Re: storing an explicit nonce

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Tom Kincaid <tomjohnkincaid(at)gmail(dot)com>
Subject: Re: storing an explicit nonce
Date: 2021-05-25 21:30:06
Message-ID: 20210525213006.GN3048@momjian.us
Lists: pgsql-hackers

On Tue, May 25, 2021 at 05:25:36PM -0400, Stephen Frost wrote:
> Greetings,
>
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > On Tue, May 25, 2021 at 05:15:55PM -0400, Stephen Frost wrote:
> > > > We already discussed that there are too many other ways to break system
> > > > integrity that are not encrypted/integrity-checked, e.g., changes to
> > > > clog. Do you disagree?
> > >
> > > We had agreed that this wasn't something that was strictly required in
> > > the first version and I continue to agree with that. On the other hand,
> > > if we decide that we ultimately need to use an independent nonce and
> > > further that we can make room in the special space for it, then it's
> > > trivial to also include the tag and we absolutely should (or make it
> > > optional to do so) in that case.
> >
> > Well, if we can't really say the data has integrity, what do the
> > validation bytes accomplish? And if we are going to encrypt everything
> > that would allow integrity, we need to encrypt almost the entire file
> > system.
>
> I'm not following this logic. The primary data would be guaranteed to
> be unchanged and there is absolutely value in that, even if the metadata
> is not guaranteed to be unmolested. Security always comes with a lot of
> tradeoffs. RLS doesn't prevent certain side-channel attacks but it
> still is extremely useful in a great many cases.

Well, changing the clog would change how the integrity-protected data is
interpreted, so I don't see much value in it.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
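As an added illustration of the point argued on both sides above (example code, not from the thread or from PostgreSQL): an AES-GCM tag over the tuple bytes makes any change to the protected data detectable, while a change to an unprotected clog entry alters how that intact data is read without any verification failure. The Page layout, the 4-byte xmin prefix and the Clog map are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
)

// Constructed model of the layout discussed in the thread: tuple data is
// AES-GCM encrypted, 12-byte nonce and 16-byte tag stored beside it (as if in
// the special space); commit status (clog) is separate and not covered by the tag.
type Page struct{ Nonce, Sealed []byte } // Sealed = ciphertext || GCM tag
type Clog map[uint32]bool                // xid -> committed?

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPage encrypts and authenticates tuple bytes under a fresh random nonce.
func sealPage(key, tuple []byte) (Page, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return Page{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Page{}, err
	}
	return Page{nonce, aead.Seal(nil, nonce, tuple, nil)}, nil
}

// openPage fails on any change to the nonce, ciphertext or tag.
func openPage(key []byte, p Page) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Sealed, nil)
}

// visible resolves the tuple's xmin (constructed: first 4 bytes) through clog.
// The tuple is proven intact, yet clog sits outside the integrity boundary,
// so a flipped commit bit changes the answer with no tag failure.
func visible(tuple []byte, clog Clog) bool {
	return len(tuple) >= 4 && clog[binary.BigEndian.Uint32(tuple[:4])]
}
```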
