Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mumDn-0000Jm-3Q for pgsql-hackers@arkaria.postgresql.org; Wed, 08 Dec 2021 01:58:15 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mumDl-0003Df-W2 for pgsql-hackers@arkaria.postgresql.org; Wed, 08 Dec 2021 01:58:14 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mumDl-0003DR-7r for pgsql-hackers@lists.postgresql.org; Wed, 08 Dec 2021 01:58:13 +0000 Received: from mail-ed1-x52b.google.com ([2a00:1450:4864:20::52b]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mumDi-0007lQ-2P for pgsql-hackers@postgresql.org; Wed, 08 Dec 2021 01:58:12 +0000 Received: by mail-ed1-x52b.google.com with SMTP id x6so3112546edr.5 for ; Tue, 07 Dec 2021 17:58:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=ywlq6womtADEBl47GoSpVMM0nieaf0FiyQV/lnCcQs4=; b=A8fggURjmDKQmQfRSDmcWP9ba+yXvLC3mhbvJbMmTZ52niCvQxP3+pqLq+KXbf8IOM PUgTWJKKsCaFVn12UyNVBJb6LRInYZ1B/3BcfWEVZg9ouKsc983QYL/I5MCeTGAW6HCQ AEwLfvJbZ7NDx+Ti2YniqalxVHCIMT1z14OWAgu8ig6JmXUx+T0tL/SgTzV4B8EZmHzl Q0E02lcnM/1Fstfh/oOEPgPciIM3tiiVvRXT6JDrAXJ9u/ew84fsRzctVmWSvZoxN3dv CRv6UglhqNPIUakQwJowQ5NjKBnc5mY/PMAr33u06eDNxF3vDQ2V9rstuzYzpgyo42Gw L19Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=ywlq6womtADEBl47GoSpVMM0nieaf0FiyQV/lnCcQs4=; b=iaxAb9/zu+ASRUgX4NF8Vs/B4U30Dd1D4y1rhlBGhR7ABHkNRelsiQyyJpv3rcYV8d cOHpQqMxbP7B0E+RTIbXgK3hOHCFbu+u5jr4DqgRC9xfSunsCVW/tpKUGZuoLsyebeaA rQAOUH/+miY8wXB6zV5RMjY8eZgA4kX6wNR4E2Do/gm0a5DpA3namll8Bv4jf2s9vNuz 4WU4e8Sl175O6JAPvcY7rgNTBNHPzNSfHKKt+vSZsUktaJgpzRhZ+HYxuna8jCu9eavM PNBpcrRtmSn+cDew1lDrVBsb4Eibnt9zYQM5wtSi+GCSnN8ilW64ZX8Ot8eRHAmzaJ3X FWcw== X-Gm-Message-State: AOAM5314MKMw0rcskmkV7/v3Qv9LouhxLpmZhbKzn2r2DXAGVaoxkVPm B3ESVaYqJrt8WE5wnr5xZgw7WKAN18870/we4iizEtpbhenjX8DU6wfTzuat+GPXtTr+AG06Xov /NELtJx0arMksRXMHRqe0845ioSZXqttE2QpJlIV004YTQlarrwboK91hAcQpHe+r9kARnuW8nT B0lRh5tgLKudb1nYZHqvvupdad0ERhaMALnlt7 X-Google-Smtp-Source: ABdhPJzzwnTSZrea3DrBn65+cCFB18vt+2TP8fzuSdvpVcHMtRBOb7329tbLOF/Sm4OtpLxeYxTjYw== X-Received: by 2002:a17:906:b88f:: with SMTP id hb15mr3834684ejb.91.1638928687828; Tue, 07 Dec 2021 17:58:07 -0800 (PST) Received: from [10.137.0.19] (ip-86-49-251-241.net.upcbroadband.cz. [86.49.251.241]) by smtp.gmail.com with ESMTPSA id m25sm921350edj.80.2021.12.07.17.58.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Dec 2021 17:58:07 -0800 (PST) Message-ID: <3c48f839-45f0-b85d-fd99-8693171f515e@enterprisedb.com> Date: Wed, 8 Dec 2021 02:58:06 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.0 Subject: Re: Transparent column encryption Content-Language: en-US To: Jacob Champion , "peter.eisentraut@enterprisedb.com" , "pgsql-hackers@postgresql.org" References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> <4fbcf5540633699fc3d81ffb59cb0ac884673a7c.camel@vmware.com> <1be3fd0e-959a-29e3-5f63-9c3dff9e7cb2@enterprisedb.com> From: Tomas Vondra In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 12/8/21 00:26, Jacob Champion wrote: > On Tue, 2021-12-07 at 22:21 +0100, Tomas Vondra wrote: >> IMO it's impossible to solve this attack within TCE, because it requires >> ensuring consistency at the row level, but TCE obviously works at column >> level only. > > I was under the impression that clients already had to be modified to > figure out how to encrypt the data? If part of that process ends up > including enforcement of encryption for a specific column set, then the > addition of AEAD data could hypothetically be part of that hand- > waviness. > I think "transparency" here means the client just uses the regular prepared-statement API without having to explicitly encrypt/decrypt any data. The problem is we can't easily tie this to other columns in the table, because the client may not even know what values are in those columns. Imagine you do this UPDATE t SET encrypted_column = $1 WHERE another_column = $2; but you want to ensure the encrypted value belongs to a particular row (which may or may not be identified by the another_column value). How would the client do that? Should it fetch the value or what? Similarly, what if the client just does SELECT encrypted_column FROM t; How would it verify the values belong to the row, without having all the data for the row (or just the required columns)? > Unless "transparent" means that the client completely defers to the > server on whether to encrypt or not, and silently goes along with it if > the server tells it not to encrypt? I think that's probably a valid concern - a "bad DBA" could alter the table definition to not contain the "ENCRYPTED" bits, and then peek at the plaintext values. But it's not clear to me how exactly would the AEAD prevent this? Wouldn't that be also specified on the server, somehow? In which case the DBA could just tweak that too, no? In other words, this issue seems mostly orthogonal to the AEAD, and the right solution would be to allow the client to define which columns have to be encrypted (in which case altering the server definition would not be enough). > That would only protect against a > _completely_ passive DBA, like someone reading unencrypted backups, > etc. And that still has a lot of value, certainly. But it seems like > this prototype is very close to a system where the client can reliably > secure data even if the server isn't trustworthy, if that's a use case > you're interested in. > Right. IMHO the "passive attacker" is a perfectly fine model for use cases that would be fine with e.g. pgcrypto if there was no risk of leaking plaintext values to logs, system catalogs, etc. If we can improve it to provide (at least some) protection against active attackers, that'd be a nice bonus. >> I believe TCE can do AEAD at the column level, which protects against >> attacks that flipping bits, and similar attacks. It's just a matter of >> how the client encrypts the data. > > Right, I think authenticated encryption ciphers (without AD) will be > important to support in practice. I think users are going to want > *some* protection against active attacks. > >> Extending it to protect the whole row seems tricky, because the client >> may not even know the other columns, and it's not clear to me how it'd >> deal with things like updates of the other columns, hint bits, dropped >> columns, etc. > > Covering the entire row automatically probably isn't super helpful in > practice. As you mention later: > >> It's probably possible to get something like this (row-level AEAD) by >> encrypting enriched data, i.e. not just the card number, but {user ID, >> card number} or something like that, and verify that in the webapp. The >> problem of course is that the "user ID" is just another column in the >> table, and there's nothing preventing the DBA from modifying that too. > > Right. That's why the client has to be able to choose AD according to > the application. In my previous example, the victim's email address can > be copied by the DBA, but they wouldn't be able to authenticate as that > user and couldn't convince the client to use the plaintext on their > behalf. > Well, yeah. But I'm not sure how to make that work easily, because the client may not have the data :-( I was thinking about using a composite data type combining the data with the extra bits - that'd not be all that transparent as it'd require the client to build this manually and then also cross-check it after loading the data. So the user would be responsible for having all the data. But doing that automatically/transparently seems hard, because how would you deal e.g. with SELECT queries reading data through a view or CTE? How would you declare this, either at the client or server? Do any other databases have this capability? How do they do it? regards -- Tomas Vondra EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company