15 votes

Encryption At Rest: Whose Threat Model Is It Anyway?


  1. vord
    As a DBA, nothing, and I mean nothing annoys me more than backup 'solutions' which require me to take unencrypted backups so that they can compress and encrypt them. It's almost certainly a data...

    As a DBA, nothing, and I mean nothing annoys me more than backup 'solutions' which require me to take unencrypted backups so that they can compress and encrypt them. It's almost certainly a data breach waiting to happen.

    We encrypt backup, then send to multiple places. Not trust that each individual place is doing things correctly.

    8 votes
  2. skybrian
    From the article: ... ... ... ... ... ...

    From the article:

    One of the lessons I learned during my time at AWS Cryptography (and particularly as an AWS Crypto Bar Raiser) is that the threat model for Encryption At Rest is often undefined.

    Prior to consulting cryptography experts, most software developers do not have a clear and concise understanding of the risks they’re facing, let alone how or why the encrypting data at rest would help protect their customers.

    Unsurprisingly, I’ve heard a few infosec thought leader types insist that encryption-at-rest is security theater over the years. I disagree with this assessment in the absolute terms, but there is a nugget of truth in that assertion.


    If you’re only interested in compliance requirements, you can probably just enable Full Disk Encryption and call it a day. Then, if your server’s hard drive grows legs and walks out of the data center, your users’ most sensitive data will remain confidential.

    Unfortunately, for the server-side encryption at rest use case, that’s basically all that Disk Encryption protects against.


    Disk Encryption is important for disk disposal and mitigating hardware theft, not preventing data leakage to online attackers.


    There are a lot of software projects that aim to provide client-side encryption for data stored in a database or filesystems; e.g., in Amazon S3 buckets.

    This is a step in the right direction, but implementation details matter a lot.


    To understand the attack, first consider this sort of scenario:

    Alice and Bob use the same health insurance provider, whom is storing sensitive medical records for both parties. Bob works as a database administrator for the insurance company he and Alice both use. One day, he decides to snoop on her private medical history.

    Fortunately, the data is encrypted at the web application, so all of the data Bob can access is indistinguishable from random. He can access his own account and see his data through the application, but he cannot see Alice’s data from his vantage point on the database server.

    Here’s the stupid simple attack that works in far too many cases: Bob copies Alice’s encrypted data, and overwrites his records in the database, then accesses the insurance provider’s web app.


    The cryptographic attack is literally copy and paste, from the database administrator’s perspective. It’s stupid but it works against too many encryption-at-rest software projects.

    In this setup, the application is the Deputy, and you can easily confuse it by replaying an encrypted blob in the incorrect context.

    The mitigation is simple: Use the AAD mechanism (part of the standard AEAD interface) to bind a ciphertext to its context. This can be a customer ID, each row’s value for the primary key of the database table, or something else entirely.


    This doesn’t come for free, however: Users have to know the serial / primary key for a record prior to writing it, in order to use it as AAD when encrypting fields. However, that’s a much easier pill to swallow than expecting PHP devs to manage the complexity of context-binding themselves.

    As you can see, mitigating confused deputies in an encryption library (without making it unwieldy) requires a painstaking attention to detail to get right.

    7 votes