Re: storing an explicit nonce

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Ants Aasma <ants(at)cybertec(dot)at>, Sasasu <i(at)sasa(dot)su>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: storing an explicit nonce
Date: 2021-10-07 14:26:56
Message-ID: 20211007142656.GA20998@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Wed, Oct 6, 2021 at 03:17:00PM -0400, Stephen Frost wrote:
> > * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > > On Tue, Oct 5, 2021 at 04:29:25PM -0400, Bruce Momjian wrote:
> > > > On Tue, Sep 28, 2021 at 12:30:02PM +0300, Ants Aasma wrote:
> > > > > On Mon, 27 Sept 2021 at 23:34, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > > > We are still working on our TDE patch. Right now the focus is on refactoring
> > > > > temporary file access to make the TDE patch itself smaller. Reconsidering
> > > > > encryption mode choices given concerns expressed is next. Currently a viable
> > > > > option seems to be AES-XTS with LSN added into the IV. XTS doesn't have an
> -----------------------------------------------------
> > > > > issue with predictable IV and isn't totally broken in case of IV reuse.
> > > >
> > > > Uh, yes, AES-XTS has benefits, but since it is a block cipher, previous
> > > > 16-byte blocks affect later blocks, meaning that hint bit changes would
> > > > also affect later blocks. I think this means we would need to write WAL
> > > > full page images for hint bit changes to avoid torn pages. Right now
> > > > hint bit (single bit) changes can be lost without causing torn pages.
> > > > This was another of the advantages of using a stream cipher like CTR.
> > >
> > > Another problem caused by block mode ciphers is that to use the LSN as
> > > part of the nonce, the LSN must not be encrypted, but you then have to
> > > find a 16-byte block in the page that you don't need to encrypt.
> >
> > With AES-XTS, we don't need to use the LSN as part of the nonce though,
> > so I don't think this argument is actually valid..? As discussed
> > previously regarding AES-XTS, the general idea was to use the path to
> > the file and the filename itself plus the block number as the IV, and
> > that works fine for XTS because it's ok to reuse it (unlike with CTR).
>
> Yes, I would prefer we don't use the LSN. I only mentioned it since
> Ants Aasma mentioned LSN use above.

Ohhh, apologies for missing that, makes more sense now.

Thanks!

Stephen
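An added illustration of the XTS scheme sketched above (not code from this thread or from the TDE patch): the 16-byte tweak is derived from the relation's file path plus the block number, and the demo shows what "tweak reuse" means in practice: re-encrypting the same page at the same location yields the same ciphertext, a single hint-bit flip changes only the 16-byte cipher block that contains it, and the same content at another block number is unrelated. The tweak derivation (SHA-256, truncated), the sample path and key, and the use of the `cryptography` library are this example's own assumptions.

```python
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PAGE_SIZE = 8192   # PostgreSQL default block size
AES_BLOCK = 16

def xts_tweak(relpath: str, block_no: int) -> bytes:
    """Assumed derivation: SHA-256 over path || block number, truncated to 16 bytes.
    Both inputs are public; for XTS that is acceptable, unlike a CTR IV."""
    msg = relpath.encode("utf-8") + block_no.to_bytes(8, "little")
    return hashlib.sha256(msg).digest()[:AES_BLOCK]

def encrypt_page(key: bytes, relpath: str, block_no: int, page: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.XTS(xts_tweak(relpath, block_no))).encryptor()
    return enc.update(page) + enc.finalize()   # whole data unit in one call

def decrypt_page(key: bytes, relpath: str, block_no: int, ct: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(xts_tweak(relpath, block_no))).decryptor()
    return dec.update(ct) + dec.finalize()

def changed_blocks(a: bytes, b: bytes) -> list:
    """Indices of the 16-byte cipher blocks that differ between two ciphertexts."""
    return [i // AES_BLOCK for i in range(0, len(a), AES_BLOCK)
            if a[i:i + AES_BLOCK] != b[i:i + AES_BLOCK]]

def demo() -> dict:
    key = bytes(range(64))                       # constructed 512-bit key (two AES-256 keys)
    relpath = "base/16384/16385"                 # constructed relation file path
    page = bytes((i * 31) % 251 for i in range(PAGE_SIZE))   # constructed page content
    ct_a = encrypt_page(key, relpath, 7, page)
    flipped = bytearray(page)
    flipped[100] ^= 0x01                         # flip one "hint bit" at byte offset 100
    ct_b = encrypt_page(key, relpath, 7, bytes(flipped))
    ct_c = encrypt_page(key, relpath, 8, page)   # same content, different block number
    return {
        "roundtrip": decrypt_page(key, relpath, 7, ct_a) == page,
        "hint_bit_blocks": changed_blocks(ct_a, ct_b),          # only block 6 (100 // 16)
        "same_tweak_deterministic": encrypt_page(key, relpath, 7, page) == ct_a,
        "other_block_differs": changed_blocks(ct_a, ct_c),      # every block
    }
```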
