Why your encrypted Database isn't secure: practical attacks against encrypted OSS databases
Kaya Theatre | Sun 16 Jan 2:25 p.m.–3:10 p.m.
Presented by
Dan Draper
@danieldraper
https://cipherstash.com
Dan is the CEO and founder of CipherStash, a Sydney-based data security startup building a searchable encrypted data storage platform for sensitive data. Previously, Dan has worked as a VP of Engineering at Medical Director and at Expert360 and is also the Executive Producer of the forthcoming docu-series, Debugging Diversity. Dan is an experienced cryptography engineer and his mission is to empower all developers with the knowledge they need to build secure applications.
Abstract
There is a growing trend of encrypting data stored in relational databases such as PostgreSQL and MariaDB. The goal is to improve the security of the data we store. But how effective is encryption at meeting that goal? Hint: not as effective as you might think! So what are the limitations of an encrypted database, and what should you be aware of to mitigate potential attacks (while maintaining performance, scalability and usability)? In this talk, Dan Draper summarises several recent papers from Cornell, Stanford and the University of Illinois on practical attacks against encrypted databases. He also provides some guidance and examples of how to mitigate these risks and how they can be factored into a threat model, and takes a look at some alternative approaches that go some way towards addressing the problems.