Re: "hide" values in a column

From: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
To: "Valerie Goodman" <val(at)webtribe(dot)net>, <pgsql-sql(at)postgresql(dot)org>
Subject: Re: "hide" values in a column
Date: 2003-03-12 22:39:04
Message-ID: 20030312223904.0D36D103C2@polaris.pinpointresearch.com
Lists: pgsql-sql

Web based? Email based? Other? You have all sorts of problems since
identities could be discerned from careful reading of web or email logs,
looking at IP addresses, or even sniffing on the wire.

The amount of effort you put in to ensuring anonymity will be dictated by
budget and paranoia level.

I suspect your best bet may be to make it web based and allow people to pick
an anonymous handle and password (or several if they are paranoid). The
administrator could reply to that handle and the person could log in to
submit new suggestions or to check for replies.

Other things that could be used: https to limit wire-sniffing attacks, no
logging or sending any relevant logs to /dev/null, etc.

I'm afraid that if you are using employee IDs in a column you are SOL. Even a
trapdoor encryption will be of little use since you can easily use a
dictionary attack (encrypt all the employee IDs with all allowed salt values
and you will create a nice linking table of encrypted to unencrypted ids).

With email you are really up a creek since you have little control over the
servers through which the messages pass and you need a method of determining
the correct email address in the first place. That method is so full of holes
I wouldn't even try it.

Cheers,
Steve

On Wednesday 12 March 2003 1:12 pm, Valerie Goodman wrote:
> Background: The maniacs I work for want an e-suggestion box. The identity
> of the suggestor must not be known, but the suggestion box administrator
> must be able to respond privately back to that person so I can't just
> completely leave out the identity of a suggestor against his/her
> suggestion. The suggestor is meant to have complete anonymity.
>
> The real question: How do I completely "hide"/encrypt the values in the
> emp_id column even from me (who would be using psql) without the easy
> possibility of decoding it?
>
> CREATE TABLE suggestions (
>     emp_id INTEGER,          -- the column to be hidden
>     dtm TIMESTAMP,
>     comment TEXT,
>     private_response BOOL,
>     response TEXT            -- no trailing comma before ")"
> );
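As an added illustration of Steve's two points (a hashed or encrypted emp_id column can be reversed with a precomputed linking table because the ID space is tiny, whereas a self-chosen handle plus password stores nothing derived from emp_id), here is example code written for this archive page, not taken from the thread; the ID range, the 4-bit salt space and the SHA-256/PBKDF2 choices are constructed assumptions.

```python
import hashlib
import os
import secrets

# Constructed parameters: employee IDs 1..9999 and a deliberately small
# 4-bit salt space so the full table builds in well under a second.
EMP_ID_RANGE = range(1, 10_000)
SALT_SPACE = range(16)
PBKDF2_ITERATIONS = 200_000


def hash_emp_id(emp_id: int, salt: int) -> str:
    """The 'hidden' column value: SHA-256 over salt || emp_id."""
    return hashlib.sha256(bytes([salt]) + str(emp_id).encode()).hexdigest()


def build_linking_table() -> dict:
    """Steve's dictionary attack: hash every (salt, emp_id) pair once.
    The result maps each possible column value back to its emp_id, so the
    column only looks hidden to someone who has not spent the CPU time."""
    return {hash_emp_id(e, s): e for s in SALT_SPACE for e in EMP_ID_RANGE}


def recover_emp_id(column_value: str, table: dict):
    """Look a stored column value up in the linking table (None if absent)."""
    return table.get(column_value)


def create_anonymous_account(handle: str, password: str) -> dict:
    """Steve's alternative: a row keyed by a self-chosen handle and secured by
    a slow, randomly salted password hash. No field is derived from emp_id,
    so there is nothing for a linking table to link."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"handle": handle, "salt": salt.hex(), "pw_hash": digest.hex()}


def verify_login(account: dict, password: str) -> bool:
    """Let the suggestor log back in to read the administrator's reply."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(account["salt"]), PBKDF2_ITERATIONS)
    return secrets.compare_digest(digest.hex(), account["pw_hash"])


if __name__ == "__main__":
    table = build_linking_table()
    stored = hash_emp_id(4242, 7)          # what would sit in the "hidden" column
    print("recovered emp_id:", recover_emp_id(stored, table))   # 4242
    acct = create_anonymous_account("bluefish", "correct horse battery")
    print("login ok:", verify_login(acct, "correct horse battery"))
    print("row contains emp_id:", "emp_id" in acct)            # False
```

The linking table is 16 * 9999 entries; with a realistic salt width the table is larger but the attack is unchanged, which is why the handle-based row never stores emp_id at all.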
