Re: SQLNet/ODBC security and encryption
In response to Dan Vincent's query about available crypto for ODBC and SQL*Net, Dean Mah <dmah_at_acs.ucalgary.ca> admitted:
>We haven't gone into production with our system yet but we have tested Oracle's
>Advanced Networking Option for SecurID access and data encryption and
>checksumming. In Canada, we are using DES40 or RSA40 for encryption and MD5
>for checksumming. If you are in the US, you will be able to use stronger encryption.
I'm confused. Unless you have a UCalgary project to develop your RDBS on the grounds of the Libyan Embassy or somesuch, I understood a Canadian citizen to have full access to any strong American-developed crypto available on the open market (as any American has full access to any strong Canadian crypto available to the private sector.) Crypto export controls are subjective, weird, and fundamentally corrupt -- forcing vendors to foist shoddy security and integrity products on many unsuspecting customers -- but the US/Canadian border is uniquely open for encryption products.
Are you, for some reason, an exception?
SNS offers full 56-bit DES, I know, and I presume at least equally-strong RC4 (one of Rivest's variable key-length ciphers, from SDTI/RSA) to protect SQL*Net sessions.
In the "RSA Challenge" contest two years ago, a Canadian grad student at UCBerkeley popped a 40-bit key in three and a half hours using a medium-size university computer lab in a brute-force attack. 40-bit crypto offers but a little more security than pig-Latin or ROT13 today. It should not be considered for confidentiality.
Suerte,
_Vin
Vin McLellan + The Privacy Guild + <vin_at_shore.net> 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548