MySQLデータ暗号化と暗号鍵のローテーション
1 like1,633 views
MySQL Enterprise Encryption AES暗号化のハイブリッド暗号化
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
ハンズオン:ステップ③
/* GRANT TO APPUSER */
8
GRANT SELECT, INSERT, DELETE, UPDATE ON secdemo.secretsdata TO 'appuser'@'localhost';
GRANT SELECT ON secdemo.apppublickey TO 'appuser'@'localhost';
GRANT INSERT ON `secdemo`.`secretskey` TO 'appuser'@'localhost';
appuserは
secretdataを更新可能
appuserは、
public keyを参照可能
appuserは、暗号化
されたパスフレーズ
をINSERTのみ可能trusteduser@localhost [secdemo]> show tables;
+--------------------+
| Tables_in_secdemo |
+--------------------+
| apppublickey |
| privuserprivatekey |
| secretsdata |
| secretskey |
+--------------------+
4 rows in set (0.00 sec)
appuser@localhost [secdemo]> show tables;
+-------------------+
| Tables_in_secdemo |
+-------------------+
| apppublickey |
| secretsdata |
| secretskey |
+-------------------+
3 rows in set (0.00 sec)
一般ユーザーに権限を付与 (暗号化のみ可能なアプリケーションユーザー)](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-8-320.jpg)
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
ハンズオン:ステップ④
/* Key length in bits; make larger for stronger keys : CPU usage 1024 < 2048 */
/* Create private key */
/* Server – Generate Public Key */
/* Derive corresponding public key from private key, using same algorithm */
9
[secdemo]> select appid,privatekey from secdemo.privuserprivatekey¥G
*************************** 1. row ***************************
appid: 1
privatekey: -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBh
gtXJxDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEl
jG1KThco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5o
dMTwHsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1X
KtHCcHR9eWL/RkE1ZdULrf9GxALtFxX17gNPaexBVIBZ06MEzQ+ff38nL6sefNse
zM+RFrNEFX+qK5r9GTAgbSjPTNmFnsnrvM/JKQIDAQABAoIBACljk5GIXO+pH6Y/
3SBHGKjNQ7gd8kB+zHf9azPmZ8vOC2Git7eC+OHkuLA+n7D3N+5nyEpHl0fXs/Q2
K2sj7Xr7s7opes5ZqLCGFmFqvN7VjteV6ZoFeSh/Ec7lFRMT7Iputs/1rmlmjmvz
qRhLRstklx4GWZDjWfMjQ0BQ7oZi2bYBA1GBqVaDN6LuSGbKe9JPevCxrE69KPRR
VWswCFSnLVh59zqCXbMfNNGURP8Ii5cg23FsWcBSaUt4L8Uu+b7wOt1hzAbTRHWq
+RgedisCzpm4PepuKYR59zi5ys6mR1GJGGZxjKKtcHkF6gyIo8mZD/spiNOmsqRG
oy0A9/ECgYEAzel0lhdzUWDxThH3kYBq/phPmabfvLFusJXZT+ouRoT8falItoZq
AHYwbYnZ3kNYZYBru/Vll2PJQH5jPRS5lpqqxogkHOph/QW9KeNrc9bWvppzoMEC
IRX18ZtmZ2X942TPlsHCOHNH07Nf9d+FHG1iugO0Z7pI2KOioDngc/UCgYEAzP4A
baiq0ft84v8HrFmkNrp6sc9Ztj7xXc4f3RJVeTcWjtiGzYo9yuRX/RzOEVYcOdef
kQ7tSyxZbCoUi3lVd5SPh+1/hCiZFySyzsNgMLQTEtUVDc87InLfLFjyXdZzg6TW
e9WtbL133sS28a4IlU3AdaScabuPqN+PERGNc+UCgYAOUiRHpA3jJQjjUyCSwAmw
90rh9tcsunJmWaWphzH8uZcN7k4eU67fpVis5Z9/c9OcC5hylBiitM/0alXgk6Zs
sQkbkbBhSnPSMyn61dRNVC3PR9Ku5X2Oa4aVbSdsHY3Q2NwPMh6d6naeZKVR5l/N
oFXzdfqAFFaoqojO9/eCWQKBgQC1/8XNlnSjHg9RUnAzmxrq5EHO4HOcFOIjEMDF
fGOazUgf5yo4Dsax/m4IcaybQ8KnsEMhfQk9NtDl8a5v7nftRV7xpfETGyBgpdqD
LH+Yfih5Deo1aonsGeT+8LGukpnYhV9QbvQcmVN121050fQY6wE28cFVNotjuajB
1L2r6QKBgQCVgzVxU11bsGtFuphIKsZ7D6ptIxbiQ1x1iiM1dbnOW1PxLT/UCaUr
ceRov28FPDbpmh3L5af80dB62a8uKmtqQcUSLdm1gbM6LmvTl8kGLmgK66qmcX8n
1fR9yomrJao5CFgY/LZnGkJFfNvOV+crapX9PIajJWOcEfqEynyo+w==
-----END RSA PRIVATE KEY-----
[secdemo]> select appid,publickey from secdemo.apppublickey¥G
*************************** 1. row ***************************
appid: 1
publickey: -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBhgtXJ
xDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEljG1K
Thco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5odMTw
HsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1XKtHC
cHR9eWL/RkE1ZdULrf9GxALtFxX17gNPaexBVIBZ06MEzQ+ff38nL6sefNsezM+R
FrNEFX+qK5r9GTAgbSjPTNmFnsnrvM/JKQIDAQAB
-----END RSA PUBLIC KEY-----
SET @key_len = 2048;
SET @algo = 'RSA';
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY(@algo, @key_len);
select @priv; INSERT INTO `secdemo`.`privuserprivatekey`
(`appid`,`privatekey`) VALUES (1, @priv);
SET @pub = CREATE_ASYMMETRIC_PUB_KEY(@algo, @priv);
INSERT INTO `secdemo`.`apppublickey` (`appid`,`publickey`)
VALUES (1, @pub);
AESパスフレーズを
解読する為のキー
AESパスフレーズを
暗号化する為のキー
非対称鍵の作成](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-9-320.jpg)
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
/* Web Client – Get Public Key (connected as appuser) */
/* Web Client – Generate passphrase */
/* SET @passphrase = keyring_key_generate('MyKey', 'AES', 32); */
/* Web Client – Encrypt Data with passphrase */
/* Web Client – Encrypt passphrase with Public Key */
10
appuser@localhost [secdemo]> select 'Symmetric Passphrase', @passphrase¥G
*************************** 1. row ***************************
Symmetric Passphrase: Symmetric Passphrase
@passphrase: 2555f21178e18b6ec5f883ddb5fad6992f34ece0d83a217e27063fe9
1 row in set (0.00 sec)
appuser@localhost [secdemo]> select HEX(@enc_keepsecret)¥G
*************************** 1. row ***************************
HEX(@enc_keepsecret):
3FFB3865894C83DE4356675A12C46638518D77223775729FC81461EC5534CAF409F6E3
4D0DB1852F7CD6341E1E38907FA94E03851118B7C4555AC2156E2E2E64958A3BF8F43
0348AE07874B49E7FF997
1 row in set (0.00 sec)
appuser@localhost [secdemo]> SELECT 'Decrypt just to check',
AES_DECRYPT(@enc_keepsecret, @passphrase)¥G
*************************** 1. row ***************************
Decrypt just to check: Decrypt just to check
AES_DECRYPT(@enc_keepsecret, @passphrase): Santa and his Elves location is just north east
of Longyearbyen, Norway
appuser@localhost [secdemo]> select 'Encrypted passphrase by using public key',
HEX(@enc_pp)¥G
*************************** 1. row ***************************
Encrypted passphrase by using public key: Encrypted passphrase by using public key
HEX(@enc_pp):
3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F
93A723C56751496BB830EEA714F44B18C52F7905C2E6F6733FFCFFDC80049A613575B6884C74
C82888C9D36A1E067ECF9200BBB102040BBA6AE944F51AE3AE137B7FD88455CF2833D978340
E0EB104A8F98DD6655AB520D2FE2C6EDA88B34B4D7ADE72ABA8734B75C0745CF21D81590FE
D309B80CB5B4E5F7B59A15AE2418D6945017CB409F8568F7C96B297729F33F638232230D207A
FB22245D91B65DBAD1C9AAE8A28ECEAD7FBF6D9E3FED486FBE89B40D891FA8112347758191
D0805638649143DADC1A1F3F1CB914333B10E24EAA8BF0F5F1A51DFB40396C8
Encrypt Passphrase by Public Key
SET @key_len = 2048;
SET @algo = 'RSA';
Set @enc_pp = ASYMMETRIC_ENCRYPT(@algo, @passphrase, @webpubkey);
SELECT 'Encrypted passphrase by using public key', HEX(@enc_pp)¥G
SET @keepsecret='Santa and his Elves location is just north east of Longyearbyen, Norway';
select @keepsecret;
SET @enc_keepsecret=AES_ENCRYPT(@keepsecret,@passphrase);
SELECT @enc_keepsecret;
INSERT INTO `secdemo`.`secretsdata` (`id`,`secret`) VALUES (1, @enc_keepsecret);
SELECT 'Decrypt just to check', AES_DECRYPT(@enc_keepsecret, @passphrase);
SET @passphrase = SHA2(lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0), 224);
select 'Symmetric Passphrase', @passphrase;
select publickey from `secdemo`.`apppublickey` where appid=1 INTO @webpubkey;
select 'web public key', @webpubkey;
AESパスフレーズは常に
ランダムに生成されます
ハンズオン:ステップ⑤ : データの暗号化](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-10-320.jpg)
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
/* Server - Store AES Data and PK Encrypted Passphrase */
/* Look at key (you can't no permission and even if could - its encrypted */
/* Look at data - its encrypted */
11
trusteduser@localhost [secdemo]> select id,hex(secretkey) from secdemo.secretskey¥G
*************************** 1. row ***************************
id: 1
hex(secretkey):
3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F
93A723C56751496BB830EEA714F44B18C52F7905C2E6F6733FFCFFDC80049A613575B6884C74
C82888C9D36A1E067ECF9200BBB102040BBA6AE944F51AE3AE137B7FD88455CF2833D978340
E0EB104A8F98DD6655AB520D2FE2C6EDA88B34B4D7ADE72ABA8734B75C0745CF21D81590FE
D309B80CB5B4E5F7B59A15AE2418D6945017CB409F8568F7C96B297729F33F638232230D207A
FB22245D91B65DBAD1C9AAE8A28ECEAD7FBF6D9E3FED486FBE89B40D891FA8112347758191
D0805638649143DADC1A1F3F1CB914333B10E24EAA8BF0F5F1A51DFB40396C8
1 row in set (0.00 sec)
appuser@localhost [secdemo]> select id,hex(secret) from `secdemo`.`secretsdata`¥G
*************************** 1. row ***************************
id: 1
hex(secret):
3FFB3865894C83DE4356675A12C46638518D77223775729FC81461EC5534CAF409F6E34D0DB1
852F7CD6341E1E38907FA94E03851118B7C4555AC2156E2E2E64958A3BF8F430348AE07874B4
9E7FF997
1 row in set (0.00 sec)
Encrypt AES Passphrase by Public Key
INSERT INTO `secdemo`.`secretskey` (`id`, `secretkey`) VALUES (1, @enc_pp);
appuser@localhost [secdemo]> select id,hex(secretkey) from secdemo.secretskey¥G
ERROR 1142 (42000): SELECT command denied to user 'appuser'@'localhost' for table
'secretskey'
select id,hex(secret) from `secdemo`.`secretsdata`¥G
データはAES()によって
暗号化されている
公開鍵で暗号化された
AESパスフレーズを保存
appuserはパスフレーズを、
読むことが出来なくなりました
Encrypted data by AES Passphrase
ハンズオン:ステップ⑥ : 暗号化したデータの保存](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-11-320.jpg)
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
/* 管理者アカウント – Read PK Encrypted Passphrase */
/* 管理者アカウント– Get Private Key */
/*管理者アカウント– Decrypt passphrase with Private Key */
/*管理者アカウント– Read AES Encrypted Data */
/*管理者アカウント– See Secret Data */
/*管理者アカウント– Decrypt data with Passphrase */
13
trusteduser@localhost [secdemo]> select 'privappprivpkey', @privappprivpkey¥G
*************************** 1. row ***************************
privappprivpkey: privappprivpkey
@privappprivpkey: -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBh
gtXJxDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEl
jG1KThco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5o
dMTwHsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1
<SNIP>
oFXzdfqAFFaoqojO9/eCWQKBgQC1/8XNlnSjHg9RUnAzmxrq5EHO4HOcFOIjEMDF
fGOazUgf5yo4Dsax/m4IcaybQ8KnsEMhfQk9NtDl8a5v7nftRV7xpfETGyBgpdqD
LH+Yfih5Deo1aonsGeT+8LGukpnYhV9QbvQcmVN121050fQY6wE28cFVNotjuajB
1L2r6QKBgQCVgzVxU11bsGtFuphIKsZ7D6ptIxbiQ1x1iiM1dbnOW1PxLT/UCaUr
ceRov28FPDbpmh3L5af80dB62a8uKmtqQcUSLdm1gbM6LmvTl8kGLmgK66qmcX8n
1fR9yomrJao5CFgY/LZnGkJFfNvOV+crapX9PIajJWOcEfqEynyo+w==
-----END RSA PRIVATE KEY-----
trusteduser@localhost [secdemo]> select 'Original Symmetric Passphrase', @enc_pp¥G
*************************** 1. row ***************************
Original Symmetric Passphrase: Original Symmetric Passphrase
@enc_pp: 2555f21178e18b6ec5f883ddb5fad6992f34ece0d83a217e27063fe9
1 row in set (0.00 sec)
trusteduser@localhost [secdemo]> select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata`
where id=1¥G
*************************** 1. row ***************************
AES_DECRYPT(secret, @enc_pp): Santa and his Elves location is just north east of Longyearbyen,
Norway
1 row in set (0.00 sec)
trusteduser@localhost [secdemo]>
select secretkey from `secdemo`.`secretskey` where id=1 INTO @encpassphrase;
select privatekey from `secdemo`.`privuserprivatekey` where appid=1 INTO @privappprivpkey;
select 'privappprivpkey', @privappprivpkey;
SET @key_len = 2048;
SET @algo = 'RSA';
Set @enc_pp = ASYMMETRIC_DECRYPT(@algo, @encpassphrase, @privappprivpkey);
select 'Original Symmetric Passphrase', @enc_pp;
select id,hex(secret) from `secdemo`.`secretsdata`;
select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata` where id=1;
ハンズオン:ステップ⑦ :暗号化されたデータの参照](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-13-320.jpg)
![Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | 15
appuser@localhost [secdemo]> SET @key_len = 2048;SET @algo = 'RSA';
appuser@localhost [secdemo]> SET @passphrase = SHA2(lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0), 224);
appuser@localhost [secdemo]> SET @keepsecret='This is confidential data 2nd connection by appuser';
appuser@localhost [secdemo]> SET @enc_keepsecret=AES_ENCRYPT(@keepsecret,@passphrase);
appuser@localhost [secdemo]> INSERT INTO `secdemo`.`secretsdata` (`id`,`secret`) VALUES (2, @enc_keepsecret);
appuser@localhost [secdemo]> select publickey from `secdemo`.`apppublickey` where appid=1 INTO @webpubkey;
appuser@localhost [secdemo]> Set @enc_pp = ASYMMETRIC_ENCRYPT(@algo, @passphrase, @webpubkey);
appuser@localhost [secdemo]> INSERT INTO `secdemo`.`secretskey` (`id`, `secretkey`) VALUES (2, @enc_pp);
trusteduser@localhost [secdemo]> SET @key_len = 2048;SET @algo = 'RSA';
trusteduser@localhost [secdemo]> select secretkey from `secdemo`.`secretskey` where id=2 INTO @encpassphrase;
trusteduser@localhost [secdemo]> select privatekey from `secdemo`.`privuserprivatekey` where appid=1 INTO @privappprivpkey;
trusteduser@localhost [secdemo]> Set @enc_pp = ASYMMETRIC_DECRYPT(@algo, @encpassphrase, @privappprivpkey);
trusteduser@localhost [secdemo]> select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata` where id=2;
+-----------------------------------------------------+
| AES_DECRYPT(secret, @enc_pp) |
+-----------------------------------------------------+
| This is confidential data 2nd connection by appuser |
+-----------------------------------------------------+
trusteduser@localhost [secdemo]> select id,left(hex(secretkey),100) from secretskey;
+----+------------------------------------------------------------------------------------------------------+
| id | left(hex(secretkey),100) |
+----+------------------------------------------------------------------------------------------------------+
| 1 | 3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F93A723C56751496BB830EEA714 |
| 2 | 692B0B30335A81CF5836A5EE090593CC71EC18690EBE3A40D1128289ECCC177FD7F64729A46227C6B8701CE7C52876C9B672 |
+----+------------------------------------------------------------------------------------------------------+
① 暗号鍵をランダムに
生成しデータを暗号化し保存
② “①”で生成した 暗号鍵を
Public鍵で暗号化して保存
③暗号化された鍵を
Private鍵で復号化しデータを参照
こちらの鍵を復号化&暗号化する事で鍵の定期的なローテーションを行う](https://image.slidesharecdn.com/mysql-170623025046/85/MySQL-15-320.jpg)
MySQLデータ暗号化と暗号鍵のローテーション
- 1. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Editionを利用した データの暗号化と暗号鍵のローテーション 2017/06/03
- 2. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2
- 3. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | 概要 • 対称鍵の問題 – 暗号化と復号化鍵が同じな為、鍵を所持している 全てのユーザー(開発者・エンジニア)がデータの参照が可能 (ハードコーディング) – 定期的に鍵を更新する場合に、データの復号化→再暗号化が必要 データ量が多い場合は、大きな負担になる事もある • 非対称および対称暗号を使用したハイブリッド暗号化による対応 – 一般ユーザーはデータを暗号化する権限のみ (ランダム暗号化鍵を生成) – 信頼できるユーザーはデータを参照する事が可能 – 鍵のローテーションは、データそのものでは無くデータを復号化する鍵自体を 復号化→再暗号化する事で、軽い負担で鍵のローテーションが可能 Confidential – Oracle Internal 3 目的:鍵の定期的なローテーション・暗号化鍵の管理方法の改善
- 4. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハイブリッド暗号化による運用 • 信頼できるアプリ (機密情報・個人情報管理者) – 秘密鍵を取得する(例では、保護されたテーブルを利用してますがAPIでも可能) – 秘密鍵でランダム鍵を解読する – 機密データをランダムキーで解読する - データを読み込む • データを再暗号化せずにプライベート暗号化キーをローテーション – 新しい秘密鍵と公開鍵のペアを生成する – 鍵管理テーブルを更新 – 公開鍵と秘密鍵を変更する 4 対称鍵 非対称暗鍵 +
- 5. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハンズオン: システム要件 5 トライアル用ソフトウエアダウンロード先: http://edelivery.oracle.com/ プラットホームに合った、最新版のMySQL Enterprise Editionをダウンロードして下さい。 Enterprise Encryption概要 https://www.mysql.com/jp/products/enterprise/encryption.html 参照ブログ http://mysqlserverteam.com/hybrid-data-encryption-by-example-using-mysql-enterprise-edition/ ※ 必要に応じて、鍵管理サーバーを別途準備して、鍵の管理を行う事も可能です。
- 6. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハンズオン:ステップ① • 1 アプリケーションユーザー (一般ユーザー) – このアプリケーションユーザーは機密情報を見る事は出来ない – データを取得してランダム鍵でデータを暗号化 • 2 – 信頼しているアプリケーションユーザー(機密情報管理者) – このユーザーのみデータを参照する事が可能 6 CREATE schema secdemo; CREATE USER 'trusteduser'@'localhost' IDENTIFIED BY '*&^*(9879879DDSdse'; GRANT ALL ON secdemo.* TO 'trusteduser'@'localhost'; CREATE USER 'appuser'@'localhost' IDENTIFIED BY '8374@#$%GRfDgfPTfg';
- 7. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハンズオン:ステップ② /* Table secretsdata stores your “secret” as encrypted data */ /* secretskey – stores the encrypted secret key */ 7 /* secretspubkey – stores the public key – grant so web app can read the key */ /* secretsprivkey – stores the private key */ /* grant so only privileged user/app can get the private key */ CREATE TABLE `secdemo`.`secretsdata` ( `id` INT NOT NULL, `secret` VARBINARY(3000) NOT NULL, PRIMARY KEY (`id`)); CREATE TABLE `secdemo`.`apppublickey` ( `appid` INT NOT NULL, `publickey` VARBINARY(3000) NOT NULL, PRIMARY KEY (`appid`)); CREATE TABLE `secdemo`.`secretskey` ( `id` INT NOT NULL, `secretkey` VARBINARY(3000) NOT NULL, PRIMARY KEY (`id`)); CREATE TABLE `secdemo`.`privuserprivatekey` ( `appid` INT NOT NULL, `privatekey` VARBINARY(3000) NOT NULL, PRIMARY KEY (`appid`)); ハンズオンで利用するデータベースオブジェクトの作成
- 8. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハンズオン:ステップ③ /* GRANT TO APPUSER */ 8 GRANT SELECT, INSERT, DELETE, UPDATE ON secdemo.secretsdata TO 'appuser'@'localhost'; GRANT SELECT ON secdemo.apppublickey TO 'appuser'@'localhost'; GRANT INSERT ON `secdemo`.`secretskey` TO 'appuser'@'localhost'; appuserは secretdataを更新可能 appuserは、 public keyを参照可能 appuserは、暗号化 されたパスフレーズ をINSERTのみ可能trusteduser@localhost [secdemo]> show tables; +--------------------+ | Tables_in_secdemo | +--------------------+ | apppublickey | | privuserprivatekey | | secretsdata | | secretskey | +--------------------+ 4 rows in set (0.00 sec) appuser@localhost [secdemo]> show tables; +-------------------+ | Tables_in_secdemo | +-------------------+ | apppublickey | | secretsdata | | secretskey | +-------------------+ 3 rows in set (0.00 sec) 一般ユーザーに権限を付与 (暗号化のみ可能なアプリケーションユーザー)
- 9. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | ハンズオン:ステップ④ /* Key length in bits; make larger for stronger keys : CPU usage 1024 < 2048 */ /* Create private key */ /* Server – Generate Public Key */ /* Derive corresponding public key from private key, using same algorithm */ 9 [secdemo]> select appid,privatekey from secdemo.privuserprivatekey¥G *************************** 1. row *************************** appid: 1 privatekey: -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBh gtXJxDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEl jG1KThco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5o dMTwHsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1X KtHCcHR9eWL/RkE1ZdULrf9GxALtFxX17gNPaexBVIBZ06MEzQ+ff38nL6sefNse zM+RFrNEFX+qK5r9GTAgbSjPTNmFnsnrvM/JKQIDAQABAoIBACljk5GIXO+pH6Y/ 3SBHGKjNQ7gd8kB+zHf9azPmZ8vOC2Git7eC+OHkuLA+n7D3N+5nyEpHl0fXs/Q2 K2sj7Xr7s7opes5ZqLCGFmFqvN7VjteV6ZoFeSh/Ec7lFRMT7Iputs/1rmlmjmvz qRhLRstklx4GWZDjWfMjQ0BQ7oZi2bYBA1GBqVaDN6LuSGbKe9JPevCxrE69KPRR VWswCFSnLVh59zqCXbMfNNGURP8Ii5cg23FsWcBSaUt4L8Uu+b7wOt1hzAbTRHWq +RgedisCzpm4PepuKYR59zi5ys6mR1GJGGZxjKKtcHkF6gyIo8mZD/spiNOmsqRG oy0A9/ECgYEAzel0lhdzUWDxThH3kYBq/phPmabfvLFusJXZT+ouRoT8falItoZq AHYwbYnZ3kNYZYBru/Vll2PJQH5jPRS5lpqqxogkHOph/QW9KeNrc9bWvppzoMEC IRX18ZtmZ2X942TPlsHCOHNH07Nf9d+FHG1iugO0Z7pI2KOioDngc/UCgYEAzP4A baiq0ft84v8HrFmkNrp6sc9Ztj7xXc4f3RJVeTcWjtiGzYo9yuRX/RzOEVYcOdef kQ7tSyxZbCoUi3lVd5SPh+1/hCiZFySyzsNgMLQTEtUVDc87InLfLFjyXdZzg6TW e9WtbL133sS28a4IlU3AdaScabuPqN+PERGNc+UCgYAOUiRHpA3jJQjjUyCSwAmw 90rh9tcsunJmWaWphzH8uZcN7k4eU67fpVis5Z9/c9OcC5hylBiitM/0alXgk6Zs sQkbkbBhSnPSMyn61dRNVC3PR9Ku5X2Oa4aVbSdsHY3Q2NwPMh6d6naeZKVR5l/N oFXzdfqAFFaoqojO9/eCWQKBgQC1/8XNlnSjHg9RUnAzmxrq5EHO4HOcFOIjEMDF fGOazUgf5yo4Dsax/m4IcaybQ8KnsEMhfQk9NtDl8a5v7nftRV7xpfETGyBgpdqD LH+Yfih5Deo1aonsGeT+8LGukpnYhV9QbvQcmVN121050fQY6wE28cFVNotjuajB 1L2r6QKBgQCVgzVxU11bsGtFuphIKsZ7D6ptIxbiQ1x1iiM1dbnOW1PxLT/UCaUr ceRov28FPDbpmh3L5af80dB62a8uKmtqQcUSLdm1gbM6LmvTl8kGLmgK66qmcX8n 1fR9yomrJao5CFgY/LZnGkJFfNvOV+crapX9PIajJWOcEfqEynyo+w== -----END RSA PRIVATE KEY----- [secdemo]> select appid,publickey from secdemo.apppublickey¥G *************************** 1. row *************************** appid: 1 publickey: -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBhgtXJ xDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEljG1K Thco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5odMTw HsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1XKtHC cHR9eWL/RkE1ZdULrf9GxALtFxX17gNPaexBVIBZ06MEzQ+ff38nL6sefNsezM+R FrNEFX+qK5r9GTAgbSjPTNmFnsnrvM/JKQIDAQAB -----END RSA PUBLIC KEY----- SET @key_len = 2048; SET @algo = 'RSA'; SET @priv = CREATE_ASYMMETRIC_PRIV_KEY(@algo, @key_len); select @priv; INSERT INTO `secdemo`.`privuserprivatekey` (`appid`,`privatekey`) VALUES (1, @priv); SET @pub = CREATE_ASYMMETRIC_PUB_KEY(@algo, @priv); INSERT INTO `secdemo`.`apppublickey` (`appid`,`publickey`) VALUES (1, @pub); AESパスフレーズを 解読する為のキー AESパスフレーズを 暗号化する為のキー 非対称鍵の作成
- 10. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | /* Web Client – Get Public Key (connected as appuser) */ /* Web Client – Generate passphrase */ /* SET @passphrase = keyring_key_generate('MyKey', 'AES', 32); */ /* Web Client – Encrypt Data with passphrase */ /* Web Client – Encrypt passphrase with Public Key */ 10 appuser@localhost [secdemo]> select 'Symmetric Passphrase', @passphrase¥G *************************** 1. row *************************** Symmetric Passphrase: Symmetric Passphrase @passphrase: 2555f21178e18b6ec5f883ddb5fad6992f34ece0d83a217e27063fe9 1 row in set (0.00 sec) appuser@localhost [secdemo]> select HEX(@enc_keepsecret)¥G *************************** 1. row *************************** HEX(@enc_keepsecret): 3FFB3865894C83DE4356675A12C46638518D77223775729FC81461EC5534CAF409F6E3 4D0DB1852F7CD6341E1E38907FA94E03851118B7C4555AC2156E2E2E64958A3BF8F43 0348AE07874B49E7FF997 1 row in set (0.00 sec) appuser@localhost [secdemo]> SELECT 'Decrypt just to check', AES_DECRYPT(@enc_keepsecret, @passphrase)¥G *************************** 1. row *************************** Decrypt just to check: Decrypt just to check AES_DECRYPT(@enc_keepsecret, @passphrase): Santa and his Elves location is just north east of Longyearbyen, Norway appuser@localhost [secdemo]> select 'Encrypted passphrase by using public key', HEX(@enc_pp)¥G *************************** 1. row *************************** Encrypted passphrase by using public key: Encrypted passphrase by using public key HEX(@enc_pp): 3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F 93A723C56751496BB830EEA714F44B18C52F7905C2E6F6733FFCFFDC80049A613575B6884C74 C82888C9D36A1E067ECF9200BBB102040BBA6AE944F51AE3AE137B7FD88455CF2833D978340 E0EB104A8F98DD6655AB520D2FE2C6EDA88B34B4D7ADE72ABA8734B75C0745CF21D81590FE D309B80CB5B4E5F7B59A15AE2418D6945017CB409F8568F7C96B297729F33F638232230D207A FB22245D91B65DBAD1C9AAE8A28ECEAD7FBF6D9E3FED486FBE89B40D891FA8112347758191 D0805638649143DADC1A1F3F1CB914333B10E24EAA8BF0F5F1A51DFB40396C8 Encrypt Passphrase by Public Key SET @key_len = 2048; SET @algo = 'RSA'; Set @enc_pp = ASYMMETRIC_ENCRYPT(@algo, @passphrase, @webpubkey); SELECT 'Encrypted passphrase by using public key', HEX(@enc_pp)¥G SET @keepsecret='Santa and his Elves location is just north east of Longyearbyen, Norway'; select @keepsecret; SET @enc_keepsecret=AES_ENCRYPT(@keepsecret,@passphrase); SELECT @enc_keepsecret; INSERT INTO `secdemo`.`secretsdata` (`id`,`secret`) VALUES (1, @enc_keepsecret); SELECT 'Decrypt just to check', AES_DECRYPT(@enc_keepsecret, @passphrase); SET @passphrase = SHA2(lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0), 224); select 'Symmetric Passphrase', @passphrase; select publickey from `secdemo`.`apppublickey` where appid=1 INTO @webpubkey; select 'web public key', @webpubkey; AESパスフレーズは常に ランダムに生成されます ハンズオン:ステップ⑤ : データの暗号化
- 11. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | /* Server - Store AES Data and PK Encrypted Passphrase */ /* Look at key (you can't no permission and even if could - its encrypted */ /* Look at data - its encrypted */ 11 trusteduser@localhost [secdemo]> select id,hex(secretkey) from secdemo.secretskey¥G *************************** 1. row *************************** id: 1 hex(secretkey): 3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F 93A723C56751496BB830EEA714F44B18C52F7905C2E6F6733FFCFFDC80049A613575B6884C74 C82888C9D36A1E067ECF9200BBB102040BBA6AE944F51AE3AE137B7FD88455CF2833D978340 E0EB104A8F98DD6655AB520D2FE2C6EDA88B34B4D7ADE72ABA8734B75C0745CF21D81590FE D309B80CB5B4E5F7B59A15AE2418D6945017CB409F8568F7C96B297729F33F638232230D207A FB22245D91B65DBAD1C9AAE8A28ECEAD7FBF6D9E3FED486FBE89B40D891FA8112347758191 D0805638649143DADC1A1F3F1CB914333B10E24EAA8BF0F5F1A51DFB40396C8 1 row in set (0.00 sec) appuser@localhost [secdemo]> select id,hex(secret) from `secdemo`.`secretsdata`¥G *************************** 1. row *************************** id: 1 hex(secret): 3FFB3865894C83DE4356675A12C46638518D77223775729FC81461EC5534CAF409F6E34D0DB1 852F7CD6341E1E38907FA94E03851118B7C4555AC2156E2E2E64958A3BF8F430348AE07874B4 9E7FF997 1 row in set (0.00 sec) Encrypt AES Passphrase by Public Key INSERT INTO `secdemo`.`secretskey` (`id`, `secretkey`) VALUES (1, @enc_pp); appuser@localhost [secdemo]> select id,hex(secretkey) from secdemo.secretskey¥G ERROR 1142 (42000): SELECT command denied to user 'appuser'@'localhost' for table 'secretskey' select id,hex(secret) from `secdemo`.`secretsdata`¥G データはAES()によって 暗号化されている 公開鍵で暗号化された AESパスフレーズを保存 appuserはパスフレーズを、 読むことが出来なくなりました Encrypted data by AES Passphrase ハンズオン:ステップ⑥ : 暗号化したデータの保存
- 12. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | Web App開発時のメリット • 暗号化鍵を保存しません(挿入するたびにランダムに生成されます) • エクスポーズできるハードコーディングされたキーは不要 – 設定ファイルにキー埋め込み不要 – 鍵のローテーションが不要 • 暗号化後にデータを解読することは出来ない – アプリがメモリ内にキーを保存しない限り 12
- 13. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | /* 管理者アカウント – Read PK Encrypted Passphrase */ /* 管理者アカウント– Get Private Key */ /*管理者アカウント– Decrypt passphrase with Private Key */ /*管理者アカウント– Read AES Encrypted Data */ /*管理者アカウント– See Secret Data */ /*管理者アカウント– Decrypt data with Passphrase */ 13 trusteduser@localhost [secdemo]> select 'privappprivpkey', @privappprivpkey¥G *************************** 1. row *************************** privappprivpkey: privappprivpkey @privappprivpkey: -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEApOJW4XusZ5vGKgoK/Q/3CPpMDegafghDNMxG6whiAj0E3aBh gtXJxDz6faG6by8+IXPVhLiVAb4cKixYGQMzIh0Edsh5/5pGpsSF4dwGzyjX8oEl jG1KThco+PbtYCNZd8OkKtUiXFsv0/ZuNHKUZ1Fg2RKe3qKZIaWgKqQXlJeOUA5o dMTwHsT20pBHWGp4O+txwtO1dGO5UvApXmMX/mufxkEb94h4+rhYPRLSAaW2co1 <SNIP> oFXzdfqAFFaoqojO9/eCWQKBgQC1/8XNlnSjHg9RUnAzmxrq5EHO4HOcFOIjEMDF fGOazUgf5yo4Dsax/m4IcaybQ8KnsEMhfQk9NtDl8a5v7nftRV7xpfETGyBgpdqD LH+Yfih5Deo1aonsGeT+8LGukpnYhV9QbvQcmVN121050fQY6wE28cFVNotjuajB 1L2r6QKBgQCVgzVxU11bsGtFuphIKsZ7D6ptIxbiQ1x1iiM1dbnOW1PxLT/UCaUr ceRov28FPDbpmh3L5af80dB62a8uKmtqQcUSLdm1gbM6LmvTl8kGLmgK66qmcX8n 1fR9yomrJao5CFgY/LZnGkJFfNvOV+crapX9PIajJWOcEfqEynyo+w== -----END RSA PRIVATE KEY----- trusteduser@localhost [secdemo]> select 'Original Symmetric Passphrase', @enc_pp¥G *************************** 1. row *************************** Original Symmetric Passphrase: Original Symmetric Passphrase @enc_pp: 2555f21178e18b6ec5f883ddb5fad6992f34ece0d83a217e27063fe9 1 row in set (0.00 sec) trusteduser@localhost [secdemo]> select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata` where id=1¥G *************************** 1. row *************************** AES_DECRYPT(secret, @enc_pp): Santa and his Elves location is just north east of Longyearbyen, Norway 1 row in set (0.00 sec) trusteduser@localhost [secdemo]> select secretkey from `secdemo`.`secretskey` where id=1 INTO @encpassphrase; select privatekey from `secdemo`.`privuserprivatekey` where appid=1 INTO @privappprivpkey; select 'privappprivpkey', @privappprivpkey; SET @key_len = 2048; SET @algo = 'RSA'; Set @enc_pp = ASYMMETRIC_DECRYPT(@algo, @encpassphrase, @privappprivpkey); select 'Original Symmetric Passphrase', @enc_pp; select id,hex(secret) from `secdemo`.`secretsdata`; select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata` where id=1; ハンズオン:ステップ⑦ :暗号化されたデータの参照
- 14. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | 14 Application Use Private key For Decrypting AES Passphrase. Then decrypt encrypted data with AES_ENCRYPT(). AES_ENCRYPT() AES_DECRYPT() 1) Encrypt data with AES_ENCRYPT() AES Passphrase is always generated randomly. SET @passphrase = SHA2(lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0), 224); 2) Use the public key for encrypting AES passphrase. 3) Encrypted passphrase is inserted by appuser. ※ appuser doesn’t have “select” authentication.Encrypted Data Encrypted passphrase Appuser Trusteduser For Rotating Passphrase: 1) Decrypt AES Passphrase with current private key. 2) Encrypt AES Passphrase with new public key. ① 暗号鍵をランダムに 生成しデータを暗号化し保存 ② “①”で生成した 暗号鍵を Public鍵で暗号化して保存 ③暗号化された鍵を Private鍵で復号化しデータを参照
- 15. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | 15 appuser@localhost [secdemo]> SET @key_len = 2048;SET @algo = 'RSA'; appuser@localhost [secdemo]> SET @passphrase = SHA2(lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0), 224); appuser@localhost [secdemo]> SET @keepsecret='This is confidential data 2nd connection by appuser'; appuser@localhost [secdemo]> SET @enc_keepsecret=AES_ENCRYPT(@keepsecret,@passphrase); appuser@localhost [secdemo]> INSERT INTO `secdemo`.`secretsdata` (`id`,`secret`) VALUES (2, @enc_keepsecret); appuser@localhost [secdemo]> select publickey from `secdemo`.`apppublickey` where appid=1 INTO @webpubkey; appuser@localhost [secdemo]> Set @enc_pp = ASYMMETRIC_ENCRYPT(@algo, @passphrase, @webpubkey); appuser@localhost [secdemo]> INSERT INTO `secdemo`.`secretskey` (`id`, `secretkey`) VALUES (2, @enc_pp); trusteduser@localhost [secdemo]> SET @key_len = 2048;SET @algo = 'RSA'; trusteduser@localhost [secdemo]> select secretkey from `secdemo`.`secretskey` where id=2 INTO @encpassphrase; trusteduser@localhost [secdemo]> select privatekey from `secdemo`.`privuserprivatekey` where appid=1 INTO @privappprivpkey; trusteduser@localhost [secdemo]> Set @enc_pp = ASYMMETRIC_DECRYPT(@algo, @encpassphrase, @privappprivpkey); trusteduser@localhost [secdemo]> select AES_DECRYPT(secret, @enc_pp) from `secdemo`.`secretsdata` where id=2; +-----------------------------------------------------+ | AES_DECRYPT(secret, @enc_pp) | +-----------------------------------------------------+ | This is confidential data 2nd connection by appuser | +-----------------------------------------------------+ trusteduser@localhost [secdemo]> select id,left(hex(secretkey),100) from secretskey; +----+------------------------------------------------------------------------------------------------------+ | id | left(hex(secretkey),100) | +----+------------------------------------------------------------------------------------------------------+ | 1 | 3AFCABA8D8FED44A548EEC89D8BF1024FBAAF40DEE078498A58BB11A2C6545958A41E7A44F93A723C56751496BB830EEA714 | | 2 | 692B0B30335A81CF5836A5EE090593CC71EC18690EBE3A40D1128289ECCC177FD7F64729A46227C6B8701CE7C52876C9B672 | +----+------------------------------------------------------------------------------------------------------+ ① 暗号鍵をランダムに 生成しデータを暗号化し保存 ② “①”で生成した 暗号鍵を Public鍵で暗号化して保存 ③暗号化された鍵を Private鍵で復号化しデータを参照 こちらの鍵を復号化&暗号化する事で鍵の定期的なローテーションを行う
- 16. Copyright © 2017 Oracle and/or its affiliates. All rights reserved. | 16 Thank You 運用に合わせて適宜、カスタマイズして活用下さい。