Re: pg_hba.conf

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: LSanchez(at)ameritrade(dot)com
Cc: mike(at)thegodshalls(dot)com, xzilla(at)users(dot)sourceforge(dot)net, pgsql-admin(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2004-05-26 15:29:36
Message-ID: 20040526152936.GA2253@wolff.to
Lists: pgsql-admin

On Wed, May 26, 2004 at 10:27:41 -0400,
LSanchez(at)ameritrade(dot)com wrote:
> Thanks Mike!
>
> Do you know if pgSQL will be supporting higher level of encryption in
> the near future? Most of us here at Ameritrade work from home via VPN.

The client can use ssl. That supports 128-bit keys which is plenty.
Any adversary that has the resources to brute force a 128-bit key has
the resources to do black bag jobs for a lower cost. If there are other
weaknesses besides brute force attacks, increasing the key size alone
isn't going to magically make things better.

What kinds of threats are you trying to protect against? If you are using
an encrypted link already, using ssl isn't going to add much security.

Just allowing people to connect to the database directly is a significant
risk. It is made worse by letting people do it from home where the machines
may not be safely operated by the users, which are not physically secured
and for which maintenance is harder (or not being done by the company).

If you are worried about people stealing hardware with information on it,
you should be considering better physical security, proper procedures
for destroying old media and consider using encrypted file systems.

If you are looking for ideas for how to hide information from authorized
users of a database while letting them use it for some things, Peter Wayner's
book Translucent Databases might be of some interest.

> -----Original Message-----
> From: mike g [mailto:mike(at)thegodshalls(dot)com]
> Sent: Wednesday, May 26, 2004 12:51 AM
> To: LSanchez(at)ameritrade(dot)com
> Cc: xzilla(at)users(dot)sourceforge(dot)net; pgsql-admin(at)postgresql(dot)org
> Subject: Re: [ADMIN] pg_hba.conf
>
> Hello,
>
> I believe I found my problem. The Cisco VPN client I use encrypts data
> at a 168 bit level. Postgres only supports up to 128 bit correct?
>
> Mike
