Re: [ADMIN] Secure DB Systems - How to - Mailing list pgsql-php

From Bruno Wolff III
Subject Re: [ADMIN] Secure DB Systems - How to
Date
Msg-id 20040729180010.GA23523@wolff.to
Whole thread Raw
In response to Re: [ADMIN] Secure DB Systems - How to  (Greg Stark <gsstark@mit.edu>)
Responses Re: [ADMIN] Secure DB Systems - How to
List pgsql-php
On Wed, Jul 28, 2004 at 16:16:10 -0400,
  Greg Stark <gsstark@mit.edu> wrote:
>
> Bruno Wolff III <bruno@wolff.to> writes:
>
> > That depends on the kind of queries. Searching for exact matches should work
> > fine. Some other things can be done in special cases.
>
> If searching for exact matches works then you're using a naive encryption
> system. The problem is that it also means your database is vulnerable to
> dictionary attacks. Good encryption systems will include random padding to
> ensure that you can't attack it by merely guessing many possible plaintexts
> and verifying to see if any match.

IVs act to make the key appear longer. This is especially useful when humans
are picking passphrases that are used to generate the key. If you control
what the actual keys are, then you can make dictionary attacks impractical.
However, there still would be the problem that identical items in the
database would be identical. Which, depnding on your application, might
be a problem because of information leakage.

pgsql-php by date:

Previous
From: Christopher Kings-Lynne
Date:
Subject: Re: inet_aton in mysql, how to convert it to postresql?
Next
From: Daniel Struck
Date:
Subject: Re: [ADMIN] Secure DB Systems - How to