1 <!-- doc/src/sgml/pgcrypto.sgml -->
3 <sect1 id="pgcrypto" xreflabel="pgcrypto">
4 <title>pgcrypto</title>
6 <indexterm zone="pgcrypto">
7 <primary>pgcrypto</primary>
10 <indexterm zone="pgcrypto">
11 <primary>encryption</primary>
12 <secondary>for specific columns</secondary>
16 The <filename>pgcrypto</filename> module provides cryptographic functions for
17 <productname>PostgreSQL</productname>.
21 <title>General Hashing Functions</title>
24 <title><function>digest()</function></title>
27 <primary>digest</primary>
31 digest(data text, type text) returns bytea
32 digest(data bytea, type text) returns bytea
36 Computes a binary hash of the given <parameter>data</parameter>.
37 <parameter>type</parameter> is the algorithm to use.
38 Standard algorithms are <literal>md5</literal>, <literal>sha1</literal>,
39 <literal>sha224</literal>, <literal>sha256</literal>,
40 <literal>sha384</literal> and <literal>sha512</literal>.
41 If <filename>pgcrypto</filename> was built with
42 OpenSSL, more algorithms are available, as detailed in
43 <xref linkend="pgcrypto-with-without-openssl"/>.
47 If you want the digest as a hexadecimal string, use
48 <function>encode()</function> on the result. For example:
50 CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
51 SELECT encode(digest($1, 'sha1'), 'hex')
52 $$ LANGUAGE SQL STRICT IMMUTABLE;
58 <title><function>hmac()</function></title>
61 <primary>hmac</primary>
65 hmac(data text, key text, type text) returns bytea
66 hmac(data bytea, key bytea, type text) returns bytea
70 Calculates hashed MAC for <parameter>data</parameter> with key <parameter>key</parameter>.
71 <parameter>type</parameter> is the same as in <function>digest()</function>.
75 This is similar to <function>digest()</function> but the hash can only be
76 recalculated knowing the key. This prevents the scenario of someone
77 altering data and also changing the hash to match.
81 If the key is larger than the hash block size it will first be hashed and
82 the result will be used as key.
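The tampering scenario described above, as an added example that is not part of the original pgcrypto documentation. The table ledger, its columns and the inline key literal are hypothetical; in practice the key is supplied by the application and is not stored beside the data.

```sql
-- Added example: hypothetical table, constructed sample rows and key.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE ledger (
    id      int   PRIMARY KEY,
    payload text  NOT NULL,
    tag     bytea NOT NULL          -- hmac(payload, key, 'sha256')
);

-- The writer knows the key and stores a keyed tag with every row.
INSERT INTO ledger (id, payload, tag)
SELECT v.id, v.payload, hmac(v.payload, 'constructed-demo-key', 'sha256')
FROM (VALUES (1, 'acct=42;amount=100'),
             (2, 'acct=43;amount=250')) AS v(id, payload);

-- Someone with write access but without the key alters row 2 and
-- recomputes an unkeyed digest() so that data and hash still "match".
UPDATE ledger
SET payload = 'acct=43;amount=999999',
    tag     = digest('acct=43;amount=999999'::text, 'sha256')
WHERE id = 2;

-- The verifier recomputes the HMAC with the key. A tag that was not
-- produced with the same key and payload does not compare equal, so the
-- altered row is the one where "intact" is not true.
SELECT id,
       payload,
       tag = hmac(payload, 'constructed-demo-key', 'sha256') AS intact
FROM ledger
ORDER BY id;
```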
88 <title>Password Hashing Functions</title>
91 The functions <function>crypt()</function> and <function>gen_salt()</function>
92 are specifically designed for hashing passwords.
93 <function>crypt()</function> does the hashing and <function>gen_salt()</function>
94 prepares algorithm parameters for it.
98 The algorithms in <function>crypt()</function> differ from the usual
99 MD5 or SHA1 hashing algorithms in the following respects:
105 They are slow. As the amount of data is so small, this is the only
106 way to make brute-forcing passwords hard.
111 They use a random value, called the <firstterm>salt</firstterm>, so that users
112 having the same password will have different password hashes.
113 This is also an additional defense against reversing the algorithm.
118 They include the algorithm type in the result, so passwords hashed with
119 different algorithms can co-exist.
124 Some of them are adaptive — that means when computers get
125 faster, you can tune the algorithm to be slower, without
126 introducing incompatibility with existing passwords.
132 <xref linkend="pgcrypto-crypt-algorithms"/> lists the algorithms
133 supported by the <function>crypt()</function> function.
136 <table id="pgcrypto-crypt-algorithms">
137 <title>Supported Algorithms for <function>crypt()</function></title>
141 <entry>Algorithm</entry>
142 <entry>Max Password Length</entry>
143 <entry>Adaptive?</entry>
144 <entry>Salt Bits</entry>
145 <entry>Output Length</entry>
146 <entry>Description</entry>
151 <entry><literal>bf</literal></entry>
156 <entry>Blowfish-based, variant 2a</entry>
159 <entry><literal>md5</literal></entry>
160 <entry>unlimited</entry>
164 <entry>MD5-based crypt</entry>
167 <entry><literal>xdes</literal></entry>
172 <entry>Extended DES</entry>
175 <entry><literal>des</literal></entry>
180 <entry>Original UNIX crypt</entry>
187 <title><function>crypt()</function></title>
190 <primary>crypt</primary>
194 crypt(password text, salt text) returns text
198 Calculates a crypt(3)-style hash of <parameter>password</parameter>.
199 When storing a new password, you need to use
200 <function>gen_salt()</function> to generate a new <parameter>salt</parameter> value.
201 To check a password, pass the stored hash value as <parameter>salt</parameter>,
202 and test whether the result matches the stored value.
205 Example of setting a new password:
207 UPDATE ... SET pswhash = crypt('new password', gen_salt('md5'));
211 Example of authentication:
213 SELECT (pswhash = crypt('entered password', pswhash)) AS pswmatch FROM ... ;
215 This returns <literal>true</literal> if the entered password is correct.
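The store, verify and upgrade cycle described above, as an added example that is not part of the original pgcrypto documentation. The table app_user, its columns, the sample passwords and the cost values 10 and 12 are assumptions; the inventory query relies on pgcrypto's bf hashes starting with $2a$ followed by the two-digit iteration count, and its md5 hashes starting with $1$.

```sql
-- Added example: hypothetical table and constructed passwords.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE app_user (
    login   text PRIMARY KEY,
    pswhash text NOT NULL
);

-- New password: gen_salt() picks the algorithm, the iteration count and a
-- random salt; crypt() stores all three at the front of its result.
INSERT INTO app_user (login, pswhash) VALUES
    ('alice', crypt('constructed-pass-1', gen_salt('bf', 10))),
    ('bob',   crypt('constructed-pass-2', gen_salt('md5')));  -- legacy row

-- Authentication: the stored hash is passed as the salt, so crypt() reuses
-- the algorithm, count and salt that the hash was created with.
SELECT login
FROM app_user
WHERE login = 'alice'
  AND pswhash = crypt('constructed-pass-1', pswhash);

-- Inventory: because the algorithm type is part of the result, hashes made
-- with different algorithms and counts can be told apart in one column.
SELECT login,
       CASE WHEN pswhash LIKE '$2a$%' THEN 'bf'
            WHEN pswhash LIKE '$1$%'  THEN 'md5'
            ELSE 'des/xdes'
       END AS algorithm,
       CASE WHEN pswhash LIKE '$2a$%'
            THEN substr(pswhash, 5, 2)::int
       END AS bf_iter_count
FROM app_user
ORDER BY login;

-- Upgrade on successful login: the clear-text password is only available
-- at that moment, so that is when a weaker hash can be replaced.
UPDATE app_user
SET pswhash = crypt('constructed-pass-2', gen_salt('bf', 12))
WHERE login = 'bob'
  AND pswhash = crypt('constructed-pass-2', pswhash)
  AND CASE WHEN pswhash LIKE '$2a$%'
           THEN substr(pswhash, 5, 2)::int < 12
           ELSE true
      END;
```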
220 <title><function>gen_salt()</function></title>
223 <primary>gen_salt</primary>
227 gen_salt(type text [, iter_count integer ]) returns text
231 Generates a new random salt string for use in <function>crypt()</function>.
232 The salt string also tells <function>crypt()</function> which algorithm to use.
236 The <parameter>type</parameter> parameter specifies the hashing algorithm.
237 The accepted types are: <literal>des</literal>, <literal>xdes</literal>,
238 <literal>md5</literal> and <literal>bf</literal>.
242 The <parameter>iter_count</parameter> parameter lets the user specify the iteration
243 count, for algorithms that have one.
244 The higher the count, the more time it takes to hash
245 the password and therefore the more time to break it. However, with
246 too high a count, the time to calculate a hash may be several years,
247 which is somewhat impractical. If the <parameter>iter_count</parameter>
248 parameter is omitted, the default iteration count is used.
249 Allowed values for <parameter>iter_count</parameter> depend on the algorithm and
250 are shown in <xref linkend="pgcrypto-icfc-table"/>.
253 <table id="pgcrypto-icfc-table">
254 <title>Iteration Counts for <function>crypt()</function></title>
258 <entry>Algorithm</entry>
259 <entry>Default</entry>
266 <entry><literal>xdes</literal></entry>
269 <entry>16777215</entry>
272 <entry><literal>bf</literal></entry>
282 For <literal>xdes</literal> there is an additional limitation that the
283 iteration count must be an odd number.
287 To pick an appropriate iteration count, consider that
288 the original DES crypt was designed to have the speed of 4 hashes per
289 second on the hardware of that time.
290 Slower than 4 hashes per second would probably dampen usability.
291 Faster than 100 hashes per second is probably too fast.
295 <xref linkend="pgcrypto-hash-speed-table"/> gives an overview of the relative slowness
296 of different hashing algorithms.
297 The table shows how much time it would take to try all
298 combinations of characters in an 8-character password, assuming
299 that the password contains either only lower case letters, or
300 upper- and lower-case letters and numbers.
301 In the <literal>crypt-bf</literal> entries, the number after a slash is
302 the <parameter>iter_count</parameter> parameter of
303 <function>gen_salt</function>.
306 <table id="pgcrypto-hash-speed-table">
307 <title>Hash Algorithm Speeds</title>
311 <entry>Algorithm</entry>
312 <entry>Hashes/sec</entry>
313 <entry>For <literal>[a-z]</literal></entry>
314 <entry>For <literal>[A-Za-z0-9]</literal></entry>
315 <entry>Duration relative to <literal>md5 hash</literal></entry>
320 <entry><literal>crypt-bf/8</literal></entry>
322 <entry>4 years</entry>
323 <entry>3927 years</entry>
327 <entry><literal>crypt-bf/7</literal></entry>
329 <entry>2 years</entry>
330 <entry>1929 years</entry>
334 <entry><literal>crypt-bf/6</literal></entry>
336 <entry>1 year</entry>
337 <entry>982 years</entry>
341 <entry><literal>crypt-bf/5</literal></entry>
343 <entry>188 days</entry>
344 <entry>521 years</entry>
348 <entry><literal>crypt-md5</literal></entry>
349 <entry>171584</entry>
350 <entry>15 days</entry>
351 <entry>41 years</entry>
355 <entry><literal>crypt-des</literal></entry>
356 <entry>23221568</entry>
357 <entry>157.5 minutes</entry>
358 <entry>108 days</entry>
362 <entry><literal>sha1</literal></entry>
363 <entry>37774272</entry>
364 <entry>90 minutes</entry>
365 <entry>68 days</entry>
369 <entry><literal>md5</literal> (hash)</entry>
370 <entry>150085504</entry>
371 <entry>22.5 minutes</entry>
372 <entry>17 days</entry>
386 The machine used is an Intel Mobile Core i3.
391 <literal>crypt-des</literal> and <literal>crypt-md5</literal> algorithm numbers are
392 taken from John the Ripper v1.6.38 <literal>-test</literal> output.
397 <literal>md5 hash</literal> numbers are from mdcrack 1.2.
402 <literal>sha1</literal> numbers are from lcrack-20031130-beta.
407 <literal>crypt-bf</literal> numbers are taken using a simple program that
408 loops over 1000 8-character passwords. That way I can show the speed
409 with different numbers of iterations. For reference: <literal>john
410 -test</literal> shows 13506 loops/sec for <literal>crypt-bf/5</literal>.
412 difference in results is in accordance with the fact that the
413 <literal>crypt-bf</literal> implementation in <filename>pgcrypto</filename>
414 is the same one used in John the Ripper.)
420 Note that <quote>try all combinations</quote> is not a realistic exercise.
421 Usually password cracking is done with the help of dictionaries, which
422 contain both regular words and various mutations of them. So, even
423 somewhat word-like passwords could be cracked much faster than the above
424 numbers suggest, while a 6-character non-word-like password may escape
431 <title>PGP Encryption Functions</title>
434 The functions here implement the encryption part of the OpenPGP (RFC 4880)
435 standard. Supported are both symmetric-key and public-key encryption.
439 An encrypted PGP message consists of 2 parts, or <firstterm>packets</firstterm>:
444 Packet containing a session key — either symmetric-key or public-key
450 Packet containing data encrypted with the session key.
456 When encrypting with a symmetric key (i.e., a password):
461 The given password is hashed using a String2Key (S2K) algorithm. This is
462 rather similar to <function>crypt()</function> algorithms — purposefully
463 slow and with random salt — but it produces a full-length binary
469 If a separate session key is requested, a new random key will be
470 generated. Otherwise the S2K key will be used directly as the session
476 If the S2K key is to be used directly, then only S2K settings will be put
477 into the session key packet. Otherwise the session key will be encrypted
478 with the S2K key and put into the session key packet.
484 When encrypting with a public key:
489 A new random session key is generated.
494 It is encrypted using the public key and put into the session key packet.
500 In either case the data to be encrypted is processed as follows:
505 Optional data-manipulation: compression, conversion to UTF-8,
506 and/or conversion of line-endings.
511 The data is prefixed with a block of random bytes. This is equivalent
512 to using a random IV.
517 An SHA1 hash of the random prefix and data is appended.
522 All this is encrypted with the session key and placed in the data packet.
528 <title><function>pgp_sym_encrypt()</function></title>
531 <primary>pgp_sym_encrypt</primary>
535 <primary>pgp_sym_encrypt_bytea</primary>
539 pgp_sym_encrypt(data text, psw text [, options text ]) returns bytea
540 pgp_sym_encrypt_bytea(data bytea, psw text [, options text ]) returns bytea
543 Encrypt <parameter>data</parameter> with a symmetric PGP key <parameter>psw</parameter>.
544 The <parameter>options</parameter> parameter can contain option settings,
550 <title><function>pgp_sym_decrypt()</function></title>
553 <primary>pgp_sym_decrypt</primary>
557 <primary>pgp_sym_decrypt_bytea</primary>
561 pgp_sym_decrypt(msg bytea, psw text [, options text ]) returns text
562 pgp_sym_decrypt_bytea(msg bytea, psw text [, options text ]) returns bytea
565 Decrypt a symmetric-key-encrypted PGP message.
568 Decrypting <type>bytea</type> data with <function>pgp_sym_decrypt</function> is disallowed.
569 This is to avoid outputting invalid character data. Decrypting
570 originally textual data with <function>pgp_sym_decrypt_bytea</function> is fine.
573 The <parameter>options</parameter> parameter can contain option settings,
579 <title><function>pgp_pub_encrypt()</function></title>
582 <primary>pgp_pub_encrypt</primary>
586 <primary>pgp_pub_encrypt_bytea</primary>
590 pgp_pub_encrypt(data text, key bytea [, options text ]) returns bytea
591 pgp_pub_encrypt_bytea(data bytea, key bytea [, options text ]) returns bytea
594 Encrypt <parameter>data</parameter> with a public PGP key <parameter>key</parameter>.
595 Giving this function a secret key will produce an error.
598 The <parameter>options</parameter> parameter can contain option settings,
604 <title><function>pgp_pub_decrypt()</function></title>
607 <primary>pgp_pub_decrypt</primary>
611 <primary>pgp_pub_decrypt_bytea</primary>
615 pgp_pub_decrypt(msg bytea, key bytea [, psw text [, options text ]]) returns text
616 pgp_pub_decrypt_bytea(msg bytea, key bytea [, psw text [, options text ]]) returns bytea
619 Decrypt a public-key-encrypted message. <parameter>key</parameter> must be the
620 secret key corresponding to the public key that was used to encrypt.
621 If the secret key is password-protected, you must give the password in
622 <parameter>psw</parameter>. If there is no password, but you want to specify
623 options, you need to give an empty password.
626 Decrypting <type>bytea</type> data with <function>pgp_pub_decrypt</function> is disallowed.
627 This is to avoid outputting invalid character data. Decrypting
628 originally textual data with <function>pgp_pub_decrypt_bytea</function> is fine.
631 The <parameter>options</parameter> parameter can contain option settings,
637 <title><function>pgp_key_id()</function></title>
640 <primary>pgp_key_id</primary>
644 pgp_key_id(bytea) returns text
647 <function>pgp_key_id</function> extracts the key ID of a PGP public or secret key.
648 Or it gives the key ID that was used for encrypting the data, if given
649 an encrypted message.
652 It can return 2 special key IDs:
657 <literal>SYMKEY</literal>
660 The message is encrypted with a symmetric key.
665 <literal>ANYKEY</literal>
668 The message is public-key encrypted, but the key ID has been removed.
669 That means you will need to try all your secret keys on it to see
670 which one decrypts it. <filename>pgcrypto</filename> itself does not produce
676 Note that different keys may have the same ID. This is rare but a normal
677 event. The client application should then try to decrypt with each one,
678 to see which fits — like handling <literal>ANYKEY</literal>.
683 <title><function>armor()</function>, <function>dearmor()</function></title>
686 <primary>armor</primary>
690 <primary>dearmor</primary>
694 armor(data bytea [ , keys text[], values text[] ]) returns text
695 dearmor(data text) returns bytea
698 These functions wrap/unwrap binary data into PGP ASCII-armor format,
699 which is basically Base64 with CRC and additional formatting.
703 If the <parameter>keys</parameter> and <parameter>values</parameter> arrays are specified,
704 an <firstterm>armor header</firstterm> is added to the armored format for each
705 key/value pair. Both arrays must be single-dimensional, and they must
706 be of the same length. The keys and values cannot contain any non-ASCII
712 <title><function>pgp_armor_headers</function></title>
715 <primary>pgp_armor_headers</primary>
719 pgp_armor_headers(data text, key out text, value out text) returns setof record
722 <function>pgp_armor_headers()</function> extracts the armor headers from
723 <parameter>data</parameter>. The return value is a set of rows with two columns,
724 key and value. If the keys or values contain any non-ASCII characters,
725 they are treated as UTF-8.
730 <title>Options for PGP Functions</title>
733 Options are named to be similar to GnuPG. An option's value should be
734 given after an equal sign; separate options from each other with commas.
737 pgp_sym_encrypt(data, psw, 'compress-algo=1, cipher-algo=aes256')
742 All of the options except <literal>convert-crlf</literal> apply only to
743 encrypt functions. Decrypt functions get the parameters from the PGP
748 The most interesting options are probably
749 <literal>compress-algo</literal> and <literal>unicode-mode</literal>.
750 The rest should have reasonable defaults.
754 <title>cipher-algo</title>
757 Which cipher algorithm to use.
760 Values: bf, aes128, aes192, aes256 (OpenSSL-only: <literal>3des</literal>, <literal>cast5</literal>)
762 Applies to: pgp_sym_encrypt, pgp_pub_encrypt
767 <title>compress-algo</title>
770 Which compression algorithm to use. Only available if
771 <productname>PostgreSQL</productname> was built with zlib.
777 2 - ZLIB compression (= ZIP plus meta-data and block CRCs)
779 Applies to: pgp_sym_encrypt, pgp_pub_encrypt
784 <title>compress-level</title>
787 How much to compress. Higher levels compress smaller but are slower.
788 0 disables compression.
793 Applies to: pgp_sym_encrypt, pgp_pub_encrypt
798 <title>convert-crlf</title>
801 Whether to convert <literal>\n</literal> into <literal>\r\n</literal> when
802 encrypting and <literal>\r\n</literal> to <literal>\n</literal> when
803 decrypting. RFC 4880 specifies that text data should be stored using
804 <literal>\r\n</literal> line-feeds. Use this to get fully RFC-compliant
810 Applies to: pgp_sym_encrypt, pgp_pub_encrypt, pgp_sym_decrypt, pgp_pub_decrypt
815 <title>disable-mdc</title>
818 Do not protect data with SHA-1. The only good reason to use this
819 option is to achieve compatibility with ancient PGP products, predating
820 the addition of SHA-1 protected packets to RFC 4880.
821 Recent gnupg.org and pgp.com software supports it fine.
826 Applies to: pgp_sym_encrypt, pgp_pub_encrypt
831 <title>sess-key</title>
834 Use a separate session key. Public-key encryption always uses a separate
835 session key; this option is for symmetric-key encryption, which by default
836 uses the S2K key directly.
841 Applies to: pgp_sym_encrypt
846 <title>s2k-mode</title>
849 Which S2K algorithm to use.
853 0 - Without salt. Dangerous!
854 1 - With salt but with fixed iteration count.
855 3 - Variable iteration count.
857 Applies to: pgp_sym_encrypt
862 <title>s2k-count</title>
865 The number of iterations of the S2K algorithm to use. It must
866 be a value between 1024 and 65011712, inclusive.
869 Default: A random value between 65536 and 253952
870 Applies to: pgp_sym_encrypt, only with s2k-mode=3
875 <title>s2k-digest-algo</title>
878 Which digest algorithm to use in S2K calculation.
883 Applies to: pgp_sym_encrypt
888 <title>s2k-cipher-algo</title>
891 Which cipher to use for encrypting the separate session key.
894 Values: bf, aes, aes128, aes192, aes256
895 Default: use cipher-algo
896 Applies to: pgp_sym_encrypt
901 <title>unicode-mode</title>
904 Whether to convert textual data from database internal encoding to
905 UTF-8 and back. If your database already is UTF-8, no conversion will
906 be done, but the message will be tagged as UTF-8. Without this option
912 Applies to: pgp_sym_encrypt, pgp_pub_encrypt
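How the option string, pgp_key_id() and the armor functions fit together for a symmetric-key message, as an added example that is not part of the original pgcrypto documentation. The message text, passphrase, header text and the chosen s2k-count are constructed values.

```sql
-- Added example: constructed message, passphrase and armor header.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

WITH m AS (
    -- Options are given only when encrypting; the decrypt call below reads
    -- the cipher and S2K parameters back from the message itself.
    SELECT pgp_sym_encrypt(
               'constructed secret note',
               'constructed passphrase',
               'cipher-algo=aes256, s2k-mode=3, s2k-count=1000000, sess-key=1, unicode-mode=1'
           ) AS msg
),
a AS (
    -- Wrap the binary message in ASCII armor with one armor header.
    SELECT msg,
           armor(msg, ARRAY['Comment'], ARRAY['constructed demo message']) AS armored
    FROM m
)
SELECT
    -- For a message encrypted with a symmetric key this is the special
    -- key ID described under pgp_key_id().
    pgp_key_id(msg) AS key_id,
    -- Armored text has to go through dearmor() before decryption.
    pgp_sym_decrypt(dearmor(armored), 'constructed passphrase') AS plaintext,
    -- Armor headers are outside the encrypted data and readable by anyone.
    (SELECT string_agg(h.key || '=' || h.value, ', ')
     FROM pgp_armor_headers(armored) AS h) AS headers
FROM a;
```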
918 <title>Generating PGP Keys with GnuPG</title>
921 To generate a new key:
927 The preferred key type is <quote>DSA and Elgamal</quote>.
930 For RSA encryption you must create either a DSA or an RSA sign-only key
931 as the master key and then add an RSA encryption subkey with
932 <literal>gpg --edit-key</literal>.
937 gpg --list-secret-keys
941 To export a public key in ASCII-armor format:
943 gpg -a --export KEYID > public.key
947 To export a secret key in ASCII-armor format:
949 gpg -a --export-secret-keys KEYID > secret.key
953 You need to use <function>dearmor()</function> on these keys before giving them to
954 the PGP functions. Or if you can handle binary data, you can drop
955 <literal>-a</literal> from the command.
958 For more details see <literal>man gpg</literal>,
959 <ulink url="https://www.gnupg.org/gph/en/manual.html">The GNU
960 Privacy Handbook</ulink> and other documentation on
961 <ulink url="https://www.gnupg.org/"></ulink>.
966 <title>Limitations of PGP Code</title>
971 No support for signing. That also means that it is not checked
972 whether the encryption subkey belongs to the master key.
977 No support for an encryption key as the master key. As such practice
978 is generally discouraged, this should not be a problem.
983 No support for several subkeys. This may seem like a problem, as this
984 is common practice. On the other hand, you should not use your regular
985 GPG/PGP keys with <filename>pgcrypto</filename>, but create new ones,
986 as the usage scenario is rather different.
994 <title>Raw Encryption Functions</title>
997 These functions only run a cipher over data; they don't have any advanced
998 features of PGP encryption. Therefore they have some major problems:
1003 They use the user key directly as the cipher key.
1008 They don't provide any integrity checking, to see
1009 if the encrypted data was modified.
1014 They expect that users manage all encryption parameters
1015 themselves, even the IV.
1020 They don't handle text.
1025 So, with the introduction of PGP encryption, usage of raw
1026 encryption functions is discouraged.
1030 <primary>encrypt</primary>
1034 <primary>decrypt</primary>
1038 <primary>encrypt_iv</primary>
1042 <primary>decrypt_iv</primary>
1046 encrypt(data bytea, key bytea, type text) returns bytea
1047 decrypt(data bytea, key bytea, type text) returns bytea
1049 encrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
1050 decrypt_iv(data bytea, key bytea, iv bytea, type text) returns bytea
1054 Encrypt/decrypt data using the cipher method specified by
1055 <parameter>type</parameter>. The syntax of the
1056 <parameter>type</parameter> string is:
1059 <replaceable>algorithm</replaceable> <optional> <literal>-</literal> <replaceable>mode</replaceable> </optional> <optional> <literal>/pad:</literal> <replaceable>padding</replaceable> </optional>
1061 where <replaceable>algorithm</replaceable> is one of:
1064 <listitem><para><literal>bf</literal> — Blowfish</para></listitem>
1065 <listitem><para><literal>aes</literal> — AES (Rijndael-128, -192 or -256)</para></listitem>
1067 and <replaceable>mode</replaceable> is one of:
1071 <literal>cbc</literal> — next block depends on previous (default)
1076 <literal>ecb</literal> — each block is encrypted separately (for
1081 and <replaceable>padding</replaceable> is one of:
1085 <literal>pkcs</literal> — data may be any length (default)
1090 <literal>none</literal> — data must be a multiple of the cipher block size
1096 So, for example, these are equivalent:
1098 encrypt(data, 'fooz', 'bf')
1099 encrypt(data, 'fooz', 'bf-cbc/pad:pkcs')
1103 In <function>encrypt_iv</function> and <function>decrypt_iv</function>, the
1104 <parameter>iv</parameter> parameter is the initial value for the CBC mode;
1105 it is ignored for ECB.
1106 It is clipped or padded with zeroes if not exactly block size.
1107 It defaults to all zeroes in the functions without this parameter.
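The effect of the all-zero default IV, shown next to the PGP function that this page recommends instead. This is an added example, not part of the original pgcrypto documentation; the message text and passphrase are constructed, and the key is generated at random on each run.

```sql
-- Added example: constructed message and passphrase, random key per run.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

WITH p AS (
    SELECT gen_random_bytes(16)                     AS key,     -- AES-128 key
           convert_to('acct=42;amount=100', 'UTF8') AS msg,     -- raw functions take bytea only
           decode(repeat('00', 16), 'hex')          AS zero_iv  -- one AES block of zeroes
)
SELECT
    -- Without an iv parameter the IV is all zeroes, so the same data and
    -- key always produce the same ciphertext: equal rows are visible as equal.
    encrypt(msg, key, 'aes') = encrypt(msg, key, 'aes') AS raw_repeats,
    -- encrypt() is encrypt_iv() with a zero IV and the default mode and padding.
    encrypt(msg, key, 'aes')
      = encrypt_iv(msg, key, zero_iv, 'aes-cbc/pad:pkcs') AS same_as_zero_iv,
    -- A fresh random IV per call removes the repetition.
    encrypt_iv(msg, key, gen_random_bytes(16), 'aes')
      = encrypt_iv(msg, key, gen_random_bytes(16), 'aes') AS fresh_iv_repeats,
    -- The PGP functions add the random prefix themselves.
    pgp_sym_encrypt('acct=42;amount=100', 'constructed passphrase')
      = pgp_sym_encrypt('acct=42;amount=100', 'constructed passphrase') AS pgp_repeats
FROM p;

-- If a raw function has to be used, the caller must create the IV and keep
-- it with the ciphertext. Here the first 16 bytes of "stored" are the IV.
-- This still gives no integrity checking, as listed above.
WITH k AS (
    SELECT gen_random_bytes(16) AS key, gen_random_bytes(16) AS iv
),
s AS (
    SELECT key,
           iv || encrypt_iv(convert_to('acct=42;amount=100', 'UTF8'), key, iv, 'aes') AS stored
    FROM k
)
SELECT convert_from(
           decrypt_iv(substring(stored from 17), key, substring(stored for 16), 'aes'),
           'UTF8') AS roundtrip
FROM s;
```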
1112 <title>Random-Data Functions</title>
1115 <primary>gen_random_bytes</primary>
1119 gen_random_bytes(count integer) returns bytea
1122 Returns <parameter>count</parameter> cryptographically strong random bytes.
1123 At most 1024 bytes can be extracted at a time. This is to avoid
1124 draining the randomness generator pool.
1128 <primary>gen_random_uuid</primary>
1132 gen_random_uuid() returns uuid
1135 Returns a version 4 (random) UUID. (Obsolete, this function is now also
1136 included in core <productname>PostgreSQL</productname>.)
1141 <title>Notes</title>
1144 <title>Configuration</title>
1147 <filename>pgcrypto</filename> configures itself according to the findings of the
1148 main PostgreSQL <literal>configure</literal> script. The options that
1149 affect it are <literal>--with-zlib</literal> and
1150 <literal>--with-openssl</literal>.
1154 When compiled with zlib, PGP encryption functions are able to
1155 compress data before encrypting.
1159 When compiled with OpenSSL, there will be more algorithms available.
1160 Also, public-key encryption functions will be faster, as OpenSSL
1161 has more optimized BIGNUM functions.
1164 <table id="pgcrypto-with-without-openssl">
1165 <title>Summary of Functionality with and without OpenSSL</title>
1169 <entry>Functionality</entry>
1170 <entry>Built-in</entry>
1171 <entry>With OpenSSL</entry>
1186 <entry>SHA224/256/384/512</entry>
1191 <entry>Other digest algorithms</entry>
1193 <entry>yes (Note 1)</entry>
1196 <entry>Blowfish</entry>
1206 <entry>DES/3DES/CAST5</entry>
1211 <entry>Raw encryption</entry>
1216 <entry>PGP Symmetric encryption</entry>
1221 <entry>PGP Public-Key encryption</entry>
1236 Any digest algorithm OpenSSL supports is automatically picked up.
1237 This is not possible with ciphers, which need to be supported
1245 <title>NULL Handling</title>
1248 As is standard in SQL, all functions return NULL if any of the arguments
1249 are NULL. This may create security risks if used carelessly.
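Two ways the NULL propagation described above becomes a security problem, as an added example that is not part of the original pgcrypto documentation. The tables, login names, sample values and the setting name app.column_key are hypothetical.

```sql
-- Added example: hypothetical tables and setting name, constructed values.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1. A NULL stored hash makes the password comparison NULL, not false.
CREATE TEMP TABLE account (
    login   text PRIMARY KEY,
    pswhash text                      -- nullable on purpose for this example
);
INSERT INTO account VALUES
    ('alice',      crypt('constructed-pass', gen_salt('bf', 8))),
    ('svc_import', NULL);             -- account without a password

SELECT login,
       -- Weak: "deny on mismatch". When pswhash is NULL the comparison is
       -- NULL, the WHEN branch is skipped and the row falls through to ELSE.
       CASE WHEN pswhash <> crypt('wrong guess', pswhash)
            THEN 'deny' ELSE 'allow' END AS weak_decision,
       -- Corrected: only an explicit true counts as a match.
       CASE WHEN (pswhash = crypt('wrong guess', pswhash)) IS TRUE
            THEN 'allow' ELSE 'deny' END AS strict_decision
FROM account
ORDER BY login;

-- 2. A NULL key makes the encryption result NULL, so the value is
--    silently not stored at all.
CREATE TEMP TABLE patient (
    id      int PRIMARY KEY,
    ssn_enc bytea                     -- nullable on purpose for this example
);

-- current_setting(name, true) returns NULL when the setting is missing,
-- for instance when the application forgot to set it for this session.
INSERT INTO patient (id, ssn_enc)
VALUES (1, pgp_sym_encrypt('constructed-ssn',
                           current_setting('app.column_key', true)));

-- Rows whose protected value was lost this way.
SELECT id, ssn_enc IS NULL AS value_lost
FROM patient;

-- Declaring such columns NOT NULL turns the silent loss into an error at
-- write time; declaring pswhash NOT NULL removes case 1 as well.
```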
1254 <title>Security Limitations</title>
1257 All <filename>pgcrypto</filename> functions run inside the database server.
1259 the data and passwords move between <filename>pgcrypto</filename> and client
1260 applications in clear text. Thus you must:
1265 <para>Connect locally or use SSL connections.</para>
1268 <para>Trust both system and database administrator.</para>
1273 If you cannot, it is better to do the cryptography inside the client application.
1277 The implementation does not resist
1278 <ulink url="https://en.wikipedia.org/wiki/Side-channel_attack">side-channel
1279 attacks</ulink>. For example, the time required for
1280 a <filename>pgcrypto</filename> decryption function to complete varies among
1281 ciphertexts of a given size.
1286 <title>Useful Reading</title>
1290 <para><ulink url="https://www.gnupg.org/gph/en/manual.html"></ulink></para>
1291 <para>The GNU Privacy Handbook.</para>
1294 <para><ulink url="http://www.openwall.com/crypt/"></ulink></para>
1295 <para>Describes the crypt-blowfish algorithm.</para>
1299 <ulink url="http://www.iusmentis.com/security/passphrasefaq/"></ulink>
1301 <para>How to choose a good password.</para>
1304 <para><ulink url="http://world.std.com/~reinhold/diceware.html"></ulink></para>
1305 <para>Interesting idea for picking passwords.</para>
1309 <ulink url="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html"></ulink>
1311 <para>Describes good and bad cryptography.</para>
1317 <title>Technical References</title>
1321 <para><ulink url="https://tools.ietf.org/html/rfc4880"></ulink></para>
1322 <para>OpenPGP message format.</para>
1325 <para><ulink url="https://tools.ietf.org/html/rfc1321"></ulink></para>
1326 <para>The MD5 Message-Digest Algorithm.</para>
1329 <para><ulink url="https://tools.ietf.org/html/rfc2104"></ulink></para>
1330 <para>HMAC: Keyed-Hashing for Message Authentication.</para>
1334 <ulink url="https://www.usenix.org/legacy/events/usenix99/provos.html"></ulink>
1336 <para>Comparison of crypt-des, crypt-md5 and bcrypt algorithms.</para>
1340 <ulink url="https://en.wikipedia.org/wiki/Fortuna_(PRNG)"></ulink>
1342 <para>Description of Fortuna CSPRNG.</para>
1345 <para><ulink url="http://jlcooke.ca/random/"></ulink></para>
1346 <para>Jean-Luc Cooke's Fortuna-based <filename>/dev/random</filename> driver for Linux.</para>
1353 <title>Author</title>
1356 Marko Kreen <email>markokr@gmail.com</email>
1360 <filename>pgcrypto</filename> uses code from the following sources:
1367 <entry>Algorithm</entry>
1368 <entry>Author</entry>
1369 <entry>Source origin</entry>
1374 <entry>DES crypt</entry>
1375 <entry>David Burren and others</entry>
1376 <entry>FreeBSD libcrypt</entry>
1379 <entry>MD5 crypt</entry>
1380 <entry>Poul-Henning Kamp</entry>
1381 <entry>FreeBSD libcrypt</entry>
1384 <entry>Blowfish crypt</entry>
1385 <entry>Solar Designer</entry>
1386 <entry>www.openwall.com</entry>
1389 <entry>Blowfish cipher</entry>
1390 <entry>Simon Tatham</entry>
1391 <entry>PuTTY</entry>
1394 <entry>Rijndael cipher</entry>
1395 <entry>Brian Gladman</entry>
1396 <entry>OpenBSD sys/crypto</entry>
1399 <entry>MD5 hash and SHA1</entry>
1400 <entry>WIDE Project</entry>
1401 <entry>KAME kame/sys/crypto</entry>
1404 <entry>SHA256/384/512 </entry>
1405 <entry>Aaron D. Gifford</entry>
1406 <entry>OpenBSD sys/crypto</entry>
1409 <entry>BIGNUM math</entry>
1410 <entry>Michael J. Fromberger</entry>
1411 <entry>dartmouth.edu/~sting/sw/imath</entry>