
Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>,pgsql-admin(at)postgresql(dot)org
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-06 08:24:40
Lists: pgsql-admin
At 20:34, Friday 5 March 2004, scott.marlowe wrote:
> Sorry, but that's the wrong answer.  Once someone has root on a unix box
> he can do ANYTHING he wants.  And he can cover his tracks.  If the
> encryption takes place on his box, he can attach to the process doing the
> encryption and/or replace it with a trojan copy of his own and get your
> data.  The ONLY way to keep the data secure is for it to be encrypted
> elsewhere before it gets to the storage box.  If the box that stores it
> encrypts it, the root user on that box can impersonate anyone and any
> process on that box to get to the data in mid stream.

That's right, of course, but I think we have to consider what we actually have
to prevent, according to the law.

A "man-in-the-middle" attack on the encryption system or a
brute-force/dictionary-based attack on the password/data is a crime "per se",
both in Italy and in many other countries. The law does not impose on us the
burden to defend the end-user from a well-planned, well-performed criminal
act. This is the business of our Police. We just have to do our best to
protect our data from human curiosity, human errors and teenage hackers.

The Italian law states exactly this: protect your data to the best of your
technological capabilities. Real crime is a police problem.

Anyway, even data encrypted on Mars would be vulnerable to a well-performed
brute-force attack. It is just a matter of computing resources and time.

See you

Alessandro Bottoni and Silvana Di Martino
