Building web applications on top of encrypted data using Mylar

Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, Frans Kaashoek, Hari Balakrishnan
11th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Seattle, WA, April 2014

Web applications rely on servers to store and process confidential information. However, anyone who gains access to the server (e.g., an attacker, a curious administrator, or a government) can obtain all of the data stored there. This paper presents Mylar, a platform for building web applications, which protects data confidentiality against attackers with full access to servers. Mylar stores sensitive data encrypted on the server, and decrypts that data only in users' browsers. Mylar addresses three challenges in making this approach work. First, Mylar allows the server to perform keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys and encrypted data securely in the presence of an active adversary. Finally, Mylar ensures that client-side application code is authentic, even if the server is malicious. Results with a prototype of Mylar built on top of the Meteor framework are promising: porting six applications required changing just 36 lines of code on average, and the performance overheads are modest, amounting to a 17% throughput loss and a 50 ms latency increase for sending a message in a chat application.

[PDF (763KB)]

Bibtex Entry:

@inproceedings{popa2014building,
   author =       "Raluca Ada Popa and Emily Stark and Steven Valdez and Jonas Helfer and Nickolai Zeldovich and Frans Kaashoek and Hari Balakrishnan",
   title =        "{Building web applications on top of encrypted data using Mylar}",
   booktitle =    {11th USENIX Symposium on Networked Systems Design and Implementation (NSDI)},
   year =         {2014},
   month =        {April},
   address =      {Seattle, WA}
}