Security model for Acra

Possible threats

Note: We recommend taking a look at the architectural scheme of Acra before continuing to read.

Acra at its core is a set of tools for protecting a database (PostgreSQL or MySQL) against the known, widespread threats listed below.

The most dangerous currently known security threats are (numbered, since the next section refers to them by number):
1. Excessive or abused access privileges.
2. Data leaks caused by deployment mistakes, misconfiguration, stolen backups, etc.
3. SQL injections.
4. Denial of service.
5. Vulnerabilities in the database protocol.
6. Weak audit or an absence thereof.
7. Operating system vulnerabilities.
8. Unsafe handling of cryptographic keys.

Conditions of secure work

Acra can perform its protective functions properly and protect against threats 1, 2 and 3 above if the following security assumptions hold:
- The PKI is trusted;
- AcraServer is trusted;
- The client is less trusted than the server (a client is never given more access than the data it owns).

Possible consequences of compromise

Let’s consider the consequences of each separate component being broken (broken as in “fully compromised”: the adversary completely takes over the component and gains full access to its memory).

When the Database is broken into, the worst-case scenario is DoS or a ciphertext-only attack (COA): the adversary can destroy or withhold data, but only sees encrypted records, so the confidentiality of the system reduces to the strength of the symmetric encryption algorithm (AES-GCM-256). When a Client is broken, the worst-case scenario is that the adversary can obtain the data belonging to this client that is stored in the database, and nothing belonging to other clients. Finally, if AcraServer is broken, the adversary holds the keys and can fully compromise the system.
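The three outcomes above can be checked against a small model. The following Go program is an added illustration written for this page, not Acra's own code or its AcraStruct format: it stores each row as AES-256-GCM ciphertext under a per-client key (the client ID is bound as associated data), then asks which rows an attacker can read when they hold a database dump only, one client's key, or every key (the AcraServer case). The row layout, function names and the two sample clients are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Row is what the (untrusted) database actually stores: the owning client's
// identifier in the clear plus an AES-256-GCM nonce and sealed payload.
// Simplified illustration for this page; this is NOT Acra's AcraStruct layout.
type Row struct {
	ClientID string
	Nonce    []byte
	Sealed   []byte // ciphertext || 16-byte GCM tag
}

// Seal encrypts one plaintext under the per-client key so that only a holder
// of that key (AcraServer, in the model above) can read it. The client ID is
// authenticated as associated data, so a row cannot be re-attributed.
func Seal(clientID string, key, plaintext []byte) (Row, error) {
	if len(key) != 32 {
		return Row{}, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Row{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Row{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh per row
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	return Row{
		ClientID: clientID,
		Nonce:    nonce,
		Sealed:   gcm.Seal(nil, nonce, plaintext, []byte(clientID)),
	}, nil
}

// Open decrypts a row with the supplied key. A wrong key (another client's)
// or a tampered row fails authentication instead of yielding garbage.
func Open(row Row, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, row.Nonce, row.Sealed, []byte(row.ClientID))
}

// Leaks reports which rows of a stolen dump an attacker holding stolenKeys
// (client ID -> key) can actually read. The map is empty for a pure
// ciphertext-only attacker, i.e. the "Database broken" case.
func Leaks(dump []Row, stolenKeys map[string][]byte) map[string][]byte {
	readable := map[string][]byte{}
	for _, row := range dump {
		for _, key := range stolenKeys {
			if pt, err := Open(row, key); err == nil {
				readable[row.ClientID] = pt
			}
		}
	}
	return readable
}

func main() {
	// Constructed sample: two clients with independent random keys.
	keys := map[string][]byte{}
	var dump []Row
	for _, c := range []string{"client-a", "client-b"} {
		k := make([]byte, 32)
		rand.Read(k)
		keys[c] = k
		row, _ := Seal(c, k, []byte("secret of "+c))
		dump = append(dump, row)
	}
	fmt.Println("database only:", len(Leaks(dump, nil)), "rows readable")
	fmt.Println("client-a broken:", len(Leaks(dump, map[string][]byte{"client-a": keys["client-a"]})), "rows readable")
	fmt.Println("AcraServer broken:", len(Leaks(dump, keys)), "rows readable")
}
```

The point the model makes concrete is the middle case: because each client's data is sealed under its own key, a compromised client cannot decrypt another client's rows even with the whole dump in hand, while AcraServer, which holds every key, can.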

It is worth mentioning that in the absence of a PKI, the communication channel between the Client and AcraServer is also vulnerable. In this case, the resistance of the system comes down to the security of the SSL/TLS or Themis’ Secure Session protocol used on that channel. On all the other communication channels the data is already encrypted, so in the worst case (when SSL/TLS is not used) the security of the system comes down to the security of the symmetric encryption algorithm (AES-GCM-256).

Additional reading

We recommend that you also check out the following articles to gain a better understanding of the security notions in this article:
https://www.zdnet.com/article/the-top-ten-most-common-database-security-vulnerabilities/

https://en.wikipedia.org/wiki/Vulnerability_database

https://www.bcs.org/content/ConWebDoc/8852