Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1muhuF-0008Si-JV for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 21:21:47 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1muhuE-0006t5-GF for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 21:21:46 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1muhuD-0006st-Pq for pgsql-hackers@lists.postgresql.org; Tue, 07 Dec 2021 21:21:46 +0000 Received: from mail-ed1-x529.google.com ([2a00:1450:4864:20::529]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1muhu6-0006ET-Sa for pgsql-hackers@postgresql.org; Tue, 07 Dec 2021 21:21:45 +0000 Received: by mail-ed1-x529.google.com with SMTP id r25so1120758edq.7 for ; Tue, 07 Dec 2021 13:21:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=1RJxIqIs0HlExnt//40wVzuyCYmLorlPyZd7fXeq8xI=; b=Ra2UG7b8DMsPIj+4ONONDhQ3od90vC/AMMCo3662DcNbSagLZPK7TTt0C7WY1wfcBO OtQDJ3qJQGtkkplSPTsbnTKVhdcyK/7kGzYWVzvw/CsxHGpfDwLY72ODInKGaLPEIw/Q 9nGh50Pcfi1/+SuK8uKqezEDHHDR4TqxJFyMdgO7Zp4D39NOIlrhixkxfe14f8JrHBaE OpbuTRo8pJrEg9WO/k49vyFDrYu/cZZ6z6dm9IS7w1x4UtxCbOvDNE5/5FBOQPYQvDjs f5lv0qyw+5MFd7ax2WL3DRmPQnZf64CR1rEF82ZvGotgxFpgQBZ1colRfn4q8KFnKjdJ D+iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=1RJxIqIs0HlExnt//40wVzuyCYmLorlPyZd7fXeq8xI=; b=mb1dQwtyxIVQXcWmVYhcfrsuUBG+szkKC0b3gY6XgRgiBtJyWBnV0OjT8zYtNP8y7B EB59y5ZW6E39gfkH455aFXYK6lyyr4kJFQV10/28tSOyEaWxJI/25OTR/BE0z+wnOZvX itoXg/aOe+ugL48R6q6GJ5E9IFmQJ2EnizcRqAgIsbaHF9vyvHP1aAXtgq20hRNwTNYp qoLiiIJEVz6Gmu1Tos+WoicXiMrm56pCQKicYcRyNOKfvRjF9ptNLWCj+beavuR17BIo htu7/4AQ5RWdxaZ11HnjHPNtwlBf4L44CRq88OG6t+/R/0cdkumt9fPnvtTpZjADFdBR BKoQ== X-Gm-Message-State: AOAM530acIDIPhJFW3+NzWly/SUisKPwh10c2U5t6O/0+XmdMxv5wcEY mpbTpeheaqjuhxNecDmXcuNl/gsvKTrPw4YoJ3/OvZhs+MJJsiPoJpXvok8hgER9PZ9q0Uf0dPi eTcuepkZ5tjPnuGBfTDNGWOgBKEXB5XCgFM5ijewZ0GYIG274kz5mlY/ZjKeVop0QEDKfLdwrB8 nh98lgVjNHbS/V1TzTtkUKjOChYJcm+29ZYwgEGxHFDWUG X-Google-Smtp-Source: ABdhPJy2mtSPiv9tgYZFDwyFeyraaBWf1bfzoiMm0iPNQwqUQ4urIFcYNl3/WowVXdMgMk6m6TNwdw== X-Received: by 2002:a05:6402:270d:: with SMTP id y13mr12938257edd.362.1638912096613; Tue, 07 Dec 2021 13:21:36 -0800 (PST) Received: from [10.137.0.18] (ip-86-49-251-241.net.upcbroadband.cz. [86.49.251.241]) by smtp.gmail.com with ESMTPSA id sg17sm376825ejc.72.2021.12.07.13.21.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Dec 2021 13:21:35 -0800 (PST) Message-ID: <1be3fd0e-959a-29e3-5f63-9c3dff9e7cb2@enterprisedb.com> Date: Tue, 7 Dec 2021 22:21:32 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0 Subject: Re: Transparent column encryption Content-Language: en-US To: Jacob Champion , "peter.eisentraut@enterprisedb.com" , "pgsql-hackers@postgresql.org" References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> <4fbcf5540633699fc3d81ffb59cb0ac884673a7c.camel@vmware.com> From: Tomas Vondra In-Reply-To: <4fbcf5540633699fc3d81ffb59cb0ac884673a7c.camel@vmware.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 12/7/21 19:02, Jacob Champion wrote: > On Tue, 2021-12-07 at 16:39 +0100, Peter Eisentraut wrote: >> On 06.12.21 21:44, Jacob Champion wrote: >>> I think reusing a zero IV will potentially leak more information than >>> just equality, depending on the cipher in use. You may be interested in >>> synthetic IVs and nonce-misuse resistance (e.g. [1]), since they seem >>> like they would match this use case exactly. (But I'm not a >>> cryptographer.) >> >> I'm aware of this and plan to make use of SIV. The current >> implementation is just an example. > > Sounds good. > >>> Have you given any thought to AEAD? As a client I'd like to be able to >>> tie an encrypted value to other column (or external) data. For example, >>> AEAD could be used to prevent a DBA from copying the (encrypted) value >>> of my credit card column into their account's row to use it. >> >> I don't know how that is supposed to work. When the value is encrypted >> for insertion, the client may know things like table name or column >> name, so it can tie it to those. But it doesn't know what row it will >> go in, so you can't prevent the value from being copied into another >> row. You would need some permanent logical row ID for this, I think. > > Sorry, my description was confusing. There's nothing preventing the DBA > from copying the value inside the database, but AEAD can make it so > that the copied value isn't useful to the DBA. > > Sample case. Say I have a webapp backed by Postgres, which stores > encrypted credit card numbers. Users authenticate to the webapp which > then uses the client (which has the keys) to talk to the database. > Additionally, I assume that: > > - the DBA can't access the client directly (because if they can, then > they can unencrypt the victim's info using the client's keys), and > > - the DBA can't authenticate as the user/victim (because if they can, > they can just log in themselves and have the data). The webapp might > for example use federated authn with a separate provider, using an > email address as an identifier. > > Now, if the client encrypts a user's credit card number using their > email address as associated data, then it doesn't matter if the DBA > copies that user's encrypted card over to their own account. The DBA > can't log in as the victim, so the client will fail to authenticate the > value because its associated data won't match. > >>>> This is not targeting PostgreSQL 15. But I'd appreciate some feedback >>>> on the direction. >>> >>> What kinds of attacks are you hoping to prevent (and not prevent)? >> >> The point is to prevent admins from getting at plaintext data. The >> scenario you show is an interesting one but I think it's not meant to be >> addressed by this. If admins can alter the database to their advantage, >> they could perhaps increase their account balance, create discount >> codes, etc. also. > > Sure, but increasing account balances and discount codes don't lead to > getting at plaintext data, right? Whereas stealing someone else's > encrypted value seems like it would be covered under your threat model, > since it lets you trick a real-world client into decrypting it for you. > > Other avenues of attack might depend on how you choose to add HMAC to > the current choice of AES-CBC. My understanding of AE ciphers (with or > without associated data) is that you don't have to design that > yourself, which is nice. > IMO it's impossible to solve this attack within TCE, because it requires ensuring consistency at the row level, but TCE obviously works at column level only. I believe TCE can do AEAD at the column level, which protects against attacks that flipping bits, and similar attacks. It's just a matter of how the client encrypts the data. Extending it to protect the whole row seems tricky, because the client may not even know the other columns, and it's not clear to me how it'd deal with things like updates of the other columns, hint bits, dropped columns, etc. It's probably possible to get something like this (row-level AEAD) by encrypting enriched data, i.e. not just the card number, but {user ID, card number} or something like that, and verify that in the webapp. The problem of course is that the "user ID" is just another column in the table, and there's nothing preventing the DBA from modifying that too. So I think it's pointless to try extending this to row-level AEAD. regards -- Tomas Vondra EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company