Re: [ADMIN] Secure DB Systems - How to

From: Daniel Struck <struck(dot)d(at)retrovirology(dot)lu>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Greg Stark <gsstark(at)mit(dot)edu>, Mitch Pirtle <mitchy(at)spacemonkeylabs(dot)com>, pgsql-php(at)postgresql(dot)org
Subject: Re: [ADMIN] Secure DB Systems - How to
Date: 2004-07-30 09:43:31
Message-ID: 20040730114331.38845c7f@gentoo
Lists: pgadmin-support, pgsql-admin, pgsql-hackers-win32, pgsql-php, pgsql-sql

> IVs act to make the key appear longer. This is especially useful when humans
> are picking passphrases that are used to generate the key. If you control
> what the actual keys are, then you can make dictionary attacks impractical.
> However, there still would be the problem that identical items in the
> database would be identical. Which, depending on your application, might
> be a problem because of information leakage.

I don't think this is true for CBC mode. Here the first block of plaintext is XORed with the IV, then encrypted with a block cipher like AES, for example. The next plaintext block is then XORed with the previous ciphertext, and so on.

So the IV in CBC is used to make the encrypted ciphertext unique.

You can find some info in chapter 9.3 of "Applied Cryptography" by Bruce Schneier.

In my application I do use a different IV for every encrypted plaintext:
$td = mcrypt_module_open('rijndael-128', '', 'cbc', '');
$iv = base64_encode(mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM));
I do use base64 as it is easier to store it in the database.

The plaintext is then encrypted using:
$ciphertext = "encrypt_iv('" . $plaintext . "','" . $password . "',decode('$iv','base64'),'aes')";

The IV is then stored together with the ciphertext in the database.


Daniel


-- 
Retrovirology Laboratory Luxembourg
Centre Hospitalier de Luxembourg
4, rue E. Barblé
L-1210 Luxembourg

phone: +352-44116105
fax:   +352-44116113
web: http://www.retrovirology.lu
e-mail: struck(dot)d(at)retrovirology(dot)lu
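
The per-record IV scheme described in the message above, as an added example that is not part of the original post. It uses PHP's OpenSSL extension in place of mcrypt (removed from PHP core in 7.2) and of pgcrypto's encrypt_iv; the names encrypt_record, decrypt_record and CIPHER are hypothetical, and the key and plaintext are constructed sample values.

```php
<?php
// Added example (not the poster's code): AES-128-CBC via PHP's OpenSSL
// extension, standing in for the mcrypt/pgcrypto calls in the post.
const CIPHER = 'aes-128-cbc';

// Encrypt one value under a fresh random IV and return both parts
// base64-encoded, ready to be stored side by side in the same row.
function encrypt_record(string $plaintext, string $key): array
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => base64_encode($iv), 'ct' => base64_encode($ct)];
}

// Decrypt a stored row; the IV is not secret, but it must be the one
// that was used when this particular row was encrypted.
function decrypt_record(array $row, string $key): string
{
    $iv = base64_decode($row['iv'], true);
    $ct = base64_decode($row['ct'], true);
    $ok = $iv !== false && $ct !== false
        && strlen($iv) === openssl_cipher_iv_length(CIPHER);
    $pt = $ok ? openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv) : false;
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key   = random_bytes(16);           // constructed 128-bit key
$value = 'constructed sample value'; // constructed plaintext

// Reused IV: two encryptions of the same value are byte-identical,
// so equal rows are visible to anyone who can read the table.
$fixedIv = str_repeat("\0", 16);
$a = openssl_encrypt($value, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
$b = openssl_encrypt($value, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
echo 'reused IV, ciphertexts equal: ', var_export($a === $b, true), "\n";

// Fresh IV per row: the same value is encrypted twice and compared again.
$r1 = encrypt_record($value, $key);
$r2 = encrypt_record($value, $key);
echo 'fresh IVs, ciphertexts equal: ', var_export($r1['ct'] === $r2['ct'], true), "\n";
echo 'round trip ok: ', var_export(decrypt_record($r1, $key) === $value, true), "\n";
```

When the two base64 strings go into the database, bind them as query parameters (for example with pg_query_params) rather than concatenating them into the SQL text.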