Re: storing an explicit nonce - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: storing an explicit nonce
Date
Msg-id 20210526000314.GU20766@tamriel.snowman.net
Whole thread Raw
In response to Re: storing an explicit nonce  (Andres Freund <andres@anarazel.de>)
Responses Re: storing an explicit nonce
List pgsql-hackers
Greetings,

* Andres Freund (andres@anarazel.de) wrote:
> On 2021-05-25 17:15:55 -0400, Stephen Frost wrote:
> > * Bruce Momjian (bruce@momjian.us) wrote:
> > > We already discussed that there are too many other ways to break system
> > > integrity that are not encrypted/integrity-checked, e.g., changes to
> > > clog.  Do you disagree?
> >
> > We had agreed that this wasn't something that was strictly required in
> > the first version and I continue to agree with that.  On the other hand,
> > if we decide that we ultimately need to use an independent nonce and
> > further that we can make room in the special space for it, then it's
> > trivial to also include the tag and we absolutely should (or make it
> > optional to do so) in that case.
>
> The page format for clog and that for relation data is unrelated.

Indeed they are, but that's not relevant to the thrust of this specific
debate.

Bruce is arguing that because clog is unprotected that it's not useful
to protect relation data, with regard to data integrity validation as
provided by AES-GCM using/storing tags.  I dispute this, as relation
data is primary data while clog, for all its value, is still metadata.
Yes, impacting the metadata has an impact on the primary data, but it
doesn't *change* that primary data at its core (and it's also more
likely to be detected than random bit flipping in the relation data
would be, which is possible if you're only encrypting and not providing
any integrity validation).

Thanks,

Stephen

Attachment

pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: storing an explicit nonce
Next
From: Stephen Frost
Date:
Subject: Re: automatic analyze: readahead - add "IO read time" log message