
PostgreSQL

30. 01. 2025

The current version of the database is 17.

Secure Client Connections

PostgreSQL supports secure client connections to ensure data confidentiality, integrity, and authenticity during communication between clients and the database server.
This is achieved using SSL/TLS (Secure Sockets Layer/Transport Layer Security) and certificate-based authentication.
All data transmitted over SSL/TLS connections is encrypted, protecting against eavesdropping and man-in-the-middle attacks.
Using TLS 1.2 or higher is recommended for stronger encryption standards.
The actual cipher suites available depend on the version of OpenSSL used by PostgreSQL.
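The following is an added example, not part of the original knowledge-base entry, showing how the TLS requirements described above are enforced on the server and checked from a client session. The certificate paths, the network range, the role name and the host name are assumptions; ALTER SYSTEM requires a superuser and writes to postgresql.auto.conf, and pg_hba.conf still has to be edited by hand.

```sql
-- Added example (not from the original page): require TLS 1.2 or newer on the
-- server, close the plaintext path, and verify the negotiated protocol in a session.
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';   -- TLS 1.0 and 1.1 are refused
ALTER SYSTEM SET ssl_cert_file = '/etc/postgresql/certs/server.crt';  -- assumed path
ALTER SYSTEM SET ssl_key_file  = '/etc/postgresql/certs/server.key';  -- assumed path
ALTER SYSTEM SET ssl_ca_file   = '/etc/postgresql/certs/root.crt';    -- assumed path; CA used to verify client certificates
SELECT pg_reload_conf();   -- these parameters take effect on reload, no restart needed

-- In pg_hba.conf (not settable via SQL), admit the application role only over TLS
-- with a client certificate whose CN matches the role, and reject every
-- non-TLS connection (first matching line wins, so keep the reject line last):
--   hostssl   app   app_user   10.0.0.0/8   scram-sha-256   clientcert=verify-full
--   hostnossl all   all        0.0.0.0/0    reject
-- Reload again after editing pg_hba.conf: SELECT pg_reload_conf();

-- On the client, sslmode=verify-full checks the server certificate against the CA
-- and checks the host name, which is what defeats a man-in-the-middle
-- (libpq connection string with assumed values):
--   psql "host=db.example.internal dbname=app user=app_user sslmode=verify-full sslrootcert=/etc/ssl/root.crt"

-- Inside that session, confirm TLS is in use and which protocol and cipher were
-- negotiated; pg_stat_ssl is a built-in view, client_dn is NULL without a client cert.
SELECT ssl, version, cipher, bits, client_dn
FROM   pg_stat_ssl
WHERE  pid = pg_backend_pid();
```

The same pg_stat_ssl query without the WHERE clause lists every current backend, which is a quick way to find clients that are still connecting without TLS before the hostnossl reject line is enabled.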

Usage in code

PostgreSQL 17 offers a comprehensive suite of cryptographic functions through the pgcrypto module, including hashing, encryption, and random data generation functions.
Below is detailed information about the supported algorithms, their key lengths, and references to relevant standards.

Hashing Functions

The pgcrypto module supports the following hash algorithms:

  • SHA-224: 224-bit hash.

  • SHA-256: 256-bit hash.

  • SHA-384: 384-bit hash.

  • SHA-512: 512-bit hash.

These algorithms conform to the standards defined in FIPS PUB 180-4.

HMAC Functions

The hmac() function computes a keyed-hash message authentication code using the supported hash algorithms.

  • Key lengths can be arbitrary, but using keys matching the block size of the selected hash algorithm is recommended for optimal security.
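The following is an added example, not part of the original entry, covering both the hashing and the HMAC sections above: it shows that a plain digest() can be recomputed by anyone who can alter the data, while an hmac() tag cannot be forged without the key. The message strings, the table and the key value are constructed for the example; a real key would be supplied from outside the database rather than written into SQL.

```sql
-- Added example (not from the original page): digest() versus hmac().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- A plain SHA-256 digest. It detects accidental corruption, but an attacker who
-- can rewrite the message can just as easily rewrite the digest.
SELECT encode(digest('order 1234: ship to Alice', 'sha256'), 'hex') AS sha256_hex;

-- A keyed HMAC over the same message. Changing one byte of the message changes the
-- whole tag, and a new valid tag cannot be produced without the key.
-- The key below is a constructed placeholder.
WITH k AS (SELECT 'replace-me-with-a-real-secret'::text AS key)
SELECT
  encode(hmac('order 1234: ship to Alice',   key, 'sha256'), 'hex') AS tag_original,
  encode(hmac('order 1234: ship to Mallory', key, 'sha256'), 'hex') AS tag_tampered,
  hmac('order 1234: ship to Alice',   key, 'sha256')
    = hmac('order 1234: ship to Mallory', key, 'sha256')              AS tags_match
FROM k;

-- Store the tag beside the message and recompute it on read; a row whose body was
-- edited directly in the table no longer verifies.
CREATE TEMP TABLE signed_messages (id serial PRIMARY KEY, body text, tag bytea NOT NULL);
INSERT INTO signed_messages (body, tag)
VALUES ('order 1234: ship to Alice',
        hmac('order 1234: ship to Alice', 'replace-me-with-a-real-secret', 'sha256'));

SELECT id, body,
       tag = hmac(body, 'replace-me-with-a-real-secret', 'sha256') AS tag_valid
FROM signed_messages;
```

Both digest() and hmac() also accept bytea input, so the same pattern works for binary columns. The `=` comparison on bytea is not constant-time; for tags verified at high rate from untrusted input, compare on the application side with a constant-time function.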

Password Hashing Functions

The crypt() function is designed for password hashing and supports the following algorithms:

  • Blowfish (bf):

    • Maximum password length: 72 characters.

    • Uses a 128-bit salt and generates a 60-character result.

    • Adaptive algorithm, which increases the computational cost to resist brute-force attacks.

  • MD5:

    • No limit on password length.

    • Uses a 48-bit salt and generates a 34-character result.

    • Not adaptive and considered deprecated.

  • XDES (Extended DES):

    • Maximum password length: 8 characters.

    • Uses a 24-bit salt and generates a 20-character result.

    • Adaptive.

  • DES (Original UNIX crypt):

    • Maximum password length: 8 characters.

    • Uses a 12-bit salt and generates a 13-character result.

    • Not adaptive and considered obsolete.

Adaptive algorithms allow for adjusting the computational difficulty, improving resistance against brute-force attacks.
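The following is an added example, not part of the original entry, showing crypt() with gen_salt() for the Blowfish algorithm described above: a per-user random salt, an explicit cost factor, and verification that uses the stored hash as the salt argument. The table, the user name and the passwords are constructed for the example.

```sql
-- Added example (not from the original page): password storage and checking
-- with the adaptive bf algorithm.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE app_users (
  username      text PRIMARY KEY,
  password_hash text NOT NULL
);

-- gen_salt('bf', 12): a fresh 128-bit salt plus cost factor 12 (2^12 rounds);
-- pgcrypto's default cost is 6. A higher cost slows brute force but also slows
-- every login, so tune it to the hardware. Because the salt is random per user,
-- two users with the same password get different hashes.
INSERT INTO app_users (username, password_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- The algorithm, cost and salt are all embedded in the stored value ($2a$12$...),
-- so verification only needs the stored hash as the salt argument.
SELECT username,
       crypt('correct horse battery staple', password_hash) = password_hash AS login_ok
FROM app_users WHERE username = 'alice';

SELECT username,
       crypt('wrong password', password_hash) = password_hash AS login_ok
FROM app_users WHERE username = 'alice';

-- bf only uses the first 72 characters of the password (see the limit above), so
-- enforce the length in the application rather than letting the tail be ignored.

-- Finding rows still hashed with the deprecated or obsolete schemes: bf hashes
-- begin with '$2a$', md5 with '$1$', xdes with '_', and des has no prefix.
-- Re-hash such rows with bf on the user's next successful login.
SELECT username, password_hash
FROM app_users
WHERE password_hash NOT LIKE '$2a$%';
```

Raising the cost later is safe: new hashes simply carry the new cost factor, and existing rows keep verifying because each hash records the cost it was created with.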

Low-Level Encryption Functions

Low-level encryption functions in pgcrypto support:

  • AES (Advanced Encryption Standard):
    Key lengths: 128, 192, and 256 bits.
    Compliant with FIPS PUB 197.

  • Blowfish:
    Key lengths: 32 to 448 bits.

  • Triple DES (3DES):
    Key length: 168 bits.
    Compliant with FIPS PUB 46-3.

For robust data security, it is recommended to use algorithms with a key length of at least 128 bits.

Random Data Generation

The gen_random_bytes() function generates cryptographically secure random bytes using the random number generator from OpenSSL.
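The following is an added example, not part of the original entry, that serves both the low-level encryption section and the random data section: it uses gen_random_bytes() for a 256-bit AES key and a fresh 16-byte IV per row, encrypts with encrypt_iv() in CBC mode, and adds an HMAC tag over the IV and ciphertext so that modified ciphertext is rejected before decryption. The key handling via session variables, the table and the sample plaintext are constructed for the example; in production the keys would come from a key-management service or application configuration, not from the database.

```sql
-- Added example (not from the original page): AES-256-CBC with random IVs,
-- encrypt-then-MAC, and gen_random_bytes() for keys, IVs and tokens.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- gen_random_bytes(n) returns n bytes from OpenSSL's CSPRNG (1 <= n <= 1024).
-- Session variables stand in for an external key store in this example.
SELECT set_config('app.aes_key', encode(gen_random_bytes(32), 'hex'), false);  -- 256-bit key
SELECT set_config('app.mac_key', encode(gen_random_bytes(32), 'hex'), false);  -- separate MAC key

CREATE TEMP TABLE secrets (
  id  serial PRIMARY KEY,
  iv  bytea NOT NULL,   -- 16-byte AES block, unique per row, not secret
  ct  bytea NOT NULL,   -- ciphertext with PKCS padding
  tag bytea NOT NULL    -- HMAC-SHA256 over iv || ct
);

-- Encrypt. An IV must never be reused with the same key; drawing it from
-- gen_random_bytes(16) for every row avoids that.
WITH p AS (
  SELECT convert_to('card token 4111-xxxx-xxxx-1111', 'UTF8') AS plaintext,
         decode(current_setting('app.aes_key'), 'hex')         AS k,
         decode(current_setting('app.mac_key'), 'hex')         AS mk,
         gen_random_bytes(16)                                   AS iv
), e AS (
  SELECT iv, encrypt_iv(plaintext, k, iv, 'aes-cbc/pad:pkcs') AS ct, mk FROM p
)
INSERT INTO secrets (iv, ct, tag)
SELECT iv, ct, hmac(iv || ct, mk, 'sha256') FROM e;

-- Decrypt. The tag is checked first and decryption runs only on rows that pass,
-- so altered ciphertext is rejected without ever reaching the padding check.
SELECT id,
       CASE
         WHEN tag = hmac(iv || ct, decode(current_setting('app.mac_key'), 'hex'), 'sha256')
         THEN convert_from(
                decrypt_iv(ct, decode(current_setting('app.aes_key'), 'hex'), iv, 'aes-cbc/pad:pkcs'),
                'UTF8')
         ELSE NULL   -- tag mismatch: iv or ct was modified
       END AS plaintext
FROM secrets;

-- Random tokens (password-reset links, API keys): 32 bytes gives 256 bits of entropy.
SELECT encode(gen_random_bytes(32), 'hex') AS reset_token;
```

The plain encrypt()/decrypt() variants derive a fixed IV internally, so two rows with the same plaintext would produce the same ciphertext; the _iv variants with a random IV are the ones to use for stored data. Keeping the MAC key distinct from the AES key keeps the two functions independent if either key is ever exposed.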