云和恩墨 (Enmotech), "成就所托" (accomplishing what is entrusted to us), by 王朝阳 18516271611 [email protected]

Oracle security 07-transparent data encryption


Page 1

Transparent Data Encryption

Page 2

Objectives

After completing this lesson, you should be able to do the following:
• Describe the encryption options
• Generate random encryption keys
• Encrypt and decrypt table columns
• Encrypt tablespaces

Page 3

Overview

• Data encryption issues
• Data encryption challenges
• DBMS_CRYPTO package:
  – Encrypts column data
  – Decrypts column data
  – Supersedes DBMS_OBFUSCATION_TOOLKIT

[Figure: DBMS_CRYPTO turns the plaintext MyCreditCardNum into the ciphertext OKYMSEISPDTGA, which is what is stored in the CUST.CREDITCARD column.]

Page 4

Encryption Issues: Cost

• Encryption and decryption of data:
  – Accessibility
  – Performance
• Management of encryption keys:
  – Secure transmission
  – Administrative overhead

Page 5

Encryption Issues: Access Control

Do not use encryption instead of access control.

• Strong data access mechanisms are available.
• Encryption must not interfere with access control.

Page 6

Encryption Issues: Access by Privileged Users

• DBAs can access all data. Limit and monitor the DBA by:
  – Using SYSOPER, which has limited privileges, instead of SYSDBA for routine work
  – Creating junior DBA roles to limit access
  – Auditing the actions of the DBA
  – Running background checks on the DBAs
  – Encrypting sensitive columns

• The system administrator has access to all data files.

• Backup media may be compromised.

Page 7

Encryption Issues: Do Not Encrypt Everything

• Encrypting everything does not make data secure.
• Data is unavailable during key changes.
• Lost keys mean lost data.
• The management of keys becomes critical.

Page 8

Data Encryption: Challenges

• Key management:
  – Generation
  – Changing
  – Transmission
  – Storage
• Encrypting special types of data:
  – Indexed data
  – Large objects (LOBs)

Page 9

Encryption Key Management: Key Generation

Keys are generated from random numbers. Use an approved random-number generator:
• DBMS_CRYPTO.RANDOMBYTES is based on the RSA X9.31 PRNG.
• DBMS_RANDOM is not approved for key generation.
• DBMS_OBFUSCATION_TOOLKIT.GETKEY is still available.

Page 10

Encryption Key Management: Key Modification and Transmission

• Change keys periodically, as you would a password:
  – Reduce the possibility of brute-force key discovery.
  – Re-encrypt the data under the new key.
• Transmit keys in a secure manner:
  – Electronic transmission (encrypt the key in transit)
  – Physical transmission

Page 11

Encryption Key Management: Storage

Store the keys by using one of the following methods:
• Store the key in the database.
• Store the key in an operating system file.
• Let the user manage the key.

Page 12

Storing the Key in the Database

The techniques for protecting keys in the database are:
• Store keys in a separate table.
• Perform additional data transformation.
• Wrap the PL/SQL package that performs the encryption.
• Use a key per row.
• Combine the techniques.

Page 13

Storing the Key in the Operating System

Use this method to restrict DBA access to the keys:
1. Set up the file storing the keys so that the DBA does not have access to the file.
2. Retrieve the data from the database without decrypting it.
3. Decrypt the data in the application accessing the data. The DBA must also be denied access to this application.

Page 14

Letting the User Manage the Key

User-managed keys have these problems:
• Users forget the key.
• Users archive the key in an insecure manner.
• Users must use secure transmission methods, such as network encryption.

Page 15

Encrypting Special Types of Data

• Indexed data:
  – Not supported directly: an index on an encrypted column orders the ciphertext, so range and LIKE searches do not work.
  – For equality lookups, encrypt the search value and compare it with the stored ciphertext. This only works if the same plaintext always produces the same ciphertext (same key, no random IV), which in turn reveals which rows hold equal values.
• Large objects (LOBs):
  – Use the ENCRYPT procedure of the DBMS_CRYPTO package.

Page 16

Comparing DBMS_CRYPTO with DBMS_OBFUSCATION_TOOLKIT

Package feature                DBMS_CRYPTO                      DBMS_OBFUSCATION_TOOLKIT
Cryptographic algorithms       DES, 3DES, 3DES_2KEY, AES, RC4   DES, 3DES
Database types                 RAW, CLOB, BLOB                  RAW, VARCHAR2
Block cipher chaining modes    CBC, CFB, ECB, OFB               CBC
Cryptographic hash algorithms  MD4, MD5, SHA-1                  MD5
Keyed hash (MAC) algorithms    HMAC_MD5, HMAC_SH1               None supported

Of the algorithms listed, only AES (and 3DES for existing data) is suitable for new work; DES, RC4, MD4 and MD5 are broken or deprecated and are listed for completeness.

Page 17

DBMS_CRYPTO Package

• Functionality:
  – Random-number generation for encryption keys
  – Encryption and decryption using various algorithms
  – Multiple cipher block chaining modes
  – Multiple cryptographic hash algorithms
  – Multiple padding forms
• Procedures and functions in the package include:
  – RANDOMBYTES generates random keys.
  – ENCRYPT encrypts columns or LOBs.
  – DECRYPT decrypts columns or LOBs.
  – HASH applies a hash algorithm to data.
  – MAC applies a keyed hash (HMAC) to data.

Page 18

Using ENCRYPT and DECRYPT

• ENCRYPT:

    encrypted_raw := dbms_crypto.Encrypt(src => raw_input,
                                         typ => dbms_crypto.DES3_CBC_PKCS5,
                                         key => raw_key,
                                         iv  => NULL);

• DECRYPT:

    decrypted_raw := dbms_crypto.Decrypt(src => encrypted_raw,
                                         typ => dbms_crypto.DES3_CBC_PKCS5,
                                         key => raw_key);

Note that iv => NULL in CBC mode means a fixed, all-zero IV: equal plaintexts then produce equal ciphertexts. Pass a fresh IV from RANDOMBYTES for each value and store it alongside the ciphertext; the IV does not need to be secret, only unpredictable.

Page 19

Using RANDOMBYTES

• Generate a key (24 bytes = 192 bits, the size 3DES expects):

    raw_key := dbms_crypto.randombytes(number_bytes => 24);

• Encrypt:

    encrypted_raw := dbms_crypto.encrypt(src => raw_input,
                                         typ => DBMS_CRYPTO.DES3_CBC_PKCS5,
                                         key => raw_key);
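The following is an added example, not code from the original slides, that puts the ENCRYPT, DECRYPT and RANDOMBYTES calls from this and the previous page together in one runnable block. It assumes the session has been granted EXECUTE on SYS.DBMS_CRYPTO, that SERVEROUTPUT is on, and that the AL32UTF8 conversion via UTL_I18N is acceptable for the data; all l_* names are local to the example. It uses AES-256 rather than the deck's 3DES and shows that with a random IV the same plaintext encrypts to two different ciphertexts, and how to store and recover the IV.

```sql
-- Added example (not from the original deck): AES-256/CBC round trip with DBMS_CRYPTO.
-- Assumes: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <user>; SET SERVEROUTPUT ON.
DECLARE
  l_plain     VARCHAR2(200) := 'MyCreditCardNum';               -- sample value from the deck
  l_plain_raw RAW(2000)     := UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8');
  -- Spell the algorithm out: AES-256, CBC chaining, PKCS#5 padding.
  l_typ       PLS_INTEGER   := DBMS_CRYPTO.ENCRYPT_AES256
                             + DBMS_CRYPTO.CHAIN_CBC
                             + DBMS_CRYPTO.PAD_PKCS5;
  l_key       RAW(32);        -- 32 bytes = 256-bit key
  l_iv        RAW(16);        -- one AES block
  l_cipher1   RAW(2048);
  l_cipher2   RAW(2048);
  l_stored    RAW(2064);      -- IV || ciphertext: the value you would persist in the column
  l_decrypted RAW(2000);
BEGIN
  -- Key and IV both come from the approved PRNG, never from DBMS_RANDOM.
  l_key := DBMS_CRYPTO.RANDOMBYTES(32);
  l_iv  := DBMS_CRYPTO.RANDOMBYTES(16);
  l_cipher1 := DBMS_CRYPTO.ENCRYPT(src => l_plain_raw, typ => l_typ, key => l_key, iv => l_iv);

  -- Same plaintext, same key, fresh IV: the ciphertext differs. With iv => NULL
  -- (an all-zero IV) both ciphertexts would be identical and reveal equal values.
  l_iv      := DBMS_CRYPTO.RANDOMBYTES(16);
  l_cipher2 := DBMS_CRYPTO.ENCRYPT(src => l_plain_raw, typ => l_typ, key => l_key, iv => l_iv);

  -- Persist the IV in front of the ciphertext; it is not secret, only unpredictable.
  l_stored := UTL_RAW.CONCAT(l_iv, l_cipher2);

  -- Decrypt: split the IV back off the stored value.
  l_decrypted := DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(l_stored, 17),
                                     typ => l_typ,
                                     key => l_key,
                                     iv  => UTL_RAW.SUBSTR(l_stored, 1, 16));

  DBMS_OUTPUT.PUT_LINE('cipher1 = ' || RAWTOHEX(l_cipher1));
  DBMS_OUTPUT.PUT_LINE('cipher2 = ' || RAWTOHEX(l_cipher2));
  DBMS_OUTPUT.PUT_LINE('ciphertexts differ = '
    || CASE WHEN UTL_RAW.COMPARE(l_cipher1, l_cipher2) = 0 THEN 'no' ELSE 'yes' END);
  DBMS_OUTPUT.PUT_LINE('plain   = ' || UTL_I18N.RAW_TO_CHAR(l_decrypted, 'AL32UTF8'));
END;
/
```

Run it twice and the hex output changes each time, while the recovered plaintext is always MyCreditCardNum. The key here lives only in PL/SQL variables for the duration of the block; in a real design it comes from one of the storage options on pages 11 to 14, and the IV prefix is what lets a later reader decrypt without any extra bookkeeping.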

Page 20

Enhanced Security Using the Cipher Block Modes

[Figure: Cipher Block Chaining. The initial value (IV) block is combined with the first plaintext block before it is encrypted; the encrypted first block is then combined with the next plaintext block before that block is encrypted, and so on, so each encrypted block depends on all the blocks before it.]

Cipher Block Chaining
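Added example (not part of the original deck) showing why chaining matters: the same two identical plaintext blocks are encrypted under ECB and under CBC, and the ECB output repeats while the CBC output does not. It assumes EXECUTE on SYS.DBMS_CRYPTO and SERVEROUTPUT on; the block content and the l_* names are constructed for the example. PAD_NONE is used because the input is exactly two 16-byte blocks.

```sql
-- Added example (not from the original deck): ECB leaks repeated plaintext blocks, CBC does not.
-- Assumes: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <user>; SET SERVEROUTPUT ON.
DECLARE
  l_block RAW(16) := UTL_RAW.CAST_TO_RAW('0123456789ABCDEF'); -- 16 ASCII bytes = one AES block
  l_input RAW(32) := UTL_RAW.CONCAT(l_block, l_block);        -- two identical plaintext blocks
  l_key   RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);             -- AES-128 key
  l_iv    RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  l_ecb   RAW(32);
  l_cbc   RAW(32);

  -- Does the first ciphertext block equal the second one?
  FUNCTION blocks_repeat(p_ct IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN CASE WHEN UTL_RAW.COMPARE(UTL_RAW.SUBSTR(p_ct, 1, 16),
                                     UTL_RAW.SUBSTR(p_ct, 17, 16)) = 0
                THEN 'yes' ELSE 'no' END;
  END;
BEGIN
  -- PAD_NONE is only safe because the input is an exact multiple of 16 bytes.
  l_ecb := DBMS_CRYPTO.ENCRYPT(
             src => l_input,
             typ => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_ECB + DBMS_CRYPTO.PAD_NONE,
             key => l_key);                                    -- ECB ignores the IV
  l_cbc := DBMS_CRYPTO.ENCRYPT(
             src => l_input,
             typ => DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_NONE,
             key => l_key,
             iv  => l_iv);

  DBMS_OUTPUT.PUT_LINE('ECB: ' || RAWTOHEX(l_ecb) || '  repeated blocks: ' || blocks_repeat(l_ecb));
  DBMS_OUTPUT.PUT_LINE('CBC: ' || RAWTOHEX(l_cbc) || '  repeated blocks: ' || blocks_repeat(l_cbc));
END;
/
```

The ECB line always reports repeated blocks: an attacker reading the data files or a backup can tell which rows (or which parts of a row) hold the same value without knowing the key. CBC with a random IV hides that, but it still provides no integrity; pairing it with a MAC is covered on the next page.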

Page 21

Hash and Message Authentication Code

• DBMS_CRYPTO includes both HASH and Message Authentication Code (MAC) functions.

• Both produce a fixed-length one-way digest of a LOB or RAW.
• Use the digest to verify data integrity. An unkeyed HASH only detects accidental corruption: anyone who can rewrite the data can also recompute the hash.
• MAC uses a secret key, so a stored value cannot be altered without detection unless the attacker also holds the MAC key.
• Example:

    mac_raw := dbms_crypto.Mac(src => raw_input,
                               typ => DBMS_CRYPTO.HMAC_MD5,
                               key => raw_key);
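Added example (not from the original deck) of using MAC to protect an encrypted column value: the MAC is computed over IV || ciphertext under a key separate from the encryption key, verified before decryption, and a single flipped bit in the stored value makes verification fail. It assumes EXECUTE on SYS.DBMS_CRYPTO and SERVEROUTPUT on; the verify function and l_* names are local to the example. HMAC_SH1 is used because it is what the 10g-era deck lists; newer releases add HMAC_SH256, which should be preferred where available.

```sql
-- Added example (not from the original deck): encrypt-then-MAC with DBMS_CRYPTO.
-- Assumes: GRANT EXECUTE ON SYS.DBMS_CRYPTO TO <user>; SET SERVEROUTPUT ON.
DECLARE
  l_enc_key  RAW(32)     := DBMS_CRYPTO.RANDOMBYTES(32);   -- separate keys for
  l_mac_key  RAW(32)     := DBMS_CRYPTO.RANDOMBYTES(32);   -- encryption and MAC
  l_iv       RAW(16)     := DBMS_CRYPTO.RANDOMBYTES(16);
  l_typ      PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                          + DBMS_CRYPTO.CHAIN_CBC
                          + DBMS_CRYPTO.PAD_PKCS5;
  l_plain    RAW(2000)   := UTL_I18N.STRING_TO_RAW('MyCreditCardNum', 'AL32UTF8');
  l_blob     RAW(2064);     -- IV || ciphertext: everything the MAC must cover
  l_tag      RAW(20);       -- HMAC-SHA1 output is 20 bytes
  l_tampered RAW(2064);

  -- Check a stored value before trusting it: TRUE only if the MAC matches.
  FUNCTION verify(p_blob IN RAW, p_tag IN RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN UTL_RAW.COMPARE(
             DBMS_CRYPTO.MAC(src => p_blob, typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key),
             p_tag) = 0;
  END;
BEGIN
  l_blob := UTL_RAW.CONCAT(l_iv,
              DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_typ, key => l_enc_key, iv => l_iv));
  l_tag  := DBMS_CRYPTO.MAC(src => l_blob, typ => DBMS_CRYPTO.HMAC_SH1, key => l_mac_key);

  DBMS_OUTPUT.PUT_LINE('untouched verifies: '
    || CASE WHEN verify(l_blob, l_tag) THEN 'yes' ELSE 'no' END);

  -- Flip one bit in the first IV byte, as someone with access to the data files or a
  -- backup could. CBC decryption of this value still succeeds and silently returns a
  -- plaintext whose first character has changed; only the MAC catches it.
  l_tampered := UTL_RAW.CONCAT(
                  UTL_RAW.BIT_XOR(UTL_RAW.SUBSTR(l_blob, 1, 1), HEXTORAW('01')),
                  UTL_RAW.SUBSTR(l_blob, 2));
  DBMS_OUTPUT.PUT_LINE('tampered verifies:  '
    || CASE WHEN verify(l_tampered, l_tag) THEN 'yes' ELSE 'no' END);

  -- Verify first, decrypt only on success.
  IF verify(l_blob, l_tag) THEN
    DBMS_OUTPUT.PUT_LINE('plain = ' || UTL_I18N.RAW_TO_CHAR(
      DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(l_blob, 17),
                          typ => l_typ,
                          key => l_enc_key,
                          iv  => UTL_RAW.SUBSTR(l_blob, 1, 16)), 'AL32UTF8'));
  END IF;
END;
/
```

Store the tag next to the IV || ciphertext value (a second RAW column is enough) and keep the MAC key under the same protection as the encryption key. The order matters: verifying the MAC before calling DECRYPT means padding errors or garbled plaintext from a modified value are never reached.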

Page 22

Summary

In this lesson, you should have learned how to:
• Describe the encryption options available with Oracle Database 10g
• Use DBMS_CRYPTO to:
  – Generate random encryption keys
  – Encrypt and decrypt table columns

Page 23

Q&A