2. yaSSL (yet another SSL)
Founded: 2004
Location: Bozeman, MT
Seattle, WA
Portland, OR
Our Focus: Open Source Embedded Security (for Applications, Devices, and the Cloud)
Products: CyaSSL, yaSSL, yaSSL Embedded Web Server
© Copyright 2012 yaSSL
Slide 2 / 69
3. Why is this Important?
Ivan Ristic: Internet SSL Survey 2010
http://www.ssllabs.com
• Alexa Top 1M Sites
120,000 Use SSL (12%)
4. What are we going to talk about?
Part I: MySQL Security
1. Good Security Practices for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption
Part IV: Wrap-Up
1. Licensing
5. Part I
MySQL Security
Topics: MySQL updates, account passwords, test databases, mysqld, privileges
6. MySQL: Good Security Practices
Do we really need to secure our MySQL database?
YES!
MySQL is Susceptible to Many Attacks:
- Basic Attacks (empty password, etc.)
- SQL Injection Attacks
- Known MySQL Bugs and Vulnerabilities
7. MySQL: Good Security Practices
Keeping MySQL Up to Date
An easy way to stay better protected:
- New MySQL Patches, Bug Fixes, etc.
- You should take advantage of updates
8. MySQL: Good Security Practices
Chart: 'MySQL' vulnerabilities by year, 2000-2011 (cvedetails.com, data from nvd.nist.gov); counts as plotted, in year order:
2000: 3    2001: 6    2002: 8    2003: 5    2004: 9    2005: 11
2006: 14   2007: 10   2008: 6    2009: 7    2010: 6    2011: 16
9. MySQL: Good Security Practices
• yaSSL vulnerabilities affecting MySQL in the past:
- CVE-2005-3731: Certificate chain processing
- CVE-2008-0227: Denial of service (crash)
- CVE-2008-0226: Allowed execution of arbitrary code
- CVE-2009-4484: Allowed execution of arbitrary code, denial of service possible
10. MySQL: Good Security Practices
Passwords: Root Accounts
• They are empty by default
Quick Check: mysql -u root
("Welcome to the MySQL monitor" = Not Good: you got a session without giving a password)
shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;
(This is the MySQL 5.5 way. The Password column and the PASSWORD() function are gone in 5.7.6 and later; there, set the password with ALTER USER ... IDENTIFIED BY, which needs no FLUSH PRIVILEGES.)
11. MySQL: Good Security Practices
Passwords: Anonymous Accounts
Assign passwords to anonymous accounts:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
-> WHERE User = '';
mysql> FLUSH PRIVILEGES;
Or remove the accounts:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';
12. MySQL: Good Security Practices
Passwords: Strength is Key
Use strong passwords
• Combine letters and numbers
• mhallwltpic++ = "mary had a little lamb who liked to program in C++" (a passphrase reduced to its initials)
• uuidgen, pwgen tools
13. MySQL: Good Security Practices
Securing Test Databases
• By default, any account can use the database named test and any database whose name starts with test_
- Convenient for testing - not production
• Delete databases or restrict privileges
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;
14. MySQL: Good Security Practices
Securing mysqld
• Don't run mysqld as the root user; give it an unprivileged account of its own
shell> mysqld --user=mysql
• Disable Remote Access (--skip-networking)
- No TCP/IP listener at all: connections are only possible from the local machine, through the Unix socket (or named pipe / shared memory on Windows)
15. MySQL: Good Security Practices
mysql_secure_installation script
Allows you to:
• Set a password for root account
• Remove root accounts that are accessible from outside of the local host
• Remove anonymous user accounts
• Remove the test database that can be accessed from all users
• Reload privilege tables so that above take effect
* Not available on Windows
16. MySQL: Good Security Practices
Notes about Privileges
• Don't grant all users PROCESS or SUPER privilege
– Either one lets the holder see the text of the queries other users are currently executing (SHOW PROCESSLIST), which can include passwords passed in statements
• Don't grant all users the FILE privilege
– Enables reading and writing files anywhere the mysqld process has access (LOAD DATA INFILE, SELECT ... INTO OUTFILE)
17. MySQL: Good Security Practices
Additional Measures
These depend on your unique situation:
• Restrict access to log files
- Ensure only 'root' and the mysqld user can read them: the general and slow query logs contain statement text, which can include passwords
• Restrict MySQL data directory access to the server account only
18. MySQL: Good Security Practices
Additional Measures
• Add Application-specific Users
- Each user only has required privileges
(Ex: Ruby/PHP/etc. Application)
• Restrict where MySQL listens
- You might only need to listen on localhost
--bind-address=127.0.0.1
19. MySQL: Good Security Practices
Additional Measures
• Disable LOAD DATA LOCAL INFILE (local_infile=0 on the server, --local-infile=0 on the client)
- With LOCAL, the client reads the file and sends it to the server, so a malicious or compromised server can ask the client for any file the client's user can read
• Remove the content of the MySQL history file
- The mysql client records every executed statement in ~/.mysql_history, including passwords typed in GRANT or SET PASSWORD statements
cat /dev/null > ~/.mysql_history
(Setting the MYSQL_HISTFILE environment variable to /dev/null stops the file being written at all.)
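The checks on the slides above (empty root password, anonymous accounts, root reachable from remote hosts, broad SUPER/FILE/PROCESS grants, remote accounts that do not REQUIRE SSL) collected into one audit over mysql.user rows. This is an added example, not code from the deck or from MySQL: the rows are constructed sample data in the MySQL 5.5 column layout, AUDIT_QUERY is the assumed query that would fetch them, and the finding texts are this example's own.

```python
"""Audit mysql.user rows against the practices on the slides above.
Added example, not from the deck or from MySQL; it runs on constructed sample
rows so it works offline. Columns follow MySQL 5.5's mysql.user (the Password
column became authentication_string in 5.7)."""

# Assumed query that would return rows shaped like SAMPLE_ROWS on a 5.5 server.
AUDIT_QUERY = """SELECT User, Host, Password, ssl_type,
       Super_priv, File_priv, Process_priv
FROM mysql.user"""

HASH = "*<41-char-password-hash>"   # placeholder standing in for a real hash

# Constructed sample rows: (user, host, password, ssl_type, super, file, process).
SAMPLE_ROWS = [
    ("root", "localhost", "", "", "Y", "Y", "Y"),           # fresh install: empty root password
    ("root", "%", HASH, "", "Y", "Y", "Y"),                  # root reachable from anywhere
    ("", "localhost", "", "", "N", "N", "N"),                # anonymous account
    ("shop_app", "10.0.0.%", HASH, "ANY", "N", "N", "N"),   # app account with REQUIRE SSL
    ("report", "%", HASH, "", "N", "Y", "Y"),                # remote, plaintext, FILE + PROCESS
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PRIV_NAMES = ("SUPER", "FILE", "PROCESS")


def audit_account(row):
    """Return the findings for one mysql.user row (empty list = nothing to fix)."""
    user, host, password, ssl_type, *privs = row
    who = f"'{user}'@'{host}'"
    findings = []
    if password == "":
        findings.append(f"{who}: empty password")
    if user == "":
        findings.append(f"{who}: anonymous account, drop it")
    if user == "root" and host not in LOCAL_HOSTS:
        findings.append(f"{who}: root reachable from non-local hosts")
    if ssl_type == "" and host not in LOCAL_HOSTS:
        findings.append(f"{who}: remote account without REQUIRE SSL/X509")
    for name, flag in zip(PRIV_NAMES, privs):      # dangerous privileges on non-root accounts
        if flag == "Y" and user != "root":
            findings.append(f"{who}: holds {name} privilege")
    return findings


def audit(rows):
    """Flatten the findings for every row returned by AUDIT_QUERY."""
    return [finding for row in rows for finding in audit_account(row)]


if __name__ == "__main__":
    for line in audit(SAMPLE_ROWS):
        print(line)
```

Run against real rows by executing AUDIT_QUERY with any DB-API driver and passing cursor.fetchall() to audit(); the sample above yields eight findings and leaves only the shop_app account clean.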
20. Part II
SSL / TLS
Topics: overview, X.509 certificates, the handshake, MySQL and SSL
21. SSL: What is it?
By default, MySQL uses unencrypted connections between
the client and server!
22. SSL: What is it?
• Enables secure client/server communication, including:
- Privacy: prevents eavesdropping
- Authentication: prevents impersonation
- Integrity: prevents modification
• Can be implemented on almost any operating system (or bare metal!)
23. SSL: Where does it fit?
- Layered between Transport and Application layers:
Application Layer: HTTP, LDAP, SMTP, etc. (the protocols secured by SSL/TLS)
SSL/TLS: SSL Record Layer, carrying the SSL Handshake Protocol, SSL Change Cipher Spec Protocol and SSL Alert Protocol
Transport Layer: TCP
Internet Layer: IP
Network Layer: Network Access
24. SSL: Authentication
- Do you really know who you're communicating with? (Alice ?? Bob)
25. SSL: Authentication
- Generate a key pair (private and public keys): Alice and Bob each keep their Private key and hand out their Public key
26. SSL: Authentication
- X.509 Certificate == Wrapper around public key: Alice's and Bob's Public keys are each carried in an X509 Cert
27. SSL: X.509 Certificates
An X509 Cert as stored on disk (PEM encoding: base64 DER between BEGIN/END markers):
-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----
28. SSL: X.509 Certificates
The same X509 Cert decoded (openssl x509 -text output):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:4a:75:be:91:66:d8:3d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: 00:c3:03:d1:2b:fe:39:a4 …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com
                serial:87:4A:75:BE:91:66:D8:3D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        … 1c:7c:42:81:29:9e:21:cf:d0:d8
(Issuer equals Subject and the Authority Key Identifier points at the certificate's own Subject Key Identifier: this is a self-signed CA certificate, the kind used as ca-cert.pem later in the deck.)
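To see what is actually inside the certificate printed on the two slides above, here is an added example (not from the deck, yaSSL or MySQL; Python standard library only, no OpenSSL needed) that walks its DER encoding and extracts the serial number, the Common Names, the validity period, whether it is self-signed and whether it carries CA:TRUE, then lists what a client should notice before trusting it for a server: it is outside its validity period after July 2014, it is self-signed (so it is trusted only when this very file is the client's --ssl-ca), and its CN only matches the host name www.yassl.com. The PEM is the one on the slide; the function names, the trust_findings rules and their wording are this example's own.

```python
"""Walk the DER inside the certificate printed on the slides and pull out the
fields a trust decision depends on. Added example, not from the deck, yaSSL or
MySQL; standard library only, no OpenSSL needed."""
import base64
from datetime import datetime

# The certificate from the slide, copied verbatim ("!" line markers removed).
SLIDE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG
A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw
MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS
BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ
KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE
ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+
v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/
eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU
M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w
J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv
Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe
4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR
/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua
cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")        # 2.5.4.3
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def common_name(name_der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN value."""
    for _, rdn in children(name_der):
        for _, attr in children(rdn):
            oid, value = children(attr)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode()
    return None

def basic_constraints_ca(extensions_der):
    """True when the BasicConstraints extension (if present) says CA:TRUE."""
    for _, ext in children(children(extensions_der)[0][1]):
        parts = children(ext)                               # OID, [critical], OCTET STRING
        if parts[0][1] == OID_BASIC_CONSTRAINTS:
            inner = children(children(parts[-1][1])[0][1])  # SEQUENCE { cA BOOLEAN, ... }
            return bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
    return False

def parse_certificate(pem):
    _, cert, _ = read_tlv(pem_to_der(pem))           # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])          # tbsCertificate contents
    if fields[0][0] == 0xA0:                         # [0] EXPLICIT version is optional
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]   # fields[5] is the public key
    times = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
             for t, v in children(validity[1])]            # UTCTime or GeneralizedTime
    extensions = [v for t, v in fields[6:] if t == 0xA3]   # [3] EXPLICIT extensions
    return {"serial_hex": format(int.from_bytes(serial[1], "big", signed=True), "x"),
            "issuer_cn": common_name(issuer[1]), "subject_cn": common_name(subject[1]),
            "not_before": times[0].isoformat(), "not_after": times[1].isoformat(),
            "self_signed": issuer[1] == subject[1],
            "is_ca": bool(extensions) and basic_constraints_ca(extensions[0])}

def trust_findings(info, now_iso, expected_host):
    """What a client should notice before accepting this certificate for a server."""
    findings = []
    if not info["not_before"] <= now_iso <= info["not_after"]:   # ISO strings sort as dates
        findings.append("outside validity period")
    if info["self_signed"]:
        findings.append("self-signed: trusted only if this very file is the client's --ssl-ca")
    if info["subject_cn"] != expected_host:
        findings.append(f"CN {info['subject_cn']} does not match host {expected_host}")
    return findings

if __name__ == "__main__":
    cert = parse_certificate(SLIDE_CERT_PEM)
    print(cert)
    print(trust_findings(cert, datetime.now().isoformat(), "www.yassl.com"))
```

The parser only follows the length bytes, so it does not care whether the signature or modulus bytes are intact; it is the structural fields (serial, names, validity, extensions) that the checks need, and those are the ones the later --ssl-ca and --ssl-verify-server-cert options act on.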
29. SSL: Authentication
- Alice and Bob exchange CA-signed public keys: each presents an X509 Cert signed by the CA and keeps the matching Private key
30. SSL: Authentication
- How do you get a CA-signed cert?
Buy
VeriSign, DigiCert, Comodo, etc.
- Costs $$$
- Trusted: the CA is already in the client's trust store
Create
Created yourself (self-sign)
- Free!
- Trusted only if you control both sides: every client has to be handed the CA certificate out of band (for MySQL, the file passed to --ssl-ca)
31. SSL: Encryption
- Uses a variety of encryption algorithms to secure data; the chosen combination is the CIPHER SUITE:
Hashing Functions: MD4, MD5, SHA …
Block and Stream Ciphers: DES, 3DES, AES, ARC4 …
Public Key Options: RSA, DSA, DSS …
32. SSL: Encryption
- A common CIPHER SUITE is negotiated; its name spells out the parts:
Protocol_keyexchange_WITH_bulkencryption_mode_messageauth
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
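An added example (not from the deck, MySQL or yaSSL; Python standard library only) that takes suite names of the form shown above apart into their components, flags the ones a hardened server should not negotiate, and converts the AES suites into the OpenSSL spelling that MySQL's --ssl-cipher option expects (AES128-SHA, DHE-RSA-AES256-SHA). The five suites are the ones on the slide; the weakness rules (SSLv3-era suites, DES, RC4, 3DES, MD5, anonymous or non-forward-secret key exchange) are the usual ones and are this example's choice, not a MySQL policy.

```python
"""Decode RFC-style cipher-suite names (Protocol_keyexchange[_auth]_WITH_bulk[_bits]_mode_mac)
and flag suites a hardened MySQL server should not negotiate.
Added example; not from the deck, MySQL or yaSSL. Standard library only."""

# Constructed input: the five suites printed on the slide.
SLIDE_SUITES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

MODES = {"CBC", "GCM", "CCM"}
# Bulk ciphers nobody should still allow, and why (this example's list).
WEAK_BULK = {
    "NULL": "no encryption at all",
    "DES": "56-bit key, brute-forceable",
    "RC4": "biased keystream (RFC 7465 prohibits it)",
    "ARC4": "biased keystream (RFC 7465 prohibits it)",
    "3DES": "64-bit block size (Sweet32)",
}


def parse_suite(name):
    """Split a suite name into protocol, key exchange, auth, bulk cipher, key bits, mode, MAC."""
    if "_WITH_" in name:
        left, right = name.split("_WITH_")
        proto, *kx_auth = left.split("_")
        kx = kx_auth[0]
        auth = kx_auth[1] if len(kx_auth) > 1 else kx   # TLS_RSA_WITH_...: RSA does both jobs
    else:                                   # TLS 1.3 names carry no key-exchange/auth part
        proto, right = name.split("_", 1)
        kx = auth = "negotiated"
    *bulk_tokens, mac = right.split("_")
    mode = bulk_tokens.pop() if bulk_tokens and bulk_tokens[-1] in MODES else "stream"
    bulk = bulk_tokens[0]
    bits = next((int(t) for t in bulk_tokens if t.isdigit()),
                {"DES": 56, "3DES": 112, "NULL": 0}.get(bulk))   # 3DES: 112-bit effective
    return {"proto": proto, "kx": kx, "auth": auth, "bulk": bulk,
            "bits": bits, "mode": mode, "mac": mac}


def forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange, or TLS 1.3 where it is mandatory."""
    return suite["kx"].startswith(("DHE", "ECDHE")) or suite["kx"] == "negotiated"


def issues(name):
    """Reasons not to allow this suite; an empty list means it passes."""
    s = parse_suite(name)
    found = []
    if s["proto"] == "SSL":
        found.append("SSLv3-era suite; require TLS")
    if s["bulk"] in WEAK_BULK:
        found.append(f"{s['bulk']}: {WEAK_BULK[s['bulk']]}")
    if s["mac"] == "MD5":
        found.append("MD5-based MAC (deprecated)")
    if s["auth"] == "anon":
        found.append("anonymous key exchange: no server authentication")
    if not forward_secrecy(s):
        found.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    return found


def openssl_name(name):
    """OpenSSL spelling (as used by --ssl-cipher) for AES suites. OpenSSL's legacy
    DES/3DES names (e.g. EDH-RSA-DES-CBC3-SHA) do not follow this pattern, so refuse them."""
    s = parse_suite(name)
    if s["bulk"] != "AES" or s["kx"] == "negotiated":
        raise ValueError(f"no simple OpenSSL mapping for {name}")
    prefix = "" if s["kx"] == "RSA" else f"{s['kx']}-{s['auth']}-"
    mode = "" if s["mode"] == "CBC" else f"-{s['mode']}"
    return f"{prefix}AES{s['bits']}{mode}-{s['mac']}"


def ssl_cipher_option(names):
    """Build the --ssl-cipher value from the suites that pass issues()."""
    return ":".join(openssl_name(n) for n in names if not issues(n))


if __name__ == "__main__":
    for suite in SLIDE_SUITES:
        print(suite, issues(suite) or "ok")
    print("--ssl-cipher=" + ssl_cipher_option(SLIDE_SUITES))
```

Of the five suites on the slide, only the two DHE AES suites survive the checks, so the option the script prints is --ssl-cipher=DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA; the TLS_RSA suite is dropped for lack of forward secrecy, which is a policy choice you may relax for old clients.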
33. SSL: Handshake
Client                                                   Server
1. Client Hello: cryptographic info (SSL/TLS version, supported cipher suites, etc.)  -->
2.                                         <--  Server Hello (chosen cipher suite),
                                                Server Certificate,
                                                Server Key Exchange (ephemeral key parameters; only for DHE-style suites),
                                                ( Client Certificate Request ),
                                                Server Hello Done
3. Verify server cert, check crypto parameters
4. ( Client Certificate ), Client Key Exchange, ( Certificate Verify )  -->
5. Change Cipher Spec, Client Finished  -->
6.                                              Verify client cert (if required)
7.                                         <--  Change Cipher Spec, Server Finished
8. Exchange Messages (Encrypted)  <-->
Messages in parentheses appear only when the server asks for client authentication (for MySQL: accounts created with REQUIRE X509).
34. SSL: Where is it used?
SSL is Everywhere!
- Browsers
- Email
- Routers
- Factory Automation
- VoIP
- Automobile Communications
- Sensors
- Smart Power Meters
And much more!!
35. SSL: What does MySQL provide?
- Your build must link against an SSL library: either OpenSSL or yaSSL
- MySQL must be built with SSL support
Note: the MySQL source distribution bundles yaSSL, so no external library is needed
36. MySQL: Is SSL Enabled?
Checking for SSL
• Confirm that the user table in the mysql database includes the SSL-related columns:
- names beginning with ssl_ and x509_ (ssl_type, ssl_cipher, x509_issuer, x509_subject)
• Check whether the binary was compiled with SSL support:
shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
- that error means this mysqld has no SSL support at all
• On a running mysqld, check the have_ssl system variable (YES, DISABLED or NO); for the current session, a non-empty Ssl_cipher status variable confirms the connection is actually encrypted
37. MySQL: Building with SSL
Configure MySQL to use the built-in SSL (yaSSL):
shell> cmake . -DWITH_SSL=bundled
-DWITH_SSL options:
no: No SSL support (default)
yes: Use system SSL library if present, else bundled library
bundled: SSL library bundled with MySQL (yaSSL)
system: Use the system SSL library
** yaSSL on Unix requires /dev/urandom and /dev/random to be available
38. MySQL: Starting the Server
To allow client connections through SSL, start MySQL with the appropriate options:
shell> mysqld_safe --user=mysql
       --ssl-ca=ca-cert.pem
       --ssl-cert=server-cert.pem
       --ssl-key=server-key.pem
--ssl-ca: the certificate authority certificate; the server uses it to verify client certificates for accounts that REQUIRE X509
--ssl-cert: the server certificate (carries the server's public key)
--ssl-key: the server private key (keep it readable by the mysql user only)
With all three given, have_ssl reports YES; the same options can be put in the [mysqld] section of my.cnf
39. MySQL: Starting the Client
I. Account created with a GRANT statement that includes REQUIRE SSL (any SSL connection, no client certificate needed):
shell> mysql -u user -p --ssl-ca=ca-cert.pem
II. Account created with REQUIRE X509 in addition (the client must present a certificate signed by a CA the server trusts):
shell> mysql -u user -p --ssl-ca=ca-cert.pem
             --ssl-cert=client-cert.pem
             --ssl-key=client-key.pem
Add --ssl-verify-server-cert to either command to have the client check the server certificate's Common Name against the host name as well.
40. MySQL: SSL Options
Name                     Cmd-Line   Option File   System Var   Var Scope   Dynamic
have_openssl             -          -             Yes          Global      No
have_ssl                 -          -             Yes          Global      No
skip-ssl                 Yes        Yes           -            -           -
ssl                      Yes        Yes           -            -           -
ssl-ca                   Yes        Yes           Yes          Global      No
ssl-capath               Yes        Yes           Yes          Global      No
ssl-cert                 Yes        Yes           Yes          Global      No
ssl-cipher               Yes        Yes           Yes          Global      No
ssl-key                  Yes        Yes           Yes          Global      No
ssl-verify-server-cert   Yes        Yes           -            -           -    (client only)
http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html
41. MySQL: SSL Options
have_openssl
have_ssl
YES = mysqld supports SSL connections
DISABLED = server was compiled with SSL support but was not started with the --ssl-xxx options (certificate, key, CA)
NO = server was compiled without SSL support
(have_openssl is an alias of have_ssl and shows YES for yaSSL builds too)
Check:
SHOW VARIABLES LIKE 'have%ssl';
42. MySQL: SSL Options
skip-ssl
Indicates that SSL should not be used
Same as using --ssl=0
ssl
Server: specifies that the server permits SSL connections (it does not force them; use REQUIRE SSL on the accounts for that)
Client: permits the client to connect to the server using SSL; implied by any other --ssl-xxx option
43. MySQL: SSL Options
ssl-ca
The path to a PEM file containing the list of trusted CA certificates
ssl-capath
The path to a directory containing trusted CA certificates (PEM format, one per file)
*NOTE: ssl-capath is only supported when using OpenSSL; with yaSSL use ssl-ca
44. MySQL: SSL Options
ssl-cert
Name of the SSL certificate file to use (the server certificate on the server, the client certificate on the client)
ssl-cipher
A colon-separated list of permissible ciphers to use for SSL, in OpenSSL cipher-name notation
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
45. MySQL: SSL Options
ssl-key
Name of the SSL key file (the private key matching ssl-cert)
ssl-verify-server-cert
- Clients only; off by default
- The server certificate's Common Name is compared with the host name the client connected to
- Connection is rejected if they do not match, so connect with the name in the certificate, not an IP address or another alias
46. SSL: Certificate Creation
A. Generating Certificates
1. Create CA certificate (private key, public cert)
2. Create server key
3. Create server certificate
4. Create client key
5. Create client certificate
Two things to get right when answering the openssl prompts: the Common Name of the server and client certificates must differ from the CA certificate's Common Name (servers built with OpenSSL reject them otherwise), and every certificate the CA signs must get a distinct serial number.
47. SSL: Certificate Creation
A. Generating Certificates
Create CA certificate (private key, public cert)
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000
-key ca-key.pem > ca-cert.pem
48. SSL: Certificate Creation
A. Generating Certificates
Create server key and certificate
shell> openssl req -newkey rsa:2048 -days 1000
-nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
49. SSL: Certificate Creation
A. Generating Certificates
Create client key and certificate
shell> openssl req -newkey rsa:2048 -days 1000
       -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000
       -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
(Serial 02: the server certificate already took 01, and serial numbers must be unique for every certificate a CA issues.)
50. SSL: Certificate Creation
A. Generating Certificates
Rewrite the client/server keys in the traditional RSA PEM format:
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
The keys above were created with -nodes, so there is no passphrase to remove; what this step does is convert the "BEGIN PRIVATE KEY" (PKCS#8) file that openssl req writes into the "BEGIN RSA PRIVATE KEY" (PKCS#1) form that yaSSL can read. Without it a yaSSL-built server reports "Unable to get private key" and starts without SSL.
51. MySQL: SSL Performance
Test Machine: MacBook Pro, 2.33 GHz, 2 GB 667 MHz DDR2 SDRAM, Mac OS X 10.6.6 (Snow Leopard)
53. MySQL: SSL Performance
Command: du -sh .
Chart: MySQL footprint size, SSL vs. no SSL: 239 MB with SSL, 227 MB without
Result: 5.3% difference (12 MB)
54. MySQL: SSL Performance
Command: du -sh *
Chart: MySQL footprint comparison (detail), size in MB, SSL vs. no SSL (values in chart order: SSL bin, SSL lib, no-SSL bin, no-SSL lib)
bin: 86 (SSL) vs. 79 (no SSL)
lib: 13 (SSL) vs. 9.2 (no SSL)
56. MySQL: SSL Performance
Chart: MySQL average SELECT query times (ms, y-axis 0 to 3.5) against concurrency (# of client connections, x-axis 0 to 35), no SSL vs. SSL, 100,000 requests, sysbench
57. MySQL: SSL Performance
MySQL average SELECT query times (ms), no SSL vs. SSL, 100,000 requests, sysbench:
Concurrency (# of client connections)    1      2      4      8      16     32
No SSL                                   0.10   0.10   0.21   0.65   1.33   2.67
SSL                                      0.14   0.14   0.29   0.76   1.62   3.32
58. MySQL: SSL Performance
Client concurrency = 8, 100,000 requests, sysbench: average SELECT query time 0.65 ms without SSL vs. 0.76 ms with SSL
16.9% difference (0.11 ms)
60. Data Storage and Encryption
Client Side Encryption
• Encrypt data in application code before it is passed to MySQL
• Many encryption modules available (PHP, Perl, etc.)
Advantages
• Data is already ciphertext between the code and MySQL, so it is protected on the wire, in the binary log and on disk
• Binary logging (MySQL backup/replication) can stay on: the logs only ever see ciphertext
Disadvantages
• What to do with the key? The application host has to hold it, and the database can no longer search or index the plaintext
61. Data Storage and Encryption
Server Side Encryption
• AES_ENCRYPT(), AES_DECRYPT() functions
- AES-128 by default, in ECB mode (equal plaintexts give equal ciphertexts, so patterns leak)
- AES-256 with a source-code change in MySQL 5.5; from 5.6.17 the block_encryption_mode system variable selects key length and mode instead
- Key and plaintext travel to the server inside the statement, so they show up in the general and binary logs unless the connection and the logs are protected
• Entire Disk Encryption
• Transparent Data Encryption (Gazzang ezNcrypt)
62. Data Storage and Encryption
Gazzang ezNcrypt
• ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
• Traditionally called Transparent Data Encryption (TDE)
– The data is encrypted transparently; no changes are needed to your application, code or MySQL.
Diagram: the Application issues SQL (insert into orders (number, credit card, ...) values (20090101, 4307, ...)); MySQL sees the row 20090101,4307 in the Orders table in clear; on the File System, orders.myd holds only ciphertext (9f7c7d77a87 7fg8e78s09ab).
63. Data Storage and Encryption
Gazzang ezNcrypt
• Gazzang Key Storage System (KSS)
64. Data Storage and Encryption
Server Side Encryption
Advantages:
• Data is stored encrypted
• Easy to use
Disadvantages:
• Binary logging: statements are logged as written, so the plaintext passed to AES_ENCRYPT() ends up in the binary log in clear
Exception: Gazzang can protect the binary logs (it encrypts them on disk like any other file)
• What to do with the key?
66. Licensing Concerns
yaSSL vs. OpenSSL
- OpenSSL (through 1.1.x) uses a BSD-style license with an advertising clause
- That clause makes it incompatible with the GPL (OpenSSL 3.0 later moved to the Apache License 2.0)
- yaSSL = dual licensed (GPL, Commercial)
67. What did we cover?
Part I: MySQL Security
1. Good Security Practices for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption