MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data

← Back to Stories (view on slashdot.org)

MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data

Posted by Soulskill on Tuesday March 25, 2014 @06:18PM from the what-about-when-leak-exists-between-keyboard-and-chair dept.

rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user's browser. Integrated with the open-source Meteor framework, a Mylar prototype has already secured six applications by changing only 35 lines of code."

65 of 90 comments (clear)

Min score:

Reason:

Sort:

Never say never by Anonymous Coward · 2014-03-25 18:25 · Score: 2

I feel like this is what they all said.
How can you search data by CBravo · 2014-03-25 18:33 · Score: 2

How can you search or sort data and present it to a user when the data is encrypted? So you lose the sql storage which is essential for a web application imho.

--
nosig today
1. Re: How can you search data by Anonymous Coward · 2014-03-25 18:46 · Score: 3, Insightful
  
  Why do you need to search or sort credit card info?
2. Re:How can you search data by gl4ss · 2014-03-25 18:47 · Score: 2
  
  well.. you have all the clients connected all the time and when a search is done the server sends the search to all the clients and they decide if they want to answer that search query... ..... . .. .. ...
  sounds real nice in a lab with 5 clients, right? but really shitty if you start to think about it at all.
  (sure, plenty of web apps work nicely for that too because you don't do searches and only interact with a limited number of other clients..)
  
  --
  world was created 5 seconds before this post as it is.
3. Re:How can you search data by L-One-L-One · 2014-03-25 18:59 · Score: 5, Informative
  
  It's called "searchable" encryption. It already exists in a few commercial products.
  See for example:
  http://www.ciphercloud.com/tec...
4. Re:How can you search data by L4t3r4lu5 · 2014-03-25 23:35 · Score: 1
  
  Why is this even a thing? All reversible encryption (which in itself is a tautology) is searchable.
  
  Plaintext record ID > Encryption+key+salt etc > Cyphertext record ID. Search for the cyphertext record ID. Bring encrypted record back from database. Encrypted record > Encryption > Plaintext record.
  
  How is this a marketable product?!
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
5. Re:How can you search data by L-One-L-One · 2014-03-26 00:01 · Score: 2
  
  Why is this even a thing? All reversible encryption (which in itself is a tautology) is searchable.
  Plaintext record ID > Encryption+key+salt etc > Cyphertext record ID. Search for the cyphertext record ID. Bring encrypted record back from database. Encrypted record > Encryption > Plaintext record.
  How is this a marketable product?!
  Searchable encryption is more complicated than you think. For example if I encrypt the sentence "I like reading slashot" with traditional encryption I will get a block binary data that is meaningless. Now suppose I want to check if that block contains the word "slashdot"? Your "cyphertext record id" approach won't be of much help. You need a few tricks to do it correctly, notably adding some metadata and additional cryptographic mechanisms. To make things more complicated, you often need the encryption mechanism to be "format preserving": if you encrypt a string field you get a string field, if you encrypt a number field you get a number field, while traditional cryptography outputs binary data.
  Note that you may have misunderstand how encryption works, if you believe that all reversible encryption is searchable. Good encryption is randomised: if you encrypt the same plaintext twice with the same key you get 2 different cypher-texts (to take your analogy, you must use different salts).
6. Re: How can you search data by Anonymous Coward · 2014-03-26 01:06 · Score: 1
  
  Why do you assume the only data stored on a server is a credit card number?
7. Re:How can you search data by Anonymous Coward · 2014-03-26 01:08 · Score: 1
  
  A friend of mine did some work on this in grad school.
  For a simple scheme, say you have a 32 bit integer as data but you store it in a 64 bit SQL field. You can come up with transformations that conserve ordering (e.g. 1 -> 15, 2 ->29, 3-> 54 and so on). You keep the key to that transformation in a local SQL proxy server and code and decode the data before sending it to the backend (in the cloud, for example). Nowadays this could be implemented in the model of your MVC application. The SQL server can still do ordering and range queries (parameters also get coded by the proxy), but the data isn't stored in the clear.
  Now, if you coded, say, a person's wage, an attacker that gains access to your cloud storage could tell that the CEO earns more than everyone else, but not how much he actually earns (except statistically given the general properties of the transform).
  That's a simple scheme, and the hard part of the work was figuring out how much information was leaking. There are also obvious attacks (hack the server then send queries through the UI for example), but I think they got much farther with it after I saw the work.
8. Re: How can you search data by tepples · 2014-03-26 01:12 · Score: 2
  
  An online store needs to search or sort the identities of products purchased with the credit card, as well as the shipping addresses for orders purchased with the credit card, in order to fulfill the orders. A store offering a subscription arrangement needs to search for upcoming expiration dates so that it can 1. notify each subscriber that the card on file with the store is about to expire and 2. charge the ETF on the last valid day if the subscriber fails to update the card by the expiration date.
9. Re:How can you search data by eth1 · 2014-03-26 01:28 · Score: 1
  
  Well, if you're encrypting, it means the keeper of the data isn't supposed to know what it is, which means they can't do any data mining, selling, etc. of it anyway, which would be where the ability to do queries on the data would be useful. If you're encrypting everything, then all you need is to be able to find the records, and you could use hashed account names or something to index those.
  So yes, it would be difficult to search/sort on the encrypted data, but then that's sort of the whole point...
10. Re:How can you search data by Ronin+Developer · 2014-03-26 03:47 · Score: 2
  
  With symmetric encryption, when you encrypt with the same encryption key, you WILL get the same output that can be decrypted using the same key.
  With password based encryption, you start with a passphrase and a salt, The passphrase and salt are combined and then run through a secure hash an agreed number of times. The resulting hash is the encryption key that is used with the cipher to perform the actual encryption. The salt and iteration count are why you can reuse the same passphrase.
  In this context, if you alter the salt or number of iterations, you will get a different encryption key for the same passphrase and the resulting cipher text will be different. Of course, you should never encrypt using a straight block cipher but rather should use something like cipher block chaining (CBC) which uses the results of the previous encryption to seed the encryption of the next block to encrypt. This action helps to make cryptanalysis harder on the resulting encrypted code.
  In simpler terms:
  CipherText = Encrypt(passphrase, salt, interations, ciphermode, Plaintext).
  PlainText = Decrypt(passphrase, salt, interations, ciphermode, CipherText)
11. Re: How can you search data by ilsaloving · 2014-03-26 03:51 · Score: 1
  
  If you're using the card info purely as a primary key, then it should work just as well in an encrypted form as it would in it's original.
12. Re: How can you search data by tepples · 2014-03-26 04:22 · Score: 1
  
  But you still need to store which cards are set to expire in a given month. And you still need to store some key with which to decrypt the card number when charging the customer for the subscription each month.
13. Re:How can you search data by Doomsought · 2014-03-26 04:52 · Score: 1
  
  If it is searchable, then you can create a tracker.
14. Re:How can you search data by CBravo · 2014-03-26 05:59 · Score: 1
  
  I understand the equality operator is transferrable to the encrypted domain. There are other sql operators that are not (without leaking information).
  
  I can only see a future for private clouds.
  
  --
  nosig today
15. Re: How can you search data by tattood · 2014-03-26 09:34 · Score: 1
  
  A store offering a subscription arrangement needs to search for upcoming expiration dates so that it can 1. notify each subscriber that the card on file with the store is about to expire and 2. charge the ETF on the last valid day if the subscriber fails to update the card by the expiration date.
  Why do the expiration dates need to be encrypted? A thief can't do anything with just the expiration date without also knowing the CC number
  
  --
  WTB [sig], PST!!!
16. Re: How can you search data by tepples · 2014-03-26 13:24 · Score: 1
  
  Why do you need to search or sort credit card info?
  search for upcoming expiration dates so that it can notify [customers]
  Why do the expiration dates need to be encrypted?
  They may not. But like credit card numbers, expiration dates are "credit card info", and notifying subscribers of cards due to expire is still "search[ing] credit card info". Besides, a store still needs to store the credit card numbers with which to charge the customer for each month, and the periodic billing process needs to store the key with which to decrypt the credit card numbers. So does the refund process for any store that sells physical goods and accepts returns.
17. Re:How can you search data by L4t3r4lu5 · 2014-03-26 23:00 · Score: 1
  
  Exactly what I was getting at. I was including op mode, iterations etc in "encryption" for brevity. Very few here (including me) understand what it actually does, just that it's part of good "encryption". The fact that it is reversible by definition is all I was getting at. If you couldn't recover the plaintext, it would be more like a hashing algorithm.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
18. Re: How can you search data by ilsaloving · 2014-03-27 02:10 · Score: 1
  
  True, if that was part of the use case. Recurring payments weren't mentioned by the parent.
  But yeah, if you *need* access to the data (any data) then it can't be encrypted only on the user side. At that point there's nothing you can do besides being dilligent in your security.
19. Re:How can you search data by EndlessNameless · 2014-03-28 08:53 · Score: 1
  
  I think you don't understand what searchable encryption is. It means you can search the data without decrypting it. Once you find the records you need, you decrypt them.
  The only data that is ever decrypted is the actual data that you want.
  If you're like me, you probably had a brief moment of "OMG, how is that even possible?" when you first grasped it. And that is why it is an expensive software package for those who need it.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
I've implemented something similar by xombo · 2014-03-25 18:42 · Score: 4, Interesting

I've implemented a similar solution for one of my web apps.
It encrypts the data in the client with a password that they provide before it gets sent to the server. The client also decrypts the value when it receives it from the server.
The password is kept in LocalStorage (a feature of HTML5) so that it is never transmitted to the server.
Assuming the client application is not compromised, this is a great way to keep data secret even from the service operator.
Unfortunately, you won't see this scheme implemented in many apps because almost everyone's business model these days is all about scraping your data for use by advertisers.
1. Re: I've implemented something similar by ModernGeek · 2014-03-25 18:47 · Score: 4, Insightful
  
  I agree in that this won't be implemented because of the business implications but would also go on to say that this solution is unoriginal and undeserving of all the pomp and circumstance that the media and the educational institutions are giving it, before we know it they're going to give out Ph.D's and there patents for a high school paper on using electrolysis to make hydrogen and oxygen. Call the press!
  
  --
  Sig: I stole this sig.
2. Re: I've implemented something similar by ModernGeek · 2014-03-25 18:58 · Score: 1
  
  * three patents
  
  --
  Sig: I stole this sig.
3. Re:I've implemented something similar by phantomfive · 2014-03-25 19:06 · Score: 2
  
  Honestly, I would be happy if every website I deal with encrypted their passwords. We still haven't passed that low bar yet.
  
  --
  "First they came for the slanderers and i said nothing."
4. Re:I've implemented something similar by thegarbz · 2014-03-25 19:34 · Score: 3, Interesting
  
  There's another side to this too. You won't see this scheme implemented because encrypted data can not be de-duplicated, and can not be compressed. Effectively your solution increases the cost of doing business, both in terms of bandwidth and in infrastructure.
5. Re:I've implemented something similar by Anonymous Coward · 2014-03-25 19:35 · Score: 1
  
  So what happens when your hard drive goes or you switch computers, then your data is gone because the key stored in the local storage that is no longer accessible! This sounds like a terrible solution!
6. Re:I've implemented something similar by mwvdlee · 2014-03-25 20:03 · Score: 1
  
  This.
  I'd have to be on the support side of an application implementing this.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
7. Re:I've implemented something similar by GuB-42 · 2014-03-25 23:26 · Score: 2
  
  In many cases people prefer the ability to recover their data when they forget their password over the additional security of client-side encryption.
8. Re:I've implemented something similar by swb · 2014-03-25 23:43 · Score: 1
  
  How much of "the data" needs to be encrypted and how much can be stored unencrypted?
  In a lot of applications there seems to a subset of data that is sensitive and needs to be encrypted while much of it seems like it could be left unencrypted. There may be situations where all of it needs to be encrypted, but I'm guessing that means its stored encrypted now which means its not available for dedupe or compression anyway.
9. Re:I've implemented something similar by Gothmolly · 2014-03-25 23:53 · Score: 1
  
  So instead of keeping the password on the server, where you have some measure of control, you trust the client's unknown browser running on unknown hardware to keep it safe?
  
  --
  I want to delete my account but Slashdot doesn't allow it.
10. Re:I've implemented something similar by Barbarian · 2014-03-26 00:06 · Score: 1
  
  There's another side to this too. You won't see this scheme implemented because encrypted data can not be de-duplicated, and can not be compressed. Effectively your solution increases the cost of doing business, both in terms of bandwidth and in infrastructure.
  Encrypted data can be compressed...just you have to compress before encrypting.
11. Re:I've implemented something similar by DuckDodgers · 2014-03-26 00:59 · Score: 1
  
  You won't see it implemented in free services for the reasons you describe. But it could work as a pay service. Most people will skip that in favor of free services that scrape their data, but some might.
  
  I'm tempted to rent a server from Amazon or DigitalOcean or whoever and put the application on it myself, so I can access my data from anywhere without dealing with advertisements and privacy concerns.
12. Re:I've implemented something similar by Archtech · 2014-03-26 03:34 · Score: 1
  
  So what happens when your hard drive goes or you switch computers, then your data is gone because the key stored in the local storage that is no longer accessible!
  
  Actually, that objection applies to all encryption systems. You must have a key - which must also be hard to guess, thus fairly long and random - and that key must always be available to YOU. Once you recognize the necessity, there are many ways to handle it. Two or three USB sticks, for example (in case you lose one).
  More generally, the objections to this approach seem to be largely based on cost and inconvenience. That's fine: you simply have to take a view of how much security and privacy are worth to you.
  
  --
  I am sure that there are many other solipsists out there.
Quit Using JavaScript! by littlewink · 2014-03-25 19:07 · Score: 1, Insightful

Stick to HTML & CSS.
1. Re:Quit Using JavaScript! by hh10k · 2014-03-25 23:31 · Score: 1
  
  You can do a lot with just HTML and CSS, but you're a bit small minded if you can't think of applications that need interactivity beyond basic HTML components.
  And you obviously didn't RTFA, because their approach is about defending from security vulnerabilities on the server itself. Are we to stop using executable code on the server too?
Encryption alone isn't the holy grail. by Anonymous Coward · 2014-03-25 19:59 · Score: 1

Once decrypted, the data can be snooped on. If data can be decrypted in the browser, then the browser has everything that's necessary to decrypt it. If "Everything that's necessary to decrypt it" is provided by the server, then leaking is still possible. Browser-side decryption also makes this sound like a Javascript solution, which also means the site is potentially open to cross-site scripting attacks - if the application is not properly secured against that (and 35 lines of code hardly implies that it is), it all comes tumbling down.
1. Re:Encryption alone isn't the holy grail. by tepples · 2014-03-26 01:20 · Score: 1
  
  In theory, securing a web application against cross-site scripting is easy: use textContent instead of innerHTML.
Did this in 2005 by renzhi · 2014-03-25 20:12 · Score: 2

Did something like this in 2005, with the data encrypted on the client side using the user's public key. The key pair is in a hardware USB token.
We also did something with this scheme for an electronic patient record project. Each doctor was issued a USB key with his/her own key pair, and when the doctor submitted any prescription to the system, the data were signed with his key, and the operation was logged into a central log database, each log record is linked to some previous log records in a Merkle tree so that we could detect if a log record has been tampered with or removed.
However, cryptography is hard to get right in applications, and clients are not willing to pay for it. Se stopped doing this after a while.
What about complex sites though? by Adam+Jorgensen · 2014-03-25 20:23 · Score: 1

So, this is all well and good for really simple sites but what about larger, more complex sites that require server-side processing of data that, as I understand it, will only be available unencrypted to the client? Does this mean you need to expose your business logic on the client-side? This does not seem very secure to me no matter what promises they make about being able to detect client-side tampering...
Also, with regards to "searchable encryption", can this be applied to real search tools like Solr or ElasticSearch?
1991 called by antifoidulus · 2014-03-25 20:25 · Score: 1

So basically this is PGP, it's pgp for the web, but ultimately still PGP. How is this even remotely newsworthy? PGP is 23 years old, throwing it up on the web then calling what you are offering a "web service" is a joke. Real web services actually offer you know, services, beyond simple data retrieval, and I saw nothing in the paper that would allow for instance a server to scan a database table with user information in it in order to present the data in a useful fashion, or for the data to be useful at all beyond a pgp-encrypted file sharing/email service.

--
Monstar L
hushmail by sugarmotor · 2014-03-25 21:18 · Score: 1

***** Hard to see how to avoid the hushmail scenario ***** http://www.wired.com/threatlev... ***** http://www.wired.com/threatlev... ***** https://www.hushmail.com/about... ("But I thought the data was always encrypted") *****

--
http://stephan.sugarmotor.org
analog hole by Gothmolly · 2014-03-25 23:54 · Score: 1

Eventually the data has to be rendered and presented for use by the application user. I'll just screen-scrape, thanks.
--Russian hacker

--
I want to delete my account but Slashdot doesn't allow it.
Seriously? RTFM by shellster_dude · 2014-03-26 00:39 · Score: 1

Am I the only one who read the read the article?

The Mylar system supports searching of the encrypted data and encryption with multiple, separate keys allowing multiple users to have access to specific records without requiring any key sharing.

The server can operate in a completely compromised fashion (in theory), as the data is all encrypted on the client side, before it goes to the server, and the server will never have the plaintext or the key to decrypt the ciphertext.

They seems to be operating under the assumption that it is much harder to compromise all the clients than a single server...unfortunately I don't think that claim holds up as there is nothing to prevent compromise of the clients if the server is compromised, via simple XSS-like attacks, which will be trivial since it will be same-origin.

IMHO, the only way to make something like this really work, would be hardened browser clients, with special encryption APIs which cannot be directly accessed by code that the server can inject (NOT JavaScript).
1. Re:Seriously? RTFM by DMUTPeregrine · 2014-03-26 02:37 · Score: 1
  
  You don't even need XSS-like attacks. If you compromise the server you can re-write all the JS to send the encryption keys, the plaintext, or whatever you want to your server instead. Or back to the original server, and have it forward things on to you.
  
  --
  Not a sentence!
2. Re:Seriously? RTFM by Lennie · 2014-03-26 10:48 · Score: 1
  
  I wonder if you read the PDF, if you did you would know they use a browser extension to verify signed Javascript/HTML/CSS code.
  So an attacked of the server can not modify the code unless they have the private key which is used for signing.
  
  --
  New things are always on the horizon
April Fools Comes Early? by swsuehr · 2014-03-26 00:50 · Score: 1

It's a few days early for the April Fools edition of Slashdot. I'm sure the MIT researchers in question think they really have something here but it would be nice if they would've looked around before beginning their research. It seems as though this system connects to a server which then sends back encrypted data. That data is then decrypted at the local client. And they made a browser plugin for it. How is this fundamentally different than public key encryption?

The performance is horrible. From the Mylar web site, "a 17% throughput loss and a 50 msec latency increase for sending a message in a chat application." A 17% throughput loss and 50ms latency is *huge* for something as trivial as a chat application. Imagine what happens when real data is being crunched.

There are still enough attack vectors that make this a non-starter. First off, the encryption itself is still brute-forceable by a determined attacker with enough resources. Second, it assumes a secure client environment. Finally, it assumes that your adversary plays by the rules and won't inject malicious code or backdoors into the software or encryption, with or without a complicit service provider. The client code can check authenticity? Cute, but only works if your adversary doesn't "require" that the service provider comply with a secret order to say that the code is authentic, even when backdoored.

Steve
1. Re:April Fools Comes Early? by cryptizard · 2014-03-26 04:02 · Score: 1
  
  First off, the encryption itself is still brute-forceable by a determined attacker with enough resources.
  I realized you don't know what you're talking about right here. It would take until the heat death of the universe to brute force a 128-bit AES key.
2. Re:April Fools Comes Early? by swsuehr · 2014-03-26 04:32 · Score: 1
  
  I realized you don't know what you're talking about right here. It would take until the heat death of the universe to brute force a 128-bit AES key.
  Seems like you're making an assumption that AES itself hasn't been backdoored and that the implementation of the same is also correct, neither of which I would assume. Steve
3. Re:April Fools Comes Early? by cryptizard · 2014-03-26 05:44 · Score: 1
  
  Pretty sure you said brute-forcable which means just trying every key. As far as AES being weak, it is probably the most trusted cipher in existence. It has been around for over 15 years with the smartest cryptographers in the world trying to break it and no flaws have been found. Compare that to other ciphers like DES which researchers were skeptical of on day one and still took 20 years to break.
No localStorage in IE 8 by tepples · 2014-03-26 01:18 · Score: 1

The password is kept in LocalStorage (a feature of HTML5)
Which breaks for businesses that have standardized on IE 8 because it's all their intranet apps support.
1. Re:No localStorage in IE 8 by BitZtream · 2014-03-26 01:29 · Score: 1
  
  Theres a plugin that solves that problem.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
JS haters want native apps instead by tepples · 2014-03-26 01:19 · Score: 1

you're a bit small minded if you can't think of applications that need interactivity beyond basic HTML components.
JavaScript haters would prefer that such rich applications be made with Qt, not HTML+JavaScript.
1. Re:JS haters want native apps instead by hh10k · 2014-03-26 02:17 · Score: 1
  
  JavaScript haters would prefer that such rich applications be made with Qt, not HTML+JavaScript.
  So, they think that it's a good idea to go back to the days where every application had to be downloaded and given free reign to access every document on your computer?
Never leaks until it does. by oscrivellodds · 2014-03-26 01:25 · Score: 1

Never until it does. When will we learn?
Secure Web Apps That Never Leak Data by NikeHerc · 2014-03-26 02:25 · Score: 1

so far.

--
Circle the wagons and fire inward. Entropy increases without bounds.
Jailed native apps by tepples · 2014-03-26 02:43 · Score: 1

So, they think that it's a good idea to go back to the days where every application had to be downloaded and given free reign to access every document on your computer?
Of course they don't. That's what Sandboxie, FreeBSD jails, a dedicated user account for each application publisher (Android's approach), and other container technologies are for.
Re:Ridiculous by SydShamino · 2014-03-26 06:12 · Score: 1

So because the NSA could install a keylogger on every gmail user's machine worldwide, google shouldn't bother to encrypt the data on their internal gmail servers where the NSA was previously snooping on all of it at once?
Of course there's always a weak point. Make that point less weak and the work to steal the data gets a little harder - maybe hard enough to defer the attacker - until the attacker adapts. Then fix the new weak point, and iterate until death.

--
It doesn't hurt to be nice.
Re:Explaining why browser JS needs to disappear by Lennie · 2014-03-26 10:35 · Score: 1

If you read the article, you would find they download the signed application code and have a generic browser extension which verifies the signature of the code.
This is some what similar to what CryptoCat does, but the browser extension works only with CryptoCat.
But as their browser extension is generic then it can be made into a standard to be part of every browser, so their would be nothing to install.

--
New things are always on the horizon
Re:What can possibly go wrong? by Lennie · 2014-03-26 10:40 · Score: 1

Did you know Mozilla is building a new browser engine build in their new safe Rust language so fix that problem ones and for all ?
http://en.wikipedia.org/wiki/S...
http://en.wikipedia.org/wiki/R...
That method would at least eliminate all those pesky buffer overflow bugs in browsers.

--
New things are always on the horizon
Re:"PRISM proof" my ass by Lennie · 2014-03-26 10:45 · Score: 1

"How do I notice that the Javascript they serve me is secure, if I'm not to trust the server?"
They use a browser extension to very the signature of the downloaded Javascript code.
But their browser extension is generic, so it could be made into a standard so it will be part of the browser.
"The fact that Mozilla supports DRM now means that soon I can't even trust Firefox without any addons."
As far as I know Mozilla/Firefox does not support Encrypted Media Extensions and don't seem to have the intention to do so.

--
New things are always on the horizon
Re:Interesting but still... by Lennie · 2014-03-26 10:59 · Score: 1

The attack they are trying to fix is a bad actor on the server.
If the software on the user's computer is compromised or the user is stupid enough to print it on paper and leave it at the desk unattended... then those kind of things are out of a web application programmer.
The real problem is eventually you have to present the clear text to the user, what the user does with the clear text isn't an easy problem to solve.
I'm glad if they at least solved the untrusted server problem.

--
New things are always on the horizon
my security analysis at Schneier blog by Kishin · 2014-03-26 14:39 · Score: 1

I've done an analysis based on what's in their paper and posted it to Schneier's blog. Link below.

https://www.schneier.com/blog/...

Spoiler: it's not trustworthy but it's good work in progress.

Nick P
Security Engineer
(High assurance security focus)
Clarifications by mstefanro · 2014-03-26 23:28 · Score: 1

To clarify all misconceptions in other posts, having been to a talk of hers a few days ago, here's the encryption types involved:
* RND (salted symmetric key encryption) - used for columns where no sql manipulation is needed
* DET (unsalted symmetric key encryption) - used for columns that need to be looked up by equality
* Partially homomorphic encryption - used for aggregation such as SUM()
* Order preserving encryption - useful for inequality where clauses, indexes, aggregations such as MIN()
* Searchable encryption - allows something like ILIKE on text columns
OPE is the most dangerous, but is rarely needed for the most sensitive fields. They've run CryptDB on top of phpBB and
some other thngs with acceptable overhead. Let me know if you have other questions.
Re:Why don't they just use Polymorphic data? by mstefanro · 2014-03-27 08:58 · Score: 1

Can you detail how can this support any of the features of a relational database? Filtering rows, joining tables, aggregation, ordering.