Library for cryptographically securing data stored in Accumulo

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Library for cryptographically securing data stored in Accumulo

Ruoti, Scott - 0553 - MITLL

All,

 

Over the past several years, MIT Lincoln Laboratory has been exploring how to protect data stored in Accumulo from malicious and honest-but-curious system administrators. Currently, an administrator is free to view any data stored in Accumulo, and can insert, modify, or delete data at will. To address these threat vectors, we have developed the Proactively-secure Accumulo with Cryptographic Enforcement (PACE) library.

 

The PACE library supports both encrypting and signing records. Encryption is used to ensure that only users with the appropriate keys (i.e., not the system administrator) can read the unencrypted context of data stored in Accumulo. Signatures can be used to provide protection against an administrator spuriously inserting or modifying records.

 

The PACE library works as a drop-in replacement for the existing Accumulo client-API, allowing existing code to be secure with only the change of a few lines of code. The PACE library can be found at This library can be found at https://github.com/mit-ll/PACE. All are welcome to use this library or fork the repository and modify the code for their own use.

 

At this time, development of PACE at Lincoln Laboratory is complete. In my free time, I will attempt to address any reported bugs, but I am also interested in identify Accumulo developers that would like to help maintain this library. Alternatively, I am willing to turn ownership of this library entirely over to the Accumulo community.

 

If you have any questions or comments about PACE, feel free to reach out to me.

 

Thank you,

Scott Ruoti

 


Dr. Scott Ruoti                             voice:  (781) 981-1551
Technical Staff                             mobile: (801) 300-7013
Secure, Resilient Systems and Technology    e-mail: [hidden email]
Group 53
MIT Lincoln Laboratory

 


smime.p7s (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Library for cryptographically securing data stored in Accumulo

Mike Drob-4
Neat stuff, Scott.

Before we dive in too deeply, how does this differ from the native
encryption offered inside of Accumulo?

Mike

On Wed, May 31, 2017 at 4:38 PM, Ruoti, Scott - 0553 - MITLL <
[hidden email]> wrote:

> All,
>
>
>
> Over the past several years, MIT Lincoln Laboratory has been exploring how
> to protect data stored in Accumulo from malicious and honest-but-curious
> system administrators. Currently, an administrator is free to view any data
> stored in Accumulo, and can insert, modify, or delete data at will. To
> address these threat vectors, we have developed the Proactively-secure
> Accumulo with Cryptographic Enforcement (PACE) library.
>
>
>
> The PACE library supports both encrypting and signing records. Encryption
> is used to ensure that only users with the appropriate keys (i.e., not the
> system administrator) can read the unencrypted context of data stored in
> Accumulo. Signatures can be used to provide protection against an
> administrator spuriously inserting or modifying records.
>
>
>
> The PACE library works as a drop-in replacement for the existing Accumulo
> client-API, allowing existing code to be secure with only the change of a
> few lines of code. The PACE library can be found at This library can be
> found at https://github.com/mit-ll/PACE. All are welcome to use this
> library or fork the repository and modify the code for their own use.
>
>
>
> At this time, development of PACE at Lincoln Laboratory is complete. In my
> free time, I will attempt to address any reported bugs, but I am also
> interested in identify Accumulo developers that would like to help maintain
> this library. Alternatively, I am willing to turn ownership of this library
> entirely over to the Accumulo community.
>
>
>
> If you have any questions or comments about PACE, feel free to reach out
> to me.
>
>
>
> Thank you,
>
> Scott Ruoti
>
>
>
> —
> Dr. Scott Ruoti                             voice:  (781) 981-1551
> Technical Staff                             mobile: (801) 300-7013
> Secure, Resilient Systems and Technology    e-mail: [hidden email]
> Group 53
> MIT Lincoln Laboratory
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Library for cryptographically securing data stored in Accumulo

Christopher Tubbs-2
On Wed, May 31, 2017 at 5:45 PM Mike Drob <[hidden email]> wrote:

> Neat stuff, Scott.
>
> Before we dive in too deeply, how does this differ from the native
> encryption offered inside of Accumulo?
>

Scott can probably answer more thoroughly, but I can provide a brief answer
to this:

Inside Accumulo, we provide (experimental) support for encrypting RFiles
and WAL files. We also provide RPC encryption via TLS and also Kerberos
(SASL/GSSAPI). These provide encryption-at-rest (in HDFS) and
encryption-in-transit (between nodes). This library supports some
client-side encryption of the data as part of the application's data model.