USENIX Security '23: In-Depth Security Analysis of MongoDB's Queryable Encryption
Discover the latest findings from USENIX Security '23 on the security strengths and vulnerabilities of MongoDB's Queryable Encryption, presented by ETH Zurich researchers Zichen Gui, Kenneth G. Paterson, and Tianxin Tang.

USENIX
298 views • Nov 30, 2023

About this video
USENIX Security '23 - Security Analysis of MongoDB Queryable Encryption
Zichen Gui, Kenneth G. Paterson, and Tianxin Tang, ETH Zurich
In June 2022, MongoDB released Queryable Encryption (QE), an extension of their flagship database product, enabling keyword searches to be performed over encrypted data. This is the first integration of such searchable encryption technology into a widely-used database system. We provide an independent security analysis of QE. We show that certain logs, fundamental to the operation of QE and accessible to a real-world snapshot adversary, contain statistical information about the queries and data. This information can be extracted and exploited by our new inference attacks to recover both the queries and data, assuming adversarial access to an auxiliary dataset with a similar distribution to the original data. Our analysis highlights the challenges of integrating searchable encryption technology into modern, complex database systems. In particular, our attacks stem from the interplay between QE and MongoDB's existing logging system. They show how such interactions can compromise query and data privacy.
View the full USENIX Security '23 program at https://www.usenix.org/conference/usenixsecurity23/program
Video Information
Views: 298
Likes: 4
Duration: 12:52
Published: Nov 30, 2023