Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, Frans Kaashoek, Hari Balakrishnan
11th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Seattle, WA, April 2014
Web applications rely on servers to store and process confidential
information. However, anyone who gains access to the server (e.g., an
attacker, a curious administrator, or a government) can obtain all of
the data stored there. This paper presents Mylar, a platform for
building web applications, which protects data confidentiality against
attackers with full access to servers. Mylar stores sensitive
data encrypted on the server, and decrypts that data only in users'
browsers. Mylar addresses three challenges in making this approach
work. First, Mylar allows the server to perform keyword search over
encrypted documents, even if the documents are encrypted with
different keys. Second, Mylar allows users to share keys and
encrypted data securely in the presence of an active adversary.
Finally, Mylar ensures that client-side application code is authentic,
even if the server is malicious. Results with a prototype of Mylar
built on top of the Meteor framework are promising: porting six
applications required changing just 36 lines of code on average, and
the performance overheads are modest, amounting to a 17% throughput
loss and a 50 ms latency increase for sending a message in a chat
application.
[PDF (763KB)]
Bibtex Entry:
@inproceedings{popa2014building, author = "Raluca Ada Popa and Emily Stark and Steven Valdez and Jonas Helfer and Nickolai Zeldovich and Frans Kaashoek and Hari Balakrishnan", title = "{Building web applications on top of encrypted data using Mylar}", booktitle = {11th USENIX Symposium on Networked Systems Design and Implementation (NSDI)}, year = {2014}, month = {April}, address = {Seattle, WA} }