Re: storing an explicit nonce

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Tom Kincaid <tomjohnkincaid(at)gmail(dot)com>
Subject: Re: storing an explicit nonce
Date: 2021-05-25 21:15:55
Message-ID: 20210525211554.GL20766@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, May 25, 2021 at 04:29:08PM -0400, Stephen Frost wrote:
> > On Tue, May 25, 2021 at 14:56 Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> >
> > On Tue, May 25, 2021 at 02:25:21PM -0400, Robert Haas wrote:
> > > One question here is whether we're comfortable saying that the nonce
> > > is entirely constant. I wasn't sure about that. It seems possible to
> > > me that different encryption algorithms might want nonces of different
> > > sizes, either now or in the future. I am not a cryptographer, but that
> > > seemed like a bit of a limiting assumption. So Bharath and I decided
> > > to make the POC cater to a fully variable-size nonce rather than
> > > zero-or-some-constant. However, if the consensus is that
> > > zero-or-some-constant is better, fair enough! The patch can certainly
> > > be adjusted to cater to work that way.
> >
> > A 16-byte nonce is sufficient for AES and I doubt we will need anything
> > stronger than AES256 anytime soon.  Making the nonce variable length
> > seems like it is just adding complexity for little purpose.
> >
> >
> > I’d like to review this more and make sure using the special space is possible
> > but if it is then it opens up a huge new possibility that we could use it for
> > both the nonce AND an appropriately sized tag, giving us integrity along with
> > encryption which would be a very significant additional feature.  I’d
> > considered using a fork instead but having it on the page would be far better.
>
> We already discussed that there are too many other ways to break system
> integrity that are not encrypted/integrity-checked, e.g., changes to
> clog. Do you disagree?

We had agreed that this wasn't something that was strictly required in
the first version and I continue to agree with that. On the other hand,
if we decide that we ultimately need to use an independent nonce and
further that we can make room in the special space for it, then it's
trivial to also include the tag and we absolutely should (or make it
optional to do so) in that case.

Thanks,

Stephen
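
The layout discussed above, a fixed 16-byte nonce plus an authentication tag kept in the page's special space, as an added example (not code from this thread or from PostgreSQL): AES-256-GCM over an 8 kB page using Go's standard library. The tag-then-nonce ordering, the random per-write nonce, the constants and the function names are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed layout: 8 kB page whose last 32 bytes (special space) hold tag, then nonce.
const PageSize, NonceSize, TagSize = 8192, 16, 16
const BodySize = PageSize - NonceSize - TagSize

// NewPageAEAD builds AES-GCM with a 16-byte nonce; a 32-byte key selects AES-256.
func NewPageAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, NonceSize)
}

// SealPage returns ciphertext(body) || tag || nonce, exactly PageSize bytes.
func SealPage(aead cipher.AEAD, body []byte) ([]byte, error) {
	if len(body) != BodySize {
		return nil, fmt.Errorf("body must fill the page up to the special space")
	}
	page := make([]byte, PageSize)
	nonce := page[PageSize-NonceSize:]
	if _, err := rand.Read(nonce); err != nil { // fresh nonce on every page write
		return nil, err
	}
	aead.Seal(page[:0], nonce, body, nil) // writes ciphertext || tag in place
	return page, nil
}

// OpenPage verifies the stored tag and only then returns the decrypted body.
func OpenPage(aead cipher.AEAD, page []byte) ([]byte, error) {
	if len(page) != PageSize {
		return nil, fmt.Errorf("bad page size")
	}
	return aead.Open(nil, page[PageSize-NonceSize:], page[:PageSize-NonceSize], nil)
}

func main() {
	aead, _ := NewPageAEAD(make([]byte, 32)) // constructed all-zero demo key
	page, _ := SealPage(aead, make([]byte, BodySize))
	page[100] ^= 1 // one flipped ciphertext bit must be rejected
	fmt.Println(OpenPage(aead, page))
}
```

The tag only authenticates the page it is stored on; data kept outside such pages is not covered by it.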
