Mylar is a platform for building secure web applications.
Web applications rely on servers to store and process confidential information.
However, anyone who gains access to the server (e.g., an attacker, a curious
administrator, or a government) can obtain all of the data stored there. Mylar
protects data confidentiality even when an attacker gets full access to servers.
Mylar stores only encrypted data on the server, and decrypts data only in
users' browsers. Simply encrypting each user's data with a user key does not
suffice, and Mylar addresses three challenges in making this approach work.
First, Mylar allows the server to perform keyword search over encrypted
documents, even if the documents are encrypted with different keys.
Second, Mylar allows users to share keys and data securely in the presence
of an active adversary. Finally, Mylar ensures that client-side application
code is authentic, even if the server is malicious. Results with a prototype
of Mylar built on top of the Meteor framework are promising: porting 6
applications required changing just 35 lines of code on average, and the
performance overheads are modest, amounting to a 17% throughput loss and a
50 msec latency increase for sending a message in a chat application.
- Raluca Ada Popa, Emily Stark, Jonas Helfer, Steven Valdez,
  Nickolai Zeldovich, M. Frans Kaashoek, and Hari Balakrishnan.
  Building web applications on top of encrypted data using Mylar.
  To appear in NSDI'14 (11th USENIX Symposium on Networked
  Systems Design and Implementation).
- Raluca Ada Popa and Nickolai Zeldovich.
  Multi-Key Searchable Encryption.
  Cryptology ePrint Archive, 2013/508.
  (Mylar uses this new encryption scheme to search efficiently over data encrypted with different keys.)
Play with Mylar! Download it using
git, and then follow the instructions in README.md.
git clone -b public git://g.csail.mit.edu/mylar
For more information on Mylar, contact raluca AT csail DOT mit DOT edu.
We secured real applications with Mylar, including a medical application (performing
a survey of patients suffering from endometriosis) led by surgeons from Mass. General
and Newton-Wellesley hospitals.
This application is currently under IRB approval and in alpha deployment.
We also secured a chat application, a class assignment submission website (for the MIT class 6.858), a calendar, a forum application, and a photo-sharing application.