On Wed, Jun 20, 2018 at 06:19:40PM -0400, Joe Conway wrote:
> On 06/20/2018 05:12 PM, Bruce Momjian wrote:
> > On Mon, Jun 18, 2018 at 11:06:20AM -0400, Joe Conway wrote:
> >>> At the same time, having to have a bunch of independently-decipherable
> >>> short field values is not real secure either, especially if they're known
> >>> to all be encrypted with the same key. But what you know or can guess
> >>> about the plaintext in such cases would be target-specific, rather than
> >>> an attack that could be built once and used against any PG database.
> >>
> >> Again, it is dependent on the specific solution for encryption. In some
> >> cases you might do something like generate a single use random key,
> >> encrypt the payload with that, encrypt the single use key with the
> >> "global" key, append the two results and store.
> >
> > Even if they are encrypted with the same key, they use different
> > initialization vectors that are stored inside the encrypted payload, so
> > you really can't identify much except the length, as Robert stated.
>
> The more you encrypt with a single key, the more fuel you give to the
> person trying to solve for the key with cryptanalysis.
>
> By encrypting only essentially random data (the single use keys,
> generated with a cryptographically strong random number generator) with
> the "master key", and then encrypting the actual payloads (which are
> presumably more predictable than the strong random single use keys), you
> minimize the probability of someone cracking your master key and you
> also minimize the damage caused by someone cracking one of the single
> use keys.
Yeah, I have a slide about that too, and the previous and next slide:

	http://momjian.us/main/writings/crypto_hw_use.pdf#page=90

The more different keys you use to encrypt data, the more places you
have to store them.

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+                     Ancient Roman grave inscription +
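The single-use-key scheme Joe describes above, with the per-value IV stored inside the ciphertext as Bruce notes, as an added example in Go (not code from this thread or from PostgreSQL): AES-256-GCM envelope encryption that stores seal(master, DEK) || seal(DEK, payload). The function names, the 32-byte DEK and the 12-byte GCM nonce are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Stored layout: seal(master, DEK) || seal(DEK, payload); each seal is AES-256-GCM nonce||ciphertext||tag.
const wrappedDEKLen = 12 + 32 + 16 // GCM nonce + 32-byte DEK + GCM tag

// gcmFor builds an AES-GCM AEAD for a 16/24/32-byte key; a wrong length is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal returns nonce||ciphertext||tag; the fresh random nonce (IV) inside the value keeps equal plaintexts from yielding equal ciphertexts.
func seal(gcm cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read aborts instead of returning an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or any tampering fails authentication. Callers ensure len(sealed) >= nonce size.
func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// EnvelopeEncrypt: the master key encrypts only a random single-use DEK; the more predictable payload goes under the DEK.
func EnvelopeEncrypt(masterKey, payload []byte) []byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	return append(seal(gcmFor(masterKey), dek), seal(gcmFor(dek), payload)...)
}
// EnvelopeDecrypt unwraps the DEK, then the payload; short or tampered input is an error, not a panic.
func EnvelopeDecrypt(masterKey, stored []byte) ([]byte, error) {
	if len(stored) < wrappedDEKLen+12 { // wrapped DEK plus at least the payload nonce
		return nil, errors.New("stored value too short")
	}
	dek, err := open(gcmFor(masterKey), stored[:wrappedDEKLen])
	if err != nil {
		return nil, err
	}
	return open(gcmFor(dek), stored[wrappedDEKLen:])
}
```

Storing the wrapped DEK next to its ciphertext is what keeps the key-storage count Bruce mentions at one: only the master key needs separate custody.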