
Oracle security 07-transparent data encryption


  1. Transparent Data Encryption
     云和恩墨 (Enmotech), "成就所托" (delivering what is entrusted to us), by 王朝阳 (Wang Zhaoyang), 18516271611, sonne.k.wang@gmail.com
  2. Objectives
     After completing this lesson, you should be able to do the following:
     • Describe the encryption options
     • Generate random encryption keys
     • Encrypt and decrypt table columns
     • Encrypt tablespaces
  3. Overview
     • Data encryption issues
     • Data encryption challenges
     • DBMS_CRYPTO package:
       – Encrypts column data
       – Decrypts column data
       – Supersedes DBMS_OBFUSCATION_TOOLKIT
     [Diagram: the plaintext MyCreditCardNum passes through DBMS_CRYPTO and is stored as the ciphertext OKYMSEISPDTGA in the column CUST.CREDITCARD]
  4. Encryption Issues: Cost
     • Encryption and decryption of data
       – Accessibility
       – Performance
     • Management of encryption keys
       – Secure transmission
       – Administrative overhead
  5. Encryption Issues: Access Control
     Do not use encryption instead of access control.
     • Strong data access mechanisms are available.
     • Encryption must not interfere with access control.
  6. Encryption Issues: Access by Privileged Users
     • DBAs can access all data. Limit and monitor the DBA by:
       – Using SYSOPER with limited privileges
       – Creating junior DBA roles to limit access
       – Auditing the actions of the DBA
       – Running background checks on the DBAs
       – Encrypting sensitive columns
     • The system administrator has access to all data files.
     • Backup media may be compromised.
  7. Encryption Issues: Do Not Encrypt Everything
     • Encrypting everything does not make data secure.
     • Data is unavailable during key changes.
     • Lost keys mean lost data.
     • The management of keys becomes critical.
  8. Data Encryption: Challenges
     • Key management:
       – Generation
       – Changing
       – Transmission
       – Storage
     • Encrypting special types of data:
       – Indexed
       – Large objects (LOBs)
  9. Encryption Key Management: Key Generation
     Keys are generated from random numbers. Use an approved random-number generator:
     • DBMS_CRYPTO.RANDOMBYTES is based on the RSA X9.31 PRNG and is the approved choice.
     • DBMS_RANDOM is not approved: it is a statistical generator, not a cryptographic one, and must never be used to make keys or IVs.
     • DBMS_OBFUSCATION_TOOLKIT.GETKEY is still available, but the package is deprecated in favor of DBMS_CRYPTO.
  10. Encryption Key Management: Key Modification and Transmission
     • Change keys periodically, as you would a password:
       – This limits how long a key that has been leaked, guessed, or brute-forced stays useful.
       – Re-encrypt the data under the new key; the old key must stay available until every row has been converted.
     • Transmit keys in a secure manner:
       – Electronic transmission: encrypt the key (under another key, or over an encrypted channel)
       – Physical transmission
  11. Encryption Key Management: Storage
     Store the keys by using one of the following methods:
     • Store the key in the database.
     • Store the key in an operating system file.
     • Let the user manage the key.
  12. Storing the Key in the Database
     The techniques for protecting keys in the database are:
     • Store keys in a separate table.
     • Perform additional data transformation.
     • Wrap the PL/SQL package that performs the encryption.
     • Use a key per row.
     • Combine the techniques.
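The "separate key table", "key per row" and key-rotation ideas from the slides above, combined into one added example that is not part of the original deck. Each row gets its own data-encryption key (DEK), stored only in wrapped form under a key-encryption key (KEK) that the application passes in at call time and that never lives in the database (the next slides describe keeping it in an OS file the DBA cannot read). The table CUST, the package CARD_CRYPTO and the column names are assumptions made for the illustration; DBMS_CRYPTO, UTL_I18N and the AES-256/CBC/PKCS5 mode constants are the real Oracle API (Oracle Database 10g or later).

```sql
-- Added example (not from the original slides). Per-row data keys (DEKs) wrapped
-- under a key-encryption key (KEK) that the caller supplies and that is never
-- stored in the database. Table, package and column names are assumptions.
CREATE TABLE cust (
  cust_id     NUMBER PRIMARY KEY,
  cc_cipher   RAW(64),   -- AES-256/CBC/PKCS5 ciphertext of the card number
  cc_iv       RAW(16),   -- per-row random IV, stored in the clear
  cc_dek_wrap RAW(48)    -- this row's 32-byte DEK, encrypted under the KEK
);

CREATE OR REPLACE PACKAGE card_crypto AS
  PROCEDURE store_card(p_cust_id IN NUMBER, p_card IN VARCHAR2, p_kek IN RAW);
  FUNCTION  read_card (p_cust_id IN NUMBER, p_kek IN RAW) RETURN VARCHAR2;
  PROCEDURE rotate_kek(p_old_kek IN RAW, p_new_kek IN RAW);
END card_crypto;
/

CREATE OR REPLACE PACKAGE BODY card_crypto AS
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  PROCEDURE store_card(p_cust_id IN NUMBER, p_card IN VARCHAR2, p_kek IN RAW) IS
    l_dek RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);  -- fresh key for this row only
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV for this ciphertext
  BEGIN
    INSERT INTO cust (cust_id, cc_cipher, cc_iv, cc_dek_wrap) VALUES (
      p_cust_id,
      DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_card, 'AL32UTF8'), c_mode, l_dek, l_iv),
      l_iv,
      -- The DEK is uniformly random, so wrapping it without an IV leaks nothing useful.
      DBMS_CRYPTO.ENCRYPT(l_dek, c_mode, p_kek));
  END store_card;

  FUNCTION read_card(p_cust_id IN NUMBER, p_kek IN RAW) RETURN VARCHAR2 IS
    l_row cust%ROWTYPE;
    l_dek RAW(32);
  BEGIN
    SELECT * INTO l_row FROM cust WHERE cust_id = p_cust_id;
    -- Unwrap the row's DEK with the caller's KEK, then decrypt the data with the DEK.
    l_dek := DBMS_CRYPTO.DECRYPT(l_row.cc_dek_wrap, c_mode, p_kek);
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(l_row.cc_cipher, c_mode, l_dek, l_row.cc_iv), 'AL32UTF8');
  END read_card;

  -- Changing the KEK re-wraps the 32-byte DEKs; the row data itself is not re-encrypted.
  -- Compromise of a single DEK exposes only that one row.
  PROCEDURE rotate_kek(p_old_kek IN RAW, p_new_kek IN RAW) IS
  BEGIN
    FOR r IN (SELECT cust_id, cc_dek_wrap FROM cust) LOOP
      UPDATE cust
         SET cc_dek_wrap = DBMS_CRYPTO.ENCRYPT(
                             DBMS_CRYPTO.DECRYPT(r.cc_dek_wrap, c_mode, p_old_kek),
                             c_mode, p_new_kek)
       WHERE cust_id = r.cust_id;
    END LOOP;
  END rotate_kek;
END card_crypto;
/

-- Usage. In production the KEK comes from the application (an OS file or HSM the DBA
-- cannot read); a random KEK is generated here only so the block runs stand-alone.
SET SERVEROUTPUT ON
DECLARE
  l_kek     RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  l_new_kek RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
BEGIN
  card_crypto.store_card(1, '4111111111111111', l_kek);   -- constructed test value
  DBMS_OUTPUT.PUT_LINE('read:   ' || card_crypto.read_card(1, l_kek));
  card_crypto.rotate_kek(l_kek, l_new_kek);
  DBMS_OUTPUT.PUT_LINE('rotate: ' || card_crypto.read_card(1, l_new_kek));
END;
/
```

Because the KEK is a parameter, a DBA who reads CUST (or a backup of it) gets only ciphertext and wrapped keys. The package body can additionally be obfuscated with Oracle's wrap utility, as the slide suggests, but note that wrap hides source text, not keys: anything the package can decrypt, anyone who can execute the package with the KEK can decrypt too, so EXECUTE on the package must be granted as carefully as access to the data.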
  13. Storing the Key in the Operating System
     Use this method to restrict DBA access to the keys:
     1. Set up the file storing the keys so that the DBA does not have access to the file.
     2. Retrieve the data from the database without decrypting the data.
     3. Decrypt the data in the application accessing the data. The DBA must also be denied access to this application.
  14. Letting the User Manage the Key
     User-managed keys have these problems:
     • Users forget the key.
     • Users archive the key in an insecure manner.
     • Users must use secure transmission methods, such as network encryption.
  15. Encrypting Special Types of Data
     • Indexed data:
       – An equality lookup works only by encrypting the search value in exactly the same way and comparing ciphertexts. That requires deterministic encryption (no per-row IV), which reveals which rows share a value.
       – Range scans, sorting, and pattern matching on the plaintext are not supported: the index sees only ciphertext.
     • Large objects (LOBs):
       – Use the ENCRYPT procedure of the DBMS_CRYPTO package (the overload that takes a BLOB or CLOB).
  16. Comparing DBMS_CRYPTO with DBMS_OBFUSCATION_TOOLKIT
     Package feature                 DBMS_CRYPTO                        DBMS_OBFUSCATION_TOOLKIT
     Cryptographic algorithms        DES, 3DES, AES, RC4, 3DES_2KEY     DES, 3DES
     Database types                  RAW, CLOB, BLOB                    RAW, VARCHAR2
     Block cipher chaining modes     CBC, CFB, ECB, OFB                 CBC
     Cryptographic hash algorithms   MD5, SHA-1, MD4                    MD5
     Keyed hash (MAC) algorithms     HMAC_MD5, HMAC_SH1                 None supported
     For new work choose AES (in CBC or CFB, never ECB) and an HMAC: DES, 3DES_2KEY, RC4, MD4 and MD5 are broken, and 3DES and SHA-1 are deprecated. Later releases add SHA-2 (HASH_SH256 and HMAC_SH256 from Oracle Database 12c).
  17. DBMS_CRYPTO Package
     • Functionality:
       – Random-number generation for encryption keys
       – Encryption and decryption by using various algorithms
       – Multiple cipher block chaining modes
       – Multiple cryptographic hash algorithms
       – Multiple padding forms
     • Procedures and functions in the package include:
       – RANDOMBYTES creates random keys.
       – ENCRYPT encrypts columns or LOBs.
       – DECRYPT decrypts columns or LOBs.
       – HASH applies a hash algorithm to data.
  18. Using ENCRYPT and DECRYPT
     • ENCRYPT:
         encrypted_raw := dbms_crypto.Encrypt(
                            src => raw_input,
                            typ => dbms_crypto.DES3_CBC_PKCS5,
                            key => raw_key,
                            iv  => NULL);
     • DECRYPT:
         decrypted_raw := dbms_crypto.Decrypt(
                            src => encrypted_raw,
                            typ => dbms_crypto.DES3_CBC_PKCS5,
                            key => raw_key);
     Note: with iv => NULL, CBC is deterministic, so identical inputs produce identical ciphertext; pass a random IV from RANDOMBYTES and store it beside the ciphertext. DES3_CBC_PKCS5 is a predefined sum of ENCRYPT_3DES, CHAIN_CBC and PAD_PKCS5; prefer ENCRYPT_AES256 + CHAIN_CBC + PAD_PKCS5 for new code.
  19. Using RANDOMBYTES
     • Generate a key (24 bytes gives a three-key 3DES key):
         raw_key := dbms_crypto.randombytes(number_bytes => 24);
     • Encrypt:
         encrypted_raw := dbms_crypto.encrypt(
                            src => raw_input,
                            typ => DBMS_CRYPTO.DES3_CBC_PKCS5,
                            key => raw_key);
  20. Enhanced Security Using the Cipher Block Modes
     [Diagram: Cipher Block Chaining. The initial value block (IV) is XORed with the first plaintext block before that block is encrypted; the encrypted first block is XORed with the next plaintext block before it is encrypted, and so on. Every ciphertext block therefore depends on the IV and on all preceding blocks.]
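The ENCRYPT, DECRYPT and RANDOMBYTES calls from the three slides above put together as an added example that is not part of the original deck. It uses AES-256 in CBC mode with PKCS5 padding instead of the slides' 3DES, generates both the key and the IV with RANDOMBYTES, and shows what the CBC diagram implies in practice: with a random IV the same plaintext encrypts differently each time, while iv => NULL (the form on the ENCRYPT slide) makes equal inputs produce equal ciphertext. The card number is a constructed test value; DBMS_CRYPTO, UTL_I18N and UTL_RAW are the real Oracle packages (10g or later).

```sql
-- Added example (not from the original slides): AES-256/CBC/PKCS5 round trip with
-- DBMS_CRYPTO, comparing a random IV against iv => NULL. Values are constructed.
SET SERVEROUTPUT ON
DECLARE
  l_mode  CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                + DBMS_CRYPTO.CHAIN_CBC
                                + DBMS_CRYPTO.PAD_PKCS5;
  l_key      RAW(32);       -- 256-bit key = 32 random bytes
  l_iv1      RAW(16);       -- AES block size is 16 bytes, so the IV is 16 bytes
  l_iv2      RAW(16);
  l_plain    RAW(2000);
  l_ct1      RAW(2048);
  l_ct2      RAW(2048);
  l_ct_noiv1 RAW(2048);
  l_ct_noiv2 RAW(2048);
  l_out      VARCHAR2(2000);

  FUNCTION yn(p BOOLEAN) RETURN VARCHAR2 IS
  BEGIN
    RETURN CASE WHEN p THEN 'yes' ELSE 'no' END;
  END;
BEGIN
  l_key   := DBMS_CRYPTO.RANDOMBYTES(32);
  l_plain := UTL_I18N.STRING_TO_RAW('4111111111111111', 'AL32UTF8');  -- constructed test value

  -- Random IV per encryption: the same plaintext under the same key gives
  -- different ciphertext, so an observer cannot tell which rows share a value.
  l_iv1 := DBMS_CRYPTO.RANDOMBYTES(16);
  l_iv2 := DBMS_CRYPTO.RANDOMBYTES(16);
  l_ct1 := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode, key => l_key, iv => l_iv1);
  l_ct2 := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode, key => l_key, iv => l_iv2);
  DBMS_OUTPUT.PUT_LINE('random IV: ciphertexts differ: '
                       || yn(UTL_RAW.COMPARE(l_ct1, l_ct2) <> 0));

  -- iv => NULL: CBC becomes deterministic, equal plaintexts give equal ciphertexts.
  l_ct_noiv1 := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode, key => l_key);
  l_ct_noiv2 := DBMS_CRYPTO.ENCRYPT(src => l_plain, typ => l_mode, key => l_key);
  DBMS_OUTPUT.PUT_LINE('no IV: ciphertexts equal: '
                       || yn(UTL_RAW.COMPARE(l_ct_noiv1, l_ct_noiv2) = 0));

  -- Decrypt. The IV is not secret and is stored in the clear next to the ciphertext;
  -- the key is secret and must not be stored in the same row or table.
  l_out := UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => l_ct1, typ => l_mode, key => l_key, iv => l_iv1),
             'AL32UTF8');
  DBMS_OUTPUT.PUT_LINE('round trip ok: ' || yn(l_out = '4111111111111111'));

  -- Wrong key: the PKCS5 padding check usually fails and DECRYPT raises an exception,
  -- but when the garbage happens to end in valid padding the call "succeeds" silently.
  -- Either way decryption is not an integrity check; that is what the MAC is for.
  BEGIN
    l_out := UTL_I18N.RAW_TO_CHAR(
               DBMS_CRYPTO.DECRYPT(src => l_ct1, typ => l_mode,
                                   key => DBMS_CRYPTO.RANDOMBYTES(32), iv => l_iv1),
               'AL32UTF8');
    DBMS_OUTPUT.PUT_LINE('wrong key: decrypted to garbage without an error');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('wrong key: rejected (' || SQLERRM || ')');
  END;
END;
/
```

The determinism shown in the no-IV case is exactly what the indexed-data slide relies on for equality lookups, and exactly why it leaks: whichever of the two you need, choose it deliberately per column rather than by leaving the iv parameter at its default.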
  21. Hash and Message Authentication Code
     • DBMS_CRYPTO includes both HASH and Message Authentication Code (MAC) functions.
     • Both produce a fixed-length, one-way digest of a LOB or RAW.
     • A plain hash detects accidental corruption only: anyone who can change the data can recompute the hash to match.
     • A MAC uses a secret key, so it also detects deliberate tampering by anyone who does not hold that key.
     • Example:
         mac_raw := dbms_crypto.Mac(
                      src => raw_input,
                      typ => DBMS_CRYPTO.HMAC_MD5,
                      key => raw_key);
     Prefer HMAC_SH1 (or HMAC_SH256 where available) over HMAC_MD5, and use a MAC key that is separate from the encryption key.
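The hash-versus-MAC point on the slide above, worked through as an added example that is not part of the original deck. It stores a hash and a MAC over a record, forges the record, and shows that the forger can always recompute a hash but cannot produce a valid MAC without the key. HMAC_SH1 is used in place of the slide's HMAC_MD5 (on 12c and later use HMAC_SH256); the record text and keys are constructed for the illustration, and the local helper functions are assumptions, not part of DBMS_CRYPTO.

```sql
-- Added example (not from the original slides): why a MAC, not a plain hash, is the
-- integrity check against an attacker who can write to the table. Values are constructed.
SET SERVEROUTPUT ON
DECLARE
  l_key         RAW(32)   := DBMS_CRYPTO.RANDOMBYTES(32);  -- MAC key, separate from any encryption key
  l_data        RAW(2000) := UTL_I18N.STRING_TO_RAW('amount=100;to=ACCT-42', 'AL32UTF8');
  l_forged      RAW(2000) := UTL_I18N.STRING_TO_RAW('amount=900;to=ACCT-42', 'AL32UTF8');
  l_stored_hash RAW(20);   -- SHA-1 digest is 20 bytes
  l_stored_mac  RAW(20);   -- HMAC-SHA1 tag is 20 bytes

  -- Verifier side: recompute the tag over the data and compare with the stored tag.
  -- (UTL_RAW.COMPARE is not constant-time; acceptable for stored data, not for
  --  tags received from an untrusted network peer.)
  FUNCTION hash_ok(p_data RAW, p_tag RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN UTL_RAW.COMPARE(DBMS_CRYPTO.HASH(p_data, DBMS_CRYPTO.HASH_SH1), p_tag) = 0;
  END;

  FUNCTION mac_ok(p_data RAW, p_key RAW, p_tag RAW) RETURN BOOLEAN IS
  BEGIN
    RETURN UTL_RAW.COMPARE(DBMS_CRYPTO.MAC(p_data, DBMS_CRYPTO.HMAC_SH1, p_key), p_tag) = 0;
  END;

  FUNCTION yn(p BOOLEAN) RETURN VARCHAR2 IS
  BEGIN
    RETURN CASE WHEN p THEN 'yes' ELSE 'no' END;
  END;
BEGIN
  -- Tags computed when the genuine record was written.
  l_stored_hash := DBMS_CRYPTO.HASH(l_data, DBMS_CRYPTO.HASH_SH1);
  l_stored_mac  := DBMS_CRYPTO.MAC (l_data, DBMS_CRYPTO.HMAC_SH1, l_key);

  -- Case 1: the attacker changes the data but cannot touch the tag.
  -- Both checks reject the forged record.
  DBMS_OUTPUT.PUT_LINE('forged data, original hash accepted: '
                       || yn(hash_ok(l_forged, l_stored_hash)));
  DBMS_OUTPUT.PUT_LINE('forged data, original MAC accepted:  '
                       || yn(mac_ok(l_forged, l_key, l_stored_mac)));

  -- Case 2: the attacker can write both the data and the tag (a DBA, or anyone holding
  -- a backup). The hash needs no secret, so it is simply recomputed and the forgery passes.
  l_stored_hash := DBMS_CRYPTO.HASH(l_forged, DBMS_CRYPTO.HASH_SH1);
  DBMS_OUTPUT.PUT_LINE('forged data, recomputed hash accepted: '
                       || yn(hash_ok(l_forged, l_stored_hash)));

  -- The MAC cannot be recomputed without l_key; a tag made under any other key fails.
  l_stored_mac := DBMS_CRYPTO.MAC(l_forged, DBMS_CRYPTO.HMAC_SH1, DBMS_CRYPTO.RANDOMBYTES(32));
  DBMS_OUTPUT.PUT_LINE('forged data, MAC under attacker key accepted: '
                       || yn(mac_ok(l_forged, l_key, l_stored_mac)));
END;
/
```

The MAC only helps if the key is kept out of reach of the people it is meant to catch: stored in the same schema as the data, it protects against nothing more than a plain hash does. The same key-storage choices the earlier slides list for encryption keys apply to MAC keys.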
  22. Summary
     In this lesson, you should have learned how to:
     • Describe the encryption options available with Oracle Database 10g
     • Use DBMS_CRYPTO to:
       – Generate random encryption keys
       – Encrypt and decrypt table columns
  23. Q&A
