
Securing MySQL with a Focus on SSL

wolfSSL
April 12, 2011

View slides from Chris Conlon's presentation about securing MySQL - including an intro to SSL, and performance statistics for MySQL SSL usage.

To learn more about yaSSL products or the CyaSSL embedded SSL library, visit www.yassl.com.

Transcript

  1. yaSSL (yet another SSL)
     Founded: 2004
     Location: Bozeman, MT; Seattle, WA; Portland, OR
     Our Focus: Open Source Embedded Security (for Applications, Devices, and the Cloud)
     Products:
     - CyaSSL, yaSSL
     - yaSSL Embedded Web Server
     © Copyright 2012 yaSSL, Slide 2 / 69

  2. Why is this Important?
     Ivan Ristic: Internet SSL Survey 2010, http://www.ssllabs.com
     - Alexa Top 1M sites: 120,000 use SSL (12%)

  3. What are we going to talk about?
     Part I: MySQL Security
       1. Good Security Practices for MySQL
     Part II: SSL/TLS
       1. Overview of SSL and TLS
       2. Configuring and Building MySQL with SSL
       3. MySQL SSL Command Options
       4. SSL Certificate Creation
       5. Performance Comparison
     Part III: Additional Security Concerns
       1. Data Storage and Encryption
     Part IV: Wrap-Up
       1. Licensing

  4. Part I: MySQL Security
     MySQL Updates, Account Passwords, Test Databases, mysqld, Privileges

  5. MySQL: Good Security Practices
     Do we really need to secure our MySQL database? YES!
     MySQL is susceptible to many attacks:
     - Basic attacks (empty password, etc.)
     - SQL injection attacks
     - Known MySQL bugs and vulnerabilities

  6. MySQL: Good Security Practices: Keeping MySQL Up to Date
     An easy way to stay better protected:
     - New MySQL patches, bug fixes, etc.
     - You should take advantage of updates

  7. MySQL: Good Security Practices
     'MySQL' vulnerabilities by year (cvedetails.com, nvd.nist.gov):
       2000: 3    2001: 6    2002: 8    2003: 5
       2004: 9    2005: 11   2006: 14   2007: 10
       2008: 6    2009: 7    2010: 6    2011: 16

  8. MySQL: Good Security Practices
     yaSSL vulnerabilities affecting MySQL in the past:
     - CVE-2005-3731: Certificate chain processing
     - CVE-2008-0227: Denial of service (crash)
     - CVE-2008-0226: Allowed execution of arbitrary code
     - CVE-2009-4484: Allowed execution of arbitrary code, denial of service possible

  9. MySQL: Good Security Practices: Passwords: Root Accounts
     - They are empty by default
     Quick check: mysql -u root ("Welcome to the MySQL monitor" = not good)
       shell> mysql -u root
       mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
           -> WHERE User = 'root';
       mysql> FLUSH PRIVILEGES;

  10. MySQL: Good Security Practices: Passwords: Anonymous Accounts
     Assign passwords to anonymous accounts:
       shell> mysql -u root -p
       Enter password: (enter root password here)
       mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
           -> WHERE User = '';
       mysql> FLUSH PRIVILEGES;
     Or remove the accounts:
       shell> mysql -u root -p
       Enter password: (enter root password here)
       mysql> DROP USER ''@'localhost';
       mysql> DROP USER ''@'host_name';

  11. MySQL: Good Security Practices: Passwords: Strength is Key
     Use strong passwords:
     - Combine letters and numbers
     - mhallwltpic++ = "mary had a little lamb who liked to program in C++"
     - uuidgen, pwgen tools

  12. MySQL: Good Security Practices: Securing Test Databases
     - By default, anyone can access the test databases: convenient for testing, not for production
     - Delete the databases or restrict privileges:
       shell> mysql -u root -p
       Enter password: (enter root password here)
       mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
       mysql> FLUSH PRIVILEGES;

  13. MySQL: Good Security Practices: Securing mysqld
     - Don't run MySQL as the root user:
       shell> mysqld --user=mysql
     - Disable remote access (--skip-networking): only allows access from the local machine

  14. MySQL: Good Security Practices: mysql_secure_installation script
     Allows you to:
     - Set a password for the root account
     - Remove root accounts that are accessible from outside the local host
     - Remove anonymous user accounts
     - Remove the test database that can be accessed by all users
     - Reload the privilege tables so that the above take effect
     * Not available on Windows

  15. MySQL: Good Security Practices: Notes about Privileges
     - Don't grant all users the PROCESS or SUPER privilege
       - They can see the text of currently executing queries (SHOW PROCESSLIST;)
     - Don't grant all users the FILE privilege
       - It enables reading/writing the file system wherever the mysqld process has access

  16. MySQL: Good Security Practices: Additional Measures
     These depend on your unique situation:
     - Restrict access to log files
       - Ensure only 'root' and the mysqld user can access them
     - Restrict MySQL data directory access to the server account only

  17. MySQL: Good Security Practices: Additional Measures
     - Add application-specific users
       - Each user has only the required privileges (e.g. a Ruby/PHP/etc. application)
     - Restrict where MySQL listens
       - You might only need to listen on localhost: --bind-address=127.0.0.1

  18. MySQL: Good Security Practices: Additional Measures
     - Can disable the LOAD DATA LOCAL INFILE command
       - It can allow reading of local files
     - Remove the content of the MySQL history file
       - All executed SQL commands are stored there:
         cat /dev/null > ~/.mysql_history

  19. Part II: SSL / TLS
     Overview, X.509 Certificates, Handshake, MySQL and SSL

  20. SSL: What is it?
     By default, MySQL uses unencrypted connections between the client and server!

  21. SSL: What is it?
     - Enables secure client/server communication, including:
       - Privacy: prevents eavesdropping
       - Authentication: prevents impersonation
       - Integrity: prevents modification
     - Can be implemented on almost any operating system (or bare metal!)

  22. SSL: Where does it fit?
     - Layered between the Transport and Application layers:
       Application layer: protocols secured by SSL/TLS (HTTP, SMTP, LDAP, etc.)
       SSL/TLS: Record Layer, carrying the Handshake, Change Cipher Spec and Alert protocols
       Transport layer: TCP
       Internet layer: IP
       Network Access layer

  23. SSL: Authentication
     - Do you really know who you're communicating with?
     (Diagram: Alice and Bob, each unsure who is on the other end)

  24. SSL: Authentication
     - Generate a key pair (private and public keys)
     (Diagram: Alice and Bob each hold a private key and a public key)

  25. SSL: Authentication
     - X.509 certificate == wrapper around a public key
     (Diagram: Alice's and Bob's public keys, each wrapped in an X.509 cert)

  26. SSL: X.509 Certificates
     The PEM-encoded form of an X.509 cert:
       (base64 certificate block from the slide omitted)
  27. SSL: X.509 Certificates
     The same X.509 cert, decoded:
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number:
                   87:4a:75:be:91:66:d8:3d
               Signature Algorithm: sha1WithRSAEncryption
               Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]
               Validity
                   Not Before: Oct 24 18:21:55 2011 GMT
                   Not After : Jul 20 18:21:55 2014 GMT
               Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                   Public-Key: (2048 bit)
                   Modulus: 00:c3:03:d1:2b:fe:39:a4 ...
                   Exponent: 65537 (0x10001)
               X509v3 extensions:
                   X509v3 Subject Key Identifier:
                       33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                   X509v3 Authority Key Identifier:
                       keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                       DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/[email protected]
                       serial:87:4A:75:BE:91:66:D8:3D
                   X509v3 Basic Constraints:
                       CA:TRUE
           Signature Algorithm: sha1WithRSAEncryption
               ... 1c:7c:42:81:29:9e:21:cf:d0:d8

  28. SSL: Authentication
     - Alice and Bob exchange CA-signed public keys
     (Diagram: each side's X.509 cert now carries a CA signature)

  29. SSL: Authentication
     - How do you get a CA-signed cert?
       Buy: VeriSign, DigiCert, Comodo, etc.
         - Costs $$$
         - Trusted
       Create: created yourself (self-sign)
         - Free!
         - Trusted (if you control both sides)

  30. SSL: Encryption
     - Uses a variety of encryption algorithms to secure data:
       Hashing functions: MD4, MD5, SHA ...
       Block and stream ciphers: DES, 3DES, AES, ARC4 ...
       Public key options: RSA, DSA, DSS ...
     Together these make up a CIPHER SUITE.

  31. SSL: Encryption
     - A common CIPHER SUITE is negotiated
     Naming template: Protocol_keyexchange_WITH_bulkencryption_mode_messageauth
       SSL_RSA_WITH_DES_CBC_SHA
       SSL_DHE_RSA_WITH_DES_CBC_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
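As an added example (not code from the deck or from yaSSL), the Python below parses suite names of the template shown on this slide and flags the components a hardening review would reject: single DES and RC4 as bulk ciphers, MD5 as the message authentication hash, and a static RSA key exchange, which gives no forward secrecy. The review thresholds are this editor's choices, not the deck's.

```python
"""Parse IANA-style SSL/TLS cipher-suite names, which follow the template
Protocol_keyexchange_WITH_bulkencryption_mode_messageauth, and flag the
components a hardening review of a MySQL cipher list would reject."""
import re

# Bulk ciphers from the deck's list (plus NULL), with nominal key bits.
BULK_KEY_BITS = {"DES": 56, "3DES_EDE": 168, "AES_128": 128,
                 "AES_256": 256, "RC4_128": 128, "NULL": 0}
WEAK_BULK = {"DES", "RC4_128", "NULL"}   # 56-bit DES, broken RC4, no encryption
WEAK_MAC = {"MD5", "NULL"}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}     # ephemeral key exchange


def parse_suite(name):
    """Split a suite name into the template's components.

    Block ciphers carry a mode token (CBC or GCM); stream ciphers such as
    RC4 do not, so the mode is None for them."""
    m = re.fullmatch(r"(SSL|TLS)_(.+)_WITH_(.+)", name)
    if not m:
        raise ValueError("not a Protocol_kx_WITH_... suite name: %r" % name)
    protocol, kx, rest = m.groups()
    parts = rest.split("_")
    mac = parts.pop()                    # message-authentication hash is last
    mode = parts.pop() if parts and parts[-1] in ("CBC", "GCM") else None
    bulk = "_".join(parts)
    return {"protocol": protocol, "key_exchange": kx, "bulk": bulk,
            "mode": mode, "mac": mac, "key_bits": BULK_KEY_BITS.get(bulk)}


def review_suite(name):
    """Return (components, findings); an empty findings list means the
    suite passes this review."""
    s = parse_suite(name)
    findings = []
    if s["bulk"] in WEAK_BULK:
        findings.append("weak bulk cipher " + s["bulk"])
    elif s["bulk"] == "3DES_EDE":
        findings.append("legacy bulk cipher 3DES")
    if s["mac"] in WEAK_MAC:
        findings.append("weak MAC " + s["mac"])
    if s["key_exchange"].split("_")[0] not in FORWARD_SECRET_KX:
        findings.append("no forward secrecy (" + s["key_exchange"] + " key exchange)")
    return s, findings


def acceptable_suites(names):
    """Filter a candidate list down to the suites with no findings."""
    return [n for n in names if not review_suite(n)[1]]


if __name__ == "__main__":
    # The five suites listed on the slide, as constructed input.
    for n in ["SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
              "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]:
        print(n, review_suite(n)[1] or "ok")
```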
  32. SSL: Handshake
     1. Client -> Server: Client Hello (cryptographic info: SSL version, supported ciphers, etc.)
     2. Server -> Client: Server Hello (chosen cipher suite), Server Certificate,
        Server Key Exchange (public key), (Client Certificate Request), Server Hello Done
     3. Client: verify the server cert, check the crypto parameters
     4. Client -> Server: (Client Certificate), Client Key Exchange, (Certificate Verify)
     5. Server: verify the client cert (if required)
     6. Client -> Server: Change Cipher Spec, Client Finished
     7. Server -> Client: Change Cipher Spec, Server Finished
     8. Both sides exchange messages (encrypted)
     (Messages in parentheses are only sent when client authentication is used.)

  33. SSL: Where is it used?
     SSL is everywhere!
     - Browsers
     - Email
     - Routers
     - Factory automation
     - VoIP
     - Automobile communications
     - Sensors
     - Smart power meters
     And much more!!

  34. SSL: What does MySQL provide?
     - Your system must support either OpenSSL or yaSSL
     - MySQL must be built with SSL support
     Note: MySQL is bundled with yaSSL

  35. MySQL: Is SSL Enabled? Checking for SSL
     - Confirm that the user table in the 'mysql' database includes the SSL-related columns
       (names beginning with ssl_ and x509_)
     - Check whether the binary is compiled with SSL support:
       shell> mysqld --ssl --help
       060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
       (an "unknown option" error like this means the binary was built without SSL)
     - mysqld: check the 'have_ssl' system variable

  36. MySQL: Building with SSL
     Configure MySQL to use the built-in SSL (yaSSL):
       shell> cmake . -DWITH_SSL=bundled
     -DWITH_SSL options:
       no:      No SSL support (default)
       yes:     Use the system SSL library if present, else the bundled library
       bundled: SSL library bundled with MySQL (yaSSL)
       system:  Use the system SSL library
     ** yaSSL on Unix requires /dev/urandom and /dev/random to be available

  37. MySQL: Starting the Server
     To allow client connections through SSL, start MySQL with the appropriate options:
       shell> mysqld_safe --user=mysql \
                --ssl-ca=ca-cert.pem \
                --ssl-cert=server-cert.pem \
                --ssl-key=server-key.pem
     --ssl-ca: identifies the certificate authority certificate
     --ssl-cert: identifies the server certificate (public key)
     --ssl-key: identifies the server private key

  38. MySQL: Starting the Client
     I. Account created with a GRANT statement including REQUIRE SSL:
       shell> mysql -u user -p --ssl-ca=ca-cert.pem
     II. Account created with REQUIRE X509 in addition:
       shell> mysql -u user -p --ssl-ca=ca-cert.pem \
                --ssl-cert=client-cert.pem \
                --ssl-key=client-key.pem

  39. MySQL: SSL Options
     Name                     Cmd-Line  Option File  System Var  Var Scope  Dynamic
     have_openssl             -         -            Yes         Global     No
     have_ssl                 -         -            Yes         Global     No
     skip-ssl                 Yes       Yes          -           -          -
     ssl                      Yes       Yes          -           -          -
     ssl-ca                   Yes       Yes          -           Global     No
     ssl-capath               Yes       Yes          -           Global     No
     ssl-cert                 Yes       Yes          -           Global     No
     ssl-cipher               Yes       Yes          -           Global     No
     ssl-key                  Yes       Yes          -           Global     No
     ssl-verify-server-cert   Yes       Yes          -           -          -
     http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html

  40. MySQL: SSL Options: have_openssl, have_ssl
     YES = mysqld supports SSL connections
     DISABLED = the server was compiled with SSL support, but SSL is not enabled (no --ssl-xxx options given)
     Check: SHOW VARIABLES LIKE 'have%ssl';

  41. MySQL: SSL Options: skip-ssl, ssl
     skip-ssl: indicates that SSL should not be used; same as using --ssl=0
     ssl:
       Server: specifies that the server permits SSL connections
       Client: permits a client to connect to the server using SSL

  42. MySQL: SSL Options: ssl-ca, ssl-capath
     ssl-ca: the path to the file containing the list of trusted CAs
     ssl-capath: the path to a directory containing trusted CAs (PEM format)
       *NOTE: only supported when using OpenSSL

  43. MySQL: SSL Options: ssl-cert, ssl-cipher
     ssl-cert: name of the SSL certificate to be used
     ssl-cipher: a list of permissible ciphers to use for SSL
       --ssl-cipher=AES128-SHA
       --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

  44. MySQL: SSL Options: ssl-key, ssl-verify-server-cert
     ssl-key: name of the SSL key file
     ssl-verify-server-cert:
       - Clients only
       - The server's Common Name is verified against the server host name
       - The connection is rejected if there is no match
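The X.509 fields decoded on slide 27, the self-signed versus CA-signed distinction of slides 28 to 30, and the Common Name check behind ssl-verify-server-cert above, worked through in Python as an added example (not the deck's or MySQL's code): it parses an openssl x509 -text style dump and reports whether the certificate is self-signed, whether it is inside its validity window, and whether its CN matches a given host name. The sample dump is constructed from the slide's certificate, and the exact, case-insensitive CN comparison is this editor's assumption about how MySQL's check behaves.

```python
"""Parse the text form of an X.509 certificate (openssl x509 -text layout)
and run the checks the deck describes: self-signed or CA-issued, validity
window, and CN versus server host name (the --ssl-verify-server-cert check)."""
from datetime import datetime, timezone

# Constructed sample mirroring the fields of the certificate on the slide.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Basic Constraints:
                CA:TRUE
"""

def _parse_name(value):
    """'C=US, ST=Oregon, CN=host' -> {'C': 'US', 'ST': 'Oregon', 'CN': 'host'}"""
    return dict(part.strip().split("=", 1) for part in value.split(","))

def _parse_time(value):
    """'Oct 24 18:21:55 2011 GMT' -> timezone-aware UTC datetime."""
    text = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Pull the fields the checks below need out of an openssl -text dump."""
    cert = {"issuer": None, "subject": None, "not_before": None,
            "not_after": None, "ski": None, "aki": None, "is_ca": False}
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Issuer:"):
            cert["issuer"] = _parse_name(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            cert["subject"] = _parse_name(line.split(":", 1)[1])
        elif line.startswith("Not Before"):
            cert["not_before"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            cert["not_after"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("X509v3 Subject Key Identifier"):
            cert["ski"] = lines[i + 1]           # value sits on the next line
        elif line.startswith("X509v3 Authority Key Identifier"):
            cert["aki"] = lines[i + 1].replace("keyid:", "", 1)
        elif line == "CA:TRUE":
            cert["is_ca"] = True
    return cert

def is_self_signed(cert):
    """Subject equals issuer and any authority key id names the cert's own
    key: the 'create it yourself' case from the deck."""
    if cert["subject"] != cert["issuer"]:
        return False
    return cert["aki"] is None or cert["aki"] == cert["ski"]

def is_valid_at(cert, when):
    """True when 'when' (an aware datetime) lies inside the validity window."""
    return cert["not_before"] <= when <= cert["not_after"]

def cn_matches_host(cert, hostname):
    """ssl-verify-server-cert style check: the server cert's CN must equal
    the host name the client connected to (assumed exact, case-insensitive)."""
    return cert["subject"].get("CN", "").lower() == hostname.lower()
```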
  45. SSL: Certificate Creation: A. Generating Certificates
     1. Create the CA certificate (private key, public cert)
     2. Create the server key
     3. Create the server certificate
     4. Create the client key
     5. Create the client certificate

  46. SSL: Certificate Creation: A. Generating Certificates
     Create the CA certificate (private key, public cert):
       shell> openssl genrsa 2048 > ca-key.pem
       shell> openssl req -new -x509 -nodes -days 1000 \
                -key ca-key.pem > ca-cert.pem

  47. SSL: Certificate Creation: A. Generating Certificates
     Create the server key and certificate:
       shell> openssl req -newkey rsa:2048 -days 1000 \
                -nodes -keyout server-key.pem > server-req.pem
       shell> openssl x509 -req -in server-req.pem -days 1000 \
                -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

  48. SSL: Certificate Creation: A. Generating Certificates
     Create the client key and certificate:
       shell> openssl req -newkey rsa:2048 -days 1000 \
                -nodes -keyout client-key.pem > client-req.pem
       shell> openssl x509 -req -in client-req.pem -days 1000 \
                -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

  49. SSL: Certificate Creation: A. Generating Certificates
     Remove the passphrase from the client/server key:
       shell> openssl rsa -in client-key.pem -out client-key.pem
       shell> openssl rsa -in server-key.pem -out server-key.pem

  50. MySQL: SSL Performance
     Test machine: MacBook Pro, 2.33 GHz, 2 GB 667 MHz DDR2 SDRAM, Mac OS X 10.6.6 (Snow Leopard)

  51. MySQL: SSL Performance
     Command: du -sh .
     MySQL footprint size, SSL vs. No SSL: SSL 239 Mb, No SSL 227 Mb
     Result: 5.3% difference (12 Mb)

  52. MySQL: SSL Performance
     Command: du -sh *
     MySQL footprint comparison (detail), size in Mb:
       bin: SSL 86, No SSL 79
       lib: SSL 13, No SSL 9.2

  53. MySQL: SSL Performance
     (Chart: MySQL average SELECT query times, No SSL vs. SSL, 100,000 requests, sysbench;
      average query time (ms) plotted against concurrency, i.e. number of client connections)

  54. MySQL: SSL Performance
     MySQL average SELECT query times (ms), No SSL vs. SSL, 100,000 requests, sysbench:
       Concurrency (# of client connections):  1     2     4     8     16    32
       No SSL:                                 0.1   0.1   0.21  0.65  1.33  2.67
       SSL:                                    0.14  0.14  0.29  0.76  1.62  3.32

  55. MySQL: SSL Performance
     MySQL average SELECT query times, No SSL vs. SSL, 100,000 requests, sysbench, client concurrency = 8:
       No SSL: 0.65 ms, SSL: 0.76 ms
     16.9% difference (0.11 ms)

  56. Data Storage and Encryption: Client Side Encryption
     - Encrypt data in code before it is passed to MySQL
     - Many encryption modules available (PHP, Perl, etc.)
     Advantages:
     - Data is encrypted between the code and MySQL
     - Allows the use of bin logging (MySQL backup/replication)
     Disadvantages:
     - What to do with the key?

  57. Data Storage and Encryption: Server Side Encryption
     - AES_ENCRYPT(), AES_DECRYPT() functions
       - AES-128 by default
       - AES-256 with a source-code change
     - Entire disk encryption
     - Transparent Data Encryption (Gazzang ezNcrypt)

  58. Data Storage and Encryption: Gazzang ezNcrypt
     - ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
     - Traditionally called Transparent Data Encryption (TDE)
       - The data is encrypted transparently; no changes are needed to your application, code or MySQL.
     (Diagram: the application issues "insert into orders (number, credit card, ...) values (20090101, 4307, ...)";
      the Orders table holds 20090101,4307 while the file orders.myd on disk holds only ciphertext)

  59. Data Storage and Encryption: Gazzang ezNcrypt
     - Gazzang Key Storage System (KSS)

  60. Data Storage and Encryption: Server Side Encryption
     Advantages:
     - Data is stored encrypted
     - Easy to use
     Disadvantages:
     - Bin logging (all queries are shown in plain text); exception: Gazzang can protect the bin logs
     - What to do with the key?

  61. Licensing Concerns: yaSSL vs. OpenSSL
     - OpenSSL uses a BSD-style license with an announcement clause
       - Makes it incompatible with the GPL
     - yaSSL = dual licensed (GPL, Commercial)

  62. What did we cover?
     Part I: MySQL Security
       1. Good Security Practices for MySQL
     Part II: SSL/TLS
       1. Overview of SSL and TLS
       2. Configuring and Building MySQL with SSL
       3. MySQL SSL Command Options
       4. SSL Certificate Creation
       5. Performance Comparison
     Part III: Additional Security Concerns
       1. Data Storage and Encryption

  63. http://www.yassl.com
     Email: [email protected]
     Phone: (206) 369-4800
     Thanks!

  64. Helpful Sources
     MySQL Manual:
       http://dev.mysql.com/doc/refman/5.5/en/
       http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
       http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
       http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
       http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
     MySQL security resources around the Internet:
       http://www.symantec.com/connect/articles/secure-mysql-database-design
     SSL/TLS:
       https://www.ssllabs.com/
       http://en.wikipedia.org/wiki/Transport_Layer_Security