Re: [ADMIN] Secure DB Systems - How to - Mailing list pgsql-php

From Daniel Struck
Subject Re: [ADMIN] Secure DB Systems - How to
Date
Msg-id 20040730114331.38845c7f@gentoo
In response to Re: [ADMIN] Secure DB Systems - How to  (Bruno Wolff III <bruno@wolff.to>)
Responses Re: [ADMIN] Secure DB Systems - How to
List pgsql-php
> IVs act to make the key appear longer. This is especially useful when humans
> are picking passphrases that are used to generate the key. If you control
> what the actual keys are, then you can make dictionary attacks impractical.
> However, there still would be the problem that identical items in the
> database would be identical. Which, depending on your application, might
> be a problem because of information leakage.

I don't think this is true for CBC mode. Here the first block of plaintext is XORed with the IV then encrypted with a
block cipher like AES for example. The next plaintext block is then XORed with the previous ciphertext and so on.

So the IV in CBC is used to make the encrypted ciphertext unique.

You can find some info in chapter 9.3 of "Applied Cryptography" by Bruce Schneier.

In my application I do use a different IV for every encrypted plaintext:
$td = mcrypt_module_open('rijndael-128', '', 'cbc', '');
$iv = base64_encode(mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM));
I do use base64 as it is easier to store it in the database.

The plaintext is then encrypted using:
$ciphertext = "encrypt_iv('" . $plaintext . "','" . $password . "',decode('$iv','base64'),'aes')";

The IV is then stored together with the ciphertext in the database.


Daniel


--
Retrovirology Laboratory Luxembourg
Centre Hospitalier de Luxembourg
4, rue E. Barblé
L-1210 Luxembourg

phone: +352-44116105
fax:   +352-44116113
web: http://www.retrovirology.lu
e-mail: struck.d@retrovirology.lu
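
The point argued in this message, as an added example that is not part of the original post: with AES in CBC mode, one IV reused for every row gives identical ciphertexts for identical plaintexts, while a fresh random IV per row does not, and each row still decrypts with its stored IV. It uses PHP's OpenSSL extension in place of mcrypt (removed from PHP core in 7.2) and encrypts in PHP rather than through `encrypt_iv`; the key, the plaintext and the function names `encrypt_field` and `decrypt_field` are constructed for illustration.

```php
<?php
// Added example: key, plaintext and function names are constructed.
const CIPHER = 'aes-128-cbc';

// Encrypt one field; returns [base64 IV, base64 ciphertext] for storage.
function encrypt_field(string $plaintext, string $key, ?string $iv = null): array
{
    // Fresh random IV per value unless the caller forces one (demo only).
    $iv = $iv ?? random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [base64_encode($iv), base64_encode($ct)];
}

// Decrypt a stored field using the IV saved next to its ciphertext.
function decrypt_field(string $ivB64, string $ctB64, string $key): string
{
    $pt = openssl_decrypt(base64_decode($ctB64), CIPHER, $key,
                          OPENSSL_RAW_DATA, base64_decode($ivB64));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key   = random_bytes(16);        // constructed 128-bit key
$value = 'same value in two rows'; // constructed plaintext

// Case 1: one IV reused for every row, so equal plaintexts leak as
// equal ciphertexts.
$fixedIv = str_repeat("\0", 16);
[, $a] = encrypt_field($value, $key, $fixedIv);
[, $b] = encrypt_field($value, $key, $fixedIv);
printf("reused IV, ciphertexts equal: %s\n", var_export($a === $b, true));

// Case 2: a random IV per row, stored alongside the ciphertext.
[$iv1, $c1] = encrypt_field($value, $key);
[$iv2, $c2] = encrypt_field($value, $key);
printf("per-row IV, ciphertexts equal: %s\n", var_export($c1 === $c2, true));

// Both rows still decrypt to the same plaintext with their own IV.
$ok = decrypt_field($iv1, $c1, $key) === $value
   && decrypt_field($iv2, $c2, $key) === $value;
printf("both rows decrypt correctly: %s\n", var_export($ok, true));
```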
