Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
| Date | |
| Msg-id | 20190708215108.nbfy47czhzt57sic@momjian.us Whole thread Raw |
| In response to | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Stephen Frost <sfrost@snowman.net>) |
| Responses |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
(Stephen Frost <sfrost@snowman.net>)
|
| List | pgsql-hackers |
On Mon, Jul 8, 2019 at 05:41:51PM -0400, Stephen Frost wrote: > * Bruce Momjian (bruce@momjian.us) wrote: > > Well, if it was a necessary features, I assume TLS 1.3 would have found > > a way to make it secure, no? Certainly they are not shipping TLS 1.3 > > with a known weakness. > > As discussed below- this is about moving goalposts, and that's, in part > at least, why re-keying isn't a *necessary* feature of TLS. As the I agree we have to allow rekeying and allow multiple unlocked keys in the server at the same time. The open question is whether encrypting different data with different keys and different unlock controls is possible or useful. > amount of data you transmit over a given TLS connection increases > though, the risk increases and it would be better to re-key. How much > better? That depends a great deal on if someone is trying to mount an > attack or not. Yep, we need to allow rekey. > > > > Of course, a database is going to process even more data so if the > > > > amount of data encrypted is a problem, we might have a problem too in > > > > using a single key. This is not related to whether we use one key for > > > > the entire cluster or multiple keys per tablespace --- the problem is > > > > the same. I guess we could create 1024 keys and use the bottom bits of > > > > the block number to decide what key to use. However, that still only > > > > pushes the goalposts farther. > > > > > > All of this is about pushing the goalposts farther away, as I see it. > > > There's going to be trade-offs here and there isn't going to be any "one > > > right answer" when it comes to this space. That's why I'm inclined to > > > argue that we should try to come up with a relatively *good* solution > > > that doesn't create a huge amount of work for us, and then build on > > > that. To that end, leveraging metadata that we already have outside of > > > the catalogs (databases, tablespaces, potentially other information that > > > we store, essentially, in the filesystem metadata already) to decide on > > > what key to use, and how many we can support, strikes me as a good > > > initial target. > > > > Yes, we will need that for a usable nonce that we don't need to store in > > the blocks and WAL files. > > I'm not a fan of the idea of using something which is predictable as a > nonce. Using the username as the salt for our md5 password mechanism > was, all around, a bad idea. This seems like it's repeating that > mistake. Uh, well, renaming the user was a big problem, but that is the only case I can think of. I don't see that as an issue for block or WAL sequence numbers. If we want to use a different nonce, we have to find a way to store it or look it up efficiently. Considering the nonce size, I don't see how that is possible. > > > > Anyway, I will to research the reasonable data size that can be secured > > > > with a single key via AES. I will look at how PGP encrypts large files > > > > too. > > > > > > This seems unlikely to lead to a definitive result, but it would be > > > interesting to hear if there have been studies around that and what > > > their conclusions were. > > > > I found this: > > > > https://crypto.stackexchange.com/questions/44113/what-is-a-safe-maximum-message-size-limit-when-encrypting-files-to-disk-with-aes > > https://crypto.stackexchange.com/questions/20333/encryption-of-big-files-in-java-with-aes-gcm/20340#20340 > > > > The numbers listed are: > > > > Maximum Encrypted Plaintext Size: 68GB > > Maximum Processed Additional Authenticated Data: 2 x 10^18 > > These are specific to AES, from a quick reading of those pages, right? Yes, AES with GCM, which has authentication parts we would not use, so we would use CBC and CTR, which I think has the same or larger spaces. > > > The 68GB value is "the maximum bits that can be processed with a single > > key/IV(nonce) pair." We would 8k of data for each 8k page. If we > > assume a unique nonce per page that is 10^32 bytes. > > A unique nonce per page strikes me as excessive... but then, I think we > should have an actually random nonce rather than something calculated > from the metadata. Uh, well, you are much less likely to get duplicate nonce values by using block number or WAL sequence number. If you look at the implementations, few compute random nonce values. > > For the WAL we would probably use a different nonce for each 16MB page, > > so we would be OK there too, since that is 10 ^ 36 bytes. > > > > gives us 10^36 bytes before the segment number causes the nonce to > > repeat. > > This presumes that the segment number is involved in the nonce > selection, which again strikes me as a bad idea. Maybe it could be > involved in some way, but we should have a properly random nonce. And you base the random goal on what? Nonce is number used only once, and randomness is not a requirement. You can say you prefer it, but why, because most implementations don't use random nonce. > > > When it comes to concerns about autovacuum or other system processes, > > > those don't have any direct user connections or interactions, so having > > > them be more privileged and having access to more is reasonable. > > > > Well, I am trying to understand the value of having some keys accessible > > by some parts of the system, and some not. I am unclear what security > > value that has. > > A very real risk is a low-privilege process gaining access to the entire > backend process, and therefore being able to access anything that > backend is able to. Well, if they get to one key, they will get to them all, right? > > > Ideally, all of this would leverage a vaulting system or other mechanism > > > which manages access to the keys and allows their usage to be limited. > > > That's been generally accepted as a good way to bridge the gap between > > > having to ask users every time for a key and having keys stored > > > long-term in memory. Having *only* the keys for the data which the > > > currently connected user is allowed to access would certainly be a great > > > initial capability, even if system processes (including potentially WAL > > > replay) have to have access to all of the keys. And yes, shared buffers > > > being unencrypted and accessible by every backend continues to be an > > > issue- it'd be great to improve on that situation too. I don't think > > > having everything encrypted in shared buffers is likely the solution, > > > rather, segregating it up might make more sense, again, along similar > > > lines to keys and using metadata that's outside of the catalogs, which > > > has been discussed previously, though I don't think anyone's actively > > > working on it. > > > > What is this trying to protect against? Without a clear case, I don't > > see what that complexity is buying us. > > This is trying to protect against cross-domain leakage due to specific > security vulnerabilities, similar to those just recently fixed, where a > given backend is able to be comrpomised and is able to be used to run > any code the attacker wishes inside of that backend's process. I am not sure TLS is a good solution to that. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
pgsql-hackers by date: