| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-07-08 22:45:50 |
| Message-ID: | 20190708224550.nl7le264hlo3yg67@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Jul 8, 2019 at 06:23:13PM -0400, Bruce Momjian wrote:
> Yes, 'postgres' can be used to create a nice md5 rainbow table that
> works on many servers --- good point. Are rainbow tables possible with
> something like AES?
>
> > I appreciate that *some* of this might not be completely relevant for
> > the way a nonce is used in cryptography, but I'd be very surprised to
> > have a cryptographer tell me that a deterministic nonce didn't have
> > similar issues or didn't reduce the value of the nonce significantly.
>
> This post:
>
> https://stackoverflow.com/questions/36760973/why-is-random-iv-fine-for-aes-cbc-but-not-for-aes-gcm
>
> says:
>
> GCM is a variation on Counter Mode (CTR). As you say, with any variant
> of Counter Mode, it is essential that the Nonce is not repeated with
> the same key. Hence CTR mode Nonces often include either a counter or
> a timer element: something that is guaranteed not to repeat over the
> lifetime of the key.
>
> CTR is what we use for WAL. 8k pages, we would use CBC, which says we
> need a random nonce. I need to dig deeper into ECB mode attack.
Looking here:
https://stackoverflow.com/questions/36760973/why-is-random-iv-fine-for-aes-cbc-but-not-for-aes-gcm
I think the issues is that we can't use a _counter_ for the nonce since
each page-0 of each table would use the same nonce, and each page-1,
etc. I assume we would use the table oid and page number as the nonce.
We can't use the database oid since we copy the files from one database
to another via file system copy and not through the shared buffer cache
where they would be re encrypted. Using relfilenode seems dangerous.
For WAL I think it would be the WAL segment number. It would be nice
to mix that with the "Database system identifier:", but are these the
same on primary and replicas?
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2019-07-08 22:53:32 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | Stephen Frost | 2019-07-08 22:43:31 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |