root’ and the mysqld user can access

•  Restrict MySQL data directory access only to server account

log
ﬁles
Slide 17 / 69

Additional Measures

•  Add Application-specific Users

- Each user only has required privileges
(Ex: Ruby/PHP/etc. Application)

•  Restrict where MySQL listens

- You might only need to listen on localhost

--bind-address=127.0.0.1
Slide 18 / 69

Additional Measures

•  Can disable LOAD DATA LOCAL INFILE command

- Can allow reading of local files

•  Remove Content of MySQL History File

- All executed SQL commands are stored

cat /dev/null > ~/.mysql_history
Slide 19 / 69

Part II
SSL / TLS
Overview

X.509
CerRﬁcates

Handshake

MySQL
and
SSL

Slide 20 / 69

SSL: What is it?
By default, MySQL uses unencrypted connections between
the client and server!
Slide 21 / 69

SSL: What is it?

•  Enables secure client/server communication, including:
•  Can be implemented on almost any operating system (or bare metal!)

Privacy

+
Prevent
eavesdropping

Authen1ca1on

+
Prevent
impersonaRon

Integrity

+
Prevent
modiﬁcaRon

Slide 22 / 69

SSL: Where does it fit?

- Layered between Transport and Application layers:

Network Access
IP
TCP
SSL Record Layer
SSL
Handshake
Protocol
SSL Change
Cipher Spec
Protocol
SSL Alert
Protocol
HTTP
LDAP,
etc.
HTTP
SMTP,
etc.
Protocols Secured by
SSL/TLS
Network Layer
Internet Layer
Transport Layer
Application Layer
Slide 23 / 69

SSL: Authentication

- Do you really know who you’re communicating with?

??
Alice
Bob

Slide 24 / 69

SSL: Authentication

- Generate a key pair (private and public keys)

Alice
Bob

Private
Private
Public
Public

Slide 25 / 69

SSL: Authentication

- X.509 Certificate == Wrapper around public key

X509
Cert
Alice
Bob

Private
Private
Public
Public

X509
Cert
Slide 26 / 69

SSL: X.509 Certificates

X509
Cert
-----BEGIN CERTIFICATE-----!
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD!
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG!
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw!
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE!
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS!
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ!
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP!
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE!
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk!
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+!
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/!
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw!
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU!
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w!
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x!
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv!
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW!
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG!
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe!
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q!
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR!
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO!
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua!
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==!
-----END CERTIFICATE-----!
Slide 27 / 69

SSL: X.509 Certificates

X509
Cert
Certificate:!
Data:!
Version: 3 (0x2)!
Serial Number:!
87:4a:75:be:91:66:d8:3d!
Signature Algorithm: sha1WithRSAEncryption!
Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/
emailAddress=info@yassl.com!
Validity!
Not Before: Oct 24 18:21:55 2011 GMT!
Not After : Jul 20 18:21:55 2014 GMT!
Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/
Subject Public Key Info:!
Public Key Algorithm: rsaEncryption!
Public-Key: (2048 bit)!
Modulus: 00:c3:03:d1:2b:fe:39:a4 …!
! ! Exponent: 65537 (0x10001)!
X509v3 extensions:!
X509v3 Subject Key Identifier: !
33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0!
X509v3 Authority Key Identifier: !
keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0!
DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/
serial:87:4A:75:BE:91:66:D8:3D!
!
X509v3 Basic Constraints: !
CA:TRUE!
Signature Algorithm: sha1WithRSAEncryption!
… 1c:7c:42:81:29:9e:21:cf:d0:d8!
Slide 28 / 69

SSL: Authentication

- Alice and Bob exchange CA-signed public keys

X509
Cert
CA
X509
Cert
CA
Alice
Bob

Private
Private
Public
Public

Slide 29 / 69

SSL: Authentication

- How do you get a CA-signed cert?

Buy

VeriSign, DigiCert, Comodo, etc.
-  Costs $$$
-  Trusted
Create

Created yourself (self-sign)
-  Free!
-  Trusted (if you control both sides)
Slide 30 / 69

SSL: Encryption

- Uses a variety of encryption algorithms to secure data

Hashing
Func1ons

Block
and
Stream
Ciphers

Public
Key
Op1ons

MD4, MD5, SHA …
DES, 3DES, AES, ARC4 …
RSA, DSA, DSS …
CIPHER
SUITE

Slide 31 / 69

SSL: Encryption

- A common CIPHER SUITE is negotiated

Protocol_keyexchange_WITH_bulkencrypRon_mode_messageauth

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Slide 32 / 69

SSL: Handshake

Client Hello
Cryptographic Info
(SSL version, supported ciphers, etc.)
Client Server
Server Hello
Cipher Suite
Server Certificate
Server Key Exchange (public key)
( Client Certificate Request )
Server Hello Done
Client Key Exchange
( Certificate Verify )
( Client Certificate )
Change Cipher Spec
Client Finished
Change Cipher Spec
Server Finished
Exchange Messages (Encrypted)
1
2
3
4
5
6
7
8
Verify server cert,
check crypto
parameters
Verify client cert
(if required)
Slide 33 / 69

SSL: Where is it used?
SSL is Everywhere!
- Browsers

- Email

- Routers

- Factory Automation

- VoIP
- Automobile Communications

- Sensors
- Smart Power Meters

And much more!!

Slide 34 / 69

SSL: What does MySQL provide?
- Your system must support either OpenSSL or yaSSL

- MySQL must be built with SSL support

Note: MySQL is bundled with yaSSL
Slide 35 / 69

MySQL: Is SSL Enabled?
Checking for SSL
•  Confirm that user in 'mysql' database includes SSL-related columns:

- Beginning with: ssl_, x509_

•  Check if binary is compiled with SSL support:

shell> mysqld --ssl --help

060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'

•  mysqld: Check for 'have_ssl' system variable
Slide 36 / 69

MySQL: Building with SSL
Configure MySQL to use the built-in SSL (yaSSL):

shell> cmake . -DWITH_SSL=bundled

-DWITH_SSL options:

no: No SSL support (default)

yes: Use system SSL library if present, else bundled library

bundled: SSL library bundled with MySQL (yaSSL)

system: Use the system SSL library

** yaSSL on Unix requires /dev/urandom and /dev/random to be available
Slide 37 / 69

MySQL: Starting the Server
To allow client connections through SSL, start MySQL with the appropriate options:

shell> mysqld_safe --user=mysql

--ssl-ca=ca-cert.pem

--ssl-cert=server-cert.pem

--ssl-key=server-key.pem

--ssl-ca: Identifies the certificate authority certificate

--ssl-cert: identifies the server certificate (public key)

--ssl-key: identifies the server private key
Slide 38 / 69

MySQL: Starting the Client
I. Account created with GRANT statement including REQUIRE_SSL:

shell> mysql -u user -p --ssl-ca=ca-cert.pem

II. Account created with REQUIRE_X509 in addition:

shell> mysql -u user -p --ssl-ca=ca-cert.pem

--ssl-cert=client-cert.pem

--ssl-key=client-key.pem
Slide 39 / 69

MySQL: SSL Options
Name
Cmd-‐Line
Op1on
File
System
Var
Var
Scope
Dynamic

have_openssl

Yes
Global
No

have_ssl

Yes
Global
No

skip-‐ssl
Yes
Yes

ssl
Yes
Yes

ssl-‐ca
Yes
Yes

Global
No

ssl-‐capath
Yes
Yes

Global
No

ssl-‐cert
Yes
Yes

Global
No

ssl-‐cipher
Yes
Yes

Global
No

ssl-‐key
Yes
Yes

Global
No

ssl-‐verify-‐server-‐cert
Yes
Yes

hap://dev.mysql.com/doc/refman/5.5/en/ssl-‐opRons.html

Slide 40 / 69

MySQL: SSL Options
have_openssl

have_ssl

YES = mysqld supports SSL connections

DISABLED = server was compiled with SSL support, not enabled (--ssl-xxx)

Check:
SHOW VARIABLES LIKE 'have%ssl';
Slide 41 / 69

MySQL: SSL Options
skip-ssl
Indicate that SSL should not be used
Same as using --ssl=0
ssl
Server: Specifies that the server permits SSL connections
Client: Permits a client to connect to server using SSL
Slide 42 / 69

MySQL: SSL Options
ssl-ca

The path to the file containing list of trusted CAs

ssl-capath

The path to a directory containing trusted CAs
(PEM format)
*NOTE: Only supported when using OpenSSL
Slide 43 / 69

MySQL: SSL Options
ssl-cert

Name of the SSL certificate to be used

ssl-cipher

A list of permissible ciphers to use for SSL

--ssl-cipher=AES128-SHA

--ssl-cipher=DHE-RSA_AES256-SHA:AES128-SHA
Slide 44 / 69

MySQL: SSL Options
ssl-key
Name of the SSL key file
ssl-verify-server-cert
- Clients only

- Server's Common Name verified against server host name

- Connection rejected if no match
Slide 45 / 69

SSL: Certificate Creation
A. Generating Certificates

1. Create CA certificate (private key, public cert)

2. Create server key

3. Create server certificate

4. Create client key

5. Create client certificate
Slide 46 / 69


Create CA certificate (private key, public cert)

shell> openssl genrsa 2048 > ca-key.pem

shell> openssl req -new -x509 -nodes -days 1000

-key ca-key.pem > ca-cert.pem
Slide 47 / 69


Create server key and certificate

shell> openssl req -newkey rsa:2048 -days 1000

-nodes -keyout server-key.pem > server-req.pem

shell> openssl x509 -req -in server-req.pem -days 1000

-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Slide 48 / 69


Create client key and certificate

shell> openssl req -newkey rsa:2048 -days 1000

-nodes -keyout client-key.pem > client-req.pem

shell> openssl x509 -req -in client-req.pem -days 1000

-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

Slide 49 / 69


Remove passphrase from client/server key:

shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem

Slide 50 / 69

MySQL: SSL Performance
Test Machine

MacBook Pro

2.33 GHz

2 GB 667 MHz DDR2 SDRAM

Mac OS X 10.6.6 (Snow Leopard)

Slide 51 / 69

Footprint Size
Slide 52 / 69

Command:
du -sh .

Result:
5.3% Difference
(12 Mb)

239

227

0

50

100

150

200

250

300

Size
(Mb)

MySQL
Footprint
Size

SSL
vs.
No
SSL

SSL
No
SSL

Slide 53 / 69

Command:
du -sh *

86

13

79

9.2

0

10

20

30

40

50

60

70

80

90

100

bin

lib

Size
(Mb)

MySQL
Footprint
Comparison
(Detail)

SSL
vs.
No
SSL

SSL
No
SSL

Slide 54 / 69

Average Query Times
(SELECT Queries, sysbench)
Slide 55 / 69

0

0.5

1

1.5

2

2.5

3

3.5

0
5
10
15
20
25
30
35

Average
Query
Time
(ms)

Concurrency
(#
of
Client
Connec1ons)

MySQL
Average
SELECT
Query
Times

No
SSL
vs.
SSL

100,000
Requests

sysbench

No
SSL

SSL

Slide 56 / 69

0.1
0.1

0.21

0.65

1.33

2.67

0.14
0.14

0.29

0.76

1.62

3.32

1
2
4
8
16
32

Concurrency
(#
of
Client
Connec1ons)

MySQL
Average
SELECT
Query
Times
(ms)

No
SSL
vs.
SSL

100,000
Requests

sysbench

No
SSL
SSL

Slide 57 / 69

0.65

0.76

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Average
Query
Time
(ms)

Client
Concurrency
=
8

MySQL
Average
SELECT
Query
Times

No
SSL
vs.
SSL

100,000
Requests

sysbench

No
SSL
SSL

16.9%
Diﬀerence

(0.11
ms)

Slide 58 / 69

Part III
Additional Security
Concerns
Data
EncrypRon

Slide 59 / 69

Data Storage and Encryption
Client Side Encryption

•  Encrypt data in code before it is passed to MySQL

•  Many encryption modules available (PHP, Perl, etc.)

Advantages

•  Data encrypted between code & MySQL

•  Allows the use of bin logging (MySQL backup/replication)

Disadvantages

•  What to do with the key?
Slide 60 / 69

Server Side Encryption

•  AES_ENCRYPT(), AES_DECRYPT() functions

- AES-128 Default

- AES-256 w/ source-code change

•  Entire Disk Encryption
•  Transparent Data Encryption (Gazzang ezNcrypt)

Slide 61 / 69

Gazzang ezNcrypt
•  ezNcrypt
sits
between
your
storage
engine
and
ﬁle
system
to
encrypt
your
data
before

it
hits
the
disk.

•  TradiRonally
called
-‐
Transparent
Data
EncrypRon
(TDE)

–  The
data
is
encrypted
transparently,
no
changes
are
needed
to
your
applicaRon,

code
or
MySQL.

Table
Orders

20090101,4307

Applica1on
SQL

insert
into
orders

(number,
credit
card,….)

Values

(20090101,4307,…)

File
System

orders.myd

9f7c7d77a87
7fg8e78s09ab

Slide 62 / 69

Gazzang ezNcrypt

•  Gazzang
Key
Storage
System
(KSS)

Slide 63 / 69

Server Side Encryption

Advantages:

•  Data is stored encrypted

•  Easy to use

Disadvantages:

•  bin logging (all queries are shown in plain text)
Exception: Gazzang can protect the bin logs
•  What to do with the key?
Slide 64 / 69

Part IV
Wrap-Up
Licensing
Concerns

About
yaSSL

Slide 65 / 69

Licensing Concerns
yaSSL vs. OpenSSL

-  OpenSSL uses BSD-style license with announcement clause
-  Makes it incompatible with GPL
-  yaSSL = dual licensed (GPL, Commercial)
Slide 66 / 69

What did we cover?
Part I: MySQL Security

1.  Good Security Practices for MySQL

Part II: SSL/TLS

1.  Overview of SSL and TLS

2.  Configuring and Building MySQL with SSL

3.  MySQL SSL Command Options

4.  SSL Certificate Creation

5.  Performance Comparison

Part III: Additional Security Concerns

1.  Data Storage and Encryption

Slide 67 / 69

http://www.yassl.com

Email:

info@yassl.com

Phone:

(206)
369-‐4800

Thanks!
Slide 68 / 69

Helpful Sources
MySQL Manual:
http://dev.mysql.com/doc/refman/5.5/en/
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
MySQL Security Resources around the Internet
http://www.symantec.com/connect/articles/secure-mysql-database-design
SSL/TLS
https://www.ssllabs.com/
http://en.wikipedia.org/wiki/Transport_Layer_Security
Slide 69 / 69

Securing MySQL with a Focus on SSL

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Securing MySQL with a Focus on SSL

Similar to Securing MySQL with a Focus on SSL (20)

Recently uploaded

Recently uploaded (20)

Securing MySQL with a Focus on SSL