RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Moon, Insung <moon_insung_i3@lab.ntt.co.jp>
From: "Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>
To: "'Tsunakawa, Takayuki'" <tsunakawa.takay@jp.fujitsu.com>,
<pgsql-hackers@postgresql.org>
Date: 2018-07-03T11:48:10Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
Dear Takayuki Tsunakawa. > -----Original Message----- > From: Tsunakawa, Takayuki [mailto:tsunakawa.takay@jp.fujitsu.com] > Sent: Thursday, June 14, 2018 9:58 AM > To: 'Tomas Vondra'; Moon, Insung; pgsql-hackers@postgresql.org > Subject: RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) > > > From: Tomas Vondra [mailto:tomas.vondra@2ndquadrant.com] > > On 05/25/2018 01:41 PM, Moon, Insung wrote: > > > BTW, I want to support CBC mode encryption[3]. However, I'm not sure > > > how to use the IV in CBC mode for this proposal. I'd like to hear > > > opinions by security engineer. > > > > > > > I'm not a cryptographer either, but this is exactly where you need a > > prior discussion about the threat models - there are a couple of > > chaining modes, each with different weaknesses. > Our products uses XTS, which recent FDE software like BitLocker and TrueCrypt uses instead of CBC. > > https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS > > "According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than the > other approved confidentiality-only modes against unauthorized manipulation of the encrypted data."" Thank your for your advice! Yes. I found that CBC is not safe at this time. So let's use XTS mode or GCM mode as you mentioned. Thank you and Best regards. Moon. > > > > > FWIW it may also matter if data_checksums are enabled, because that > > may prevent malleability attacks affecting of the modes. Assuming > > active attacker (with the ability to modify the data files) is part of > > the threat model, of course. > > Encrypt the page after embedding its checksum value. If a malicious attacker modifies a page on disk, then the decrypted > page would be corrupt anyway, which can be detected by checksum. > > > Regards > Takayuki Tsunakawa >