Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Ryan Lambert <ryan(at)rustprooflabs(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Date: 2019-07-10 22:28:42
Message-ID: 20190710222842.GA17227@alvherre.pgsql
Lists: pgsql-hackers

On 2019-Jul-10, Joe Conway wrote:

> On 7/10/19 3:53 PM, Alvaro Herrera wrote:

> > (I do think you can have multiple writes of the same page with
> > different LSNs, if you change hint bits and don't write WAL about it,
>
> Do you mean "multiple writes of the same page without..."?

Right, "twice the same page with the same LSN" is what I was thinking,
which is basically the question Tomas asked afterwards.

> > but maybe we should force CRC enabled in encrypted tables, which I think
> > closes this hole?)
>
> If we can use the LSN (perhaps with CRC) without the page number that
> would seem to be a good idea.

Umm, I'm not advocating using the CRC as part of the nonce, because that
seems a terrible idea. I was just saying that if you enable CRC, then
even hint bit changes cause LSN changes (and thus IV changes) because of
the necessary FPIs, so you shouldn't get two writes with the same LSN.

With all this said, I think the case for writing two pages with the same
IV is being overstated a little bit. As I understand, the reason we
want to avoid using the same IV for too many pages is to dodge a
cryptanalysis attack, which requires a large amount of data encrypted
with the same key/IV in order to be effective. But if we have two
copies of the same page encrypted with the same key/IV, yes it's twice
as much data as just one copy of the page with that key/IV, but it still
seems like a sufficiently low amount of data that cryptanalysis is
unfeasible. Right? I mean, webservers send hundreds of kilobytes
encrypted with the same key; they avoid sending megabytes of it with the
same key/IV, but getting too worked up about 16 kB when we think 8 kB is
fine seems over the top.

So I guess the question is how much data is considered sufficient for a
successful, practical cryptanalysis attack?

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
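
The same-LSN case discussed in this message, as an added example that is not part of the original e-mail or of any PostgreSQL patch. It assumes a counter-mode style cipher (an HMAC-SHA256 keystream stands in for AES-CTR) and a hypothetical IV layout of LSN plus page number; the key, LSN, page number and page contents are constructed.

```python
import hashlib
import hmac
import struct

PAGE_SIZE = 8192  # PostgreSQL default page size (the "8 kB" in the message)


def page_iv(lsn: int, page_no: int) -> bytes:
    # Hypothetical IV layout (assumption): 8-byte LSN + 4-byte page number, zero padded.
    return struct.pack(">QI", lsn, page_no).ljust(16, b"\x00")


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR: HMAC-SHA256(key, iv || block counter), concatenated.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_page(key: bytes, lsn: int, page_no: int, page: bytes) -> bytes:
    ks = keystream(key, page_iv(lsn, page_no), len(page))
    return bytes(p ^ k for p, k in zip(page, ks))


def diff_offsets(a: bytes, b: bytes) -> list:
    # Offsets at which two on-disk copies of the page differ.
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def compare_writes():
    key = bytes(range(32))                      # constructed key
    lsn, page_no, hint_off = 0x16B3A40, 7, 100  # constructed values
    before = bytes(PAGE_SIZE)                   # constructed page image
    after = bytearray(before)
    after[hint_off] |= 0x01                     # hint-bit-only change
    after = bytes(after)

    ct_before = encrypt_page(key, lsn, page_no, before)
    # Hint bit changed without WAL: the LSN, and so the IV, is unchanged.
    ct_same_lsn = encrypt_page(key, lsn, page_no, after)
    # CRC enabled: the FPI advances the LSN, so the IV changes too.
    ct_new_lsn = encrypt_page(key, lsn + 0x2000, page_no, after)

    same = diff_offsets(ct_before, ct_same_lsn)
    leaked_xor = ct_before[hint_off] ^ ct_same_lsn[hint_off]
    return same, leaked_xor, len(diff_offsets(ct_before, ct_new_lsn))


if __name__ == "__main__":
    print(compare_writes())
```

Under these assumptions, the two same-IV ciphertexts differ only at the changed byte and their XOR equals the plaintext XOR, while the copy written under a new LSN differs in nearly every byte.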
