lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From JOAQUIN DELGADO <JOAQUIN.DELG...@ORACLE.COM>
Subject Re: Attached proposed modifications to Lucene 2.0 to support Field.Store.Encrypted
Date Fri, 01 Dec 2006 21:37:10 GMT
Security should be responsibility of the application. However let's make it clear that field
level encryption is more a "means of" implementing security and herefore an infrastructure
functionality that in my opinion Lucene should optionally provide. In the same way relational
databases provide options (at a performance cost) to encrypt column values for very sensitive
information.

That way, even if the data fell in obscure hands and they know how to read the lucene index,
they would not be able to see the values stored with it.

Think about credit card numbers for example ;-)

That's my two cents.

-- Joaquin


-----Original Message-----
>From negrinv <victornegrin@gmail.com>
Sent Fri 12/1/2006 1:22 PM
To java-dev@lucene.apache.org
Subject Re: Attached proposed modifications to Lucene 2.0 to support Field.Store.Encrypted


That is a valid consideration Doron, which brings the discussion back to the
difference between encrypton and security. I believe that security is an end
application responsability, not Lucene's. For instance, is it possible to
write the end application so that those stats are hidden from or
inaccessible to users?
Victor


Doron Cohen wrote:
> 
> Robert Engels <rengels@ix.netcom.com> wrote on 01/12/2006 09:34:12:
>> ... decrypting such small payloads .. I think it is also subject to an
> easy attack,
> 
> In addition, index statistics are still available, right?  So one can know
> how many docs, which (encrypted) words appear in which docs and exactly
> where, and how often.  AFAIK, with a large enough index these statistics
> can be useful for cracking the encryption.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-dev-help@lucene.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Attached-proposed-modifications-to-Lucene-2.0-to-support-Field.Store.Encrypted-tf2727614.html#a7646459
Sent from the Lucene - Java Developer mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-dev-help@lucene.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-dev-help@lucene.apache.org


Mime
View raw message