Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Encryption oracle


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Encryption oracle

  1. 1. All About Encryption
  2. 2. Encryption Overview• Two main types we are concerned with – Data in motion, over the network – Data at rest, datafiles, backups, redo, exports• We will be concentrating on data at rest• Question & Discussion: – What is the goal behind encrypting data? – Why do we do it? – What doesn’t it do for us? What can it NOT protect us from?
  3. 3. Encryption Overview• Data in motion is easily done with SQL*Net and ASO – Network traffic entirely encrypted, snoop proof – Encrypted checksum as well – to prevent “replay” attacks (eg: let’s do that bank transfer twice) – And to prevent modification (eg: let’s change the leading 1 to a 9 in that transaction)
  4. 4. Encryption Overview• Data at rest options… – DBMS_OBFUSCATION_TOOLKIT • 8i-9iR2 • Would not use this anymore • Will not talk about it beyond this slide • Let’s have a quick talk about wrapper packages… – DBMS_CRYPTO • 10gR1 and above • Would not use this unless I had to (because of the next two bullets) – Column Level Encryption • 10gR2 and above (ASO) – Tablespace Encryption • 11gR1 and above (ASO)
  5. 5. DBMS_CRYPTO• Encrypt/Decrypt data procedurally – DES, 3DES – AES – RC4• Hash functions – MD5, SHA-1, MD4 – Can use secret key as well• Random functions – Raw keys – Number and Integers as well
  6. 6. DBMS_CRYPTO• The major problem – KEY MANAGEMENT – Do you store the key in the application? • How do you secure it there? • You need to retrieve it and transmit it – Do you store the key in the database? • If I steal your database, I have your keys • You will have code that retrieves the key, I will find out how – There are no good answers to this problem.
  7. 7. DBMS_CRYPTO• API driven.• You code it, definitely not transparent.• Definite performance impact (compared to column and/or tablespace encryption)• Supports as inputs – RAW – CLOB – BLOB• And always returns binary output – You will use BLOB or RAW to store – If you use varchar2, you need to round up to multiple of 16 and double the length and RAWTOHEX or base64 encode the data. – Discuss legacy obfuscation toolkit and varchar2 flaw
  8. 8. DBMS_CRYPTO• Simple Examples – Input raw after converting – Specify typ – the stream or block cipher type. Block cipher is what we use for storing data persistently – Key – the encryption key – Use varchar2 interface and the CLOB• Performance – What impact will this have? (it will be different for everyone) Encrypt1.sql – How to measure it? Encrypt2.sql Encrypt3.sql