Oracle security 07-transparent data encryption
云和恩墨 (Enmotech), 成就所托 ("accomplishing what is entrusted to us"), by 王朝阳 18516271611 [email protected]
Objectives
After completing this lesson, you should be able to do the following:
• Describe the encryption options
• Generate random encryption keys
• Encrypt and decrypt table columns
• Encrypt tablespaces
Overview
• Data encryption issues
• Data encryption challenges
• DBMS_CRYPTO package:
– Encrypts column data
– Decrypts column data
– Supersedes DBMS_OBFUSCATION_TOOLKIT
[Figure: DBMS_CRYPTO turns the plaintext value MyCreditCardNum stored in column CUST.CREDITCARD into ciphertext (shown on the slide as OKYMSEISPDTGA).]
Encryption Issues: Cost
• Encryption and decryption of data
– Accessibility
– Performance
• Management of encryption keys
– Secure transmission
– Administrative overhead
Encryption Issues: Access Control
Do not use encryption instead of access control.
• Strong data access mechanisms are available.
• Encryption must not interfere with access control.
Encryption Issues: Access by Privileged Users
• DBAs can access all data. Limit and monitor the DBA by:
– Using SYSOPER with limited privileges
– Creating junior DBA roles to limit access
– Auditing the actions of the DBA
– Running background checks on the DBAs
– Encrypting sensitive columns
• The system administrator has access to all data files.
• Backup media may be compromised.
Encryption Issues: Do Not Encrypt Everything
• Encrypting everything does not make data secure.
• Data is unavailable during key changes.
• Lost keys mean lost data.
• The management of keys becomes critical.
Data Encryption: Challenges
• Key management:
– Generation
– Changing
– Transmission
– Storage
• Encrypting special types of data:
– Indexed
– Large objects (LOBs)
Encryption Key Management: Key Generation
Keys are generated from random numbers. Use an approved random-number generator:
• DBMS_CRYPTO.RANDOMBYTES is based on the RSA X9.31 PRNG.
• DBMS_RANDOM is not approved for key generation.
• DBMS_OBFUSCATION_TOOLKIT.GETKEY is still available.
Encryption Key Management: Key Modification and Transmission
• Change keys periodically, as you would a password:
– Reduce the possibility of brute-force key discovery.
– Re-encrypt the data.
• Transmit the keys in a secure manner:
– Electronic transmission (encrypt the key)
– Physical transmission
Encryption Key Management: Storage
Store the keys by using one of the following methods:
• Store the key in the database.
• Store the key in an operating system file.
• Let the user manage the key.
Storing the Key in the Database
The techniques for protecting keys in the database are:
• Store keys in a separate table.
• Perform additional data transformation.
• Wrap the PL/SQL package that performs the encryption.
• Use a key per row.
• Combine the techniques.
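The following is an added example, not code from the original slides, showing the "separate key table" and "key per row" techniques combined: each CUST row gets its own random key and IV in a CUST_KEYS table, and a package is the only code path that reads the keys. All table, column, package and user names here are hypothetical. Run it as a schema that has EXECUTE on DBMS_CRYPTO and UTL_I18N.

```sql
-- Added example (hypothetical names): per-row keys kept in a separate table,
-- reachable only through the CARD_VAULT package.
CREATE TABLE cust (
  cust_id     NUMBER PRIMARY KEY,
  creditcard  RAW(64)          -- AES-CBC ciphertext of the card number
);

CREATE TABLE cust_keys (
  cust_id  NUMBER PRIMARY KEY REFERENCES cust,
  enc_key  RAW(32),            -- 256-bit key, one per row
  enc_iv   RAW(16)             -- IV used for that row (not secret)
);

CREATE OR REPLACE PACKAGE card_vault AS
  PROCEDURE store_card(p_cust_id IN NUMBER, p_card IN VARCHAR2);
  FUNCTION  read_card (p_cust_id IN NUMBER) RETURN VARCHAR2;
END card_vault;
/

CREATE OR REPLACE PACKAGE BODY card_vault AS
  -- Algorithm + chaining mode + padding, added as DBMS_CRYPTO expects.
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  PROCEDURE store_card(p_cust_id IN NUMBER, p_card IN VARCHAR2) IS
    -- Fresh key and IV for this row, from the approved generator.
    l_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    INSERT INTO cust (cust_id, creditcard)
    VALUES (p_cust_id,
            DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_card, 'AL32UTF8'),
                                typ => c_mode, key => l_key, iv => l_iv));
    INSERT INTO cust_keys (cust_id, enc_key, enc_iv) VALUES (p_cust_id, l_key, l_iv);
  END store_card;

  FUNCTION read_card(p_cust_id IN NUMBER) RETURN VARCHAR2 IS
    l_key RAW(32);
    l_iv  RAW(16);
    l_ct  RAW(64);
  BEGIN
    -- The key row and the data row are joined only inside the package.
    SELECT k.enc_key, k.enc_iv, c.creditcard
      INTO l_key, l_iv, l_ct
      FROM cust c JOIN cust_keys k ON k.cust_id = c.cust_id
     WHERE c.cust_id = p_cust_id;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => l_ct, typ => c_mode, key => l_key, iv => l_iv),
             'AL32UTF8');
  END read_card;
END card_vault;
/

-- Application accounts get the package, never the key table (hypothetical user name).
GRANT EXECUTE ON card_vault TO app_user;
```

Two properties fall out of this layout: a copy of the CUST table alone is ciphertext without keys, and rotating one customer's key means re-encrypting one row rather than the whole column. Wrapping the package body before deployment (the wrap utility, `wrap iname=card_vault.sql`) hides the logic from casual inspection but, as the earlier slide on privileged users says, a DBA who can read both tables can still recover the data; storing keys in the database limits exposure, it does not remove it.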
Storing the Key in the Operating System
Use this method to restrict DBA access to the keys:
1. Set up the file storing the keys so that the DBA does not have access to the file.
2. Retrieve the data from the database without decrypting the data.
3. Decrypt the data in the application accessing the data. The DBA must also be denied access to this application.
Letting the User Manage the Key
User-managed keys have these problems:
• Users forget the key.
• Users archive the key in an insecure manner.
• Users must use secure transmission methods, such as network encryption.
Encrypting Special Types of Data
• Indexed data:
– Encrypt the variable used to access the data
– Not supported
• Large objects (LOBs):
– Use the ENCRYPT procedure of the DBMS_CRYPTO package.
Comparing DBMS_CRYPTO with DBMS_OBFUSCATION_TOOLKIT

Package Feature                  DBMS_CRYPTO                       DBMS_OBFUSCATION_TOOLKIT
Cryptographic algorithms         DES, 3DES, AES, RC4, 3DES_2KEY    DES, 3DES
Database types                   RAW, CLOB, BLOB                   RAW, VARCHAR2
Block cipher chaining modes      CBC, CFB, ECB, OFB                CBC
Cryptographic hash algorithms    MD5, SHA-1, MD4                   MD5
Keyed hash (MAC) algorithms      HMAC_MD5, HMAC_SH1                None supported
DBMS_CRYPTO Package
• Functionality:
– Random-number generation for encryption keys
– Encryption and decryption by using various algorithms
– Multiple cipher block chaining modes
– Multiple cryptographic hash algorithms
– Multiple padding forms
• Procedures and functions in the package include:
– RANDOMBYTES creates random keys.
– ENCRYPT encrypts columns or LOBs.
– DECRYPT decrypts columns or LOBs.
– HASH applies a hash algorithm to data.
Using ENCRYPT and DECRYPT
• ENCRYPT:
encrypted_raw := dbms_crypto.encrypt(src => raw_input,
                                     typ => dbms_crypto.DES3_CBC_PKCS5,
                                     key => raw_key,
                                     iv  => NULL);
• DECRYPT:
decrypted_raw := dbms_crypto.decrypt(encrypted_raw,
                                     dbms_crypto.DES3_CBC_PKCS5,
                                     raw_key);
Using RANDOMBYTES
• Generate a key:
raw_key := dbms_crypto.randombytes(number_bytes => 24);   -- 24 bytes = 192-bit 3DES key
• Encrypt:
encrypted_raw := dbms_crypto.encrypt(src => raw_input,
                                     typ => dbms_crypto.DES3_CBC_PKCS5,
                                     key => raw_key);
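The fragments on the two slides above become a complete anonymous block in the following added example, which is not from the original slides: it draws a random 256-bit key and a random IV with RANDOMBYTES, encrypts a sample string with AES-256 in CBC mode, decrypts it, checks the round trip, and then shows what happens when the wrong key is used. The variable names, the sample value and the choice of AES-256 (rather than the 3DES_CBC_PKCS5 used on the slides, which the same block accepts with a 24-byte key) are mine. Run it with SET SERVEROUTPUT ON as a user with EXECUTE on DBMS_CRYPTO and UTL_I18N.

```sql
-- Added example, not from the original slides: RANDOMBYTES + ENCRYPT + DECRYPT round trip.
DECLARE
  l_plain      VARCHAR2(200) := 'MyCreditCardNum';   -- sample value used on the slides
  l_plain_raw  RAW(2000);
  l_key        RAW(32);                              -- 256-bit key for AES-256
  l_wrong_key  RAW(32);                              -- a second, unrelated key
  l_iv         RAW(16);                              -- one AES block; fresh per value
  l_cipher     RAW(2000);
  l_decrypted  RAW(2000);
  -- Algorithm, chaining mode and padding are added together, as the package expects.
  l_mode       PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                            + DBMS_CRYPTO.CHAIN_CBC
                            + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
  -- Key material comes from the approved generator (RANDOMBYTES), never from DBMS_RANDOM.
  l_key       := DBMS_CRYPTO.RANDOMBYTES(32);
  l_wrong_key := DBMS_CRYPTO.RANDOMBYTES(32);
  l_iv        := DBMS_CRYPTO.RANDOMBYTES(16);

  l_plain_raw := UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8');

  -- CBC chains the IV into the first block, so the same plaintext under the same key
  -- produces different ciphertext whenever the IV differs.
  l_cipher := DBMS_CRYPTO.ENCRYPT(src => l_plain_raw,
                                  typ => l_mode,
                                  key => l_key,
                                  iv  => l_iv);
  DBMS_OUTPUT.PUT_LINE('ciphertext: ' || RAWTOHEX(l_cipher));

  -- Decrypt with the same key, mode and IV, then compare with the original.
  l_decrypted := DBMS_CRYPTO.DECRYPT(src => l_cipher,
                                     typ => l_mode,
                                     key => l_key,
                                     iv  => l_iv);
  IF UTL_I18N.RAW_TO_CHAR(l_decrypted, 'AL32UTF8') = l_plain THEN
    DBMS_OUTPUT.PUT_LINE('round trip OK');
  ELSE
    RAISE_APPLICATION_ERROR(-20001, 'round trip failed');
  END IF;

  -- "Lost keys mean lost data": with any other key the PKCS5 padding of the last
  -- block almost never verifies, so DECRYPT raises instead of returning plaintext.
  BEGIN
    l_decrypted := DBMS_CRYPTO.DECRYPT(src => l_cipher,
                                       typ => l_mode,
                                       key => l_wrong_key,
                                       iv  => l_iv);
    DBMS_OUTPUT.PUT_LINE('padding happened to verify: output is garbage, not plaintext');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('decrypt with wrong key failed as expected: ' || SQLERRM);
  END;

  -- The IV is not secret and is normally stored beside the ciphertext; the key is not.
END;
/
```

Note that a padding error is a side effect, not an integrity check: roughly one wrong key in 256 will pass the padding test and yield garbage. Where you need to know that ciphertext is intact and came from the key holder, store a MAC over the ciphertext alongside it (see the MAC slide later in this lesson).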
Enhanced Security Using the Cipher Block Modes
[Figure: Cipher Block Chaining. The initial value (IV) block is XORed with the first plaintext block before it is encrypted, giving the encrypted first block; that encrypted first block is then XORed with the next plaintext block before it is encrypted, giving the encrypted next block, and so on through the message.]
Hash and Message Authentication Code
• DBMS_CRYPTO includes both HASH and Message Authentication Code (MAC) functions.
• Both produce a one-way hash of a LOB or RAW.
• Use this hash to verify data integrity.
• MAC uses a secret key.
• Example:
mac_raw := dbms_crypto.mac(src => raw_input,
                           typ => dbms_crypto.HMAC_MD5,
                           key => raw_key);
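The difference between HASH and MAC is easiest to see on a message that gets modified in transit. The following added example, which is not from the original slides, computes both over a constructed message, then verifies the MAC against the original and against a tampered copy; the message text, key handling and the `mac_ok` helper are mine. SHA-1 is used because it is one of the algorithms listed on the comparison slide. Run with SET SERVEROUTPUT ON.

```sql
-- Added example, not from the original slides: HASH (keyless) versus MAC (keyed).
DECLARE
  -- Constructed sample message, and a tampered copy of it.
  l_msg       RAW(2000) := UTL_I18N.STRING_TO_RAW('amount=100.00;to=ACCT-42', 'AL32UTF8');
  l_tampered  RAW(2000) := UTL_I18N.STRING_TO_RAW('amount=999.00;to=ACCT-42', 'AL32UTF8');
  -- Secret shared only by the party that created the MAC and the party that checks it.
  l_key       RAW(32)   := DBMS_CRYPTO.RANDOMBYTES(32);
  l_hash      RAW(20);   -- SHA-1 digest is 20 bytes
  l_mac       RAW(20);   -- HMAC-SHA1 tag is 20 bytes

  -- Recompute the MAC over the received data and compare with the tag that came with it.
  FUNCTION mac_ok(p_data IN RAW, p_expected IN RAW, p_key IN RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(src => p_data, typ => DBMS_CRYPTO.HMAC_SH1, key => p_key)
           = p_expected;
  END mac_ok;
BEGIN
  -- A plain hash needs no key, so anyone who changes the data can recompute it.
  -- It detects accidental corruption, not deliberate modification.
  l_hash := DBMS_CRYPTO.HASH(src => l_msg, typ => DBMS_CRYPTO.HASH_SH1);
  DBMS_OUTPUT.PUT_LINE('SHA-1 of original : ' || RAWTOHEX(l_hash));
  DBMS_OUTPUT.PUT_LINE('SHA-1 of tampered : '
                       || RAWTOHEX(DBMS_CRYPTO.HASH(src => l_tampered,
                                                    typ => DBMS_CRYPTO.HASH_SH1)));

  -- A MAC needs the key, so a matching tag for modified data cannot be produced
  -- without it.
  l_mac := DBMS_CRYPTO.MAC(src => l_msg, typ => DBMS_CRYPTO.HMAC_SH1, key => l_key);
  DBMS_OUTPUT.PUT_LINE('HMAC-SHA1 tag     : ' || RAWTOHEX(l_mac));

  IF mac_ok(l_msg, l_mac, l_key) THEN
    DBMS_OUTPUT.PUT_LINE('original message : MAC verifies');
  END IF;

  IF NOT mac_ok(l_tampered, l_mac, l_key) THEN
    DBMS_OUTPUT.PUT_LINE('tampered message : MAC mismatch, reject it');
  END IF;
END;
/
```

The same pattern is what protects ciphertext stored in a table: keep the MAC of the ciphertext next to it and check it before calling DECRYPT. The slides list MD5 and SHA-1 for Oracle Database 10g; later releases add SHA-2 constants (HASH_SH256, HMAC_SH256), which are the ones to prefer where available.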
Summary
In this lesson, you should have learned how to:
• Describe the encryption options available with Oracle Database 10g
• Use DBMS_CRYPTO to:
– Generate random encryption keys
– Encrypt and decrypt table columns