Database Security - Encryption

  • 1. Database Encryption
  • 2. Encryption: overview
    • Encrypting data-in-transit: protecting data as it is transmitted between client and server.
    • Encrypting data-at-rest: storing data in the database in encrypted form.
    • Encrypting data is one more layer of security (security in depth). It does not substitute for other DB security techniques such as strong passwords.
  • 3. Encrypting Data-in-transit
    • For a hacker to eavesdrop on a conversation and steal data, two things have to happen:
      • 1) Physically tap into the communications between the DB client and the DB server.
      • 2) Understand the communication stream in order to extract the sensitive data.
    • In order to do this, what does the hacker need?
  • 4. Tools for packet sniffing
    • The hacker needs a minimum understanding of TCP/IP, plus one of the many network protocol analyzers that are freely available.
    • Packet: a formatted block of data transmitted by a network.
    • Sniffing: capturing and analyzing packets (like a dog sniffing).
  • 5. Minimum Understanding of TCP/IP
    • A network security book. Example: Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Network Security: The Complete Reference.
    • TCP/IP is well documented all over the web; the documentation describes the headers of each packet.
  • 6. Where to run a Network Packet Analyzer?
    • On a client machine that has access to the database server
    • On the database server
  • 7. Network Protocol Analyzer: examples
    • tcpdump: utility available as part of the installation on most UNIX systems. Can be downloaded from
    • windump: the Windows counterpart. Available on some systems. Can be downloaded from
    • Wireshark ( ): the world’s most famous network protocol analyzer. Formerly Ethereal (
  • 8. Implementing Encryption for data-in-transit
    • Fortunately there are also many encryption techniques for data in transit:
      • Database-specific features such as Oracle Advanced Security
      • Connection-based methods (such as SSL)
      • Secure tunnels (such as SSH)
      • Relying on the operating system (IPSec encryption)
  • 9. OAS
    • Oracle Advanced Security (previously Advanced Networking Option) contains network encryption tools. Depending on the Oracle version, it is available at no extra cost; it is for the Enterprise Edition.
    • The best literature for OAS is the Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.
  • 10. Secure Sockets Layer (SSL)
    • A cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.
    • You may enable SSL from within a DBMS.
    • SQL Server, for example: Programs -> Microsoft SQL Server -> Server Network Utility, check the "Force protocol encryption" checkbox. Then stop and start SQL Server.
    • The server must also be told how it will derive its encryption keys.
    • Note: make sure that your version of SSL is compatible with your version of MySQL (as with ODBC or JDBC).
  • 11. SSH Tunnels
    • SSH is used in many applications. Example: an encrypted substitute for FTP.
    • For most DBMSs, you can set up SSH tunnels to encrypt database traffic by port forwarding (an encrypted session between client and server).
    • Example: to connect a Linux client machine with IP CCC.CCC.C.CCC to a MySQL instance installed on a server with IP address SSS.SSS.S.SS, listening on port 3306 (the default MySQL port):
    • ssh -L 1000:localhost:3306 SSS.SSS.S.SS -l mylogin -i ~/.ssh/id -N -g
    • -L = port forwarding: any connection attempted on port 1000 on the local machine is forwarded to port 3306 on the server, so every connection to port 1000 goes through the encrypted tunnel. (-l gives the login name, -i the private key file, -N runs no remote command; -g lets other hosts connect to the forwarded local port, so leave it out unless that is intended.)
  • 12. IPSec
    • Another infrastructure option that protects the DB with encryption tools.
    • IPSec is done by the OS, so you need to encrypt all communications (it can’t be selective).
    • It operates at layer 3 of the OSI network model (a lower level).
    • Installing IPSec on Windows XP: install the IP Security Policy manager. Then from Control Panel -> Administrative Tools, select IPSec.
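The eavesdropping risk in slides 3 to 7 and the connection-based remedy in slides 8 and 10 can be shown in one place. The following Go program is an added example, not code from the lecture: it sends a constructed query from a client to a server over an in-memory connection, records every byte the server receives (the sniffer's view), and reports whether the query text is readable, first in cleartext and then with both ends wrapped in TLS. The host name db.example.test, the throwaway self-signed certificate and the query string are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// recordingConn wraps the server side of a connection and keeps a copy of
// every byte that arrives from the client: what a passive sniffer on the
// client-server path would capture.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (r *recordingConn) Read(p []byte) (int, error) {
	n, err := r.Conn.Read(p)
	r.wire.Write(p[:n])
	return n, err
}

// selfSignedCert makes a throwaway certificate for the in-memory "server";
// a real deployment uses a certificate the clients already trust.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "db.example.test"}, // constructed name
		DNSNames:              []string{"db.example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed root that also serves as the server cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// queryVisibleOnWire sends one SQL statement from client to server over an
// in-memory connection and reports whether the statement text shows up in the
// bytes the tap recorded. With useTLS=false the client writes the query as a
// plain protocol would; with useTLS=true both ends wrap the connection in TLS
// first, as "Force protocol encryption" or an SSL-enabled driver does.
func queryVisibleOnWire(query string, useTLS bool) (bool, error) {
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()
	tap := &recordingConn{Conn: serverEnd, wire: &bytes.Buffer{}}

	var clientConn, serverConn net.Conn = clientEnd, tap
	if useTLS {
		cert, leaf, err := selfSignedCert()
		if err != nil {
			return false, err
		}
		roots := x509.NewCertPool()
		roots.AddCert(leaf)
		// TLS 1.2 is pinned only because net.Pipe is synchronous: TLS 1.3's
		// post-handshake session tickets would otherwise stall the pipe.
		serverConn = tls.Server(tap, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MaxVersion:   tls.VersionTLS12,
		})
		clientConn = tls.Client(clientEnd, &tls.Config{
			RootCAs:    roots,
			ServerName: "db.example.test",
			MaxVersion: tls.VersionTLS12,
		})
	}

	// The server reads in the background while the client writes; on a
	// net.Pipe a write only completes once the other side has read it.
	received := make([]byte, len(query))
	done := make(chan error, 1)
	go func() {
		_, err := io.ReadFull(serverConn, received)
		done <- err
	}()
	if _, err := clientConn.Write([]byte(query)); err != nil {
		return false, err
	}
	if err := <-done; err != nil {
		return false, err
	}
	if string(received) != query {
		return false, fmt.Errorf("server got %q, want %q", received, query)
	}
	return bytes.Contains(tap.wire.Bytes(), []byte(query)), nil
}

func main() {
	query := "SELECT card_number FROM customers WHERE id = 42" // constructed sample query
	for _, useTLS := range []bool{false, true} {
		visible, err := queryVisibleOnWire(query, useTLS)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tls=%-5v query readable by sniffer: %v\n", useTLS, visible)
	}
}
```

Running it prints that the cleartext query is readable from the captured bytes and the TLS-wrapped one is not; the server still receives the identical statement in both cases, which is the point of slide 8: the protection is added at the connection, not in the SQL.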
  • 13. Encrypting Data-at-rest
    • There are two reasons to do this:
      • Protect the data from DBAs.
      • Protect it from file or disk theft.
  • 14. Encrypting Data-at-rest
    • Encrypting at the application layer
      • Must be done at multiple locations from within the app.
      • Data can only be used from within the application.
    • Encrypting at the file system / operating system layer
      • Less flexible; requires you to encrypt everything.
      • Performance degrades.
      • Weak for handling the disk theft problem.
    • Encrypting within the database
      • Usually the most practical option.
  • 15. Encrypting at the Application Layer
    • Application developers use a cryptographic library to encrypt, such as the Java Cryptographic Extensions (JCE), a set of APIs in the and java.crypto packages.
  • 16. Encryption at the OS layer
    • Windows implements the Encrypted File System (EFS) and you can use it for MS SQL Server.
    • Disadvantages?
  • 17. Encryption within the Database
    • In SQL Server 2005 you can access the Windows CryptoAPI through DB_ENCRYPT and DB_DECRYPT within T-SQL (similar to PL/SQL).
      • Can use DES, Triple DES and AES (symmetric keys).
    • In Oracle, you can access the DBMS_OBFUSCATION_TOOLKIT package, which implements DES and Triple DES.
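Slides 13 to 15 describe application-layer encryption of data-at-rest, where the database only ever sees ciphertext and the key stays with the application. The Go program below is an added example written for this page, not the lecture's code or any DBMS feature: it encrypts one column value with AES-256-GCM before it would be written to the table and decrypts it on the way back. It goes one step beyond the slides by binding each ciphertext to its row identifier as additional authenticated data, so a value copied from one row to another fails to decrypt. The row identifiers, the sample card number and the in-memory key are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newGCM turns a 16-, 24- or 32-byte key into an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField encrypts one column value in the application, before the value
// reaches the database. rowID is passed as additional authenticated data: it
// is not encrypted, but a ciphertext moved to another row will fail to open.
// The stored form is base64(nonce || ciphertext || tag), which fits a text column.
func encryptField(key []byte, rowID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. Any error means the key is wrong, the
// value was tampered with inside the database, or it belongs to another row.
func decryptField(key []byte, rowID, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value is too short to contain a nonce")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(rowID))
	if err != nil {
		return "", fmt.Errorf("row %s: %w", rowID, err)
	}
	return string(plain), nil
}

func main() {
	// The key lives with the application (or a key-management service), never
	// in the table beside the data; this random key exists only for the demo.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	card := "4111-1111-1111-1111" // constructed sample value
	stored, err := encryptField(key, "customer:42", card)
	if err != nil {
		panic(err)
	}
	// This is all a DBA, or a stolen data file, reveals for the column.
	fmt.Println("stored value:", stored)
	fmt.Println("plaintext visible in stored value:", strings.Contains(stored, card))

	back, err := decryptField(key, "customer:42", stored)
	fmt.Printf("decrypted by the application: %s (err=%v)\n", back, err)
	_, err = decryptField(key, "customer:43", stored)
	fmt.Println("same ciphertext copied to another row:", err)
}
```

The trade-off from slide 14 is visible in the design: every code path that reads or writes the column has to call these two functions, and the database can no longer index, search or compare the protected values. Slide 18's "key management is key" is the other half: the scheme is only as strong as where the 32-byte key is kept and who can ask the application to decrypt.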
  • 18. Summary
    • DB encryption can be divided into data-in-transit and data-at-rest.
    • Encryption is useful as a last layer of defense (defense in depth). It should never be used as an alternative to the other controls.
    • Encryption should be used only when needed.
    • Key management is key.
  • 19. End of Lecture
    • End of today’s lecture.