Comments (2)
- In HMAC we use one more part for hashing: the client's key. It cryptographically separates searchable pieces of the encrypted data between clients. For example, when you use just hashing for first name encryption, you get `HASH("John") == Hash("John")`. So an attacker will know all rows in the database with similar names. If he has his own row (created through the legal UI or user flow as a standard user) with the name "John", he can find his own row by the hash of this first name, and then find all "John"s in the database. When we use separate keys for every client, an attacker can find only similar values in the set of rows of one client, not all in the database, and all other client data are not compromised. HMACing values adds one more dimension of values. With a set of 10k unique first names, hashing produces a 1D dimension of 10k values. Using HMAC and unique keys per client, it produces a 2D dimension with X keys * 10k values.
- Connect to Acra with another TLS certificate that changes the clientID used for encryption/decryption operations. In the default configuration, switching between users/clients works by changing TLS certificates.
- On encryption failures, Acra will interrupt connection processing and close the connection to prevent the propagation of unprotected data. To reproduce, you can start Acra, establish a DB session via a driver or CLI client, and after that remove/rename the libthemis.so library used as the crypto backend. It will cause runtime errors on the key decryption operation (which always precedes any data encryption/decryption operation).
from acra.
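The difference between an unkeyed hash and a per-client HMAC as a search index, as an added example that is not part of the comment above and is not Acra's own code. It uses generic HMAC-SHA256; the rows, client names and keys are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows: (row_id, client_id, first_name). Not Acra data.
ROWS = [
    (1, "client_a", "John"),
    (2, "client_a", "Alice"),
    (3, "client_b", "John"),
    (4, "client_b", "John"),
    (5, "client_c", "John"),
]

# Constructed per-client keys (assumption: real keys come from a key store).
CLIENT_KEYS = {
    "client_a": b"\x01" * 32,
    "client_b": b"\x02" * 32,
    "client_c": b"\x03" * 32,
}


def plain_index(value: str) -> str:
    """Unkeyed search index: the same value hashes identically for every client."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_index(client_id: str, value: str) -> str:
    """Keyed search index: HMAC-SHA256 under the owning client's key."""
    key = CLIENT_KEYS[client_id]
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_table(keyed: bool) -> dict:
    """Return {row_id: stored_index}, the searchable column as seen in the database."""
    return {
        row_id: keyed_index(cid, name) if keyed else plain_index(name)
        for row_id, cid, name in ROWS
    }


def rows_linked_to(table: dict, known_row: int) -> list:
    """Rows whose stored index equals that of one row with known plaintext."""
    return sorted(r for r, idx in table.items() if idx == table[known_row])


def distinct_indexes(table: dict) -> int:
    """Number of different index values in the column (1D vs keys x values)."""
    return len(set(table.values()))
```

With row 3 (client_b, "John") as the known row, the unkeyed column links it to every "John" in the table, while the keyed column links it only to client_b's own rows.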
Thank you for your answer
from acra.