Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: searching for encrypted fields in data columns
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steve Jorgensen wrote:
<snip>
> If you use PKI-style encryption, you can make the encryption key
> public, and
> the decryption key private. This way, you can encrypt a card
> number, then do
> a search for a match on that value. Since the card number will
> encrypt identically each time, the search will match.
<snip>
Hi,
As a matter of fact, your assumption is not quite true. While there
are asymmetric encryption algorithms that *do* output the same
ciphertext for a certain plaintext with a certain key, most are not
like that, at least not most secure implementations. For example,
using RSA, padding is almost always applied to the plaintext before
encryption. This padding serves multiple purposes: it expands the
plaintext to the correct length, it can (in some cases) catch a
faulty decryption, and it prevents the same ciphertext from resulting
from the same plaintext. The padding is random within a set of rules,
thus introducing a small amount of random plaintext into the mixture.
This plaintext basically randomizes the whole ciphertext, making it
impossible to search in this way.
This is really a good thing, not a bad thing, for the very reason you mention: if an attacker matches up a block of plaintext with a block of ciphertext, without padding, the attacker would have knowledge of the plaintext block everywhere its encrypted form occurred in the ciphertext. With padding, the attacker only knows the one instance of the plaintext, even if the same original plaintext exists elsewhere.
Symmetric encryption uses a slightly different mechanism: while you can implement encryption that turns each plaintext into only one ciphertext, one more usually uses some kind of feedback mode with an initialization vector to prevent just such attacks. Look into Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB) if you're interested.
If we're talking about credit card numbers, I'd like to think they're being stored with top-of-the-line encryption here, which would by nature include padding or feedback of some type.
iD8DBQFATUI3nwjA8LryK2IRAkt9AKCqI4qw0RhZm7cke+DfJ0GocmrbyACg4Lgy
aGIGs3HMji5luSrFZchoHzo=
=I1S9
-----END PGP SIGNATURE-----
Received on Tue Mar 09 2004 - 01:04:04 CST