•  15-10-2022
  •  | 
  •  

Question

Note: Though I'm mentioning H2, this may apply to any DBMS,

  1. that allows you to store the whole database in a single file; and

  2. that makes its source-code publicly available.

My concern:

Is it possible to break into an encrypted H2 database by doing something like the following?

  1. Store a very large, zeroed out BLOB, a few 100 KB in size, in some table.

  2. Examine the new H2 database file binary and look for a repeating pattern near page/block boundaries. The page/block size could be obtained from the H2 source code. The repeating pattern so obtained would be the cipher key used to encrypt the H2 database.

  3. Once the cipher key stands exposed, the hacker just needs to be dedicated enough to then further dig into the H2 sources and figure out the exact structure of its tables, columns, and rows. In other words, everything stands exposed from this point on.

I have not personally studied the source code of H2, nor am I a cryptography expert, but here's why I think the above -- or some hack along the above lines -- might work:

  1. For performance reasons, all DBMSes read/write data in chunks (pages or blocks 512 bytes to 8 KB in size), and so would H2.

  2. Since a BLOB several hundred KB in size would far exceed the DBMS's page/block size, one can expect the cryptogrphic key (generated internally using the user password) to show up in repeating patterns of sizes less than the page/block size.

Was it helpful?

Solution 2

The file encryption algorithm used in H2 does not use the ECB encryption mode. The file encryption algorithm is, as documented, not vulnerable to this kind of attack. The new storage engine that will be used for future versions of H2 uses the standardized AES XTS algorithm.

OTHER TIPS

A good cryptography algorithm will not be vulnerable to this attack.

The patterns in the plaintext (here the BLOB of zeroes) will be dissipated in the ciphertext. The secret key will not be readily visible in the ciphertext as patterns or otherwise. A classic technique to achieve that when using a block cipher is to make the encryption of a block dependent on the ciphertext of the previous block. Here the blocks I'm referring to are the blocks used in the cryptography algorithm, typically 128 bits of length.

You can for example XOR the plaintext block with the result of the previous block encryption, here is the schema from Wikipedia for CBC mode, which XOR the current block with the result of the previous one prior to encryption.

CBC mode

As you can see, even if you feed all zeroes in each plaintext blocks, you will end up with a completely random looking result.

These are just examples and the actual confusion mechanism used in H2 might be more complex or involved depending on the algorithm they use.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top