On Tue, 2021-12-07 at 22:21 +0100, Tomas Vondra wrote:
> IMO it's impossible to solve this attack within TCE, because it requires
> ensuring consistency at the row level, but TCE obviously works at column
> level only.
I was under the impression that clients already had to be modified to
figure out how to encrypt the data? If part of that process ends up
including enforcement of encryption for a specific column set, then the
addition of AEAD data could hypothetically be part of that hand-
waviness.
Unless "transparent" means that the client completely defers to the
server on whether to encrypt or not, and silently goes along with it if
the server tells it not to encrypt? That would only protect against a
_completely_ passive DBA, like someone reading unencrypted backups,
etc. And that still has a lot of value, certainly. But it seems like
this prototype is very close to a system where the client can reliably
secure data even if the server isn't trustworthy, if that's a use case
you're interested in.
> I believe TCE can do AEAD at the column level, which protects against
> attacks that flipping bits, and similar attacks. It's just a matter of
> how the client encrypts the data.
Right, I think authenticated encryption ciphers (without AD) will be
important to support in practice. I think users are going to want
*some* protection against active attacks.
> Extending it to protect the whole row seems tricky, because the client
> may not even know the other columns, and it's not clear to me how it'd
> deal with things like updates of the other columns, hint bits, dropped
> columns, etc.
Covering the entire row automatically probably isn't super helpful in
practice. As you mention later:
> It's probably possible to get something like this (row-level AEAD) by
> encrypting enriched data, i.e. not just the card number, but {user ID,
> card number} or something like that, and verify that in the webapp. The
> problem of course is that the "user ID" is just another column in the
> table, and there's nothing preventing the DBA from modifying that too.
Right. That's why the client has to be able to choose AD according to
the application. In my previous example, the victim's email address can
be copied by the DBA, but they wouldn't be able to authenticate as that
user and couldn't convince the client to use the plaintext on their
behalf.
--Jacob