Comments (2)
- In HMAC we use one more part for hashing: the client's key. It cryptographically separates searchable pieces of the encrypted data between clients. For example, when you use just hashing for first-name encryption, you get HASH("John") == HASH("John"). So an attacker will know all rows in the database with similar names. If he has his own created row (via the legal UI or user flow as a standard user) with the name "John", he can find his own row by the hash of this first name, and then find all "John"s in the database. When we use separate keys for every client, an attacker can find only similar values in the set of rows of one client, not all in the database, and all other clients' data are not compromised. HMACing values adds one more dimension of values. With a set of 10k unique first names, hashing produces a 1D dimension of 10k values. Using HMAC and unique keys per client, it produces a 2D dimension with X keys * 10k values.
- Connect to Acra with another TLS certificate that changes the clientID used for encryption/decryption operations. In the default configuration, switching between users/clients works by changing TLS certificates.
- On encryption failures, Acra will interrupt connection processing and close the connection to prevent the propagation of unprotected data. To reproduce, you can start Acra, establish a DB session via a driver or CLI client, and after that remove/rename the libthemis.so library used as the crypto backend. It will cause runtime errors on the key decryption operation (which always precedes any data encryption/decryption operation).
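The point made in the first comment, that an unkeyed hash lets one client's search token match every other client's rows while a per-client HMAC confines matches to that client, can be seen directly in a small model. The following is an added example, not code from the Acra project: the rows, the client identifiers and the per-client keys are constructed stand-ins, and the function names (plain_token, keyed_token, rows_linkable_from, token_space_size) are hypothetical. It also counts how many distinct tokens each scheme produces, which is the "one more dimension" the comment describes.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample table of (client_id, first_name). In a real deployment only
# the search token reaches the database; the plaintext column is encrypted.
ROWS = [
    ("client_a", "John"),
    ("client_a", "Alice"),
    ("client_b", "John"),
    ("client_c", "John"),
    ("client_c", "Bob"),
]

# Hypothetical per-client keys: one random key per clientID, standing in for the
# keys a proxy such as Acra would select from the client's TLS identity.
CLIENT_KEYS = {cid: secrets.token_bytes(32) for cid in ("client_a", "client_b", "client_c")}


def plain_token(value: str) -> str:
    """Unkeyed SHA-256: identical plaintext gives an identical token for every client."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(client_id: str, value: str) -> str:
    """HMAC-SHA256 under the client's own key: identical plaintext gives different tokens per client."""
    return hmac.new(CLIENT_KEYS[client_id], value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(keyed: bool) -> dict:
    """Map each stored search token to the rows carrying it, as the database would hold them."""
    index = defaultdict(list)
    for cid, name in ROWS:
        tok = keyed_token(cid, name) if keyed else plain_token(name)
        index[tok].append((cid, name))
    return index


def rows_linkable_from(client_id: str, name: str, keyed: bool) -> int:
    """Rows an actor holding client_id's token for `name` can link together.

    Models the scenario in the comment: a standard user of client_id creates a row
    with first name `name` through the normal UI, learns that row's token, and looks
    for every other row carrying the same token.
    """
    index = build_index(keyed)
    tok = keyed_token(client_id, name) if keyed else plain_token(name)
    # Token comparison uses hmac.compare_digest, the constant-time comparison a
    # lookup against secret-derived values should use.
    return sum(len(rows) for t, rows in index.items() if hmac.compare_digest(t, tok))


def token_space_size(keyed: bool) -> int:
    """Number of distinct tokens stored: names only (1D) versus keys x names (2D)."""
    return len(build_index(keyed))


if __name__ == "__main__":
    print("plain hash, 'John' linkable from client_a:", rows_linkable_from("client_a", "John", keyed=False))
    print("per-client HMAC, 'John' linkable from client_a:", rows_linkable_from("client_a", "John", keyed=True))
    print("distinct tokens, plain hash:", token_space_size(keyed=False))
    print("distinct tokens, per-client HMAC:", token_space_size(keyed=True))
```

With the unkeyed hash the token for "John" obtained from client_a's own row matches all three "John" rows across clients; with per-client HMAC it matches only the one row belonging to client_a, and the stored token space grows from three distinct values (one per name) to five (one per key and name pair).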
Thank you for your answer