From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Tom Kincaid <tomjohnkincaid(at)gmail(dot)com> |
Subject: | Re: storing an explicit nonce |
Date: | 2021-05-25 23:54:22 |
Message-ID: | 20210525235421.GQ20766@tamriel.snowman.net |
Lists: | pgsql-hackers |
Greetings,
* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, May 25, 2021 at 05:25:36PM -0400, Stephen Frost wrote:
> > * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > > On Tue, May 25, 2021 at 05:15:55PM -0400, Stephen Frost wrote:
> > > > > We already discussed that there are too many other ways to break system
> > > > > integrity that are not encrypted/integrity-checked, e.g., changes to
> > > > > clog. Do you disagree?
> > > >
> > > > We had agreed that this wasn't something that was strictly required in
> > > > the first version and I continue to agree with that. On the other hand,
> > > > if we decide that we ultimately need to use an independent nonce and
> > > > further that we can make room in the special space for it, then it's
> > > > trivial to also include the tag and we absolutely should (or make it
> > > > optional to do so) in that case.
> > >
> > > Well, if we can't really say the data has integrity, what do the
> > > validation bytes accomplish? And if we are going to encrypt everything
> > > that would allow integrity, we need to encrypt almost the entire file
> > > system.
> >
> > I'm not following this logic. The primary data would be guaranteed to
> > be unchanged and there is absolutely value in that, even if the metadata
> > is not guaranteed to be unmolested. Security always comes with a lot of
> > tradeoffs. RLS doesn't prevent certain side-channel attacks but it
> > still is extremely useful in a great many cases.
>
> Well, changing the clog would change how the integrity-protected data is
> interpreted, so I don't see much value in it.
I hate to have to say it, but no, it's simply not correct to presume
that the ability to manipulate any data means that it's not valuable to
protect anything. Further, while clog could be manipulated today,
hopefully one day it would become quite difficult to do so. I'm not
asking for that today, or to be in v15, but if we do come down on the
side of making space in the special area for a nonce, then, even if you
don't feel it's useful, I would strongly argue to have an option for
space to also exist for a tag to go.
Even if your claim that it's useless until clog is addressed were
correct, which I dispute, surely if we do one day have such validation
of clog we would also need a tag in the regular user pages, so why not
add the option while it's easy to do and let users decide if it's useful
to them or not?
This does presume that we ultimately agree on the approach which
involves the special area, of course.
Thanks,
Stephen
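As an added illustration of the point argued above (example code written for this page, not code from the thread or from PostgreSQL; it uses Go's standard-library AES-GCM instead of PostgreSQL's C and OpenSSL so it runs with no dependencies): a constructed page layout that keeps the per-page nonce and the AEAD tag in a trailing special space, so that any change to the encrypted body is detected when the page is read. The layout, sizes and key are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed layout (assumption, not PostgreSQL's real page format):
// [ encrypted body ][ special space: 12-byte nonce | 16-byte tag ]
const nonceLen, tagLen = 12, 16

// sealPage encrypts body under a fresh random nonce and stores nonce and
// authentication tag in the trailing special space.
func sealPage(aead cipher.AEAD, body []byte) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, body, nil) // ciphertext followed by the tag
	page := make([]byte, 0, len(body)+nonceLen+tagLen)
	page = append(page, ct[:len(body)]...)
	page = append(page, nonce...)
	return append(page, ct[len(body):]...), nil
}

// openPage checks the tag and decrypts; any change to body, nonce or tag
// yields an error instead of plaintext, which is what the tag buys us.
func openPage(aead cipher.AEAD, page []byte) ([]byte, error) {
	if len(page) < nonceLen+tagLen {
		return nil, fmt.Errorf("page of %d bytes has no special space", len(page))
	}
	bodyLen := len(page) - nonceLen - tagLen
	nonce := page[bodyLen : bodyLen+nonceLen]
	ct := append(append([]byte{}, page[:bodyLen]...), page[bodyLen+nonceLen:]...)
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed key
	aead, _ := cipher.NewGCM(block)
	page, _ := sealPage(aead, []byte("heap tuple: xmin=1001 value=42"))
	page[3] ^= 0x01 // simulate an on-disk change to the encrypted body
	_, err := openPage(aead, page)
	fmt.Println("page tampering detected:", err != nil) // true
}
```

The tag covers only the bytes inside the page, so a change to clog, as raised earlier in the thread, is outside what it can catch; which structures to authenticate is the scope question the thread leaves open.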