Encryption Overview
• Two main types we are concerned with
  – Data in motion, over the network
  – Data at rest: datafiles, backups, redo, exports
• We will be concentrating on data at rest
• Question & Discussion:
  – What is the goal behind encrypting data?
  – Why do we do it?
  – What doesn't it do for us? What can it NOT protect us from?
Encryption Overview
• Data in motion is easily done with SQL*Net and ASO
  – Network traffic entirely encrypted, snoop proof
  – Encrypted checksum as well
  – To prevent "replay" attacks (e.g. let's do that bank transfer twice)
  – And to prevent modification (e.g. let's change the leading 1 to a 9 in that transaction)
Encryption Overview
• Data at rest options…
  – DBMS_OBFUSCATION_TOOLKIT
    • 8i-9iR2
    • Would not use this anymore
    • Will not talk about it beyond this slide
    • Let's have a quick talk about wrapper packages…
  – DBMS_CRYPTO
    • 10gR1 and above
    • Would not use this unless I had to (because of the next two bullets)
  – Column Level Encryption
    • 10gR2 and above (ASO)
  – Tablespace Encryption
    • 11gR1 and above (ASO)
DBMS_CRYPTO
• Encrypt/Decrypt data procedurally
  – DES, 3DES
  – AES
  – RC4
• Hash functions
  – MD5, SHA-1, MD4
  – Can use a secret key as well (keyed hash / MAC)
• Random functions
  – Raw keys
  – Numbers and integers as well
DBMS_CRYPTO
• The major problem: KEY MANAGEMENT
  – Do you store the key in the application?
    • How do you secure it there?
    • You need to retrieve it and transmit it
  – Do you store the key in the database?
    • If I steal your database, I have your keys
    • You will have code that retrieves the key, I will find out how
  – There are no good answers to this problem.
DBMS_CRYPTO
• API driven.
• You code it, definitely not transparent.
• Definite performance impact (compared to column and/or tablespace encryption)
• Supports as inputs
  – RAW
  – CLOB
  – BLOB
• And always returns binary output
  – You will use BLOB or RAW to store it
  – If you use VARCHAR2, you need to round the length up to a multiple of 16, double it, and RAWTOHEX or base64-encode the data.
  – Discuss legacy obfuscation toolkit and VARCHAR2 flaw
DBMS_CRYPTO
• Simple Examples
  – Input is RAW, convert to it first
  – Specify typ: the stream or block cipher type. Block cipher is what we use for storing data persistently
  – Key: the encryption key
  – Use the VARCHAR2 interface and the CLOB
• Performance
  – What impact will this have? (it will be different for everyone) Encrypt1.sql
  – How to measure it? Encrypt2.sql Encrypt3.sql
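Putting the "simple example" bullets and the VARCHAR2 storage point together, as added example code that is not from the original slides: encrypt a VARCHAR2 with DBMS_CRYPTO (AES-256, CBC, PKCS5 padding), store the binary output as hex, and decrypt it again. The key value and the AL32UTF8 character set are assumptions for the demo; the key sitting in the block is exactly the key-management problem the earlier slide raises.

```sql
-- Added example (not from the original slides): DBMS_CRYPTO round trip for a VARCHAR2.
-- The key is a constructed demo value kept in the block only so it runs stand-alone.
SET SERVEROUTPUT ON
DECLARE
  l_key    RAW(32) := HEXTORAW('00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'); -- demo key
  -- typ = block cipher + chaining mode + padding, all in one PLS_INTEGER
  l_typ    PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  l_plain  VARCHAR2(100) := 'Account 4111-1111-1111-1111';   -- constructed sample, 27 bytes
  l_enc    RAW(2000);
  l_stored VARCHAR2(4000);
  l_dec    VARCHAR2(100);

  -- VARCHAR2 in, RAW out: convert the string to RAW with a fixed character set,
  -- use a fresh random IV per value and prepend it so DECRYPT can find it.
  FUNCTION enc_str(p_text VARCHAR2, p_key RAW) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    RETURN UTL_RAW.CONCAT(l_iv,
             DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'), l_typ, p_key, l_iv));
  END;

  -- Reverse: split off the IV, decrypt, convert the RAW back to a string.
  FUNCTION dec_str(p_data RAW, p_key RAW) RETURN VARCHAR2 IS
    l_iv RAW(16)   := UTL_RAW.SUBSTR(p_data, 1, 16);
    l_ct RAW(2000) := UTL_RAW.SUBSTR(p_data, 17);
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(l_ct, l_typ, p_key, l_iv), 'AL32UTF8');
  END;
BEGIN
  l_enc := enc_str(l_plain, l_key);
  -- Binary output: 16-byte IV + plaintext padded up to the next multiple of 16 (27 -> 32), so 48 bytes.
  DBMS_OUTPUT.PUT_LINE('plaintext bytes : ' || UTL_RAW.LENGTH(UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8')));
  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(l_enc));
  -- Storing in a VARCHAR2 means hex-encoding it, which doubles the length again (48 bytes -> 96 chars).
  l_stored := RAWTOHEX(l_enc);
  DBMS_OUTPUT.PUT_LINE('hex chars       : ' || LENGTH(l_stored));
  l_dec := dec_str(HEXTORAW(l_stored), l_key);
  DBMS_OUTPUT.PUT_LINE('round trip ok   : ' || CASE WHEN l_dec = l_plain THEN 'yes' ELSE 'no' END);
END;
/
```

Size the target column for the padded-and-doubled length, not the plaintext length; a RAW or BLOB column avoids the hex step entirely.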