| From: | Alastair Turner <minion(at)decodable(dot)me> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
| Subject: | Re: Proposed patch for key managment |
| Date: | 2020-12-22 20:15:27 |
| Message-ID: | CAC0Gmywn71eLHi7noyHv64m3+W2BdO5bAYs-grZ4VMxBZCHDxw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi Bruce
In ckey_passphrase.sh.sample
+
+echo "$PASS" | sha256sum | cut -d' ' -f1
+
Under the threat model discussed, a copy of the keyfile could be
attacked offline. So getting from passphrase to DEKs should be as
resource intensive as possible to slow down brute-force attempts.
Instead of just a SHA hash, this should be at least a PBKDF2 (PKCS#5)
operation or preferably scrypt (which is memory intensive as well as
computationally intensive). While OpenSSL provides these key
derivation options for it's encoding operations, it does not offer a
command line option for key derivation using them. What's your view on
including third party utilities like nettlepbkdf in the sample or
providing this utility as a compiled program?
In the same theme - in ossl_cipher_ctx_create and the functions using
that context should rather be using the key-wrapping variants of the
cipher. As well as lower throughput, with the resulting effects on
brute force attempts, the key wrap variants provide more robust
ciphertext output
"
KW, KWP, and TKW are each robust in the sense that each bit of output
can be expected to depend in a nontrivial fashion on each bit of
input, even when the length of the input data is greater than one
block. This property is achieved at the cost of a considerably lower
throughput rate, compared to other authenticated-encryption modes, but
the tradeoff may be appropriate for some key management applications.
For example, a robust method may be desired when the length of the
keys to be protected is greater than the block size of the underlying
block cipher, or when the value of the protected data is very high.
" - NIST SP 800-38F
and aim to manage the risk of short or predictable IVs ([1] final para
of page 1)
On Tue, 22 Dec 2020 at 15:40, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> Here is an updated patch. Are people happy with the Makefile, its
> location in the source tree, and the install directory name? I used the
> directory name 'auth_commands' because I thought 'auth' was too easily
> misinterpreted. I put the scripts in /src/backend/utils/auth_commands.
>
What's implemented in these patches is an internal keystore, wrapped
with a key derived from a passphrase. I'd think that the scripts
directory should reflect what they interact with, so
'keystore_commands' or 'local_keystore_command' sounds more specific
and therefore better than 'auth_commands'.
Regards
Alastair
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2020-12-22 20:16:58 | Re: libpq compression |
| Previous Message | John Naylor | 2020-12-22 20:01:48 | Re: Perform COPY FROM encoding conversions in larger chunks |