One group of MIT researchers believes the entire approach to securing online data should be overhauled, so it has introduced Mylar, a platform for building secure Web applications that rethinks how confidential user data is encrypted and stored by shoring up the weak link: the server.
The current model for securing Web application data relies on the server to store and process it, so any intruder who infiltrates the server can read the unencrypted data. Applications and services built with Mylar never store unencrypted data on the server: data stays encrypted on the server at all times and is decrypted only in the user's browser, where the key lives.
MIT Computer Science and Artificial Intelligence Laboratory researcher Raluca Ada Popa and her team designed Mylar to integrate with Meteor, an open-source JavaScript Web development platform. She previously worked on CryptDB, a database encryption system since adopted by Google and SAP.
Because Meteor simplifies porting existing code, the researchers report that a Mylar prototype was able to secure six applications by changing only 35 lines of code.
Keeping data encrypted on the server only solves one part of the equation, though. Encrypting each user's data under that user's own key breaks features an application still needs, such as searching across documents and sharing them between users, so Mylar adds further mechanisms for working with the data while it remains encrypted on the server.
“Simply encrypting each user’s data with a user key does not suffice, and Mylar addresses three challenges in making this approach work,” the researchers wrote on the Mylar project page. “First, Mylar allows the server to perform a keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys and data securely in the presence of an active adversary. Finally, Mylar ensures that client-side application code is authentic, even if the server is malicious.”
Researchers are currently testing a Mylar-built application that secures patients’ medical information at Newton-Wellesley Hospital in Boston, and according to the project page, they have also deployed Mylar to secure a chat application, an MIT class assignment submission website, a calendar, a forum, and a photo-sharing application.
Popa and her colleagues will present a paper on Mylar at the USENIX NSDI conference in April.