| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us>, Ryan Lambert <ryan(at)rustprooflabs(dot)com> |
| Cc: | Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Stephen Frost <sfrost(at)snowman(dot)net>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-07-13 11:34:22 |
| Message-ID: | 2ae81d2a-2b86-d25e-6453-deb69bac887f@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 7/12/19 2:45 PM, Bruce Momjian wrote:
> On Fri, Jul 12, 2019 at 12:41:19PM -0600, Ryan Lambert wrote:
>> >> I vote for AES 256 rather than 128.
>> >
>> > Why? This page seems to think 128 is sufficient:
>> >
>> > https://crypto.stackexchange.com/questions/20/
>> what-are-the-practical-differences-between-256-bit-192-bit-and-128-bit-aes-enc
>> >
>> > For practical purposes, 128-bit keys are sufficient to ensure
>> security.
>> > The larger key sizes exist mostly to satisfy some US military
>> > regulations which call for the existence of several distinct
>> "security
>> > levels", regardless of whether breaking the lowest level is already
>> far
>> > beyond existing technology.
>>
>> After researching AES key sizes a bit more my vote is (surprisingly?) for
>> AES-128. My reasoning is about security, I did not consider performance
>> impacts in my decision.
>
> Thank you for this exhaustive research.
First of all, that is a mischaracterization of the issue. That paper
also states:
"we describe several key derivation attacks of practical complexity on
AES-256 when its number of rounds is reduced to approximately that of
AES-128. The best previously published attacks on such variants
were far from practical, requiring 4 related keys and 2^120
time to break a 9-round version of AES-256 [9], and 64 related keys and
2^172time to break a 10-round version of AES-256 ([9], see also [2]). In
this paper we describe an attack on 9-round AES-256 which can findits
complete 256-bit key in 239time by using only the simplest type of
related keys (in which the chosenplaintexts are encrypted under two keys
whose XOR difference can be chosen in many different ways).Our best
attack on 10-round AES-256 requires only two keys and 245time, but it
uses a stronger type ofrelated subkey attack. These attacks can be
extended into a quasi-practical 270attack on 11-round AES,and into a
trivial 226attack on 8-round AES."
Notice 2 key things about this:
1. The attacks described are against a reduced number of rounds. AES256
is 14 rounds, not 9 or 10.
2, They are "related key" attacks, which can be avoided by not using
related keys, and we certainly should not be doing that.
Also, please read the links that Sehrope sent earlier if you have not
done so. In particular this one:
https://www.ecrypt.eu.org/csa/documents/PQC-whitepaper.pdf
which says:
"Post-quantum cryptography is an area of cryptography in which systems
are studied under the security assumption that the attacker has a
quantum computer. This attack model is interesting because Shor has
shown a quantum algorithm that breaks RSA, ECC, and finite field
discrete logarithms in polynomial time. This means that in this model
all commonly used public-key systems are no longer secure.Symmetric
cryptography is also affected but significantly less. For systems that
do not rely on mathematical structures the main effect is that an
algorithm due to Grover halves the security level, i.e., breaking
AES-128 takes 2^64 quantum operations while current attacks take 2^128
steps. While this is a big change, it can be managed quite
easily by doubling the key sizes, e.g., by deploying AES-256. The
operations needed in Grover’s algorithm are inherently sequential
which has led some to doubt that even 264quantum operations
are feasible, but since the remedy of changing to larger key sizes is
very inexpensive it is generally recommended to do so."
In addition, that first paper was written in 2010, yet in 2016 NSA
published one of the other documents referenced by Sehrope:
Which states:
"If you have already implemented Suite B algorithms using the larger
(for TOP SECRET) key sizes, you should continue to use those algorithms
and key sizes through this upcoming transition period. In many products
changing to a larger key size can be done via a configuration
change.Implementations using only the algorithms previously approved for
SECRET and below in Suite B should not be used in NSS. In more precise
terms this means that NSS (National Security Systems) should no longer use
•ECDH and ECDSA with NIST P-256
•SHA-256
•AES-128
•RSA with 2048-bit keys
•Diffie-Hellman with 2048-bit keys"
I stand by my position. At a minimum, we need a choice of AES128 and AES256.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2019-07-13 12:36:54 | Re: [PATCH] Implement uuid_version() |
| Previous Message | Thomas Munro | 2019-07-13 11:17:00 | Re: refactoring - share str2*int64 functions |