Encryption Security Recommendations



Similar documents
Identity Theft Prevention Program (FACTA Identity Theft Red Flags Rule)

Network Infrastructure Security Recommendations

Cloud Computing Thunder and Lightning on Your Horizon?

Ruby on Rails Secure Coding Recommendations

Crypto Lab Public-Key Cryptography and PKI

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

The Linux CryptoAPI A User s Perspective

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Pulling up the Roots: a Guide to Corporate Relocation

SSL Tunnels. Introduction

On Disk Encryption with Red Hat Enterprise Linux

BATTENING DOWN THE DISKS

COMP 3704 Computer Security

SafeGuard Easy upgrade guide. Product version: 7

Crystal Practice Management Encrypting the Database

Generating and Installing SSL Certificates on the Cisco ISA500

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Virtual Private Network (VPN) Lab

LoadMaster SSL Certificate Quickstart Guide

Open Source Encrypted Filesystems for Free Unix Systems

Backtrack 4 Bootable USB Thumb Drive with Full Disk Encryption

SSL Certificates HOWTO

MySQL Security: Best Practices

What s New in MySQL 5.7 Security Georgi Joro Kodinov Team Lead MySQL Server General Team

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Cisco TelePresence VCS Certificate Creation and Use

Securing MySQL! With a Focus on SSL. (206)

Installing Ubuntu LTS with full disk encryption

WebApp S/MIME Manual. Release Zarafa BV

Creation and Management of Certificates

SafeGuard Enterprise upgrade guide. Product version: 7

Cisco Expressway Certificate Creation and Use

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

Online Backup Client User Manual

AD Image Encryption. Format Version 1.2

Cryptographic Filesystems. Background and Implementations for Linux and OpenBSD

Getting Started with the Ed-Fi ODS and Ed-Fi ODS API

Securing the OpenAdmin Tool for Informix web server with HTTPS

Xpresstransfer Online Backup Manager General Technical FAQ

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CLOUD INFRASTRUCTURE VIRTUAL SERVER (SHARED) DATA IMPORT GUIDE

PVFS High Availability Clustering using Heartbeat 2.0

Using Encrypted File Systems with Caché 5.0

EventTracker Windows syslog User Guide

PGP Desktop Quick Start Guide version 9.6

RecoveryVault Express Client User Manual

Backup/Restore Microsoft SQL Server 7.0 / 2000 / 2005 / 2008

Online Backup Linux Client User Manual

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION WITH CLIENTS

Sophos SafeGuard Disk Encryption for Mac Startup guide

Apache Security with SSL Using Ubuntu

Online Backup Client User Manual

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Configuring Samba with SSL

HTTPS Configuration for SAP Connector

Securing Web Access with a Private Certificate Authority

Implementing SSL Security on a PowerExchange Network

1. Product Information

Online Backup Client User Manual Linux

Percona Server features for OpenStack and Trove Ops

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

PowerChute TM Network Shutdown Security Features & Deployment

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

jodbc Service and SQL Catalog

Cisco TelePresence VCS Certificate Creation and Use

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

SSL Interception on Proxy SG

Browser-based Support Console

Secure Communication Requirements

SSO Eurécia. and external Applications. Purpose

4D v11 SQL Release 6 (11.6) ADDENDUM

vtiger CRM Database UTF-8 Configuration (For MySQL)

Eurobackup PRO: Configuration Best Practices

DigiVault Online Backup Manager. Microsoft SQL Server Backup/Restore Guide

Replacing VirtualCenter Server Certificates VMware Infrastructure 3

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

VERITAS NetBackup 6.0 Encryption

SafeGuard Enterprise upgrade guide. Product version: 6.1

DigiVault Online Backup Manager. User Guide

owncloud 8 and DigitalOcean Matthew Davidson Bluegrass Linux User Group 03/09/2015

How To Encrypt Data With Encryption

Backup/Restore MySQL Server

SBClient SSL. Ehab AbuShmais

Netop Remote Control Security Server

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Creating Certificate Authorities and self-signed SSL certificates

Go to Policy/Global Properties/SmartDashboard Customization, click Configure. In Certificates and PKI properties, change host_certs_key_size to 2048

Using TrueCrypt to protect data

Disk encryption... (not only) in Linux. Milan Brož

Transcription:

Basic Concepts Sensitive data should be encrypted while in transit and stored. All communication between clients and servers, and between servers (Web server to app server, app server to database server, etc.) should be authenticated and encrypted. Sensitive data should never be sent over http/ftp since information is sent in clear text. Recommended encryption strength minimums: Certificates: 256-bit SHA-2 Block Encryption: 256-bit AES Hash: SHA-512 Certificates Certificate options in order of preference: Internal PKI Third Party signed certificates for all servers Self-signed certificates - should be avoided due to their insecure nature Application Level (My SQL Database Server / Application Server) The default encryption methods of MySQL only use 128bit encryption. This is not considered to be strong encryption. Furthermore, the MySQL AES_ENCRYPT() functions are also potentially not secure because they haven't documented how they hash the password into the key and the cipher mode used. This may cause the encryption to be significantly weaker depending on the actual implementation. While it is possible to make changes to the source of MySQL and recompile, Altius IT recommends that data be encrypted prior to being sent to MySQL. Network Level (MySQL Server / Application server) OpenSSL should be used for all connections to the database. This provides a centralized method for managing keys. Most standard MySQL packages of the common Linux distributions already offer OpenSSL-enabled MySQL services out of the box. If not, compile the sources of MySQL manually and run the configure script with the option --with-vio --with-openssl. OpenSSL activation forces the environment variable have_openssl to be set to YES. This can be checked by: mysql > SHOW VARIABLES LIKE %openssl% ; Variable_name Value have_openssl YES Since the OpenSSL encryption implementation of MySQL sustains upon certificates, we 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 1

need to create 1. Certificate Authority (CA) key and certificate, 2. Server encryption key, as well as a server certificate request, 3. Client encryption key, as well as a client certificate request. The following shellscript will do the above (OpenSSL binaries needs to be installed): #!/bin/bash DIR=`pwd`/openssl PRIV=$DIR/private mkdir $DIR $PRIV $DIR/newcerts cp /usr/lib/ssl/openssl.cnf $DIR replace./democa $DIR -- $DIR/openssl.cnf openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem -config $DIR/openssl.cnf openssl req -new -keyout $DIR/server-key.pem -out $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem openssl ca -policy policy_anything -out $DIR/server-cert.pem -config $DIR/openssl.cnf -infiles $DIR/server-req.pem openssl req -new -keyout $DIR/client-key.pem -out $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem openssl ca -policy policy_anything -out $DIR/client-cert.pem -config $DIR/openssl.cnf -infiles $DIR/client-req.pem Line numbers Lines 1-6 create a useable directory structure for storing the resulting keys and certificates. Be sure to call this script from a safe location; keys are normally stored in /etc/mysql/keys or something similar. Line 7 and 8 generate a local Certificate Authority for signing the certificates which are to be created. Lines 9 and 10 create an encryption key for the MySQL server and a certificate request, which is to be signed afterwards. The certificate will be valid for 3600 days. Line 11 (and line 16) is optional and would remove the passphrase from the server key. This means that it s not necessary to give the passphrase every time the MySQL server is restarted. This behavior may be seen as security risk, depending on where the (unencrypted) key will be stored. Lines 12 and 13 will sign the previously generated server certificate with our local CA instance. Lines 14 and 15 create a client key and certificate request. The last lines sign the client certificate with our local CA instance. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 2

We finally have to tell MySQL where our encryption keys and certificates are stored, which is done in my.cnf. We need entries for both, server and client. Note that the client configuration as well as the client and CA certificates have to be available on all clients who wish to encrypt MySQL related network traffic. ssl-ca=$dir/cacert.pem ssl-cert=$dir/client-cert.pem ssl-key=$dir/client-key.pem <...> [mysqld] ssl-ca=$dir/cacert.pem ssl-cert=$dir/server-cert.pem ssl-key=$dir/server-key.pem <...> $DIR is to be replaced by the chosen key and certificate directory. Server (block level) Level (all servers) Block level encryption should be used for all servers that contain sensitive information. The following are two examples of how this can be accomplished: Linux: dmcrypt The following steps need to have losetup and cryptsetup installed on the System, as well as a kernel which has been built with CONFIG_DM_CRYPT and CONFIG_BLK_DEV_DM support (which most of the current kernels have). Most Unices offer the use of encryption, but most of them are not platform independent. MySQL stores its data in the $MYSQL_CHROOT/data directory, we will now encrypt. We will proceed with the following steps: 1. We generate a file with completely randomized content, with the maximum size of the MySQL storage tables (in the following example, 100MiB). If the reserved space points out to be too few, we can simply create a bigger one and transfer the encrypted data later. 2. We create a new loopback-device, which is capable of handling our encrypted data-image as hard disk partition. 3. We connect the loopback-device with a so called crypto-target, which encrypts everything which is written onto the target, and decrypts everything which is read from the target, as long as the crypto-target is enabled. 4. Format the encrypted data container with a filesystem of our choice (ReiserFS in this case). 5. Mount the encrypted container, as it s ready to use. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 3

These above steps are performed via the following commands: # dd if=/dev/urandom of=$mysql_chroot/data.crypt # losetup /dev/loop0 $MYSQL_CHROOT/data.crypt # cryptsetup -y create mysql_data /dev/loop0 Enter passphrase: Passphrase Verify passphrase: Passphrase # mkreiserfs /dev/mapper/mysql_data # mount /dev/mapper/mysql_data $MYSQL_CHROOT/data Before starting up the MySQL database server for everyday use, enforce step 2, 3 and 7. Detailed information about the theoretical backgrounds to cryptography may be found in the wonderful reference of Bruce Schneier [Sch05], as well as [Ert03] and [Wae03]. Information on practical file system encryption is found in [Pac05]. TrueCrypt The installation of TrueCcrypt is quite easy since precompiled binaries are available for all supported platforms, including Linux binaries as well as Debian (and Ubuntu) packages. When starting the software, an easy-to-use graphical dialog appears which should be quite self-explanatory. Like dmcrypt, also TrueCrypt offers two possibilities of creating encrypted volumes: Format a whole partition which is to be filled with encrypted content, or Creating a fixed-size container archive file; this file will again be looped back to a pseudo-device which can be accessed by the operating system just like a normal partition. File level encryption. If sensitive data, either in production or backup, is stored in shared directories it should be encrypted using file level encryption. This can be accomplished using something like AES Crypt for Linux. Refer to Altius IT s Recommended Software Security Controls for additional safeguards and security best practices. Resources Advanced Encryption Standard - www.aescrypt.com/linux_aes_crypt.html National Institute of Standards and Technology: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf http://csrc.nist.gov/publications/nistpubs/800-66-rev1/sp-800-66-revision1.pdf 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 4

Open Web Application Security Project - www.owasp.org/index.php/owasp_backend_security_project_mysql_hardening TrueCrypt - www.truecrypt.org/docs/ Publication and Author Information Jim Kelton is Managing Principal of Altius IT (www.altiusit.com), an IT security audit, security consulting, and risk management company based in Costa Mesa, California. Mr. Kelton has over 30 years of experience in the Information Technology industry and is recognized as a security expert. He is certified by the Information Systems Audit and Control Association (ISACA) as: Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Controls (CRISC) Certified in the Governance of Enterprise IT (CGEIT) He sits on the Board of Directors of the following associations and organizations: Association of Professional Consultants (APC) International Association of Professional Security Consultants (IAPSC) Technology Professionals Association (TPA) 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information