Page 1: Securing MySQL with a Focus on SSL

http://www.yassl.com (206) 369-4800

Securing MySQL
With a Focus on SSL

Page 2: Securing MySQL with a Focus on SSL

yaSSL (yet another SSL)

Founded: 2004
Location: Bozeman, MT; Seattle, WA; Portland, OR

Our Focus: Open Source Embedded Security (for Applications, Devices, and the Cloud)

Products:
- CyaSSL, yaSSL
- yaSSL Embedded Web Server

© Copyright 2012 yaSSL Slide 2 / 69

Page 3: Securing MySQL with a Focus on SSL

Why is this Important?

Ivan Ristic: Internet SSL Survey 2010 http://www.ssllabs.com

•  Alexa Top 1M Sites: 120,000 use SSL (12%)

Page 4: Securing MySQL with a Focus on SSL

What are we going to talk about?

Part I: MySQL Security
1.  Good Security Practices for MySQL

Part II: SSL/TLS
1.  Overview of SSL and TLS
2.  Configuring and Building MySQL with SSL
3.  MySQL SSL Command Options
4.  SSL Certificate Creation
5.  Performance Comparison

Part III: Additional Security Concerns
1.  Data Storage and Encryption

Part IV: Wrap-Up
1.  Licensing

Page 5: Securing MySQL with a Focus on SSL

Part I: MySQL Security

Topics: MySQL Updates, Account Passwords, Test Databases, mysqld, Privileges

Page 6: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Do we really need to secure our MySQL database?

YES!

MySQL is Susceptible to Many Attacks:
-  Basic Attacks (empty password, etc.)
-  SQL Injection Attacks
-  Known MySQL Bugs and Vulnerabilities

Page 7: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Keeping MySQL Up to Date

An easy way to stay better protected:
- New MySQL patches, bug fixes, etc.
- You should take advantage of updates

Page 8: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

[Chart: 'MySQL' Vulnerabilities by Year, 2000 to 2011, source cvedetails.com (nvd.nist.gov); per-year data labels as extracted: 3, 6, 8, 5, 9, 11, 14, 10, 6, 7, 6, 16]

Page 9: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

•  yaSSL Vulnerabilities affecting MySQL in the past:

CVE-2005-3731  Certificate Chain Processing
CVE-2008-0227  Denial of Service (crash)
CVE-2008-0226  Allowed Execution of Arbitrary Code
CVE-2009-4484  Allowed Execution of Arbitrary Code, Denial of Service Possible

Page 10: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Passwords: Root Accounts
•  They are empty by default

Quick Check: mysql -u root   ("Welcome to the MySQL monitor" = Not Good)

shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

Page 11: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Passwords: Anonymous Accounts

Assign passwords to anonymous accounts:

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = '';
mysql> FLUSH PRIVILEGES;

Or remove the accounts:

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';

Page 12: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Passwords: Strength is Key

Use strong passwords:
•  Combine letters and numbers
•  mhallwltpic++ = "mary had a little lamb who liked to program in C++"
•  uuidgen, pwgen tools

Page 13: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Securing Test Databases
•  By default, anyone can access test databases
   - Convenient for testing, not for production
•  Delete the databases or restrict privileges

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;

Page 14: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Securing mysqld
•  Don't run MySQL as the root user

shell> mysqld --user=mysql

•  Disable Remote Access (--skip-networking)
   - Only allows access from the local machine

Page 15: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

mysql_secure_installation script

Allows you to:
•  Set a password for the root account
•  Remove root accounts that are accessible from outside of the local host
•  Remove anonymous user accounts
•  Remove the test database that can be accessed by all users
•  Reload the privilege tables so that the above take effect

* Not available on Windows

Page 16: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Notes about Privileges
•  Don't grant all users the PROCESS or SUPER privilege
   –  Can see the text of currently-executing queries (SHOW PROCESSLIST;)
•  Don't grant all users the FILE privilege
   –  Enables reading/writing the file system wherever the mysqld process has access

Page 17: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Additional Measures

These depend on your unique situation:
•  Restrict access to log files
   - Ensure only 'root' and the mysqld user can access them
•  Restrict MySQL data directory access to the server account only

Page 18: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Additional Measures  

•  Add Application-specific Users
   - Each user only has the required privileges (Ex: Ruby/PHP/etc. application)
•  Restrict where MySQL listens
   - You might only need to listen on localhost: --bind-address=127.0.0.1

Page 19: Securing MySQL with a Focus on SSL

MySQL: Good Security Practices

Additional Measures
•  Can disable the LOAD DATA LOCAL INFILE command
   - Can allow reading of local files
•  Remove the content of the MySQL history file
   - All executed SQL commands are stored there

cat /dev/null > ~/.mysql_history
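The account checks of Part I (empty root password, anonymous accounts, remote root, the FILE/PROCESS/SUPER privileges, and whether a remote account is forced to use SSL) can be run as one audit over the mysql.user table. The script below is an added example, not code from the yaSSL deck or from MySQL; the rows are constructed to look like MySQL 5.5's mysql.user table (the column names are real, the hosts, users and the hash value are made up), and in practice you would feed it the result of SELECT Host, User, Password, File_priv, Process_priv, Super_priv, ssl_type FROM mysql.user.

```python
"""Audit mysql.user rows for the account weaknesses Part I of the deck lists.

Added example, not code from the yaSSL deck or from MySQL. The rows are
constructed: real MySQL 5.5 column names, made-up hosts, users and hash.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample data; the Password value is a placeholder, not a real hash.
PLACEHOLDER_HASH = "*0000000000000000000000000000000000000000"
SAMPLE_USERS = [
    {"Host": "localhost", "User": "root", "Password": "",
     "File_priv": "Y", "Process_priv": "Y", "Super_priv": "Y", "ssl_type": ""},
    {"Host": "%", "User": "root", "Password": PLACEHOLDER_HASH,
     "File_priv": "Y", "Process_priv": "Y", "Super_priv": "Y", "ssl_type": ""},
    {"Host": "localhost", "User": "", "Password": "",
     "File_priv": "N", "Process_priv": "N", "Super_priv": "N", "ssl_type": ""},
    {"Host": "10.0.0.%", "User": "webapp", "Password": PLACEHOLDER_HASH,
     "File_priv": "Y", "Process_priv": "N", "Super_priv": "N", "ssl_type": ""},
    {"Host": "10.0.0.%", "User": "reporting", "Password": PLACEHOLDER_HASH,
     "File_priv": "N", "Process_priv": "N", "Super_priv": "N", "ssl_type": "X509"},
]

BROAD_PRIVS = (("File_priv", "FILE"), ("Process_priv", "PROCESS"), ("Super_priv", "SUPER"))


def audit_users(rows):
    """Return sorted (host, user, finding) tuples, one per weakness found."""
    findings = []
    for r in rows:
        who = (r["Host"], r["User"])
        if r["User"] == "":                      # slide 11: anonymous accounts
            findings.append((*who, "anonymous account"))
        if r["Password"] == "":                  # slide 10: empty passwords
            findings.append((*who, "empty password"))
        if r["User"] == "root" and r["Host"] not in LOCAL_HOSTS:   # slide 15
            findings.append((*who, "root reachable from non-local host"))
        if r["User"] != "root":                  # slide 16: FILE / PROCESS / SUPER
            for col, priv in BROAD_PRIVS:
                if r[col] == "Y":
                    findings.append((*who, f"{priv} privilege granted"))
        if r["ssl_type"] == "" and r["Host"] not in LOCAL_HOSTS:   # Part II: REQUIRE SSL/X509
            findings.append((*who, "remote account without REQUIRE SSL/X509"))
    return sorted(findings)


def remediation_sql(rows):
    """Statements from slides 10 and 11 for the two mechanical fixes: drop
    anonymous accounts, set a password where none is set, then reload the
    grant tables. '<newpwd>' is a placeholder for the operator to fill in."""
    stmts = []
    for r in rows:
        if r["User"] == "":
            stmts.append(f"DROP USER ''@'{r['Host']}';")
        elif r["Password"] == "":
            stmts.append("UPDATE mysql.user SET Password = PASSWORD('<newpwd>') "
                         f"WHERE User = '{r['User']}' AND Host = '{r['Host']}';")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    for host, user, finding in audit_users(SAMPLE_USERS):
        print(f"'{user}'@'{host}': {finding}")
    print("\n".join(remediation_sql(SAMPLE_USERS)))
```

Only the 'reporting' account passes cleanly: it has a password, no broad privileges, and REQUIRE X509 (ssl_type = 'X509'). Root accounts keep FILE/PROCESS/SUPER by design, so the privilege check is applied to the other accounts only; the remote root entry is reported on its own.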

Page 20: Securing MySQL with a Focus on SSL

Part II: SSL / TLS

Topics: Overview, X.509 Certificates, Handshake, MySQL and SSL

Page 21: Securing MySQL with a Focus on SSL

SSL: What is it?

By default, MySQL uses unencrypted connections between the client and server!


Page 22: Securing MySQL with a Focus on SSL

SSL: What is it?
•  Enables secure client/server communication, including:
   Privacy         +  Prevent eavesdropping
   Authentication  +  Prevent impersonation
   Integrity       +  Prevent modification
•  Can be implemented on almost any operating system (or bare metal!)

Page 23: Securing MySQL with a Focus on SSL

SSL: Where does it fit?
- Layered between the Transport and Application layers:

   Application Layer   HTTP, LDAP, etc.   |  SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol
                                          |  Protocols secured by SSL/TLS: HTTP, SMTP, etc.
                                          |  SSL Record Layer
   Transport Layer     TCP
   Internet Layer      IP
   Network Layer       Network Access

Page 24: Securing MySQL with a Focus on SSL

SSL: Authentication
- Do you really know who you're communicating with?

[Figure: Alice  ??  Bob]

Page 25: Securing MySQL with a Focus on SSL

SSL: Authentication
- Generate a key pair (private and public keys)

[Figure: Alice and Bob each hold a Private key and a Public key]

Page 26: Securing MySQL with a Focus on SSL

SSL: Authentication
- X.509 Certificate == Wrapper around public key

[Figure: Alice and Bob each hold a Private key and a Public key wrapped in an X509Cert]

Page 27: Securing MySQL with a Focus on SSL

SSL: X.509 Certificates

X509Cert (PEM encoding):

-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----

Page 28: Securing MySQL with a Focus on SSL

SSL: X.509 Certificates

X509Cert (decoded):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:4a:75:be:91:66:d8:3d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:03:d1:2b:fe:39:a4 ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/[email protected]
                serial:87:4A:75:BE:91:66:D8:3D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        ... 1c:7c:42:81:29:9e:21:cf:d0:d8
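Slide 27 shows the certificate as PEM text and slide 28 shows the same bytes decoded; the two views can be connected with nothing but Python's standard ssl module. The block below is an added example, not code from the yaSSL deck: it loads the slide 27 certificate (line breaks restored) as a trust anchor, reads back the fields slide 28 highlights, and applies the validity-window check a client performs at handshake step 3 before trusting a certificate. Nothing beyond the certificate on the page is assumed.

```python
"""Decode the X.509 certificate from slides 27 and 28 with Python's standard
ssl module and apply the validity check a client performs before trusting it.

Added example, not code from the yaSSL deck. The PEM below is the certificate
printed on slide 27 with its line breaks restored.
"""
import ssl
import time

YASSL_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----
"""


def decode_ca_cert(pem):
    """Parse a PEM CA certificate and return the fields slide 28 highlights."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem)
    # get_ca_certs() lists the loaded certificates whose Basic Constraints
    # say CA:TRUE, which is what slide 28 shows for this one.
    (cert,) = ctx.get_ca_certs()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "version": cert["version"],
        "serial": cert["serialNumber"],          # hex digits, no colons
        "subject_cn": subject["commonName"],
        "issuer_cn": issuer["commonName"],
        "self_signed": subject == issuer,        # issuer == subject: self-signed CA
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
    }


def is_valid_at(info, now=None):
    """Validity-window check (handshake step 3, 'verify server cert').
    `now` is epoch seconds; defaults to the current time."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(info["not_before"])
    end = ssl.cert_time_to_seconds(info["not_after"])
    return start <= now <= end


if __name__ == "__main__":
    info = decode_ca_cert(YASSL_CERT_PEM)
    for key, value in info.items():
        print(f"{key:>12}: {value}")
    print("valid today:", is_valid_at(info))
```

The serial number comes back as 874A75BE9166D83D, the same value slide 28 prints with colons, and issuer equals subject, which is what makes this a self-signed CA certificate in the sense of slide 30. Its validity ended in July 2014, so a client checking it today would reject the connection even though the signature still verifies.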

Page 29: Securing MySQL with a Focus on SSL

SSL: Authentication
- Alice and Bob exchange CA-signed public keys

[Figure: Alice and Bob each hold a Private key and a CA-signed X509Cert containing their Public key]

Page 30: Securing MySQL with a Focus on SSL

SSL: Authentication
- How do you get a CA-signed cert?

Buy:     VeriSign, DigiCert, Comodo, etc.
         -  Costs $$$
         -  Trusted

Create:  Created yourself (self-sign)
         -  Free!
         -  Trusted (if you control both sides)

Page 31: Securing MySQL with a Focus on SSL

SSL: Encryption
- Uses a variety of encryption algorithms to secure data:

   Hashing Functions:         MD4, MD5, SHA ...
   Block and Stream Ciphers:  DES, 3DES, AES, ARC4 ...
   Public Key Options:        RSA, DSA, DSS ...

   Together these make up a CIPHER SUITE

Page 32: Securing MySQL with a Focus on SSL

SSL: Encryption
- A common CIPHER SUITE is negotiated

Protocol_keyexchange_WITH_bulkencryption_mode_messageauth

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Page 33: Securing MySQL with a Focus on SSL

SSL: Handshake

1. Client -> Server: Client Hello (cryptographic info: SSL version, supported ciphers, etc.)
2. Server -> Client: Server Hello (chosen cipher suite), Server Certificate, Server Key Exchange (public key), (Client Certificate Request), Server Hello Done
3. Client: verify server cert, check crypto parameters
4. Client -> Server: Client Key Exchange, with (Client Certificate) and (Certificate Verify) when a client certificate was requested
5. Server: verify client cert (if required)
6. Client -> Server: Change Cipher Spec, Client Finished
7. Server -> Client: Change Cipher Spec, Server Finished
8. Exchange Messages (Encrypted)

Messages in parentheses are optional.

Page 34: Securing MySQL with a Focus on SSL

SSL: Where is it used?

SSL is Everywhere!
- Browsers
- Email
- Routers
- Factory Automation
- VoIP
- Automobile Communications
- Sensors
- Smart Power Meters

And much more!!

Page 35: Securing MySQL with a Focus on SSL

SSL: What does MySQL provide?
- Your system must support either OpenSSL or yaSSL
- MySQL must be built with SSL support

Note: MySQL is bundled with yaSSL

Page 36: Securing MySQL with a Focus on SSL

MySQL: Is SSL Enabled?

Checking for SSL
•  Confirm that the user table in the 'mysql' database includes the SSL-related columns:
   - Beginning with: ssl_, x509_
•  Check whether the binary is compiled with SSL support:

shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'

   (an error like the one above means the binary was built without SSL support)
•  mysqld: check the 'have_ssl' system variable

Page 37: Securing MySQL with a Focus on SSL

MySQL: Building with SSL

Configure MySQL to use the built-in SSL (yaSSL):

shell> cmake . -DWITH_SSL=bundled

-DWITH_SSL options:
   no:       No SSL support (default)
   yes:      Use the system SSL library if present, else the bundled library
   bundled:  SSL library bundled with MySQL (yaSSL)
   system:   Use the system SSL library

** yaSSL on Unix requires /dev/urandom and /dev/random to be available

Page 38: Securing MySQL with a Focus on SSL

MySQL: Starting the Server

To allow client connections through SSL, start MySQL with the appropriate options:

shell> mysqld_safe --user=mysql \
         --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem

--ssl-ca:    identifies the certificate authority certificate
--ssl-cert:  identifies the server certificate (public key)
--ssl-key:   identifies the server private key

Page 39: Securing MySQL with a Focus on SSL

MySQL: Starting the Client

I. Account created with a GRANT statement including REQUIRE SSL:

shell> mysql -u user -p --ssl-ca=ca-cert.pem

II. Account created with REQUIRE X509 in addition:

shell> mysql -u user -p --ssl-ca=ca-cert.pem \
         --ssl-cert=client-cert.pem \
         --ssl-key=client-key.pem

Page 40: Securing MySQL with a Focus on SSL

MySQL: SSL Options

Name                    Cmd-Line   Option File   System Var   Var Scope   Dynamic
have_openssl                                     Yes          Global      No
have_ssl                                         Yes          Global      No
skip-ssl                Yes        Yes
ssl                     Yes        Yes
ssl-ca                  Yes        Yes           Yes          Global      No
ssl-capath              Yes        Yes           Yes          Global      No
ssl-cert                Yes        Yes           Yes          Global      No
ssl-cipher              Yes        Yes           Yes          Global      No
ssl-key                 Yes        Yes           Yes          Global      No
ssl-verify-server-cert  Yes        Yes

http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html

Page 41: Securing MySQL with a Focus on SSL

MySQL: SSL Options

have_openssl, have_ssl

YES = mysqld supports SSL connections
DISABLED = the server was compiled with SSL support but it is not enabled (no --ssl-xxx options given)

Check: SHOW VARIABLES LIKE 'have%ssl';

Page 42: Securing MySQL with a Focus on SSL

MySQL: SSL Options

skip-ssl
   Indicates that SSL should not be used. Same as using --ssl=0

ssl
   Server: specifies that the server permits SSL connections
   Client: permits a client to connect to the server using SSL

Page 43: Securing MySQL with a Focus on SSL

MySQL: SSL Options

ssl-ca
   The path to the file containing the list of trusted CAs

ssl-capath
   The path to a directory containing trusted CAs (PEM format)
   *NOTE: Only supported when using OpenSSL

Page 44: Securing MySQL with a Focus on SSL

MySQL: SSL Options

ssl-cert
   Name of the SSL certificate to be used

ssl-cipher
   A list of permissible ciphers to use for SSL

   --ssl-cipher=AES128-SHA
   --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
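Slides 31 and 32 describe a cipher suite as a protocol, key exchange, bulk cipher, mode and message authentication algorithm, negotiated to a common choice; the --ssl-cipher option above restricts which of them may be chosen, using OpenSSL's short names rather than the IANA names of slide 32. The block below is an added example, not code from the yaSSL deck, MySQL or OpenSSL, covering both slides: it parses IANA suite names into slide 32's template, maps the five suites the deck shows to their OpenSSL names (assumption: the table covers only those five), and models negotiation under an --ssl-cipher list by picking in the server's preference order, which is one of the policies a real TLS stack may apply.

```python
"""Cipher suite names (slides 31-32) and negotiation under a MySQL
--ssl-cipher list (slide 44).

Added example, not code from the yaSSL deck, MySQL or OpenSSL. The IANA to
OpenSSL name table covers only the five suites shown in the deck, and the
negotiation policy (server preference order) is an assumption.
"""
import re

# Slide 32's template: Protocol_keyexchange_WITH_bulkencryption_mode_messageauth
SUITE_RE = re.compile(
    r"^(?P<protocol>SSL|TLS)_(?P<kex>.+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

# IANA names from slide 32 and the OpenSSL names --ssl-cipher expects (slide 44).
OPENSSL_NAMES = {
    "SSL_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA": "EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
}
IANA_NAMES = {v: k for k, v in OPENSSL_NAMES.items()}


def parse_suite(name):
    """Split an IANA suite name into the parts of slide 32's template."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a cipher suite name: {name!r}")
    parts = m["cipher"].split("_")
    mode = parts.pop() if parts[-1] in ("CBC", "GCM") else None
    return {
        "protocol": m["protocol"],
        "key_exchange": m["kex"],
        "forward_secrecy": m["kex"].startswith(("DHE", "ECDHE")),  # ephemeral DH
        "bulk_cipher": "_".join(parts),
        "mode": mode,
        "mac": m["mac"],
    }


def is_weak(suite):
    """Single DES (56-bit key) and MD5 are the weak choices among the
    algorithms slide 31 lists."""
    return suite["bulk_cipher"] == "DES" or suite["mac"] == "MD5"


def negotiate(client_offered, ssl_cipher):
    """Return the first suite in the server's --ssl-cipher list (OpenSSL
    names, colon separated) that the client also offered, or None when the
    two sides have no suite in common (the handshake then fails)."""
    offered = set(client_offered)
    for openssl_name in ssl_cipher.split(":"):
        iana = IANA_NAMES.get(openssl_name)
        if iana in offered:
            return iana
    return None


if __name__ == "__main__":
    client = list(OPENSSL_NAMES)   # a client offering everything on slide 32
    for policy in ("AES128-SHA", "DHE-RSA-AES256-SHA:AES128-SHA", "DES-CBC-SHA"):
        chosen = negotiate(client, policy)
        flag = "(weak)" if chosen and is_weak(parse_suite(chosen)) else ""
        print(f"--ssl-cipher={policy:<32} -> {chosen} {flag}")
```

With the deck's second example, --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA, a client offering all five suites ends up on TLS_DHE_RSA_WITH_AES_256_CBC_SHA, and a client that only offers the DES suites cannot connect at all, which is the point of listing permissible ciphers on the server side.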

Page 45: Securing MySQL with a Focus on SSL

MySQL: SSL Options

ssl-key
   Name of the SSL key file

ssl-verify-server-cert
   - Clients only
   - Server's Common Name verified against the server host name
   - Connection rejected if no match
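The check behind --ssl-verify-server-cert is what stops a valid certificate for some other host from being accepted: the client compares the name in the server certificate with the host it connected to and rejects the connection on mismatch. The block below is an added example, not MySQL's or yaSSL's own implementation. It goes a little beyond the CN-only comparison the slide describes: when the certificate carries dNSName subjectAltNames they are used instead of the CN, and a wildcard is accepted only as the whole leftmost label of a name with at least three labels, which is how current TLS clients apply RFC 6125. The `cert_names` argument is an assumed, already-extracted structure with keys 'cn' and optional 'dns_sans'.

```python
"""Host name check behind --ssl-verify-server-cert (slide 45).

Added example, not MySQL's or yaSSL's own implementation. `cert_names` is an
assumed structure: {"cn": ..., "dns_sans": [...]} already extracted from the
server certificate.
"""
import ipaddress


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Case-insensitive match of one certificate name against the host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if _is_ip_literal(host):
        return False   # wildcards never match IP addresses
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False   # no '*.com', and '*' covers exactly one label
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False   # the wildcard must be the entire leftmost label
    return p_labels[1:] == h_labels[1:]


def server_cert_matches_host(cert_names, host):
    """True if the host the client connected to is one the certificate names.
    dNSName SANs take precedence over the CN when present."""
    candidates = cert_names.get("dns_sans") or [cert_names["cn"]]
    return any(name_matches(c, host) for c in candidates)


if __name__ == "__main__":
    # Constructed certificate names, not from any real server.
    cert = {"cn": "db.example.com",
            "dns_sans": ["db.example.com", "*.db-pool.example.com"]}
    for host in ("db.example.com", "node1.db-pool.example.com",
                 "a.b.db-pool.example.com", "10.0.0.5"):
        verdict = "accept" if server_cert_matches_host(cert, host) else "reject"
        print(f"{host:<28} {verdict}")
```

A connection made to an IP address only passes when the certificate literally names that address, so a server certificate issued for a host name will be rejected by a client that connects with -h 10.0.0.5; connect by the name in the certificate, or issue the certificate for the name the clients actually use.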

Page 46: Securing MySQL with a Focus on SSL

SSL: Certificate Creation

A. Generating Certificates
   1. Create CA certificate (private key, public cert)
   2. Create server key
   3. Create server certificate
   4. Create client key
   5. Create client certificate

Page 47: Securing MySQL with a Focus on SSL

SSL: Certificate Creation

A. Generating Certificates
Create CA certificate (private key, public cert):

shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem

Page 48: Securing MySQL with a Focus on SSL

SSL: Certificate Creation

A. Generating Certificates
Create server key and certificate:

shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Page 49: Securing MySQL with a Focus on SSL

SSL: Certificate Creation

A. Generating Certificates
Create client key and certificate:

shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

Page 50: Securing MySQL with a Focus on SSL

SSL: Certificate Creation

A. Generating Certificates
Remove passphrase from client/server key:

shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem

Page 51: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

Test Machine
   MacBook Pro, 2.33 GHz
   2 GB 667 MHz DDR2 SDRAM
   Mac OS X 10.6.6 (Snow Leopard)

Page 52: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

Footprint Size


Page 53: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

Command: du -sh .
Result: 5.3% difference (12 MB)

MySQL Footprint Size, SSL vs. No SSL (chart data):
   SSL:     239 MB
   No SSL:  227 MB

Page 54: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

Command: du -sh *

MySQL Footprint Comparison (Detail), SSL vs. No SSL (chart data labels as extracted):
           SSL      No SSL
   bin     86 MB    79 MB
   lib     13 MB    9.2 MB

Page 55: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

Average Query Times
(SELECT queries, sysbench)

Page 56: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

[Chart: MySQL Average SELECT Query Times, No SSL vs. SSL, 100,000 requests, sysbench; x-axis: Concurrency (# of client connections), 0 to 35; y-axis: Average Query Time (ms), 0 to 3.5]

Page 57: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

MySQL Average SELECT Query Times (ms), No SSL vs. SSL, 100,000 requests, sysbench:

   Concurrency (# of client connections)   1      2      4      8      16     32
   No SSL                                  0.1    0.1    0.21   0.65   1.33   2.67
   SSL                                     0.14   0.14   0.29   0.76   1.62   3.32

Page 58: Securing MySQL with a Focus on SSL

MySQL: SSL Performance

MySQL Average SELECT Query Times, No SSL vs. SSL, 100,000 requests, sysbench, client concurrency = 8:
   No SSL:  0.65 ms
   SSL:     0.76 ms

16.9% difference (0.11 ms)

Page 59: Securing MySQL with a Focus on SSL

Part III: Additional Security Concerns

Topics: Data Encryption

Page 60: Securing MySQL with a Focus on SSL

Data Storage and Encryption

Client Side Encryption
•  Encrypt data in code before it is passed to MySQL
•  Many encryption modules available (PHP, Perl, etc.)

Advantages
•  Data encrypted between code & MySQL
•  Allows the use of bin logging (MySQL backup/replication)

Disadvantages
•  What to do with the key?

Page 61: Securing MySQL with a Focus on SSL

Data Storage and Encryption

Server Side Encryption
•  AES_ENCRYPT(), AES_DECRYPT() functions
   - AES-128 default
   - AES-256 with a source-code change
•  Entire Disk Encryption
•  Transparent Data Encryption (Gazzang ezNcrypt)

Page 62: Securing MySQL with a Focus on SSL

Data Storage and Encryption

Gazzang ezNcrypt
•  ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
•  Traditionally called Transparent Data Encryption (TDE): the data is encrypted transparently, no changes are needed to your application, code or MySQL.

[Figure: Application SQL "insert into orders (number, credit card, ...) values (20090101, 4307, ...)"  ->  Table Orders: 20090101, 4307  ->  File System orders.myd: 9f7c7d77a877fg8e78s09ab]

Page 63: Securing MySQL with a Focus on SSL

Data Storage and Encryption

Gazzang ezNcrypt
•  Gazzang Key Storage System (KSS)

Page 64: Securing MySQL with a Focus on SSL

Data Storage and Encryption

Server Side Encryption

Advantages:
•  Data is stored encrypted
•  Easy to use

Disadvantages:
•  bin logging (all queries are shown in plain text)
   Exception: Gazzang can protect the bin logs
•  What to do with the key?

Page 65: Securing MySQL with a Focus on SSL

Part IV: Wrap-Up

Topics: Licensing Concerns About yaSSL

Page 66: Securing MySQL with a Focus on SSL

Licensing Concerns

yaSSL vs. OpenSSL
-  OpenSSL uses a BSD-style license with an announcement clause
-  This makes it incompatible with the GPL
-  yaSSL = dual licensed (GPL, Commercial)

Page 67: Securing MySQL with a Focus on SSL

What did we cover?

Part I: MySQL Security
1.  Good Security Practices for MySQL

Part II: SSL/TLS
1.  Overview of SSL and TLS
2.  Configuring and Building MySQL with SSL
3.  MySQL SSL Command Options
4.  SSL Certificate Creation
5.  Performance Comparison

Part III: Additional Security Concerns
1.  Data Storage and Encryption

Page 68: Securing MySQL with a Focus on SSL

http://www.yassl.com

Email: [email protected]
Phone: (206) 369-4800

Thanks!

Page 69: Securing MySQL with a Focus on SSL

Helpful Sources

MySQL Manual:
http://dev.mysql.com/doc/refman/5.5/en/
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html

MySQL Security Resources around the Internet:
http://www.symantec.com/connect/articles/secure-mysql-database-design

SSL/TLS:
https://www.ssllabs.com/
http://en.wikipedia.org/wiki/Transport_Layer_Security

