Re: storing an explicit nonce
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Bruce Momjian <bruce@momjian.us>
Cc: Antonin Houska <ah@cybertec.at>, Robert Haas <robertmhaas@gmail.com>, Ants Aasma <ants@cybertec.at>, Sasasu <i@sasa.su>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-10-11T17:30:38Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Rethink method for assigning OIDs to the template0 and postgres DBs.
- 2cb1272445d2 15.0 landed
-
pg_upgrade: Preserve database OIDs.
- aa01051418f1 15.0 landed
-
pg_upgrade: Preserve relfilenodes and tablespace OIDs.
- 9a974cbcba00 15.0 landed
-
Fix for new Boolean node
- cf925936ecc0 15.0 cited
-
Improve error handling of HMAC computations
- 5513dc6a304d 15.0 cited
-
Add macro RelationIsPermanent() to report relation permanence
- 95d77149c535 14.0 landed
-
Enhance nbtree index tuple deletion.
- d168b666823b 14.0 cited
Greetings, * Bruce Momjian (bruce@momjian.us) wrote: > On Fri, Oct 8, 2021 at 02:34:20PM -0400, Stephen Frost wrote: > > What I think is missing from this discussion is the fact that, with XTS > > (and XEX, on which XTS is built), the IV *is* run through a forward > > cipher function, just as suggested above needs to be done for CBC. I > > don't see any reason to doubt that OpenSSL is correctly doing that. > > > > This article shows this pretty clearly: > > > > https://en.wikipedia.org/wiki/Disk_encryption_theory > > > > I don't think that changes the fact that, if we're able to, we should be > > varying the tweak/IV as often as we can, and including the LSN seems > > like a good way to do just that. > > Keep in mind that in our existiing code (not my patch), the LSN is zero > for unlogged relations, a fixed value for some GiST index pages, and > unchanged for some hint bit changes. Therefore, while we can include > the LSN in the IV because it _might_ help, we can't rely on it. Regarding unlogged LSNs at least, I would think that we'd want to actually use GetFakeLSNForUnloggedRel() instead of just having it zero'd out. The fixed value for GiST index pages is just during the index build process, as I recall, and that's perhaps less of a concern. Part of the point of using XTS is to avoid the issue of the LSN not being changed when hint bits are, or more generally not being unique in various cases. > We probably need to have a discussion about whether LSN and checksum > should be encrypted on the page. I think we are currently leaning to no > encryption for LSN because we can use it as part of the nonce (where is > it is variable) and encrypting the checksum for rudimenary integrity > checking. Yes, that's the direction that I was thinking also and specifically with XTS as the encryption algorithm to allow us to exclude the LSN but keep everything else, and to address the concern around the nonce/tweak/etc being the same sometimes across multiple writes. Another thing to consider is if we want to encrypt zero'd page. There was a point brought up that if we do then we are encrypting a fair bit of very predictable bytes and that's not great (though there's a fair bit about our pages that someone could quite possibly predict anyway based on table structures and such...). I would think that if it's easy enough to not encrypt zero'd pages that we should avoid doing so. Don't recall offhand which way zero'd pages were being handled already but thought it made sense to mention that as part of this discussion. Thanks, Stephen