Академический Документы
Профессиональный Документы
Культура Документы
http://www.yassl.com
(206) 369-4800
About Me
Chris Conlon
So#ware
Developer
at
yaSSL
Bozeman,
MT
YES!
16
2000
14
2001
2002
11 2003
10
2004
9
2005
8
2006
7
2007
6
6
6
2008
5
2009
3 2010
2011
Or remove them:
D. Securing mysqld
E. mysql_secure_installation script
• Don't grant all users the FILE privilege
G. Additional Measures
G. Additional Measures
• Restrict where MySQL listens
- You might only need to listen on localhost
bind-address = 127.0.0.1
G. Additional Measures
Protocols Secured by
SSL/TLS
IP Internet Layer
DES, 3DES, AES, ARC4, RABBIT, HC-128 Block and Stream Ciphers
Examples:
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Client Server
C. SSL Handshake
- Simplified Diagram
1
Client Hello
Cryptographic Info
(SSL version, supported ciphers, etc.)
2
3 Server Hello
Cipher Suite
Verify server cert, Server Certificate
check crypto Server Key Exchange (public key)
parameters ( Client Certificate Request )
Server Hello Done
4
Client Key Exchange 5
6
Change Cipher Spec
Client Finished
7
Change Cipher Spec
Server Finished
D. SSL is Everywhere
E. SSL in MySQL?
-DWITH_SSL options:
no: No SSL support (default)
yes: Use system SSL library if present, else bundled library
bundled: SSL library bundled with distro (yaSSL)
system: Use the system SSL library
To allow client connections through SSL, start MySQL with the appropriate options:
hbp://dev.mysql.com/doc/refman/5.5/en/ssl-‐opWons.html
have_openssl
have_ssl
Check:
SHOW VARIABLES LIKE 'have%ssl';
skip-ssl
Indicate that SSL should not be used
Same as using --ssl=0
ssl
Server: Specifies that the server permits SSL connections
Client: Permits a client to connect to server using SSL
ssl-ca
The path to the file containing list of trusted CAs
ssl-capath
The path to a directory containing trusted CAs
(PEM format)
ssl-cert
Name of the SSL certificate to be used
ssl-cipher
A list of permissible ciphers to use for SSL
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA_AES256-SHA:AES128-SHA
ssl-key
Name of the SSL key file
ssl-verify-server-cert
- Clients only
- Server's Common Name verified against server host name
- Connection rejected if no match
A. Generating Certificates
A. Generating Certificates
A. Generating Certificates
A. Generating Certificates
A. Generating Certificates
Test Machine
MacBook Pro
2.33 GHz
2 GB 667 MHz DDR2 SDRAM
Mac OS X 10.6.6 (Snow Leopard)
Footprint Size
SSL
No
SSL
Command:
300
du -sh .
239
250
227
Result:
200
5.3% Difference
Size
(Mb)
150
100
50
0
70
60
Size
(Mb)
50
40
30
20
13
9.2
10
0
bin
lib
3
2.5
Average
Query
Time
(ms)
2
No
SSL
1.5
SSL
1
0.5
0
0
5
10
15
20
25
30
35
Concurrency
(#
of
Client
Connec1ons)
No
SSL
SSL
3.32
2.67
1.62
1.33
0.76
0.65
0.21
0.29
0.1
0.14
0.1
0.14
1
2
4
8
16
32
Concurrency
(#
of
Client
Connec1ons)
0.7 0.65
0.6
Average
Query
Time
(ms)
0.5
16.9%
Difference
0.4
0.3
0.2
0.1
0
Client
Concurrency
=
8
No SSL SSL
Advantages
• Data encrypted between code & MySQL
• Allows the use of bin logging (MySQL backup/replication)
Disadvantages
• What to do with the key?
Gazzang ezNcrypt
• ezNcrypt
sits
between
your
storage
engine
and
file
system
to
encrypt
your
data
before
it
hits
the
disk.
Applica1on
SQL
insert
into
orders
File
System
(number,
credit
card,….)
Table
Orders
orders.myd
Values
20090101,4307
9f7c7d77a87
(20090101,4307,…)
7fg8e78s09ab
Gazzang ezNcrypt
Gazzang ezNcrypt
ezNcrypt
Database
ProtecWon
• The
database
is
protected
from
all
OS
users
• Any
user
including
root
that
does
not
have
the
key
cannot
unlock
the
data.
File
System
orders.myd
9f7c7d77a87
7fg8e78s09a
b
• The
MySQL
process
is
the
only
authorized
to
retrieve
the
Key
to
unlock
the
database
data
Gazzang ezNcrypt
• Gazzang
Key
Storage
System
(KSS)
Advantages:
• Data is stored encrypted
• Easy to use
Disadvantages:
• bin logging (all queries are shown in plain text)
Exception: Gazzang can protect the bin logs
• What to do with the key?
B. FLOSS Exception
Founded: 2004
http://www.yassl.com
Email:
info@yassl.com
chris@yassl.com
Phone:
(206)
369-‐4800
MySQL Manual:
http://dev.mysql.com/doc/refman/5.5/en/
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
SSL/TLS
https://www.ssllabs.com/
http://en.wikipedia.org/wiki/Transport_Layer_Security