Dear Takayuki Tsunakawa.
> -----Original Message-----
> From: Tsunakawa, Takayuki [mailto:tsunakawa.takay@jp.fujitsu.com]
> Sent: Thursday, June 14, 2018 9:58 AM
> To: 'Tomas Vondra'; Moon, Insung; pgsql-hackers@postgresql.org
> Subject: RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
>
> > From: Tomas Vondra [mailto:tomas.vondra@2ndquadrant.com]
> > On 05/25/2018 01:41 PM, Moon, Insung wrote:
> > > BTW, I want to support CBC mode encryption[3]. However, I'm not sure
> > > how to use the IV in CBC mode for this proposal. I'd like to hear
> > > opinions by security engineer.
> > >
> >
> > I'm not a cryptographer either, but this is exactly where you need a
> > prior discussion about the threat models - there are a couple of
> > chaining modes, each with different weaknesses.
> Our products use XTS, which recent FDE software like BitLocker and TrueCrypt uses instead of CBC.
>
> https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
>
> "According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than the other approved confidentiality-only modes against unauthorized manipulation of the encrypted data.""
Thank you for your advice!
Yes. I found that CBC is not safe at this time.
So let's use XTS mode or GCM mode as you mentioned.
Thank you and Best regards.
Moon.
>
>
>
> > FWIW it may also matter if data_checksums are enabled, because that
> > may prevent malleability attacks affecting of the modes. Assuming
> > active attacker (with the ability to modify the data files) is part of
> > the threat model, of course.
>
> Encrypt the page after embedding its checksum value. If a malicious attacker modifies a page on disk, then the decrypted page would be corrupt anyway, which can be detected by checksum.
>
>
> Regards
> Takayuki Tsunakawa
>
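The two points raised in the quoted text (a confidentiality-only mode needs a checksum embedded inside the encrypted page to notice on-disk manipulation, and an authenticated mode rejects the manipulation by itself) can be exercised end to end. The following Go program is an added example written for this thread; it is not code from the proposal or from PostgreSQL. It assumes a constructed page layout (an 8 KiB page whose first 4 bytes hold a CRC32 over the rest, standing in for the real page header and checksum algorithm), constructed demo key material, and only the Go standard library. The standard library has no XTS, so AES-CBC stands in for the confidentiality-only mode (XTS, as the SP 800-38E quote says, is also confidentiality-only and needs the same checksum), and AES-GCM shows the authenticated alternative Moon mentions. A single flipped ciphertext bit models the attacker's disk write.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed layout (assumption): 8 KiB page, first 4 bytes = CRC32 over the rest.
const pageSize = 8192

// Constructed demo key material; a real deployment fetches these from a KMS.
var (
	demoKey   = bytes.Repeat([]byte{0x42}, 32)          // AES-256 key
	demoIV    = bytes.Repeat([]byte{0x01}, aes.BlockSize) // CBC IV
	demoNonce = bytes.Repeat([]byte{0x02}, 12)          // GCM nonce (never reuse per key)
)

// buildPage embeds the checksum first; the whole page is encrypted afterwards.
func buildPage(payload []byte) []byte {
	page := make([]byte, pageSize)
	copy(page[4:], payload)
	binary.LittleEndian.PutUint32(page[:4], crc32.ChecksumIEEE(page[4:]))
	return page
}

// verifyPage recomputes the embedded checksum after decryption.
func verifyPage(page []byte) bool {
	if len(page) != pageSize {
		return false
	}
	return binary.LittleEndian.Uint32(page[:4]) == crc32.ChecksumIEEE(page[4:])
}

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// CBC: confidentiality only. pageSize is a multiple of 16, so no padding.
func cbcEncrypt(key, iv, page []byte) []byte {
	out := make([]byte, len(page))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, page)
	return out
}

func cbcDecrypt(key, iv, ct []byte) []byte {
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, ct)
	return out
}

// GCM: authenticated. Open returns an error on any change to the ciphertext.
func gcmSeal(key, nonce, page []byte) []byte {
	g, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return g.Seal(nil, nonce, page, nil)
}

func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	g, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return g.Open(nil, nonce, ct, nil)
}

// flipBit models an on-disk modification of one bit of stored ciphertext.
func flipBit(ct []byte, offset int) []byte {
	t := append([]byte(nil), ct...)
	t[offset] ^= 0x01
	return t
}

// changedBytes counts differing positions between two equal-length buffers.
func changedBytes(a, b []byte) int {
	n := 0
	for i := range a {
		if a[i] != b[i] {
			n++
		}
	}
	return n
}

// cbcTamperDetected: CBC-encrypt a checksummed page, flip a ciphertext bit,
// decrypt, and report whether the checksum caught it plus how much plaintext
// changed (CBC garbles the touched block and flips one bit of the next one,
// so the damage may miss the checksum field; the CRC over the page still sees it).
func cbcTamperDetected(payload []byte, offset int) (detected bool, changed int) {
	page := buildPage(payload)
	got := cbcDecrypt(demoKey, demoIV, flipBit(cbcEncrypt(demoKey, demoIV, page), offset))
	return !verifyPage(got), changedBytes(page, got)
}

// gcmTamperDetected: same experiment with GCM; decryption itself fails.
func gcmTamperDetected(payload []byte, offset int) bool {
	_, err := gcmOpen(demoKey, demoNonce, flipBit(gcmSeal(demoKey, demoNonce, buildPage(payload)), offset))
	return err != nil
}

func main() {
	payload := []byte("constructed tuple data") // constructed sample page content
	det, changed := cbcTamperDetected(payload, 100)
	fmt.Printf("CBC: tamper detected=%v, plaintext bytes changed=%d\n", det, changed)
	fmt.Printf("GCM: tamper detected=%v\n", gcmTamperDetected(payload, 100))
}
```

The CBC run shows why the checksum must cover the whole page rather than a header field: a flipped ciphertext bit at byte 100 leaves at most 17 plaintext bytes changed, none of them in the checksum field, yet the recomputed CRC still mismatches. The GCM run never reaches the checksum because `Open` refuses the modified ciphertext; that is the "authentication" the SP 800-38E quote says XTS lacks.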