Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mucZd-0003K4-3T for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 15:40:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mucZb-0005SV-W2 for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 15:40:07 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mucZ7-0000Iv-D9 for pgsql-hackers@lists.postgresql.org; Tue, 07 Dec 2021 15:39:38 +0000 Received: from out5-smtp.messagingengine.com ([66.111.4.29]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mucZ3-0002jh-OI for pgsql-hackers@postgresql.org; Tue, 07 Dec 2021 15:39:36 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 971DE5C019E; Tue, 7 Dec 2021 10:39:32 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 07 Dec 2021 10:39:32 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=CvkiugDRqTKuxRP8CTHOpgTZdZR+bBaQ9mHucDdXG qM=; b=QwCWl7PrQC5jZx0PDIzNI37iS1zWvPCnpW4ds6DsykUobZVXWU1vLJUCZ QhuzxeC6SffolZsyKPDQ/PigkUzSRUA+nYEeLiAbTIoTrMM3zWsWReXLKAGA5vgD IZv+swF2DV8VwnjWc+o6G0UBlhYzJJm548I+25c+3knYuArrf5eNo8rqOk4pZoWD fxe4GK3WUinzi3kTZtn7DJ7ad5JGgCFa/6aXg7TjKvlge6wztQmsGVtsT1IDml4Q M81HTRWRfWKwTx8OMMwGtqcy+Spnkpx+nKOxgD872wWMOHVs1lciidycOZfDDTcz G0GfGs95vKJJBjXTE0vfcu+i7dMkA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrjeehgdekudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefkffggfgfuvfhfhfgjtgfgsehtjeertddtfeejnecuhfhrohhmpefrvghtvghr ucfgihhsvghnthhrrghuthcuoehpvghtvghrrdgvihhsvghnthhrrghuthesvghnthgvrh hprhhishgvuggsrdgtohhmqeenucggtffrrghtthgvrhhnpeefjeegheetuefhveevudel ueeftdejteeiffetvdduhfdtieefgfeutedtveeggfenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpvghtvghrrdgvihhsvghnthhrrghuthes vghnthgvrhhprhhishgvuggsrdgtohhm X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 7 Dec 2021 10:39:30 -0500 (EST) Message-ID: Date: Tue, 7 Dec 2021 16:39:29 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2 Subject: Re: Transparent column encryption Content-Language: en-US To: Jacob Champion , "pgsql-hackers@postgresql.org" References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> From: Peter Eisentraut In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 06.12.21 21:44, Jacob Champion wrote: > I think reusing a zero IV will potentially leak more information than > just equality, depending on the cipher in use. You may be interested in > synthetic IVs and nonce-misuse resistance (e.g. [1]), since they seem > like they would match this use case exactly. (But I'm not a > cryptographer.) I'm aware of this and plan to make use of SIV. The current implementation is just an example. > Have you given any thought to AEAD? As a client I'd like to be able to > tie an encrypted value to other column (or external) data. For example, > AEAD could be used to prevent a DBA from copying the (encrypted) value > of my credit card column into their account's row to use it. I don't know how that is supposed to work. When the value is encrypted for insertion, the client may know things like table name or column name, so it can tie it to those. But it doesn't know what row it will go in, so you can't prevent the value from being copied into another row. You would need some permanent logical row ID for this, I think. For this scenario, the deterministic encryption mode is perhaps not the right one. >> This is not targeting PostgreSQL 15. But I'd appreciate some feedback >> on the direction. > > What kinds of attacks are you hoping to prevent (and not prevent)? The point is to prevent admins from getting at plaintext data. The scenario you show is an interesting one but I think it's not meant to be addressed by this. If admins can alter the database to their advantage, they could perhaps increase their account balance, create discount codes, etc. also. If this is a problem, then perhaps a better approach would be to store parts of the data in a separate database with separate admins.