Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: searching for encrypted fields in data columns

Re: searching for encrypted fields in data columns

From: Chris <chris2k01_at_hotmail.com>
Date: Tue, 09 Mar 2004 07:04:04 GMT
Message-ID: <E%d3c.171712$Hy3.145042@edtnps89>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Jorgensen wrote:

<snip>
> If you use PKI-style encryption, you can make the encryption key
> public, and
> the decryption key private. This way, you can encrypt a card
> number, then do
> a search for a match on that value. Since the card number will
> encrypt identically each time, the search will match.
<snip>

Hi,
As a matter of fact, your assumption is not quite true. While there are asymmetric encryption algorithms that *do* output the same ciphertext for a certain plaintext with a certain key, most are not like that, at least not most secure implementations. For example, using RSA, padding is almost always applied to the plaintext before encryption. This padding serves multiple purposes: it expands the plaintext to the correct length, it can (in some cases) catch a faulty decryption, and it prevents the same ciphertext from resulting from the same plaintext. The padding is random within a set of rules, thus introducing a small amount of random plaintext into the mixture. This plaintext basically randomizes the whole ciphertext, making it impossible to search in this way.

This is really a good thing, not a bad thing, for the very reason you mention: if an attacker matches up a block of plaintext with a block of ciphertext, without padding, the attacker would have knowledge of the plaintext block everywhere its encrypted form occurred in the ciphertext. With padding, the attacker only knows the one instance of the plaintext, even if the same original plaintext exists elsewhere.

Symmetric encryption uses a slightly different mechanism: while you can implement encryption that turns each plaintext into only one ciphertext, one more usually uses some kind of feedback mode with an initialization vector to prevent just such attacks. Look into Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB) if you're interested.

If we're talking about credit card numbers, I'd like to think they're being stored with top-of-the-line encryption here, which would by nature include padding or feedback of some type.

iD8DBQFATUI3nwjA8LryK2IRAkt9AKCqI4qw0RhZm7cke+DfJ0GocmrbyACg4Lgy aGIGs3HMji5luSrFZchoHzo=
=I1S9
-----END PGP SIGNATURE----- Received on Tue Mar 09 2004 - 01:04:04 CST

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US