Your SlideShare is downloading. ×
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Defending the Oracle Database with Advanced Security Features
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Defending the Oracle Database with Advanced Security Features

1,872

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,872
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
35
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Defending the Oracle Database with Advanced Defence Security Features Mikoláš Panský Difficulty There are some actual issues with Oracle Security. There is a new book The Oracle Hacker’s Handbook written by David Litchfield. It covers possible methods to attack the Oracle server. Some of the examples shown in that book are based on traffic sniffing, direct access to Oracle's Shared Global Memory, or just accessing the raw data files. S ome of these risks could be prevented the OS Authentication case, security is traded by adding Advanced Security features to for comfort resulting in a less secure environ- an already existent database. This does ment. Network authentication is implemented not mean that you would open the box and a using Secure Socket Layer or the help of perfect unique shield will protect your database. Third-Party Services. These could for exam- It does not work like this. All these features must ple be Kerberos or PKI-based authentications. be carefully planned and velvety implemented. In my opinion the most commonly used meth- In the event of a system crash/ configuration od of authentication is the Oracle Database is error your data may never be recovered other- the text password. Thus far it achieves decent wise. However if the implementation is carefully security, and ease of use. However this is all planned, and you have an experienced DBA governed by the complexity of the password there is way to better defend your database. as well as it's resistance to social engineering. There is no need to install any other system Authentication authentication. Nor is it a simple walk around Authentication means verifying the identity of a poorly secured operating system. Database subject who wants to access database objects. When authentication is successfully passed, authorization processes comes into play. Au- What you will learn... thorization is the process that controls access • What is Oracle Wallet, to database objects. There are different meth- • What is Transparent Data Encryption, ods of authentication. The most commonly • What is Oracle Advanced Security. used are authentication by the Operating Sys- tem, Network, Database, Multi-Tier System, or What you should know... Secure Socket Layer. When OS Authentica- tion is used there is no need for any further • Basic knowledge of SSL, validation. Users can connect to database just • Basic knowledge of computer Cryptography by running the database client (e.g. sqlplus). In 56 hakin9 4/2007 www.hakin9.org/en
  • 2. Oracle Wallet, Transparent Data Encryption, Network data encryption and integrity authentication is based on the layer that handles queries and user esses. First is to ensure that only comparison of a given username/ controls. Multiple users can access certain users can access, process, password combination. As well as a data server without separate con- or alter data. The second is to ap- information encrypted and stored in nections for each of them. For these ply limitations on user access or a data dictionary. Users can change purposes an Oracle Call Interface actions (e.g. limitations of objects their passwords at any time. One could be used. It has some advan- and/or resources). When speaking of the basic tasks in securing the tages but generally it is not recom- of authorization – One of the first database should be enabling pass- mended due to poor security. Once questions to ask is what privileges word encryption while connecting, an account has been compromised a particular user has? A privilege is account locking, password lifetime the attacker gains full access to the a right to execute a particular type and expiration, password history application, and may seek higher of SQL statement or to access an- and password complexity verifica- account privileges. other user’s object. Privileges could tion. These requests are explained be granted to a user one by one or in detail in the Oracle Database Authorization in groups through roles. Roles are Security Guide. This was my prior Post-authentication tasks (that incorporated into the database to reference source for this article. My verifies user identity) have to control simplify the process of adminis- intentions were not to rewrite the user's access to database objects. trating users and their rights to do entire manual. I wanted to give you At first we used profiles and iden- something in the database. There short overview and save you sev- tification methods to complete the are two main categories of privi- eral hours of reading. Other ways first task. Now we need to manipu- leges. System privileges should be to control access to the database is late privileges, roles, profiles and granted with care. They should to create Multi-Tier Application. This resource limitations. The authori- never be given to common database provides access to database with a zation consists of two main proc- users. They should be granted only to administrators and application developers. The SQL statements to Tables that are Used to Build the Views use with privileges are GRANT and REVOKE. There is one unique fac- • user$ – table of users identified by name, type and number. tor about privileges in Oracle. It is • defrole$ – default roles (columns are user# and role#). possible to grant privileges with the • objauth$ – table of authorization. admin option. This option allows the • sysauth$ – system authorization (system privileges, grantee, options). • ts$ – tablespaces. target user to grant or revoke such • obj$ – Objects. Identifies objects by name, type and owner number. privileges to/from another person. • cols$ – Columns. Object privileges control user’s ac- • profile$ – Connects profiles and resource privileges. cess to tables, views, procedures, • resource _ map – description of resources. functions or packages. • system _ privilege _ map – description of system privileges. • table _ privilege _ map – description of auditing privileges. Concept • user _ astatus _ map – status of password and account status. I must begin at the starting point for exploring the Oracle Database. This is a Conceptual Guide. The basic idea of Security is to deny or allow Security Related Views users actions. The ideal model of VIEWS RELATED TO PROFILES: security implementation in Oracle is discretionary access control. This DBA_PROFILES, DBA_SQL_PROFILES. means that privileges are granted to users at the discretion of other us- VIEWS RELATED TO ROLES: ers. The database itself stores a list DBA_APPLICATION_ROLES, DAB_CONNECT_ROLE_GRANTEES, DBA_ROLE_PRIVS, DBA_ROLES, of users. When a user is trying to ac- PROXY_ROLES, PROXY_USER_AND_ROLES. cess a database application a valid username and password must be VIEWS RELATED TO PRIVILEGES: provided. A security domain exists for each user. A security domain DAB_COL_PRIVS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DAB_TAB_PRIVS. is set of privileges and roles, table VIEWS RELATED TO USERS: space quotas and system resources limits. A privilege is an implemen- DBA_USERS. tation of access control. Oracle is very flexible and offers precise www.hakin9.org/en hakin9 4/2007 57
  • 3. Defence tables to PUBLIC. However I would Listing 1. Creating TDE column with and without salt definitely not recommend this. The CREATE TABLE gold_partner ( only usage that comes to my mind partnerID NUMBER ENCRYPT NO SALT, is database access level debugging. name VARCHAR2(128), Yet another way to use this view surname VARCHAR2(128), would be to check to see who has ccno NUMBER(16) ENCRYPT USING ‘M4g1cW0rD’ the grantable right. ); CREATE INDEX partnerID_idx ON god_partner (partnerID); Supervisors To administer the database, there Listing 2. Sample sqlnet.ora for server are two predefined accounts in the system – SYS and SYSTEM. In pre- # sqlnet.ora Network Configuration (Server) vious versions (10g and less) there # Example configuration for server to use Oracle Advanced Features was a default password associated SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5) with these accounts. SYS had default SQLNET.ENCRYPTION_TYPES_SERVER= (3DES168, 3DES112, DES40) password CHANGE_ON_INSTALL and SYSTEM had default password Listing 3. Sample sqlnet.ora for client MANAGER. One of the very impor- tant tasks during database crea- # sqlnet.ora Network Configuration (Client) tion CREATE DATABASE is to use # Example configuration for client to use Oracle Advanced Features commands USER SYS IDENTIFIED SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (MD5) SQLNET.ENCRYPTION_TYPES_CLIENT= (3DES112, 3DES168, DES40) BY password and USER SYSTEM IDENTIFIED BY password to change default passwords for these accounts. control of user’s privileges. We the previous issues of Hakin9 maga- There are many hacking tools to could divide system privileges into zine these views could be modified reveal default password association. two categories. One of its privileges with full access to the database to These accounts are really powerful! that is applicable to whole database hide users, processes etc. There It is a good idea to create another ac- system. This privilege has a name are many view used for security count to perform daily administration word ANY. These privileges are purposes. tasks and avoid using these types of very powerful. It gives access rights Some of this views also has ALL accounts. To help simplify adminis- to all objects that are not in the SYS and USER versions. It differs in tration of privileges associated with scheme (data dictionary). Access to scope from objects that display. The each user a group of privileges called the data dictionary could be regu- difference could be obtained from Role exists for this purpose. These lated by the system initial parameter view name prefix. We have ALL, could be granted with the GRANT 07 _ DICTIONARY _ ACCESSIBILITY. If this which displays all objects, USER clause. Imagine there is inquiry to parameter is set to false no privilege displays objects that are owned by manage access control for a hundred could access the data dictionary. user and DBA corresponds to the The rest of system privileges af- database administrator's objects. fect the state of the database. For These views are in the database to Oracle Wallet example these could be privileges show their user-friendly way follow- Registry Keys to CREATE TABLESPACE, AUDIT ing database tables: SYSTEM, CREATE LIBRARY etc. As I mentioned above there is DEFAULT: Most of the system privileges could another group of privileges. These HKEY_CURRENT_USERSOFTWARE be found in the SYSTEM_PRIVI- privileges are object privileges. ORACLEWALLETSDEFAULT LEGE_MAP view. We could allow These are relevant to a specific standard access to this table by is- object. For example when a user ENCRYPTED WALLET: suing a query to explore its contents. wants to view the content of the To view system privileges granted to employee table, he has to issue the HKEY_CURRENT_USERSOFTWARE ORACLEWALLETSDEFAULT users and roles we could use the SELECT command. However it’s EWALLET.P12 DBA _ SYS _ PRIVS view. In terminology not allowed by default for the user the system privileges view grantee to view their privileges. If the admin- OBFUSCATED ORACLE WALLET: is the person who has the privilege istrator would like to allow users to granted to. These views could serve see what access level they have, HKEY_CURRENT_USERSOFTWARE for easy database administration, access could be granted to the view ORACLEWALLETSDEFAULT but it is not recommended that one user _ objects _ privs or user _ sys _ CWALLET.SSO rely on it 100%. As stated in one of privs by making the access to these 58 hakin9 4/2007 www.hakin9.org/en
  • 4. Oracle Wallet, Transparent Data Encryption, Network data encryption and integrity users from ten different departments. Another case of using roles would be ated for this purpose. However this This could become very frustrating necessary when there is need to use principle allows the implementation without having to associate each several different applications. It’s the element that changes the access user with at least five different privi- same principle, however it differs a bit privileges during runtime just by us- leges. Things would become even in the reason to create role. Imagine ing the SET ROLE clause on the fly. worse if you had to change privileges applications that use a table of offers. The most powerful role in the system for all users in the department. This With the use of roles in the game it’s is DBA (stands for Database Admin- is where user roles come into play. much easier to change the access istrator). This role is implicitly asso- For each department a role could be depending on the user that is logged ciated with the SYS and SYSTEM created. Then changing privileges for into the application. For example account. However I must again note all departments would be as easy when regular user is logged into an that access control to these accounts as grant/revoke privilege from role. application there could be a role cre- is a critical task. In obsolete versions of Oracle (8i and older) there was a special user named INTERNAL that could access the database whether it was in a MOUNT or NOMOUNT state. This account had the default password set to oracle. This account wasn’t maintained in the database data dictionary, but in an Oracle password file. In past versions the INTERNAL mechanism has been re- place by the SYSDBA and SYSOPER privilege. SYSDBA privileges allows user to startup, shutdown, backup, recover and create databases. The list of all users who has SYSDBA or SYSOPER privileges could be found in v$defile users. There is a limitation for the SYSDBA role – it cannot be granted to the public. Another is- sue when creating databases is the default action of creating the role PUBLIC. This role is often used in hacking methods. There are two main reasons. The first is that some Figure 1. ORACLE.WALLET.SCREENSHOT people don’t even know that it exists. That’s because it cannot be seen in dab_roles. Another and even more important reason is because chang- ing the privileges in this role applies to other users as well. This role is cre- ated when a new database is created (to create new database Oracle uses the script sql.bsq). To determine the type of account the user is connected to database with could be shown with SHOW USER (SQL*Plus). There is one more thing in using these ac- counts. The objects owned by user SYS cannot be exported via standard tools (exp, imp). Another rule tells us that No objects may be created in SYS schema. The SYS schema has the job of storing data dictionary objects and it is fully managed by the Figure 2. ORACLE.NETWORK.MANAGER database itself. www.hakin9.org/en hakin9 4/2007 59
  • 5. Defence Application tokens etc. The third reason against to compromise data integrity as it is Security Roles this is user access to the database moved between sites. User identify Application security roles could be is less effective than with the usage falsifying is an attack vector based enabled only by authorized PL/SQL of roles. This restriction could be on the premise that an attacker can packages. To ensure higher level of overcome by using a set role dy- pretend that he/she is someone else. security it is better not to embed pass- namically. And last but not least is to Another type of attack in this group is words in the source code or the table. disable the Oracle Identity Manager. to hijack the connection of the user. In order to achieve this it is necessary The fundamentals in implementing a to create a secure application role Secure Application Role are based Oracle Advanced that could define which PL/SQL pack- validating the identity by looking into Security Secure age has sufficient privileges to enable the context. Application roles could Sockets Layer this role. This concept could be en- be also used for controlling the value Authentication hanced by adding additional checks of IP an address, where is the user Oracle Advanced security supports of conditions for authorization by the connecting from? Application roles both Secure Sockets Layer (SSL) application. However implementing could be implemented in separate and Transport Layer Security (TLS) authorization on the client side of the packages. The basic principle of us- protocols. The SSL protocol is au- application is always tricky. The main ing a secure application role is to as- thentication and encryption method reason for this is the fact, that an ap- sociate privileges with User Database that enhances TCP clients with secure plication could be skipped by using Roles. Let’s focus on some of the services. This protocol was originally sqlplus client or any other tool to con- details of using roles. Roles are used developed by Netscape Communica- nect to the database. Another reason to simplify the process of granting tion Company to secure the HTTP to use security mechanisms on the and revoking user privileges. A role is protocol communication between server side is re-usability. There is a set of privileges that allows a user client and server. This still remains no need to implement the security ac- to access objects (see SQL code). its primary usage. The SSL protocol cess control twice when we change Another interesting query to view is on based on IETF standard RFC- the application. It is enough to store it could provide information about the 2246 under name TLS (Transport once on the server and then reuse it default privileges assignment. This Layer Security). Each side in the com- with different applications. Also when could be done by querying the list of munication gives proof of identity with using database server side security all privileges with restrictions only to a digital certificate (encrypted block of we could use all the security features the PUBLIC grantee. It is highly rec- data). A certificate is validated by a that Oracle offers (fine-grained ac- ommended that privileges be revoked trusted third-party which then verifies cess control with application context), from the PUBLIC. So from this we the communication between identity roles, stored procedures and auditing. could derive the most popular method and a given encrypted key. This third- For this reasons Use of Ad Hoc Tools used to hack the database. This is to party is called Certification Authority is a potential security problem. obtain the highest privileges or the (see http://www.openssl.org) for more It is recommended by Oracle to most powerful role in the system. details. Using this feature ensures equal application users to database encrypted connections between cli- users. This would give us the potential Oracle Advanced ents and servers, and it could also be to use all security features that Oracle Security used to validate a secure client/server has to offer. However this is not true OAS is a collection of security fea- database connection. This feature for many applications. Most of these tures related to Oracle Net Services, applications use one user to connect Oracle Database, Oracle Application to the database with higher privileges. Server and Oracle Identity Man- Frequently Used Terms It is the so-called One Big Application agement infrastructure. It provides in Cryptography User model. There are some disad- defenses against most common vantages while using this model to security threats. Eavesdropping, • Encrypt – Scrambling data to make access the database. For example data theft, data tempering, falsifying it unrecognizable. • Decrypt – Unscrambling data to its there is no way to audit the actions user identities and password-related original format. of each user using this application. threats. Eavesdropping is the illegal • Cipher – Another word for algo- The database doesn’t recognize each interception of conversations by unin- rithm. user. If we would like to use auditing in tended recipients. This is the method • Certificate Authority (CA) – third- the One User Model we must imple- used by an intruder once data is sent party, e.g. Verisign, CyberTrust or ment our own auditing mechanisms. over an insecure network (de facto RSA. The second disadvantage of using whole Internet). However even in a • Digital Certificates – Consists of the one user model is the possible de-militarized zone network sniffers private key and public key the pri- inability to use Advanced Security could be used to capture secret com- vate key has to be verified by CA. Authentication. These include SSL, munications. Data Tempering means 60 hakin9 4/2007 www.hakin9.org/en
  • 6. Oracle Wallet, Transparent Data Encryption, Network data encryption and integrity session key. A session key is shared Public-Key Cryptography Standards (PKCS) Support by at least two parties. It is used for Author of this standard is RSA Data Security Inc. [8] RSA is part of EMC Corporation the duration of that particular com- [9] – American manufacturer of software and security management and storage sys- munication session. This improves tems. RSA has the patent for RSA asymmetric key algorithm. RSA research resulted the security via cracking the session in PKCS standard. This defines the industry standard for promoting and facilitating the key due to frequency of session key use of public-key techniques. Today there are fifteen PKCS standards. For our pur- change. The next part is the authen- poses the most relevant are PKCS #15, #12 and #10. PKCS #15 is the standard that tication process. At first the user initi- enables users to use cryptographic tokens to identify themselves to multiple, standard- ates an Oracle Net connection to the aware applications regardless of the application’s cryptoki (or other token interface) server by using SSL. SSL performs provider. PKCS #12 is standard of format to store X.509 certificates and private keys. a handshake between client and the Finally there is PKCS #10 to generate certificate requests. The hardware storage of server and if the handshake is suc- credentials is conforming to PKCS #11 specification. cessful, the server verifies that the user has the appropriate authoriza- is great in case of fraud attempts by example, the two nodes negotiate to tion to access the database. To make sniffing the network communication. It see which cipher suite they will use this things work there is a Public Key also improves the reliability of the au- when transmitting messages back infrastructure (Also Known As PKI) in thentication process. There are some and forth. The server sends its cer- the Oracle Environment. PKI ensures basic steps in Oracle SSL communi- tificate to the client and the client veri- trusted relations for the entire organi- cation. There are two main parts of fies that the server’s certificate was zation. The PKI that used by Oracle is SSL communication. The first is SSL signed by a trusted CA. This ensures based on RSA Security, Inc., Public- handshake, and second is the ac- proof of the server’s identity. If client Key Cryptography Standards. [10] tual authentication process. The SSL authentication is required, the client PKI is a robust public key system that handshake consists of following steps. sends its own certificate and server was designed to utilize single-sign-on The client and the server establish a verifies that the client’s certificate was feature and provide digital ID. In con- set of authentication, encryption and signed by a trusted CA. Next client trast to private-key or symmetric-key data integrity algorithms used for ex- and server exchange key information cryptography that requires a single, changing messages between network using public key cryptography. Based secret key that is shared by two or nodes. During an SSL handshake, for on this information, each generates a more parties public-key cryptography A D V E R T I S E M E N T www.hakin9.org/en hakin9 4/2007 61
  • 7. Defence makes the public key freely available. the private key and configure trusted Oracle Wallet Manager The public key is used to encrypt mes- certificates. And finally Hardware Se- Is used as place to store, manage sages that can only be decrypted by curity Modules are devices that stores and edit authentication and signing the holder of the associated private cryptographic information, such as pri- credentials. This includes private key. The private key is securely stored vate keys or to perform cryptographic keys, certificates and trusted certifi- together with other security creden- operations to off load RSA operations cated needed by SSL. It could also tials in an encrypted container called a from server. There are two types of be used as storage for credentials wallet. A wallet is a data structure used this device: server-side (stores keys) for a hardware security module. to store and manage security creden- and client-side (smart card readers). To protect the content a password tials for an individual entity. A Wallet To improve the security, it is possible must be chooses that complies with Resource Locator (WRL) provides all to use additional authentication meth- the Password Management Policy the necessary information to locate ods (RADIUS, Kerberos). SSL brings guidelines (min. 8 chars, alphanu- the wallet. Public-key algorithm has some issues with using Firewalls. meric required). It could be used a weakness that could be exploited Firewalls that perform packet inspec- to store certificates (X.509) under in the absence of the communicating tions must have this feature disabled Triple-DES encryption. For optimum party’s identity verification. This type otherwise they are unable to read wallet access and administration of attack is called the man-in-the- the packet. In this case Oracle Net Oracle provides an option to store middle. It’s based on the idea that an Firewall Proxy kit can provide some your user profile in the registry. [6] intruder captures the public key of the specific support for database network OWM enables one to store sender. Then uses his/her own public traffic. U.S. government regulations multiple certificates in each wal- key to send messages to the receiver. prohibit double encryption. This is the let supporting SSL authentica- When the receiver responds, the reason why this will not work concur- tion, S/MIME signature, S/MIME intruder is able to re-encrypt the mes- rently with SSL encryption or another encryption, Code-Signing and CA sage with public key of sender and encryption method. Certificate Signing. The process of forwards the message to the sender. obtaining a new certificate consists It gives the intruder the possibility to OAS SSL of several steps. First is to gener- read the message (eavesdropping). Authentication Practice ate a unique private/public key pair. To prevent this type of attack, it is nec- When implementing advanced secu- The private key stays in the wallet essary to verity the owner of the public rity features there are some options. and the public key is sent with the key through authentication. This is the You can utilize third-party software request to a certificate authority. point where CA comes to play. The like Kerberos or RADIUS; it is pos- Once the certificate authority gen- CA issues public key certificate that sible to use Secure Socket Layer erates and signs the certificate it contains information about the prin- (SSL). Oracle has a specific set of could then be imported into the cipal entity’s security credentials and tools used to manage certificates, wallet that has the corresponding encrypts a message with private key. wallets and certificate revocation private key. There is X.509 Version This provides an opportunity to verify lists. Oracle’s Wallet Manager is an 3 Key Usage extension to define that the key was issued by the CA. In application that stores security cre- Oracle PKI certificate usage. Ora- an Oracle Environment the PKI com- dentials in the users Oracle wallets. cle’s Wallet also supports LDAP. ponents include Certificate Authority, This Manager can be used to create This feature allows users to retrieve Certificates, Certificate Revocation public and private key pairs, store and their wallets from LDAP directory. Lists, Wallets and Hardware Secu- manage user credentials, generate This allows users to access wallets rity Modules. CA issues the certificate certificate requests, store and man- from multiple locations or devices. signed with its own private key. To age certificate authority certificates, Only functional wallets could be up- verify the certificate was in fact issued upload and download wallets to and loaded to LDAP. To protect access by the CA its public key is used. The from an LDAP directory and create Oracle’s wallets are stored in LDAP certificate is created only in the event wallets to store hardware security there are passwords to access that the entity’s public key is signed by module credentials. OWM could be Wallets from LDAP and another to a trusted CA. Certification Revocation found on UNIX in $ORACLE _ HOME/bin/ open the Wallet itself. It is recom- (CLR) lists is a list where CA stores ex- owm . See Figure 1. Another important mended that separate password pired or invalid certificates. The server tool is Oracle’s Net Manager. It is be used where neither one can searches for CLRs in the following well known common database ad- logically be derived from the other. locations: local file system, Oracle ministration however when oracle’s The description of creating a new Internet Directory and CRL Distribu- advanced security is installed Oracle wallet could be found in [9 Chap- tion Point. Oracle Wallet is used for Net Manager allows one to configure ter 9.3]. Here is a short overview generating a public-private key pair strong authentication, network en- of possible actions: Create wallet and create certificate request, store cryption and check summing for data (standard or stored on a hardware a user certificate that matches with integrity. See Figure 2. security module [ PKCS #11]), Open, 62 hakin9 4/2007 www.hakin9.org/en
  • 8. Oracle Wallet, Transparent Data Encryption, Network data encryption and integrity ALL _ ENCRYPTED _ COLUMNS and USER _ ENCRYPTED _ COLUMNS. References • [1] Oracle Database Advanced Security Administrator’s Guide 10gR2. Network • [2] SSH (O’Reilly) – cap. 1.6.6 Secure Socket Layer SSL. Data Encryption • [3] Chey Cobb, CISSP – Cryptography for Dummies (Wiley) 2004. and Integrity • [4] The Oracle Hacker’s Handbook. Let’s recap what we have learned • [5] Transparent Data Encryption stores key unencrypted in the SGA, in this article. Some time ago when http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html. Oracle was in version 8.1.7 there • [6] Oracle Database Platform Guide 10gR2 for MS Windows (32-bit). was restrictions on the exporta- • [7] Public Key Cryptography Standard, http://en.wikipedia.org/wiki/PKCS. • [8] RSA Security, http://en.wikipedia.org/wiki/RSA_Security. tion of cryptosystems from the US. • [9] EMC Corporation, http://en.wikipedia.org/wiki/EMC_Corporation. That’s why there are several ver- • [10] Oracle’s special users: SYS, SYSTEM, INTERNAL and PUBLIC, sions (in 8.1.7) these are Domestic, http://www.adp-gmbh.ch/ora/misc/sys_system_internal.html. Upgrade and Export. Each version • [11] Oracle password file (orapwd utility), is different in the key length that is http://www.adp-gmbh.ch/ora/admin/password_file.html. uses. There is well known post-at- tack on Oracle action. This con- sists of Rootkit deployment upon Close, Upload /Download to /from serve as a warning that even the successful infiltration. Another is LDAP Directory, Save, Save As, most complex security defense is just to distract data integrity in two Delete, Change password, Use useless when there is someone possible ways data modification Auto-Login, Manage Certificates. who has a bright idea and a genius attack (this mean to alter in some Let’s have a quick look at the last brain. Let’s have a look what we manner values stored in database) action. There are two types of cer- already know. The usage of Wallet and replay attack (multiple usage tificates to manage. There are User is to store the master keys. There of normally disallowed transaction). certificates and trusted certificates. are specific commands to work with Oracle offers defenses against The first step will be to Request Wallets. For the sake of this article these types of attack by using a certificate (there is difference in let’s assume say there is only one checksumming packages. I mean key length 512b-4096b ). After the key that opens and allows access the usage of MD5 (Message Di- Certification Authority processes to our wallet. There is also a feature gest 5) or SHA-1 (Secure Hash and approves your request for cer- to enable auto-login into the wallet. Algorithm) SHA-1 to prevent and tificate it is possible to import the The mkwallet is a command line util- discover this type of attack. The certificate into the wallet. = ity that allows wallet management principle is to use hash algorithms without a GUI. Just after the wallet to create a checksum. On the base Transparent is setup and it is opened with master of this checksum there is possibility Data Encryption key we can start to create and use to discover if the data integrity has Transparent Data Encryption works the transparent data encryption. been altered on its way between to enhance database security at the To set a new master key issues server and client. This could pre- Operating System Level. This fea- this command: ALTER SYSTEM vent man-in-the-middle attack). ture can protect the Virtual Private SET ENCRYPTION KEY IDENTI- The principle is based on session Database [4]. This type of attack is FIED BY password. To make the key by Diffie-Hellman negotiation based on raw access to data files. encrypted data accessible just is- algorithm. Then OAS combines Data encrypted using Transparent sue ALTER SYSTEM SET WALLET the shared secret and the Diffie- Data Encryption could be helpful OPEN IDENTIFIED BY password. Helman session key to generate in a regulatory issue. Also there is Right after opening the wallet TDE a stronger session key designed to no need to request users to store uses standard DDL e.g. CREATE defeat a man-in-the-middle attack. encryption keys. It also simplifies TABLE table_name (column _ name To activate Encryption and Integrity the development process because column _ type ENCRYPT, …), AL- the server selects which algorithm it is not necessary to make any TER TABLE table_name MODIFY to use from those specified in the deep changes in applications that (column _ name column _ type EN- sqlnet.ora files. There are four access data. There are some cases CRYPT,…). Access to all encrypted levels of security between client where TDE it is not recommended columns in the database could be and server. These are REJECTED (indexes, BLOB and utilities with done by statement ALTER SYSTEM (minimum amount), ACCEPTED raw access to data). While TDE is SET WALLET CLOSE. To get infor- (default), REQUESTED and RE- good it is not the ultimate solution. mation of what columns in database QUIRED (maximum amount). As The master key is stored unen- are encrypted just use following an option the encryption seed can crypted in the SGA [5]. This should views: DBA _ ENCRYPTED _ COLUMNS, be set. l www.hakin9.org/en hakin9 4/2007 63

×