Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-06 08:24:40
Message-ID: 200403060824.40597.silvanadimartino@tin.it
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin

Alle 20:34, venerdì 5 marzo 2004, scott.marlowe ha scritto:
> Sorry, but that's the wrong answer. Once someone has root on a unix box
> her can do ANYTHING he wants. and he can cover his tracks. If the
> encryption takes place on his box, he can attach to the process doing the
> encryption and /or replace it with a trojan copy of his own and get your
> data. The ONLY way to keep the data secure is for it to be encrypted
> elsewhere before it gets to the storage box. If the box that stores it
> encrypts, it, the root user on that box can impersonate anyone and any
> process on that box to get to the data in mid stream.

That's right, of course, but I think we have to consider what we actually have
to prevent, accordingly by law.

A "man-in-the-middle" attack to the encryption system or a
brute-force/dictionary-based attack to the password/data is a crime "per se",
both in Italy and in many other countries. The law does not impose on us the
burden to defend the end-user from a well-planned, well-performed criminal
act. This is the business of our Police. We just have to do our best to
protect our data from human curiosity, human errors and teenager hackers.

The italian law states exactly this: protect your data at the best of your
technological capabilities. Real crime is a police problem.

Anyway, even data encrypted on Mars would be vulnerable to a well-performed
brute-force attack. It is just a matter of computing resource and time.

See you

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it

In response to

Browse pgsql-admin by date

  From Date Subject
Next Message Grega Bremec 2004-03-06 08:54:36 Re: Postgresql functions
Previous Message Silvana Di Martino 2004-03-06 07:53:36 Re: Database Encryption (now required by law in Italy)