Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oCPPT-0002OV-3W for pgsql-hackers@arkaria.postgresql.org; Fri, 15 Jul 2022 17:47:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oCPPR-00069Z-Cn for pgsql-hackers@arkaria.postgresql.org; Fri, 15 Jul 2022 17:47:25 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oCPPR-00069Q-22 for pgsql-hackers@lists.postgresql.org; Fri, 15 Jul 2022 17:47:25 +0000 Received: from mail-pj1-x102f.google.com ([2607:f8b0:4864:20::102f]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1oCPPO-0006Jd-Hn for pgsql-hackers@postgresql.org; Fri, 15 Jul 2022 17:47:23 +0000 Received: by mail-pj1-x102f.google.com with SMTP id 89-20020a17090a09e200b001ef7638e536so12198972pjo.3 for ; Fri, 15 Jul 2022 10:47:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=message-id:date:mime-version:user-agent:subject:content-language :references:from:to:in-reply-to:content-transfer-encoding; bh=uZSquwXWqqS6tPKyaOPlM8nFflFyYPYAdmtvcEYznTk=; b=VScj3QNsuRM1EYbzRW+k0zSdxJlCvVp3fDKK7K1RBzNlzU3tp9MYmPMfEVihp1haDM u4Ra/2Ji/7RQuDkDyq+NAWPT5prvk/Zzprg+rBjSbM6ts7Z+/+W/JTF8FXklos1KqiYx /h7kHY2psMso47NbB62YkQpExGsTUjisE7PkNePWiF8ePc7qynU8seYw8SidLeeiANz5 nap8hwXz2S0tJPNYH0XO5+vtdBy7BmMoRw3UyPtzkXUi11kTjJLE/U+8PbSgRBBS8ktE 6W1yZR+V/a5tM7bvjvSPhjXw3JJrjqBOaiTJ5ItrzJQP9VBgyLTfzY7dlC5/qXHU/D4w TpNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:references:from:to:in-reply-to :content-transfer-encoding; bh=uZSquwXWqqS6tPKyaOPlM8nFflFyYPYAdmtvcEYznTk=; b=A7dBcxyPIHYMZAoO1+CB52m7LhRJ+5pkAMigczwjH1IqHsNng/RIpdxhk8hlNvUIUW JEqTGS6kVx3/pAEa1Akapc3v6592GhgBia4au6WWJlhRg71kGUIFhYRpCsp0EYvdtBr3 7teEZJaSz0jq0rhG8wP5DPMR+iuIzN5tnFPJgAXBKJKml4m/GF27VmmqS1MLMCPVjwrc 4YJTp1Ad0hMRDJk5Jtlg+GA2P8p6hFe8aQDIo0NioJiY/bB66xsYYZGbNHK5Q0qBicKP gHQp9AOlxDyAASOnV84PIAi7nWpsaH6wLoBHknxmCp6/f/8eRx6RPDkjD3bs+pOVnLCY Z5GA== X-Gm-Message-State: AJIora8QPHrHCHh6eHBEb/4HMtUqE+4NDEwU79vgW6yfPwx3ohdmhnzs 90f41UE1OOGRZXHlz4GZMZY8Sg== X-Google-Smtp-Source: AGRyM1t+OGU0adHfBOJzKL+FoaomPoDxXQEe9jYaFZv9saSZXbcHmbtYNOTZ0WxIXPTi1BY4a7osgw== X-Received: by 2002:a17:902:ea42:b0:16c:ca53:816c with SMTP id r2-20020a170902ea4200b0016cca53816cmr3310271plg.94.1657907241208; Fri, 15 Jul 2022 10:47:21 -0700 (PDT) Received: from [192.168.1.21] ([50.39.205.221]) by smtp.gmail.com with ESMTPSA id b15-20020a170902650f00b00163d76696e1sm3803028plk.102.2022.07.15.10.47.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 15 Jul 2022 10:47:20 -0700 (PDT) Message-ID: <9e664928-95ce-4da5-5fd1-6dad3f68c5b5@timescale.com> Date: Fri, 15 Jul 2022 10:47:20 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: Transparent column encryption Content-Language: en-US References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> <48a9f2c2-4a57-27d8-7c53-16a23a01014e@enterprisedb.com> <79f08a39-a7da-5157-cef4-378fb60c18f8@enterprisedb.com> <258c5064-437e-f41e-7537-5e8c343c33cc@enterprisedb.com> From: Jacob Champion To: Peter Eisentraut , pgsql-hackers In-Reply-To: <258c5064-437e-f41e-7537-5e8c343c33cc@enterprisedb.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 7/12/22 11:29, Peter Eisentraut wrote: > > Updated patch, to resolve some merge conflicts. Thank you for working on this; it's an exciting feature. > The CEK key > material is in turn encrypted by an assymmetric key called the column > master key (CMK). I'm not yet understanding why the CMK is asymmetric. Maybe you could use the public key to add ephemeral, single-use encryption keys that no one but the private key holder could use (after you forget them on your side, that is). But since the entire column is encrypted with a single CEK, you would essentially only be able to do that if you created an entirely new column or table; do I have that right? I'm used to public keys being safe for... publication, but if I'm understanding correctly, it's important that the server admin doesn't get hold of the public key for your CMK, because then they could substitute their own CEKs transparently and undermine future encrypted writes. That seems surprising. Am I just missing something important about RSAES-OAEP? > +#define PG_CEK_AEAD_AES_128_CBC_HMAC_SHA_256 130 > +#define PG_CEK_AEAD_AES_192_CBC_HMAC_SHA_384 131 > +#define PG_CEK_AEAD_AES_256_CBC_HMAC_SHA_384 132 > +#define PG_CEK_AEAD_AES_256_CBC_HMAC_SHA_512 133 It looks like these ciphersuites were abandoned by the IETF. Are there existing implementations of them that have been audited/analyzed? Are they safe (and do we know that the claims made in the draft are correct)? How do they compare to other constructions like AES-GCM-SIV and XChacha20-Poly1305? > +-- \gencr > +-- (This just tests the parameter passing; there is no encryption here.) > +CREATE TABLE test_gencr (a int, b text); > +INSERT INTO test_gencr VALUES (1, 'one') \gencr > +SELECT * FROM test_gencr WHERE a = 1 \gencr > + a | b > +---+----- > + 1 | one > +(1 row) > + > +INSERT INTO test_gencr VALUES ($1, $2) \gencr 2 'two' > +SELECT * FROM test_gencr WHERE a IN ($1, $2) \gencr 2 3 > + a | b > +---+----- > + 2 | two > +(1 row) I'd expect \gencr to error out without sending plaintext. I know that under the hood this is just setting up a prepared statement, but if I'm using \gencr, presumably I really do want to be encrypting my data. Would it be a problem to always set force-column-encryption for the parameters we're given here? Any unencrypted columns could be provided directly. Another idle thought I had was that it'd be nice to have some syntax for providing a null value to \gencr (assuming I didn't overlook it in the patch). But that brings me to... > + > + Null values are not encrypted by transparent column encryption; null values > + sent by the client are visible as null values in the database. If the fact > + that a value is null needs to be hidden from the server, this information > + needs to be encoded into a nonnull value in the client somehow. > + This is a major gap, IMO. Especially with the switch to authenticated ciphers, because it means you can't sign your NULL values. And having each client or user that's out there solve this with a magic in-band value seems like a recipe for pain. Since we're requiring "canonical" use of text format, and the docs say there are no embedded or trailing nulls allowed in text values, could we steal the use of a single zero byte to mean NULL? One additional complication would be that the client would have to double-check that we're not writing a NULL into a NOT NULL column, and complain if it reads one during decryption. Another complication would be that the client would need to complain if it got a plaintext NULL. (The need for robust client-side validation of encrypted columns might be something to expand on in the docs more generally, since before this feature, it could probably be assumed that the server was buggy if it sent you unparsable junk in a column.) > + > + The associated data in these algorithms consists of 4 > + bytes: The ASCII letters P and G > + (byte values 80 and 71), followed by the algorithm ID as a 16-bit unsigned > + integer in network byte order. > + Is this AD intended as a placeholder for the future, or does it serve a particular purpose? Thanks, --Jacob