
MySQL User Camp, March 11th 2016


Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

What’s New in MySQL 5.7 Security

Harin Vadodaria, Developer, MySQL Server General Team

March 11, 2016


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1. New Security Features in MySQL 5.7

2. Questions & Answers

Security features at a glance..


Code Refactoring

Secure By Default

Communication Security

Encryption

User Activity Control

User Management


User Management


• Password Rotation Policy

• Disabling user login

• ALTER USER enhancements

Password Rotation Policy

• Set per account through ALTER USER ... PASSWORD EXPIRE {NEVER | DEFAULT | INTERVAL <NUM> DAY}

• PASSWORD EXPIRE NEVER

– The password never expires automatically. If security is not a concern!

• PASSWORD EXPIRE DEFAULT

– Follows the global variable default_password_lifetime (in days; 0 means no automatic expiry). Its built-in default changed from 360 to 0 in 5.7.11, so set it explicitly rather than relying on the shipped value.

• PASSWORD EXPIRE INTERVAL <NUM> DAY

– An account-specific lifetime that overrides the global default. Useful for critical accounts.

Disabling Login for User Accounts

• New authentication plugin

–mysql_no_login

– Just like shell=/bin/false

• CREATE USER nologin@localhost IDENTIFIED WITH mysql_no_login;

• Useful for: proxied accounts (they hold the privileges, and are reached only through GRANT PROXY) and definers of stored programs and views, so that no one can open a session as the privileged account

User Management

• Enhanced ALTER USER support

– Change credentials

– Change authentication plugin

– Change SSL certificate details

– Change resource allocation

– Temporarily lock user account

• Making the server OFFLINE (offline_mode)

– Only users with the SUPER privilege can connect

– Existing connections of all other users are terminated: their running statements are aborted and their locks released

• SUPER Read Only mode (super_read_only)

– Makes the server READ ONLY even for users with SUPER privileges (read_only is switched on implicitly)
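The statements on the last three slides fit together as a single hardening pass. The following is an added example written for this page, not code from the slides: account names, the sales schema and the placeholder passwords are assumptions for illustration.

```sql
-- Added example (not from the slides). Accounts, schema and the
-- 'change-me' placeholders are assumptions; run as an administrator.

-- Password rotation: a global default with per-account overrides.
SET GLOBAL default_password_lifetime = 90;                      -- 0 would disable global expiry
CREATE USER 'dba'@'localhost'        IDENTIFIED BY 'change-me';
CREATE USER 'svc_batch'@'10.0.0.%'   IDENTIFIED BY 'change-me';
CREATE USER 'analyst'@'%'            IDENTIFIED BY 'change-me';
ALTER USER 'dba'@'localhost'       PASSWORD EXPIRE INTERVAL 30 DAY; -- critical account: tighter than the default
ALTER USER 'svc_batch'@'10.0.0.%'  PASSWORD EXPIRE NEVER;          -- rotated by deployment tooling instead
ALTER USER 'dba'@'localhost'       PASSWORD EXPIRE;                -- force a change at the next login

-- A definer account nobody can log in as (the shell=/bin/false analogue).
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
CREATE USER 'report_owner'@'localhost' IDENTIFIED WITH mysql_no_login;
GRANT SELECT ON sales.* TO 'report_owner'@'localhost';
-- Callers receive exactly the definer's rights through the routine, never a session.
CREATE DEFINER = 'report_owner'@'localhost' PROCEDURE sales.monthly_totals()
  SQL SECURITY DEFINER
  SELECT DATE_FORMAT(sold_at, '%Y-%m') AS month, SUM(amount) AS total
  FROM sales.orders GROUP BY month;
GRANT EXECUTE ON PROCEDURE sales.monthly_totals TO 'analyst'@'%';

-- Incident response: lock a suspect account without dropping it, so its
-- grants and history survive review. Locking only blocks NEW connections;
-- kill the account's existing sessions separately.
ALTER USER 'analyst'@'%' ACCOUNT LOCK;
SELECT id FROM information_schema.processlist WHERE user = 'analyst';   -- then KILL <id>
ALTER USER 'analyst'@'%' ACCOUNT UNLOCK;                                 -- after review

-- Maintenance window: SUPER-only access, and read-only even for SUPER.
SET GLOBAL offline_mode     = ON;   -- non-SUPER sessions are disconnected
SET GLOBAL super_read_only  = ON;   -- also turns read_only ON
-- ... perform maintenance ...
SET GLOBAL super_read_only  = OFF;
SET GLOBAL offline_mode     = OFF;

-- Review the resulting account state (all columns exist in 5.7's mysql.user).
SELECT user, host, plugin, password_lifetime, password_expired, account_locked
FROM mysql.user ORDER BY user, host;
```

password_lifetime is NULL for accounts that follow the global default, so the final query also shows which accounts have been given an explicit NEVER (0) or INTERVAL value.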


User Activity Control

• MySQL Firewall

• Audit Log Plugin

Firewall Plugin

Legitimate statement, as issued by the application:

SELECT info FROM customer WHERE cust_id=123

Injected variant of the same statement, which has a different digest:

SELECT info FROM customer WHERE cust_id=123 or 1=1

Firewall Plugin

• Engine

– Compares each incoming statement with the allowed set of statements (whitelist) recorded for the account

– Per-user mode: OFF (disabled), RECORDING, PROTECTING

– Comparison is based on the statement digest, not on the literal text

• Statement Cache

– Uses normalized SQL statements, with literals replaced by placeholders:

SELECT info FROM customer WHERE cust_id = 123 => SELECT info FROM customer WHERE cust_id = ?

– Generates a hash from the normalized SQL

– In-memory cache for faster lookup
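The recording-then-protecting workflow described above, as an added example for this page (not code from the slides). The account, schema and statements are assumptions; it presumes MySQL Enterprise Firewall has already been installed with the linux_install_firewall.sql (or win_install_firewall.sql) script shipped with the commercial server.

```sql
-- Added example (not from the slides). app@10.0.0.% and the customer
-- table are assumptions; the firewall stored procedures and tables are
-- created by the installation script.

-- 1. Learn the application's statement set from normal traffic.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'RECORDING');
-- ... run the application's full workload as app@10.0.0.% ...

-- 2. Inspect what was learned. Rules are normalized digests, so
--    "cust_id = 123" and "cust_id = 456" collapse into one entry, while
--    "cust_id = 123 OR 1 = 1" has a different shape and is absent.
SELECT rule FROM mysql.firewall_whitelist WHERE userhost = 'app@10.0.0.%';
-- roughly:  SELECT `info` FROM `customer` WHERE `cust_id` = ?

-- 3. Enforce. Any statement whose digest is not in the whitelist is
--    rejected with an error, and the rejection is counted.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'PROTECTING');
SELECT userhost, mode FROM mysql.firewall_users;

-- As app@10.0.0.% the recorded shape still works ...
SELECT info FROM customer WHERE cust_id = 456;
-- ... and the injected shape is blocked:
-- SELECT info FROM customer WHERE cust_id = 123 OR 1 = 1;

-- 4. Watch the counters; a rising Firewall_access_denied after a deploy
--    usually means a new query shape was never recorded.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
-- Firewall_access_denied, Firewall_access_granted, Firewall_cached_entries
```

Because the firewall is an allow-list of digests, the RECORDING run must cover every code path: a legitimate statement never seen during recording is blocked in PROTECTING exactly like an injection. Diff the recorded rules against the application's query catalogue before switching modes.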


Audit Log : Event Filtering

• Filtering by account name (only one of the two variables may be non-NULL at a time)

– SET GLOBAL audit_log_include_accounts = 'admin@localhost';

– SET GLOBAL audit_log_exclude_accounts = 'auditor@localhost';

• Filtering connection events

– SET GLOBAL audit_log_connection_policy = ERRORS;   (ALL, ERRORS or NONE)

• Filtering statement events by status

– SET GLOBAL audit_log_statement_policy = ALL;   (ALL, ERRORS or NONE)

• Better instrumentation (status variables)

– Audit_log_events

– Audit_log_events_filtered

– Audit_log_events_written

These are the legacy filtering controls; 5.7.13 and later add rule-based filtering (audit_log_filter_set_filter() and related functions), with the variables above kept for the legacy mode.

Encryption

• Enhancements in AES encryption

• Enterprise Encryption Plugin


AES Encryption : Enhanced

• Support for more secure block modes

– CBC, CFB1, CFB8, CFB128, OFB (ECB remains the default for compatibility; it leaks repeated plaintext blocks, so prefer CBC with a random IV)

– Support varies between OpenSSL and yaSSL builds

• Support for longer key sizes

– 192 and 256 bits, in addition to 128

• Controlled via block_encryption_mode

– e.g. “aes-256-cbc”, “aes-256-ofb”

– Every mode other than ECB requires the init_vector argument of AES_ENCRYPT()/AES_DECRYPT(): 16 bytes, fresh per message (RANDOM_BYTES(16)) and stored alongside the ciphertext

• Ported to 5.6 as well (5.6.17).

Enterprise Encryption Plugin

• SQL Interface to OpenSSL Functions

– Supports RSA/DSA/DH algorithms

– Configurable Key Size

• Standard PEM format for generated keys

– Compatible with external tools such as OpenSSL

• Useful for encrypting selected data (individual columns or values) rather than whole tables or files

Enterprise Encryption Plugin

• Creating asymmetric key pairs (one for the sender, suffix _s, one for the destination, suffix _d)

– SET @priv_key_s = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);

– SET @pub_key_s = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_s);

– SET @priv_key_d = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);

– SET @pub_key_d = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_d);

• Share public keys across multiple servers; each private key stays on the server that generated it

• Encryption, digest creation and signature (sender)

– SET @enc_text = ASYMMETRIC_ENCRYPT('RSA', 'FooBar', @pub_key_d);

– SET @text_digest = CREATE_DIGEST('SHA512', 'FooBar');

– SET @signature = ASYMMETRIC_SIGN('RSA', @text_digest, @priv_key_s, 'SHA512');

• Decryption, signature verification (destination)

– SET @plain_text = ASYMMETRIC_DECRYPT('RSA', @enc_text, @priv_key_d);

– SET @text_digest = CREATE_DIGEST('SHA512', @plain_text);

– SET @verify = ASYMMETRIC_VERIFY('RSA', @text_digest, @signature, @pub_key_s, 'SHA512');   (1 if the signature is valid)

(Slide diagram: @enc_text and @signature travel from sender to destination over an unencrypted channel; confidentiality comes from encrypting to @pub_key_d, authenticity from signing with @priv_key_s.)
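The AES enhancements and the asymmetric functions on the preceding slides are normally used together, because RSA-2048 can only encrypt about 245 bytes of payload directly (2048/8 minus the PKCS#1 padding overhead). The following hybrid scheme is an added example for this page, not code from the slides: the payload, variable names and the assumption that the openssl_udf functions (CREATE FUNCTION ... SONAME 'openssl_udf.so') are already installed are mine.

```sql
-- Added example (not from the slides). Requires the Enterprise Encryption
-- UDFs to be created; payload and variable names are assumptions.

-- 1. One-time: each side generates its own RSA pair. Only the public
--    halves are exchanged; private keys never leave their server.
SET @priv_key_s = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub_key_s  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_s);
SET @priv_key_d = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub_key_d  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_d);

-- 2. Sender: encrypt the payload with a fresh AES-256 key in CBC mode and a
--    random IV, then RSA-encrypt only the 32-byte AES key for the recipient.
SET block_encryption_mode = 'aes-256-cbc';
SET @data_key = RANDOM_BYTES(32);
SET @iv       = RANDOM_BYTES(16);
SET @payload  = 'Constructed sample: customer 123 tier=gold limit=5000';
SET @ct          = AES_ENCRYPT(@payload, @data_key, @iv);
SET @wrapped_key = ASYMMETRIC_ENCRYPT('RSA', @data_key, @pub_key_d);
-- Sign a digest of the CIPHERTEXT, so the recipient can reject tampered
-- data before spending any effort on decrypting it.
SET @signature = ASYMMETRIC_SIGN('RSA', CREATE_DIGEST('SHA512', @ct), @priv_key_s, 'SHA512');
-- What crosses the (possibly unencrypted) channel: @ct, @iv, @wrapped_key, @signature.

-- 3. Recipient: verify first, then unwrap the AES key and decrypt.
SET @ok = ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('SHA512', @ct), @signature, @pub_key_s, 'SHA512');
SELECT IF(@ok = 1, 'signature valid', 'REJECT: signature invalid') AS check_result;
SET @data_key_rx = ASYMMETRIC_DECRYPT('RSA', @wrapped_key, @priv_key_d);
SELECT IF(@ok = 1, AES_DECRYPT(@ct, @data_key_rx, @iv), NULL) AS plaintext;
```

Two caveats a practitioner should weigh: AES_ENCRYPT() provides no integrity on its own, which is why the signature over the ciphertext is not optional here; and every key passed as a literal or user variable appears in the general log, slow log and audit log of the server executing the statement, so where the threat model includes the DBA or the log pipeline, do the cryptography in the application and store only ciphertext.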

Communication Security

• Server/client support for encrypted connections

• TLSv1.1/1.2 support

• Enforcing encrypted connections

Communication Security

• Server: encrypted connections supported by default

– Automatic generation of TLS certificates and keys

• Enterprise server: at server start-up

• Community server: through the mysql_ssl_rsa_setup utility

– The generated CA is self-signed, so clients can only verify the server if its ca.pem is distributed to them (or the files are replaced with certificates from your own CA)

• Clients (libmysql based): attempt a TLS connection by default

– The default is opportunistic (--ssl-mode=PREFERRED): if TLS cannot be negotiated the client silently falls back to plaintext, so an active attacker on the path can strip encryption. Use REQUIRED or VERIFY_* wherever it matters.

• More information in the server log about the TLS setup phase

– CA certificate status

– Possible reason for TLS support failure

Communication Security

• TLSv1.1/TLSv1.2 support

– New option: --tls-version to control the permitted protocol versions (e.g. --tls-version=TLSv1.1,TLSv1.2 on the server to drop TLSv1.0)

– Weak ciphers disabled

• Multi-state SSL option: --ssl-mode

– Modes: DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY

– VERIFY_CA checks the server certificate against --ssl-ca; VERIFY_IDENTITY additionally checks that the certificate's host name matches the server being connected to

– Backwards compatibility with the legacy options --ssl and --ssl-verify-server-cert

• Enforcing secure connections

– Server: --require-secure-transport (per account: CREATE USER / ALTER USER ... REQUIRE SSL or REQUIRE X509)

– Client: --ssl-mode=REQUIRED/VERIFY_CA/VERIFY_IDENTITY
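Enforcing and then verifying encrypted connections, as an added example for this page (not from the slides). Account names, hosts and file names are assumptions. The static options (tls_version, ssl_ca, ssl_cert, ssl_key) are not dynamic in 5.7 and belong in my.cnf under [mysqld]; the statements below cover the dynamic server side, the per-account side and the client-side check.

```sql
-- Added example (not from the slides). Accounts, hosts, ca.pem and the
-- 'change-me' placeholders are assumptions.

-- Server side (dynamic): refuse every connection that is neither TLS nor a
-- local Unix socket / shared-memory connection.
SET GLOBAL require_secure_transport = ON;

-- Per-account requirements, useful while the global flag cannot be turned
-- on yet because some legacy client is still plaintext.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'change-me' REQUIRE SSL;          -- any TLS connection
CREATE USER 'dba'@'bastion.example.internal' IDENTIFIED BY 'change-me'
  REQUIRE X509;                                                               -- client certificate required

-- Confirm the server-side configuration actually took effect.
SHOW GLOBAL VARIABLES LIKE 'tls_version';               -- expect TLSv1.1,TLSv1.2 (no TLSv1)
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type <> '';  -- ANY = REQUIRE SSL, X509 = REQUIRE X509

-- Client side: run inside a session opened with
--   mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=ca.pem -h db.example.internal -u app -p
-- An empty Ssl_cipher means the session is NOT encrypted, whatever the
-- client options claimed.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');
```

Run the client-side check once with --ssl-mode=DISABLED as well: with require_secure_transport=ON the connection must be refused outright, which is the behaviour you want to see before relying on it.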

Secure By Default

• Better access control

• Secure packages

• Restricted data import/export

Secure By Default

• Motivation

– Help users avoid common mistakes that can cause data loss or leakage

– Decrease the MySQL attack surface

– Open to limited and authorized use by default

– Low usability impact

– Relaxing security must be an explicit and conscious decision

Secure By Default

• Stricter Access Control

– A single root account ('root'@'localhost') with a random initial password, written to the error log by --initialize and marked expired so it must be changed at first login

– No anonymous accounts

• Packages

– No tests and demos shipped with the server/client packages

– Separate packages for tests and demos

– Stricter permissions on deployed files

• Data import/export restrictions

– LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() are confined to one directory through the --secure-file-priv default

– Possible to disable data import/export completely (--secure-file-priv=NULL)

Code Refactoring

• Removal of legacy hash/encryption methods

• Uniform credential storage framework

• Tools refactoring

Code Refactoring

• Removal of pre-4.1 password support

– Insecure way of generating password hashes (16-byte hash, mysql_old_password plugin)

– Upgrade flags and disables such accounts

• Password vs. authentication string

– All authentication plugins are treated equally

– Removal of the Password column from mysql.user; every plugin stores its credential in authentication_string

– Dependency on @@old_passwords is gone!

• Removal of weak encryption functions

– ENCODE()/DECODE() are deprecated in favour of AES_ENCRYPT()/AES_DECRYPT() (and removed in a later major release); re-encrypt stored ENCODE() data before moving past 5.7
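A post-install audit that checks the "secure by default" properties from the previous section together with the legacy-credential cleanup on this slide, as an added example for this page (not from the slides). The probe path is an assumption; everything else reads only mysql.user and server variables.

```sql
-- Added example (not from the slides). Run as an administrator right
-- after initialization or an upgrade. /tmp/probe.txt is an assumption.

-- Anonymous accounts: --initialize creates none. Expect zero rows.
SELECT user, host FROM mysql.user WHERE user = '';

-- root should exist only for localhost and must not have an empty credential.
SELECT user, host, authentication_string = '' AS empty_credential
FROM mysql.user WHERE user = 'root';

-- Every account should use a current plugin. Pre-4.1 (16-hex-char) hashes
-- and mysql_old_password are gone in 5.7 and mysql_upgrade leaves such
-- accounts disabled; this also catches mysql_native_password accounts whose
-- credential is empty or malformed (a valid hash is '*' + 40 hex chars).
SELECT user, host, plugin, LENGTH(authentication_string) AS cred_len
FROM mysql.user
WHERE plugin NOT IN ('mysql_native_password', 'sha256_password', 'mysql_no_login')
   OR (plugin = 'mysql_native_password' AND LENGTH(authentication_string) <> 41);

-- The test/demo schema must not be present on a production server.
SHOW DATABASES LIKE 'test';

-- File import/export must be confined to one directory, or disabled (NULL).
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
-- A write outside that directory must fail:
--   SELECT 1 INTO OUTFILE '/tmp/probe.txt';
--   ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option
--   so it cannot execute this statement
```

Any row returned by the first three queries, or a 'test' database in the fourth, is a deviation from the 5.7 defaults that someone introduced deliberately or carried over from an older installation; fix it with ALTER USER / DROP USER rather than by editing mysql.user directly.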


Code Refactoring

• Server initialization through mysqld --initialize

– mysql_install_db is deprecated

• mysql_upgrade: rewritten in C, no longer dependent on external programs

• mysql_secure_installation: now a C program!

Questions & Answers
