Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) - Mailing list pgsql-hackers
| From | Antonin Houska |
|---|---|
| Subject | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date | |
| Msg-id | 9192.1562747092@spoje.net Whole thread Raw |
| In response to | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Joe Conway <mail@joeconway.com>) |
| Responses |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
|
| List | pgsql-hackers |
Joe Conway <mail@joeconway.com> wrote: > On 7/8/19 6:04 PM, Stephen Frost wrote: > > * Bruce Momjian (bruce@momjian.us) wrote: > >> Uh, well, renaming the user was a big problem, but that is the only case > >> I can think of. I don't see that as an issue for block or WAL sequence > >> numbers. If we want to use a different nonce, we have to find a way to > >> store it or look it up efficiently. Considering the nonce size, I don't > >> see how that is possible. > > > > No, this also meant that, as an attacker, I *knew* the salt ahead of > > time and therefore could build rainbow tables specifically for that > > salt. I could also use those *same* tables for any system where that > > user had an account, even if they used different passwords on different > > systems... > > > > I appreciate that *some* of this might not be completely relevant for > > the way a nonce is used in cryptography, but I'd be very surprised to > > have a cryptographer tell me that a deterministic nonce didn't have > > similar issues or didn't reduce the value of the nonce significantly. > > I have worked side by side on projects with bona fide cryptographers and > I can assure you that they recommended random nonces. Granted, that was > in the early 2000s, but I don't think "modern cryptography" has changed > that any more than "web scale" has made Postgres irrelevant in the > intervening years. I think that particular threads have to be considered. > Related links: > https://defuse.ca/cbcmodeiv.htm > https://www.cryptofails.com/post/70059609995/crypto-noobs-1-initialization-vectors The first one looks more in-depth than the other one, so I focused on it: * "Statistical Correlations between IV and Plaintext" My understanding is that predictability of the IV (in our implementation of full-instance encryption [1] we derive the IV from RelFileNode combined with block number) can reveal information about the first encryption block (16 bytes) of the page, i.e. part of the PageHeaderData structure. I don't think this leaks any valuable data. And starting the 2nd block, the IV is not predictable because it is cipher text of the previous block. * "Chosen-Plaintext Attacks" The question here is whether we expect the OS admin to have access to the database. In [1] we currently don't (cloud, where DBA has no control over the storage layer is the main use case), but if it appears to be the requirement, I believe CBC-ESSIV mode [2] can fix the problem. Anyway, I'm not sure if this kind of attack can reveal more information than something about the first block of the page (the page header), since each of the following blocks uses ciphertext of the previous block as the IV. * "Altering the IV Before Decryption" I don't think this attack needs special attention - page checksums should reveal it. [1] https://commitfest.postgresql.org/23/2104/ [2] https://en.wikipedia.org/wiki/Disk_encryption_theory#Encrypted_salt-sector_initialization_vector_.28ESSIV.29 -- Antonin Houska Web: https://www.cybertec-postgresql.com
pgsql-hackers by date: