| From: | Ryan Lambert <ryan(at)rustprooflabs(dot)com> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Antonin Houska <ah(at)cybertec(dot)at>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-07-10 23:02:20 |
| Message-ID: | CAN-V+g-6bduh7mYG1x29r0qNY=9p2mWsQf6EvRheDL+LMOzP8w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> As I understand, the reason we
> want to avoid using the same IV for too many pages is to dodge a
> cryptanalysis attack, which requires a large amount of data encrypted
> with the same key/IV in order to be effective. But if we have two
> copies of the same page encrypted with the same key/IV, yes it's twice
> as much data as just one copy of the page with that key/IV, but it still
> seems like a sufficiently low amount of data that cryptanalysis is
> unfeasible. Right? I mean, webservers send hundreds of kilobytes
> encrypted with the same key; they avoid sending megabytes of it with the
> same key/IV, but getting too worked up about 16 kB when we think 8 kB is
> fine seems over the top.
> So I guess the question is how much data is considered sufficient for a
> successful, practical cryptanalysis attack?
Yes, a cryptanalysis attack could hypothetically derive critical info about
the key from two encrypted blocks with the same IV.
A major (very important) difference with web servers is they use asymmetric
encryption with the client to negotiate and share the secure symmetric
encryption key for that session. The vast majority of the encryption work
is done w/ short lived symmetric keys, not the TLS keys we all think of
(because that's what we configure). Many DB encryption keys (symmetric)
will live for a number of years, so the attack vectors and timelines are
far different. By contrast, the longest CA TLS keys through paid vendors
are typically 2 years, most are 1, LetsEncrypt certs only live 3 months.
Are there any metrics on how long a page can live without being modified in
one way or another to trigger it to re-encrypt with a new IV? Is it
possible that a single page could live essentially forever without being
modified? If its the latter than I would opt on the side of paranoid due
to the expected lifecycle of keys. If it's the former it probably merits
further discussion on the paranoia requirements. Another consideration is
if someone can get this data and there are a LOT of pages sharing IVs the
exposure increases significantly, probably not linearly.
Another (probably bad) idea is if there was a REENCRYPT DATABASE, the
hyper-paranoid could force a full rewrite as often as they want. Large
databases seem to be the ones that are most likely to have long living
pages, and the least likely to want to wait to reencrypt the whole thing.
Ryan Lambert
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Melanie Plageman | 2019-07-10 23:51:02 | Re: accounting for memory used for BufFile during hash joins |
| Previous Message | Tom Lane | 2019-07-10 22:59:27 | Re: Refactoring syslogger piping to simplify adding new log destinations |