Download as PDF, PPTX
![db.coll.insert({
name: "Doris",
ssn: "457-55-5462"
})
{
insert: "coll",
documents: [{
name: "Doris",
ssn: BinData(6, "a10x…")
}]
}
You see: MongoDB sees:
Encrypt before sending](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-12-2048.jpg)
![db.coll.update({}, {
$set: { ssn: "457-55-5462" }
})
{
update: "coll",
updates: [{
q:{},
u: {
$set: { ssn: BinData(6, "a10x…") }
}
}]
}
You see: MongoDB sees:
Update that overwrites value](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-26-2048.jpg)
![db.coll.aggregate([{
$project: { name_ssn: {$concat: [ "$name", " - ", "$ssn" ] } }
}]
Aggregate acting on the data](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-27-2048.jpg)
![Find with equality query
* For deterministic encryption
db.test.find(
{
$and: [
{
$or: [
{ ssn : { $in : [ "457-55-5462", "153-96-2097" ]} },
{ ssn: { $exists: false } }
]
},
{ name: "Doris" }
]
}
)
You see:](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-29-2048.jpg)
![Find with equality query
* For deterministic encryption
MongoDB sees:
{
find: "coll",
filter: {
$and: [
{
$or: [
{ ssn : { $in : [ BinData(6, "a10x…"), BinData(6, "8dk1…") ]} },
{ ssn: { $exists: false } }
]
},
{ name: "Doris" }
]
}
}](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-30-2048.jpg)
![{
name: "Doris"
ssn: "457-55-5462",
email: "Doris@gmail.com",
credit_card: "4690-6950-9373-8791",
comments: [ …. ],
avatar: BinData(0, "0fi8…"),
profile: { likes: {…}, dislikes: {…} }
}](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-48-2048.jpg)
![Describes JSON
{
bsonType: "object",
properties: {
a: {
bsonType: "int"
maximum: 10
}
b: { bsonType: "string" }
},
required: ["a", "b"]
}
{
a: 5,
b: "hi"
}
{
a: 11,
b: false
}
JSON Schema](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-51-2048.jpg)
![{
bsonType: "object",
properties: {
ssn: {
encrypt: { … }
}
},
required: ["ssn"]
}
JSON Schema "encrypt"](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-52-2048.jpg)
![byte algorithm
byte[16] key_id
byte original_bson_type
byte* payload
Ciphertext](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-93-2048.jpg)
![byte algorithm
byte[16] key_id
byte original_bson_type
byte* payload
key_id + algorithm describes how to decrypt.
No JSON Schema necessary!
Ciphertext](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-94-2048.jpg)
![byte algorithm
byte[16] key_id
byte original_bson_type
byte* payload
Provides extra server-side validation.
But prohibits single-value types (MinKey, MaxKey, Undefined, Null)
Ciphertext](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-95-2048.jpg)
![byte algorithm
byte[16] key_id
byte original_bson_type
byte* payload
Payload includes encoded IV and padding block, and HMAC.
Ciphertext adds between 66 to 82 bytes of overhead.
Ciphertext](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-96-2048.jpg)
![db.test.find({
$or: [
{ ssn : { $in : [ "457-55-5462", "153-96-2097" ]} },
{ name: "Doris" }
]
})
db.test.find({
$or: [
{ ssn : { $in : [ BinData(6, "a10x…"), BinData(6, "8dk1…") ]} },
{ name: "Doris" }
]
})](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-100-2048.jpg)
![db.test.aggregate([
])
{ $project: { identifier: { $ifNull: ["$ssn", "$passport_num" ] } } },
{ $match: { identifier: "457-55-5462" } }
How do we encrypt 457-55-5462?](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-103-2048.jpg)
![ce = ClientEncryption(opts)
db.test.aggregate([
])
{ $project: { identifier: { $ifNull: ["$ssn", "$passport_num" ] } } },
{ $match: { identifier: ce.encrypt("457-55-5462", opts) } }](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-105-2048.jpg)
![One key
Specify with JSONSchema
…
ssn: {
encrypt: {
keyId: [id],
algorithm: (…),
bsonType: (…)
}
}](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-108-2048.jpg)
![Labeled keys
ce = ClientEncryption(opts)
id = ce.createDataKey(keyopts, keyAltNames=["Doris"])
Create with ClientEncryption](https://image.slidesharecdn.com/2010pmclientsideencryption-200117194917/75/MongoDB-local-San-Francisco-2020-Using-Client-Side-Encryption-in-MongoDB-4-2-110-2048.jpg)
Uploaded byMongoDB
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
The document provides a detailed overview of MongoDB's encryption methods, including client-side encryption and data handling practices for sensitive information such as Social Security Numbers (SSNs). It discusses various encryption techniques, schemas, potential attack scenarios, and compliance with regulations like GDPR. The implementation details cover the use of auto-encryption options and key management, emphasizing the importance of protecting user data throughout its lifecycle.
More Related Content
![[MongoDB.local Bengaluru 2018] Just in Time Validation with JSON Schema](https://cdn.slidesharecdn.com/ss_thumbnails/1240-justintimeschemavalidationdinesh-180425155701-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
![MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]](https://cdn.slidesharecdn.com/ss_thumbnails/315pminfosysfinalsfoversionvocalpart1-200120221508-thumbnail.jpg?width=640&height=640&fit=bounds)
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
- 2.
- 4. db.coll.insert({ _id: 1, name: "Doris", ssn:"457-55-5462" })
- 6. doc = db.coll.find_one({ ssn:"457-55-5462" })
- 8.
- 9. { _id: 1 name: "Doris", ssn:"457-55-5462" }
- 12. db.coll.insert({ name: "Doris", ssn: "457-55-5462" }) { insert:"coll", documents: [{ name: "Doris", ssn: BinData(6, "a10x…") }] } You see: MongoDB sees: Encrypt before sending
- 13. { _id: 1 name: "Doris", ssn:BinData(6, "a10x…") } Driver receives: You see: { _id: 1 name: "Doris", ssn: "457-55-5462" } Decrypt after receiving
- 14. How does thisdiffer from…? •… encryption in-transit (TLS) •… encryption at-rest (encrypted storage engine)
- 15. Attacker query App (Client) Disk insert write MongoDB Auth db.coll.insert({ name:"Doris", ssn: "457-55-5462" })
- 16. Disk insert write MongoDB Attacker snoop TLS db.coll.insert({ name:"Doris", ssn: "457-55-5462" }) App (Client)
- 17. Disk insert write MongoDB Attacker insert TLS db.coll.insert({ name:"Doris", ssn: "457-55-5462" }) App (Client)
- 18. Disk insert write MongoDB Attacker steal ESE db.coll.insert({ name:"Doris", ssn: "457-55-5462" }) App (Client)
- 19. Disk insert write MongoDB Attacker login Client SideEncryption db.coll.insert({ name: "Doris", ssn: "457-55-5462" }) App (Client)
- 20. Disk insert write MongoDB Boundaries ofunencrypted data App (Client)
- 21. Disk insert write MongoDB … withEncrypted Storage Engine App (Client)
- 22. Disk insert write MongoDB … andTLS App (Client)
- 23. Disk insert write MongoDB with ClientSide Encryption App (Client)
- 25. Disk insert write MongoDB ssn: BinData(6,"a10x…") App (Client)
- 26. db.coll.update({}, { $set: {ssn: "457-55-5462" } }) { update: "coll", updates: [{ q:{}, u: { $set: { ssn: BinData(6, "a10x…") } } }] } You see: MongoDB sees: Update that overwrites value
- 27. db.coll.aggregate([{ $project: { name_ssn:{$concat: [ "$name", " - ", "$ssn" ] } } }] Aggregate acting on the data
- 28. Find with equalityquery * For deterministic encryption db.coll.find({ssn: "457-55-5462" }) { find: "coll", filter: { ssn: BinData(6, "a10x…") } } You see: MongoDB sees:
- 29. Find with equalityquery * For deterministic encryption db.test.find( { $and: [ { $or: [ { ssn : { $in : [ "457-55-5462", "153-96-2097" ]} }, { ssn: { $exists: false } } ] }, { name: "Doris" } ] } ) You see:
- 30. Find with equalityquery * For deterministic encryption MongoDB sees: { find: "coll", filter: { $and: [ { $or: [ { ssn : { $in : [ BinData(6, "a10x…"), BinData(6, "8dk1…") ]} }, { ssn: { $exists: false } } ] }, { name: "Doris" } ] } }
- 31.
- 33. Destroy the key Provablydelete all user data. GDPR "right-to-be-forgotten"
- 36. Doris Private stuff instorage
- 37. PoliceDoris Private stuff instorage
- 38. Vault key Held onlyby you Vault
- 40.
- 42. { _id: 1,ssn: BinData(0, "A81…"), name: "Kevin" } { _id: 2, ssn: BinData(0, "017…"), name: "Eric" } { _id: 3, ssn: BinData(0, "5E1…"), name: "Albert" } …
- 44.
- 45.
- 46. One key forall vaults
- 47. One key pervault
- 48. { name: "Doris" ssn: "457-55-5462", email:"[email protected]", credit_card: "4690-6950-9373-8791", comments: [ …. ], avatar: BinData(0, "0fi8…"), profile: { likes: {…}, dislikes: {…} } }
- 51. Describes JSON { bsonType: "object", properties:{ a: { bsonType: "int" maximum: 10 } b: { bsonType: "string" } }, required: ["a", "b"] } { a: 5, b: "hi" } { a: 11, b: false } JSON Schema
- 52. { bsonType: "object", properties: { ssn:{ encrypt: { … } } }, required: ["ssn"] } JSON Schema "encrypt"
- 53. encrypt: { keyId: (…), algorithm:(…), bsonType: (…) } bsonType indicates the type of underlying data. algorithm indicates how to encrypt (Random or Deterministic). keyId indicates the key used to encrypt.
- 54. opts = AutoEncryptionOptions( schema_map= { "db.coll": <schema> } …)
- 55. Remote Schema Fallback db.createCollection("coll",{ validator: { $jsonSchema: … } } ) Misconfigured Client insert "457-55-5462" error, that should be encrypted MongoDB
- 56. What if … theserver lies about the schema? Misconfigured Client insert "457-55-5462" Evil MongoDB ok :)
- 57.
- 59. Key vault Key vaultkey Held only by you
- 62.
- 63. opts = AutoEncryptionOptions( schema_map= { "db.coll": <schema> }, key_vault_namespace = "db.keyvault" …)
- 64.
- 65. What if … attackerdrops key vault collection?
- 66. Keep at home opts= AutoEncryptionOptions( schema_map = { "db.coll": <schema> }, key_vault_namespace = "db.keyvault", key_vault_client = <client> …)
- 67.
- 69.
- 70. Protects keys Storeskeys KMS Key vault key Key vault Key vault collection
- 71.
- 72. opts = AutoEncryptionOptions( schema_map= { "db.coll": <schema> }, key_vault_namespace = "db.keys", kms_providers = <creds> …)
- 73.
- 75. db.coll.insert({ name: "Doris", ssn: "457-55-5462" }) Getencrypted key Decrypt the key with KMSDecrypt the key with KMS Encrypt 457-55-5462 Send insert Compare to JSON schema
- 77. You need… •MongoDB 4.2server •Beta client (shell, Java, Python, NodeJS, Go, C#) •Enterprise license for auto encryption •Community for explicit encryption
- 79.
- 81. Authenticated Encryption withAssociated Data using the Advance
- 82.
- 83.
- 84. coll.insert({ ssn: "457-55-5462"}) { ssn: BinData(6, "a10x…") } You see: MongoDB stores: coll.insert({ ssn: "457-55-5462" }) { ssn: BinData(6, "f991…") } …Random
- 85. coll.insert({ ssn: "457-55-5462"}) { ssn: BinData(6, "a10x…") } You see: MongoDB stores: coll.insert({ ssn: "457-55-5462" }) { ssn: BinData(6, "a10x…") } …Deterministic
- 86. Can be queried doc= db.coll.find({ ssn: "457-55-5642" }) …Deterministic
- 87. Only for binarycomparable types. db.coll.find({ a: NumberDecimal("1.2")}) { a: NumberDecimal("1.2") } { a: NumberDecimal("1.20") } MongoDB returns: …Deterministic
- 88. { a: BinData(6,"b515…") } { a: BinData(6, "801f…") } Encrypted as: { a: NumberDecimal("1.2") } { a: NumberDecimal("1.20") } Value:
- 89. db.coll.find({ a: NumberDecimal("1.2")}) { a: NumberDecimal("1.2") } MongoDB returns: "a" encrypted
- 90. Encrypt-able values Deterministic encryptionvalid for… •String •Binary •ObjectID •Date •Regex •DBPointer •Javascript •Symbol •Int •Timestamp •Long Random encryption valid for… •(all of deterministic) •Document •Array •JavascriptWithScope •Double •Decimal128 •Bool
- 92. { ssn: BinData(6,"AWNkTYTCw89Ss1DPzV3/2pSRDNGNJ9NB" } New binary subtype Older drivers and older MongoDB will treat as a black box.
- 93. byte algorithm byte[16] key_id byteoriginal_bson_type byte* payload Ciphertext
- 94. byte algorithm byte[16] key_id byteoriginal_bson_type byte* payload key_id + algorithm describes how to decrypt. No JSON Schema necessary! Ciphertext
- 95. byte algorithm byte[16] key_id byteoriginal_bson_type byte* payload Provides extra server-side validation. But prohibits single-value types (MinKey, MaxKey, Undefined, Null) Ciphertext
- 96. byte algorithm byte[16] key_id byteoriginal_bson_type byte* payload Payload includes encoded IV and padding block, and HMAC. Ciphertext adds between 66 to 82 bytes of overhead. Ciphertext
- 98. ce = ClientEncryption(opts) encrypted= ce.encrypt("457-55-5462", opts)) decrypted = ce.decrypt(BinData(6, "a10x…"))) id = ce.createDataKey(opts)
- 100. db.test.find({ $or: [ { ssn: { $in : [ "457-55-5462", "153-96-2097" ]} }, { name: "Doris" } ] }) db.test.find({ $or: [ { ssn : { $in : [ BinData(6, "a10x…"), BinData(6, "8dk1…") ]} }, { name: "Doris" } ] })
- 101. Limitations If we cannotparse… or it is impossible… we err for safety.
- 102. { passport_num: "281-301-348",ssn: "457-55-5462" } { passport_num: "390-491-482", ssn: "482-38-5899" } { passport_num: "104-201-596" } passport_num and ssn encrypted with different keys
- 103. db.test.aggregate([ ]) { $project: {identifier: { $ifNull: ["$ssn", "$passport_num" ] } } }, { $match: { identifier: "457-55-5462" } } How do we encrypt 457-55-5462?
- 104. opts = AutoEncryptionOptions( bypass_auto_encryption= True …) client = MongoClient(auto_encryption_opts=opts) (Decryption still occurs)
- 105. ce = ClientEncryption(opts) db.test.aggregate([ ]) {$project: { identifier: { $ifNull: ["$ssn", "$passport_num" ] } } }, { $match: { identifier: ce.encrypt("457-55-5462", opts) } }
- 107. One key ce =ClientEncryption(opts) id = ce.createDataKey(keyopts) Create with ClientEncryption
- 108. One key Specify withJSONSchema … ssn: { encrypt: { keyId: [id], algorithm: (…), bsonType: (…) } }
- 109. One key db.coll.insert({ name: "Doris", ssn:"457-55-5462" }) Query key vault by _id Compare to JSON schema
- 110. Labeled keys ce =ClientEncryption(opts) id = ce.createDataKey(keyopts, keyAltNames=["Doris"]) Create with ClientEncryption
- 111. Labeled keys Specify JSONPointer with JSONSchema … ssn: { encrypt: { keyId: "/name", algorithm: (…), bsonType: (…) } }
- 112. db.coll.insert({ name: "Doris", ssn: "457-55-5462" }) Querykey vault by label "Doris" Compare to JSON schema Labeled keys
- 113. db.coll.insert({ name: "Kevin", ssn: "457-55-5462" }) Querykey vault by label "Kevin" Compare to JSON schema Labeled keys
- 115. DorisDB MongoDB Cloud Hosting- By Doris ™
- 118. App Server User insert MongoDB (Key Vault) fetchkey decrypt key DorisDB (Storage) encrypted insert
- 119. { email: (encrypted), pwd: (encrypted) } Emaildeterministic, pwd random, uses collection key
- 120. { user_id: "…", title: (encrypted), body:(encrypted) } Encrypted randomly with per-user key
- 121. User MongoDB (Key Vault) delete userkey DorisDB (Storage) delete all posts App Server "Delete my data" … but was it really deleted?
- 124.
- 125.
- 126.
- 127. EAST DICTATORLAND { _id: 1,body: BinData(6, "A81…") } { _id: 2, body: BinData(6, "017…") } { _id: 3, body: BinData(6, "5E1…") } …