RE: Why the index is not used ?

From: ROS Didier <didier(dot)ros(at)edf(dot)fr>
To: "phil_tnlcz_endecott(at)chezphil(dot)org" <phil_tnlcz_endecott(at)chezphil(dot)org>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: RE: Why the index is not used ?
Date: 2018-10-08 12:02:50
Message-ID: 0f723a9063f14e2096eb36e720a8048b@PCYINTPEXMU001.NEOPROD.EDF.FR
Lists: pgsql-general pgsql-performance pgsql-sql

Hi Phil

Thank you for this recommendation, but I posted on this public list only generic examples that have nothing to do with the work done in my company.
These examples serve me only to discuss the subject of data encryption and performance.
My answers to your remarks:

>>
Why do you need to search by credit card number?
<<
Again, this is just an example. I just want to find a solution to query a column containing encrypted data with good performance.

>>
one option is to use an encryption function that doesn't salt the data
<<
I am interested. Can you give some examples of these encryption functions that don't salt the data?

Best Regards
Didier ROS
-----Original Message-----
From: phil_tnlcz_endecott(at)chezphil(dot)org [mailto:phil_tnlcz_endecott(at)chezphil(dot)org]
Sent: Sunday, October 7, 2018 21:17
To: ROS Didier <didier(dot)ros(at)edf(dot)fr>; pgsql-general(at)lists(dot)postgresql(dot)org
Subject: RE: Why the index is not used ?

Hello Didier,

Your email is didier(dot)ros(at)edf(dot)fr. Are you working at Electricite de France, and storing actual customers' credit card details? How many millions of them?

Note that this mailing list is public; people looking for targets with poor security from which they can harvest credit card numbers might be reading it.
And after you are hacked and all your customers' credit card details are made public, someone will find this thread.

> it's not the best solution, but we have data encryption needs and good
> performance needs too. I do not know how to do it except the specified
> procedure..

You should probably employ someone who knows what they are doing.

Sorry for being so direct, but really... storing large quantities of credit card details is the textbook example of something that has to be done correctly.

> if anyone has any proposals to put this in place, I'm interested.

Why do you need to search by credit card number?

If you really really need to do that, then one option is to use an encryption function that doesn't salt the data. Or you could store part of the number (last 4 digits?), or an unsalted hash of the number, unencrypted and indexed, and then you need only to sequentially decrypt (using the salted encryption) e.g. 1/10000 of the card numbers. But there are complex security issues and tradeoffs involved here. You probably need to comply with regulations (e.g. "PCI standards") which will specify what is allowed and what isn't. And if you didn't already know that, you shouldn't be doing this.

Good luck, I suppose.

Phil.

P.S. It seems that you were asking about this a year ago, and got the same answers...
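
The indexed-lookup options described in the message above, sketched for PostgreSQL with the pgcrypto extension as an added example (not code from the thread). The table, column, index and key names are hypothetical, and a keyed HMAC stands in for the unsalted hash so the indexed value cannot be recomputed from a list of candidate numbers without the key.

```sql
-- Added example; card_demo, its columns and both keys are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE card_demo (
    card_id    bigserial PRIMARY KEY,
    card_enc   bytea NOT NULL,  -- pgp_sym_encrypt(): salted, equal numbers give different bytes
    card_last4 text  NOT NULL,  -- part of the number, stored unencrypted
    card_bidx  bytea NOT NULL   -- HMAC-SHA256 of the number: deterministic, so indexable
);
CREATE INDEX card_demo_last4_idx ON card_demo (card_last4);
CREATE INDEX card_demo_bidx_idx  ON card_demo (card_bidx);

-- $1 = card number, $2 = encryption key, $3 = separate HMAC key.
-- Both keys come from the application as parameters and are never stored in the table.
PREPARE add_card(text, text, text) AS
INSERT INTO card_demo (card_enc, card_last4, card_bidx)
VALUES (pgp_sym_encrypt($1, $2), right($1, 4), hmac($1, $3, 'sha256'));

-- Option A: the index narrows the search to rows sharing the last 4 digits;
-- only those candidates are decrypted and compared.
PREPARE find_by_last4(text, text) AS
SELECT card_id
FROM card_demo
WHERE card_last4 = right($1, 4)
  AND pgp_sym_decrypt(card_enc, $2) = $1;

-- Option B: equality on the deterministic keyed hash, no decryption needed
-- ($1 = card number, $2 = HMAC key).
PREPARE find_by_hmac(text, text) AS
SELECT card_id
FROM card_demo
WHERE card_bidx = hmac($1, $2, 'sha256');

-- Constructed test values (well-known test card numbers, placeholder keys).
EXECUTE add_card('4111111111111111', 'enc-key-placeholder', 'idx-key-placeholder');
EXECUTE add_card('4111111111111111', 'enc-key-placeholder', 'idx-key-placeholder');
EXECUTE add_card('5555555555554444', 'enc-key-placeholder', 'idx-key-placeholder');

-- The same number stored twice yields two different card_enc values but one
-- card_bidx value, which is why only the latter supports an equality index.
SELECT count(DISTINCT card_enc)  AS distinct_ciphertexts,
       count(DISTINCT card_bidx) AS distinct_hmacs
FROM card_demo;

EXECUTE find_by_last4('4111111111111111', 'enc-key-placeholder');
EXECUTE find_by_hmac('4111111111111111', 'idx-key-placeholder');
```

Both indexed columns reveal which rows hold the same number (and, for `card_last4`, part of the number itself), so they narrow the search at the cost of leaking equality to anyone who can read the table.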
