Dear Takayuki Tsunakawa.

> -----Original Message-----
> From: Tsunakawa, Takayuki [mailto:tsunakawa.ta...@jp.fujitsu.com]
> Sent: Thursday, June 14, 2018 9:58 AM
> To: 'Tomas Vondra'; Moon, Insung; pgsql-hack...@postgresql.org
> Subject: RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key
> Management Service (KMS)
>
> > From: Tomas Vondra [mailto:tomas.von...@2ndquadrant.com]
> > On 05/25/2018 01:41 PM, Moon, Insung wrote:
> > > BTW, I want to support CBC mode encryption[3]. However, I'm not sure
> > > how to use the IV in CBC mode for this proposal. I'd like to hear
> > > opinions by security engineer.
> > >
> >
> > I'm not a cryptographer either, but this is exactly where you need a
> > prior discussion about the threat models - there are a couple of
> > chaining modes, each with different weaknesses.
>
> Our products use XTS, which recent FDE software like BitLocker and TrueCrypt
> uses instead of CBC.
>
> https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
>
> "According to SP 800-38E, "In the absence of authentication or access
> control, XTS-AES provides more protection than the
> other approved confidentiality-only modes against unauthorized manipulation
> of the encrypted data.""

Thank you for your advice! Yes. I found that CBC is not safe at this time.
So let's use XTS mode or GCM mode as you mentioned.

Thank you and Best regards.
Moon.

>
> >
> > FWIW it may also matter if data_checksums are enabled, because that
> > may prevent malleability attacks affecting the modes. Assuming
> > active attacker (with the ability to modify the data files) is part of
> > the threat model, of course.
>
> Encrypt the page after embedding its checksum value. If a malicious attacker
> modifies a page on disk, then the decrypted
> page would be corrupt anyway, which can be detected by checksum.
>
>
> Regards
> Takayuki Tsunakawa
>
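Tsunakawa's "checksum first, encrypt second" ordering, as an added Go example that is not code from the thread or from PostgreSQL: it assumes a constructed page layout with a CRC32 in bytes 0-3 standing in for the real page checksum field, uses AES-CBC (the mode Moon originally asked about; Go's standard library has no XTS) with a random per-page IV, and shows that a byte changed on "disk" after encryption is caught when the page is decrypted and its checksum recomputed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

const pageSize = 8192 // PostgreSQL's default block size

// sealPage stores a CRC32 of the page body in bytes 0-3 (a constructed stand-in
// for the page checksum field), then AES-CBC-encrypts the page with a fresh IV.
func sealPage(key, page []byte) (iv, ct []byte, err error) {
	if len(page) != pageSize {
		return nil, nil, fmt.Errorf("page must be %d bytes", pageSize)
	}
	buf := make([]byte, pageSize)
	copy(buf, page)
	binary.LittleEndian.PutUint32(buf[:4], crc32.ChecksumIEEE(buf[4:]))
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	iv = make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	ct = make([]byte, pageSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, buf)
	return iv, ct, nil
}

// openPage decrypts and recomputes the checksum; ok == false means the on-disk
// bytes changed (CBC garbles the altered block and bit-flips the next one).
func openPage(key, iv, ct []byte) (page []byte, ok bool, err error) {
	if len(ct) != pageSize || len(iv) != aes.BlockSize {
		return nil, false, fmt.Errorf("bad ciphertext or IV length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false, err
	}
	page = make([]byte, pageSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(page, ct)
	want := binary.LittleEndian.Uint32(page[:4])
	return page, crc32.ChecksumIEEE(page[4:]) == want, nil
}
```

A CRC is an integrity check, not a MAC: it reliably flags accidental or crude corruption, but only an authenticated mode such as the GCM Moon mentions makes an undetected modification computationally infeasible.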