Re: Adding deprecation notices to pgcrypto documentation

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Adding deprecation notices to pgcrypto documentation
Date: 2024-03-06 10:50:51
Message-ID: F76CC26E-AEB4-4F9B-A646-E69B9433D0B1@yesql.se
Lists: pgsql-hackers

> On 6 Mar 2024, at 10:57, Peter Eisentraut <peter(at)eisentraut(dot)org> wrote:
>
> On 05.03.24 11:50, Daniel Gustafsson wrote:
>>> * Should we actually document the exact list of algorithms along with
>>> detailed reasons? This list seems prone to becoming outdated.
>> If we don't detail the list then I think that it's not worth doing; doing the
>> research isn't entirely trivial as one might not even know where to look or
>> what to look for.
>> I don't think this list will move faster than we can keep up with it,
>> especially since it's more or less listing everything that pgcrypto supports at
>> this point.
>
> The more detail we provide, the more detailed questions can be asked about it.

To make it more palatable then, let's remove everything apart from the NIST
recommendations?

> The introduction says certain algorithms are vulnerable to attacks. Is 3DES vulnerable to attacks? Or just deprecated?

Both, 3DES in CBC mode is vulnerable to birthday attacks (CVE-2016-2183) and is
disallowed for encryption (NIST-SP800-131A) after 2023.

> What about something like CAST5? This is in the OpenSSL legacy provider, but I don't think it's known to be vulnerable. Is its status different from 3DES?

CAST is vulnerable but CAST5, which is another name for CAST-128, is not known
to be vulnerable as long as a 128 bit key is used (which is what pgcrypto uses).
It is AFAIK considered a legacy cipher due to the small block size.

> It says MD5 should not be used for digital signatures. But is password hashing a digital signature? How are these related? Similarly about SHA-1, which has a different level of detail.

A digital signature is a mathematical construction to verify the authenticity
of a message, so I guess password hashing falls under that. The fact that MD5
is vulnerable to collision attacks makes MD5 a particularly poor choice for
that particular application IMO.

> Blowfish is advised against, but by whom? By us?

Blowfish in CBC mode is vulnerable to birthday attacks (CVE-2016-6329). The
author of Blowfish, among others, had this to say in 2007 [0]:

"There weren't enough alternatives to DES out there. I wrote Blowfish
as such an alternative, but I didn't even know if it would survive a
year of cryptanalysis. Writing encryption algorithms is hard, and it's
always amazing if one you write actually turns out to be secure. At
this point, though, I'm amazed it's still being used. If people ask, I
recommend Twofish instead."

--
Daniel Gustafsson

[0] https://web.archive.org/web/20161202063854/https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/?pp=3
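As an added illustration (not part of the thread or of pgcrypto), the birthday bound behind the "small block size" point above: how much data can be encrypted under one key before two ciphertext blocks are likely to repeat, for the 64-bit block ciphers named here (3DES, Blowfish, CAST5) versus AES's 128-bit block. The block sizes are the algorithms' published parameters; the probabilities use the standard birthday approximation.

```python
import math

# Block sizes (bits) of the ciphers discussed in the thread. These are the
# algorithms' published parameters, not values taken from the message.
BLOCK_BITS = {
    "3des": 64,
    "blowfish": 64,
    "cast5": 64,
    "aes": 128,
}


def collision_probability(block_bits: int, n_bytes: int) -> float:
    """Approximate probability that two ciphertext blocks collide after
    encrypting n_bytes under a single key (birthday bound, 1 - e^(-n^2/2N)).

    In CBC mode a repeated ciphertext block reveals the XOR of the two
    corresponding plaintext blocks; that is why 64-bit block ciphers are
    affected by the birthday attacks cited above (CVE-2016-2183, CVE-2016-6329).
    """
    n_blocks = n_bytes / (block_bits // 8)
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n_blocks ** 2) / (2.0 * space))


def bytes_until_probability(block_bits: int, p: float) -> float:
    """Bytes encryptable under one key before the collision probability
    reaches p (inverse of the approximation above)."""
    space = 2.0 ** block_bits
    n_blocks = math.sqrt(-2.0 * space * math.log(1.0 - p))
    return n_blocks * (block_bits // 8)


def safe_data_limits(p: float = 0.5) -> dict:
    """Per-cipher data volume (bytes) at which a block collision is as
    likely as not; a defender can compare this with per-key traffic."""
    return {name: bytes_until_probability(bits, p)
            for name, bits in BLOCK_BITS.items()}


if __name__ == "__main__":
    for name, limit in safe_data_limits().items():
        print(f"{name:9s} {BLOCK_BITS[name]:3d}-bit blocks: "
              f"p(collision)=0.5 after ~{limit / 2**30:.1f} GiB")
```

For the 64-bit ciphers the limit is a few tens of gigabytes per key, a volume a busy database can reach; for AES it is on the order of 10^20 bytes.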
