Quick Links

Re: storing an explicit nonce

From:	Bruce Momjian <bruce(at)momjian(dot)us>
To:	Stephen Frost <sfrost(at)snowman(dot)net>
Cc:	Ants Aasma <ants(at)cybertec(dot)at>, Sasasu <i(at)sasa(dot)su>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject:	Re: storing an explicit nonce
Date:	2021-10-06 20:08:29
Message-ID:	20211006200829.GF20296@momjian.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Wed, Oct 6, 2021 at 03:17:00PM -0400, Stephen Frost wrote:
> Greetings,
>
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > On Tue, Oct 5, 2021 at 04:29:25PM -0400, Bruce Momjian wrote:
> > > On Tue, Sep 28, 2021 at 12:30:02PM +0300, Ants Aasma wrote:
> > > > On Mon, 27 Sept 2021 at 23:34, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > > We are still working on our TDE patch. Right now the focus is on refactoring
> > > > temporary file access to make the TDE patch itself smaller. Reconsidering
> > > > encryption mode choices given concerns expressed is next. Currently a viable
> > > > option seems to be AES-XTS with LSN added into the IV. XTS doesn't have an
-----------------------------------------------------
> > > > issue with predictable IV and isn't totally broken in case of IV reuse.
> > >
> > > Uh, yes, AES-XTS has benefits, but since it is a block cipher, previous
> > > 16-byte blocks affect later blocks, meaning that hint bit changes would
> > > also affect later blocks. I think this means we would need to write WAL
> > > full page images for hint bit changes to avoid torn pages. Right now
> > > hint bit (single bit) changes can be lost without causing torn pages.
> > > This was another of the advantages of using a stream cipher like CTR.
> >
> > Another problem caused by block mode ciphers is that to use the LSN as
> > part of the nonce, the LSN must not be encrypted, but you then have to
> > find a 16-byte block in the page that you don't need to encrypt.
>
> With AES-XTS, we don't need to use the LSN as part of the nonce though,
> so I don't think this argument is actually valid..? As discussed
> previously regarding AES-XTS, the general idea was to use the path to
> the file and the filename itself plus the block number as the IV, and
> that works fine for XTS because it's ok to reuse it (unlike with CTR).

Yes, I would prefer we don't use the LSN. I only mentioned it since
Ants Aasma mentioned LSN use above.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.

In response to

Re: storing an explicit nonce at 2021-10-06 19:17:00 from Stephen Frost

Responses

Re: storing an explicit nonce at 2021-10-07 14:26:56 from Stephen Frost
Re: storing an explicit nonce at 2021-10-07 18:38:45 from Ants Aasma

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Peter Geoghegan	2021-10-06 20:11:58	Re: BUG #17212: pg_amcheck fails on checking temporary relations
Previous Message	Mark Dilger	2021-10-06 20:01:26	Re: Role Self-Administration