  1. MariaDB Server
  2. MDEV-11286

Client encryption

Details

    • Task
    • Status: Open
    • Major
    • Resolution: Unresolved

    Description

      Client encryption

      "Client encryption" is a feature to protect sensitive data, such as credit card or insurance numbers, stored in the MariaDB server. Client encryption allows sensitive data to be encrypted inside client applications without ever revealing the encryption keys to the MariaDB server.
      Client encryption provides a separation between those who own data and those who manage data (or get in unauthorized possession of data).
      Client encryption makes encryption transparent: a MariaDB connector with encryption at rest enabled achieves this by encrypting and decrypting data automatically inside the client application.

      Encryption types

      Deterministic encryption

      Deterministic encryption always generates the same encrypted value for the same plaintext. This allows lookups, equality joins, grouping and indexing on encrypted columns.

      Randomized encryption

      Randomized encryption is more secure since it uses a method to encrypt data in a less predictable manner, but it prevents searching, grouping and indexing.

      Restrictions:

      Encryption at rest cannot be used

      • in string columns with non-binary collations
      • in columns with default constraints
      • in columns referenced by constraints
      • more ... ?!

      Tasks

      Server:

      Syntax

      Extend syntax for supporting encryption at rest:

      -- Proposed syntax: ENCRYPTED WITH (...) is the extension this task asks for
      CREATE TABLE my_table (
        a int unsigned not null auto_increment primary key,
        cc_number VARCHAR(200) COLLATE latin1_bin
                  ENCRYPTED WITH (
                    COLUMN_ENCRYPTION_KEY='my_key',
                    ENCRYPTION_TYPE=DETERMINISTIC,
                    ALGORITHM='AES-256-CTR'));
      

      Protocol.

      Extend column definition packet (by using first byte of filler)

      lenenc_str     catalog
      lenenc_str     schema
      lenenc_str     table
      lenenc_str     org_table
      lenenc_str     name
      lenenc_str     org_name
      lenenc_int     length of fixed-length fields [0c]
      2              character set
      4              column length
      1              type
      2              flags
      1              decimals
      -----------------------------------------
      1              encryption_type (1= deterministic, 2= randomized)
      1              filler [00]
      -----------------------------------------
      if (encryption type)
      lenenc_str     key
      lenenc_str     crypto_algorithm_
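
      The extended column definition packet above, parsed the way a connector could read it. This is an added Python example, not code from MariaDB or from this issue. The function names, the sample values (schema `test`, character set 47, type 253, flags 128), the dictionary key `crypto_algorithm` (without the trailing underscore) and the choice to reject unknown `encryption_type` values instead of treating the column as plaintext are assumptions.

```python
import struct

ENC_TYPES = {0: None, 1: "deterministic", 2: "randomized"}  # 0 = legacy filler

def lenenc_int(buf, pos):
    """Decode a length-encoded integer, returning (value, next_pos)."""
    first = buf[pos:pos + 1]
    if first and first[0] < 0xFB:
        return first[0], pos + 1
    width = {b"\xfc": 2, b"\xfd": 3, b"\xfe": 8}.get(bytes(first))
    if width is None or pos + 1 + width > len(buf):
        raise ValueError("invalid or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def lenenc_str(buf, pos):
    n, pos = lenenc_int(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n].decode("utf-8"), pos + n

def parse_column_definition(pkt):
    """Parse the column definition packet with the extension proposed above."""
    pos, col = 0, {}
    for field in ("catalog", "schema", "table", "org_table", "name", "org_name"):
        col[field], pos = lenenc_str(pkt, pos)
    fixed_len, pos = lenenc_int(pkt, pos)
    if fixed_len != 0x0C or pos + 12 > len(pkt):
        raise ValueError("bad fixed-length block")
    (col["charset"], col["length"], col["type"], col["flags"],
     col["decimals"], enc, _filler) = struct.unpack_from("<HIBHBBB", pkt, pos)
    pos += 12
    if enc not in ENC_TYPES:  # assumption: reject rather than treat as plaintext
        raise ValueError(f"unknown encryption_type {enc}")
    col["encryption_type"] = ENC_TYPES[enc]
    if enc:  # key and algorithm follow only for encrypted columns
        col["key"], pos = lenenc_str(pkt, pos)
        col["crypto_algorithm"], pos = lenenc_str(pkt, pos)
    if pos != len(pkt):
        raise ValueError("unexpected trailing bytes")
    return col

def build_sample(enc_type):
    """Constructed sample packet for the cc_number column (values assumed)."""
    s = lambda t: bytes([len(t)]) + t.encode()
    names = "def test my_table my_table cc_number cc_number".split()
    fixed = struct.pack("<HIBHBBB", 47, 200, 253, 128, 0, enc_type, 0)
    tail = s("my_key") + s("AES-256-CTR") if enc_type else b""
    return b"".join(map(s, names)) + b"\x0c" + fixed + tail
```

      A packet from a server without the extension carries `00 00` in the filler, so it parses with `encryption_type` set to `None` and no key fields.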
      
      

      Server problems to solve

      Storing

      Possible solutions:

      • in a separate blob of data in the frm
      • use engine attributes

      Limited usage of client-side encrypted fields

      Non-deterministically encrypted fields are allowed only in the SELECT list.

      Deterministically encrypted fields are allowed in =, <> and GROUP BY.

      The real problem is passing the knowledge about client-side encryption through temporary tables (for derived tables, views and CTEs).

      Item_func, Item_sum and others should check their arguments in fix_fields(), as should the preparation of GROUP BY/ORDER BY, to prevent illegal usage of client-side encrypted fields.

          People

            Unassigned Unassigned
            georg Georg Richter