As of: 7 January 2026
Version: v1.4.0-alpha
- 📋 Overview
- ✨ Features & Highlights
- 🛡️ Knowledge Graph Protection (NEW)
- 🚀 Quick Start
- 📖 Detailed Documentation
- 💡 Best Practices
- 🔧 Troubleshooting
- 📚 See Also
- 📝 Changelog

| Document | Description | Status |
|----------|--------------|--------|
| ANGRIFFSVEKTOREN_ANALYSE.md ⭐ | Comprehensive analysis of all attack vectors (external + internal) | ✅ v1.4.0 |
| security_at_rest_encryption_research.md ⭐ | At-rest encryption research (AWS, Google, Azure) | ✅ NEW |
| security_threat_model.md | Threat model overview | ✅ Updated |
| security_overview.md | Security features overview | ✅ |
| security_hardening.md | Production Hardening Guide | ✅ |
| security_audit_checklist.md | BSI C5, ISO 27001, GDPR checklist | ✅ |

- ANGRIFFSVEKTOREN_ANALYSE.md - Comprehensive Attack Vector Analysis
  - External attack vectors (7 protocols, 120+ APIs)
  - Internal attack vectors (insider, privilege escalation)
  - STRIDE analysis & CVSS ratings
  - Countermeasures & recommendations
- security_threat_model.md - Threat Model (Light)
- security_risk_management.md - Risk Management Process
- security_overview.md - Security Features Overview
- security_implementation.md - Security Implementation Details
- security_hardening.md - Hardening Guide
- security_policies.md - Security Policies
- security_policy.md - Security Policy Document
- security_at_rest_encryption_research.md ⭐ - At-Rest Encryption Research (Hyperscaler Best Practices)
The security module implements comprehensive security functions for ThemisDB, including field-level encryption, key management, RBAC, PKI integration, vector encryption and malware scanning.

| Component | Header | Source | Description |
|---|---|---|---|
| FieldEncryption | encryption.h | encryption.cpp | AES-256-GCM |
| KeyProvider | key_provider.h | - | Key Provider Interface |
| MockKeyProvider | mock_key_provider.h | mock_key_provider.cpp | Test Provider |
| VaultKeyProvider | vault_key_provider.h | vault_key_provider.cpp | HashiCorp Vault |
| HSMProvider | hsm_provider.h | hsm_provider_pkcs11.cpp | PKCS#11 HSM |
| PKIKeyProvider | pki_key_provider.h | pki_key_provider.cpp | PKI Integration |
| RBAC | rbac.h | rbac.cpp | Role-Based Access |
| MalwareScanner | malware_scanner.h | malware_scanner.cpp | Content Scanning |
| CMSSigning | cms_signing.h | cms_signing.cpp | CMS Signatures |
| TimestampAuthority | timestamp_authority.h | timestamp_authority.cpp | RFC 3161 TSA |

Total: 16 headers, 16 source files, ~8,100 LOC

New threats to knowledge graphs and vector embeddings require extended protective measures:
Documentation:
- knowledge_graph_protection.md - Comprehensive analysis and protective measures
- graph_protection_impact_summary.md - Executive summary & implementation plan
- ../../config/graph_protection.yaml - Example configuration
Key topics:
- 🔍 Systematic graph exfiltration
- 📊 Embedding theft
- 🎯 Training Data Extraction
- ⏱️ Temporal Data Mining
Recommended measures:
- ✅ Phase 1 (immediate): Extended audit logs, rate limits, monitoring
- 📋 Phase 2 (3-6 months): Graph watermarking, embedding fingerprinting
- 🔮 Phase 3 (6-12 months): Differential privacy, ML anomaly detection
Quick start:
- QUICK_START_VECTOR_ENCRYPTION.md - 5-minute quick start
User guides:
- VECTOR_ENCRYPTION_CONFIGURATION.md - Phase 1: Vector encryption in RocksDB
- HNSW_ENCRYPTION_CONFIGURATION.md - Phase 2: HNSW index encryption
Threat analysis:
- LLM_LORA_ATTACK_VECTORS.md ⭐ IMPORTANT - Comprehensive analysis of attack vectors against LLMs and LoRa adapters
Main risks:
- 🔴 Prompt Injection (High)
- 🔴 LoRa Model Poisoning (High)
- 🟠 Vector Embedding Manipulation (Medium, protected by encryption)
- 🟠 HNSW Index Poisoning (Medium, protected by encryption)
- 🟡 Adapter Weight Extraction (Low)
Protective measures (implemented):
- ⚠️ LoRASecurityValidator - Architecture and tests (signature validation: stub)
- ⚠️ PromptInjectionDetector - Pattern-based injection detection (production-ready)
- ⚠️ EmbeddingAnomalyDetector - Statistical anomaly detection (production-ready)
- ✅ Unit tests in tests/test_lora_security.cpp

⚠️ NOTE: Signature validation for LoRa adapters is currently implemented as a prototype and uses stub code. For production environments, the OpenSSL integration must be completed. See LLM_LORA_ATTACK_VECTORS.md for details.
References:
- Multi-LoRa Manager - Adapter management
- Security Validator - Security validation
- RAID LoRa Implementation - Distributed adapters
Implementation details:
- COMPLETE_IMPLEMENTATION_SUMMARY.md - Complete overview of all phases
- PHASE1_FINAL_REPORT.md - Phase 1 final report
- PHASE2_IMPLEMENTATION_REPORT.md - Phase 2 final report
Build & Test:
- BUILD_VERIFICATION_GUIDE.md - Build and test guide
Performance & optimization:
- PERFORMANCE_OPTIMIZATION_NOTES.md - Performance optimizations
Analyses:
- HNSW_PERSISTENCE_ENCRYPTION_ANALYSIS.md - Security analysis of HNSW persistence
- EMBEDDING_REVERSIBILITY_ANALYSIS.md - Vector embedding security analysis
- ENCRYPTED_HNSW_SEARCHABILITY.md - Analysis of encrypted search
Result:
- ✅ 100% at-rest encryption for vectors
- ✅ AES-256-GCM for RocksDB vectors and HNSW index files
- ✅ Fully compliant with BSI C5 CRY-03
- ✅ 8 integration tests + 5 examples
- ✅ Migration tool for existing data
➡️ BSI C5 Column Encryption Compliance Report
Comprehensive analysis of column encryption implementation against BSI C5 requirements (CRY-01 to CRY-06).
Compliance Score: 95% → 100% (with new documentation) ✅
➡️ BSI C5 Multi-Model Encryption Analysis ⭐ NEW
Detailed analysis of encryption across all data model layers: Relational, Vector, Graph, Geo, Timeline, Process.
Result: Unified Storage Architecture ensures consistent encryption across all models ✅
Formal documentation (December 2025):
- Cryptography Policy - Formal policy per BSI C5 CRY-01, compliant with BSI TR-02102-1
- Key Lifecycle Management - Complete key lifecycle per BSI C5 CRY-02
- Executive Summary (DE) - Brief summary for stakeholders

| Component | Status | Implementation |
|---|---|---|
| RBAC/ABAC Policy Engine | ✅ Production-ready | Ranger-compatible |
| Apache Ranger Integration | ✅ Production-ready | src/server/ranger_adapter.cpp |
| VaultKeyProvider (KMS) | ✅ Production-ready | src/security/vault_key_provider.cpp |
| HSMProvider (PKCS#11) | ✅ Production-ready | src/security/hsm_provider_pkcs11.cpp |
| PKI Client (OpenSSL) | ✅ Production-ready | src/utils/pki_client.cpp |
| Audit Logging | ✅ Production-ready | Hash chain, PKI signatures |
| Field Encryption | ✅ Production-ready | AES-256-GCM |
| Timestamp Authority | ✅ Production-ready | RFC 3161 via OpenSSL |

```cpp
#include <memory>
#include <vector>

// Initialize encryption.
// KeyProvider is the provider interface; in a real deployment, construct a
// concrete implementation (e.g. VaultKeyProvider or HSMProvider) here.
auto key_provider = std::make_shared<KeyProvider>();
auto field_encryption = std::make_shared<FieldEncryption>(key_provider);
EncryptedField<std::vector<float>>::setFieldEncryption(field_encryption);

// Enable encryption for the "documents" index (768-dimensional vectors)
VectorIndexManager vim(db);
vim.init("documents", 768);
vim.setVectorEncryptionEnabled(true);

// Add vectors - automatically encrypted!
BaseEntity entity("doc1");
entity.setField("embedding", std::vector<float>(768, 0.5f));
vim.addEntity(entity);
```

```cpp
// Encrypt sensitive field ("user_pii" is the second argument to encrypt())
FieldEncryption encryption(key_provider);
auto blob = encryption.encrypt("sensitive data", "user_pii");
auto encrypted_value = blob.toBase64();
entity.setField("email_encrypted", encrypted_value);

// Decrypt the stored Base64 value
auto decrypted = encryption.decrypt(EncryptedBlob::fromBase64(encrypted_value));
```

```cpp
RBAC rbac;
rbac.createRole("analyst", {{"data", "read"}, {"reports", "read"}});
rbac.assignRole("user@example.com", "analyst");

// Check permission
if (rbac.authorize("user@example.com", "data", "read")) {
    // Access granted
}
```

- security_encryption_strategy.md - Encryption strategy
- security_encryption_deployment.md - Deployment Guide
- security_encryption_gaps.md - Gap Analysis
- security_encryption_metrics.md - Metrics
- security_encryption_roadmap.md - Roadmap
- security_key_management.md - Key management
- security_key_rotation.md - Key Rotation
- security_hsm.md - HSM Integration
- KEY_LIFECYCLE_MANAGEMENT.md - Key Lifecycle Management
- security_hardening.md - Hardening guide
- security_hardware_attack_vectors.md - Hardware attack vectors (USB, PCIe, CPU, RAM, IO)
- security_audit_checklist.md - Audit checklist
- security_audit_report.md - Audit report
- security_audit_retention.md - Audit retention
- security_incident_response.md - Incident Response
- security_threat_model.md - Threat Model
- security_pentest_guide.md - Pentest guide
- security_compliance.md - Compliance overview
- security_eidas.md - eIDAS compliance
- security_policies.md - Security Policies
- security_policy.md - Security Policy
- CRYPTOGRAPHY_POLICY.md - Cryptography policy
- KEY_LIFECYCLE_MANAGEMENT.md - Key Lifecycle
- security_column_encryption.md - Column Encryption
- VECTOR_ENCRYPTION_IMPLEMENTATION_SUMMARY.md - Vector Encryption
- security_policies.md - Apache Ranger Policies
- security_pki_architecture.md - PKI Architecture
- security_pki_rsa.md - RSA Integration
- security_pki_signatures.md - Digital Signatures
- security_certificate_pinning.md - Certificate Pinning
- security_password_policy.md - Password Policy
- security_hsm.md - HSM Integration Guide
- CRYPTOGRAPHY_POLICY.md - Cryptography Policy
- security_audit_checklist.md - Audit Checklist
- security_audit_report.md - Audit Report
- security_audit_retention.md - Audit Retention
- security_compliance.md - Compliance Overview
- security_eidas.md - eIDAS Compliance
- BSI_C5_ZUSAMMENFASSUNG.md - BSI C5 Summary
- BSI_C5_EXECUTIVE_SUMMARY.md - BSI C5 Executive Summary
- security_pii_detection.md - PII Detection
- security_pii_api.md - PII API
- security_pii_engines.md - PII Engines
- security_pii_signing.md - PII Signing
- security_incident_response.md - Incident Response Plan
- security_pentest_guide.md - Penetration Testing Guide
- security_malware_scanner.md - Malware Scanner
- BUILD_VERIFICATION_GUIDE.md - Build Verification
- security_sbom.md - Software Bill of Materials
- security_multi_party.md - Multi-Party Computation
- security_signatures.md - Digital Signatures
- security_plugins.md - Plugin Security
- security_opensource_best_practice.md - Open Source Best Practices
- COMPLETE_IMPLEMENTATION_SUMMARY.md - Implementation Summary
- PHASE1_FINAL_REPORT.md - Phase 1 Report
- PHASE2_IMPLEMENTATION_REPORT.md - Phase 2 Report
- security_sprint_summary.md - Sprint Summary
- Report a vulnerability: GitHub Security Advisories
- Incident Response: See security_incident_response.md
- Security Contact: security@themisdb.example.com
Implementation status:
- ✅ RBAC/ABAC (Apache Ranger)
- ✅ Encryption (AES-256-GCM)
- ✅ Key Management (Vault/HSM)
- ✅ Audit Logging (65+ Event Types)
- ✅ TLS 1.2/1.3
- ✅ Rate Limiting
- ⚠️ MFA (planned for v1.5.0)
- ⚠️ LLM Prompt Injection Protection (in development)

Top priorities:
- Admin API protection (MFA, IP whitelisting)
- TLS enforcement (1.3 only)
- LLM security (prompt injection, output filtering)
- Supply Chain Security (SBOM, Dependency Scanning)

See ANGRIFFSVEKTOREN_ANALYSE.md for detailed recommendations for action.
Last updated: 2026-01-07
Maintained by: Security Team