Re: storing an explicit nonce - Mailing list pgsql-hackers

From Andres Freund
Subject Re: storing an explicit nonce
Date
Msg-id 20210525235644.pkmovwajvrpwpw2q@alap3.anarazel.de
Whole thread Raw
In response to Re: storing an explicit nonce  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On 2021-05-25 19:48:54 -0400, Stephen Frost wrote:
> That's how CTR works, yes.  The issue that you run into is that once
> you've got two pages which have different data but were encrypted with
> the same key and nonce then you can use crib-dragging.
> 
> A good example of how this works is here:
> 
> http://travisdazell.blogspot.com/2012/11/many-time-pad-attack-crib-drag.html
> 
> Once you've got the two different pages which had the same key+nonce
> used, you can XOR them together and then start cribbing, scanning the
> page for legitimate data which doesn't have to be in the part of the
> data that was different between the two original pages.

IOW, purely hint bit changes are the *dream* case for an attacker,
because any difference can just be ignored. All an attacker has to do is
to look at the writes, see if an IV repeats for a block, and the
attacker will get the *entire* page's worth of data. Either minus hint
bits (which are irrelevant), or with a trivial bit of inferrence even
that (because hint bits can only change in one direction).

Greetings,

Andres Freund



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: storing an explicit nonce
Next
From: Michael Paquier
Date:
Subject: Re: pg_rewind fails if there is a read only file.