
Re: Oracle 10g security. Using certificates?

From: <nkunkov_at_escholar.com>
Date: 29 Jun 2006 05:54:07 -0700
Message-ID: <1151585647.570421.317150@i40g2000cwc.googlegroups.com>

Vladimir M. Zakharychev wrote:
> nkunkov_at_escholar.com wrote:
> > Vladimir M. Zakharychev wrote:
> > > nkunkov_at_escholar.com wrote:
> > > > Hello,
> > > > I have an assignment that I don't know where to begin. Hope you can
> > > > give me some direction.
> > > > I'm running Oracle 10g. I'm using DBMS_CRYPTO.ENCRYPT to do some
> > > > encryption in my own function. My encryption key is stored (hardcoded)
> > > > within my function. My client doesn't like it for obvious reasons and
> > > > asked me if this key could be stored in a "certificate database"
> > > > whatever this term means. I think I need to have a security certificate
> > > > which will give me access to my key. I don't know if Oracle has this
> > > > kind of capability and I'm not sure where to look to learn about it.
> > > > If you can give me some help here I'd greatly appreciate it.
> > > > Thank you.
> > > > NK
> > >
> > > If you run 10g Release 2 (10.2,) you will find that it supports
> > > transparent data encryption and stores the key out of line
> > > in a wallet. So search the docs for TDA and google this
> > > group for some discussions about it.
> > >
> > > Other than that, I don't think that Oracle has any PKI API
> > > exposed to PL/SQL developers for immediate use. You can
> > > try Java for this. You can also store your keys outside the
> > > database and read them using BFILEs or UTL_FILE,
> > > and optionally encrypt that storage with some fixed, but
> > > not explicitly hard-coded key (for example, one derived from
> > > some immutable constants.)
> > >
> > > Brian Peasland also has a couple of white papers on
> > > key security in Oracle at http://www.peasland.net, which
> > > you may find helpful.
> > >
> > > Hth,
> > > Vladimir M. Zakharychev
> > > N-Networks, makers of Dynamic PSP(tm)
> > > http://www.dynamicpsp.com
> >
> >
> > Vladimir,
> > Thank you very much. This was actually very helpful.
> > Appreciate it.
> > NK
>
> Just re-read my post and figured I used a wrong acronym
> for transparent data encryption. TDE is the right one. :)
> Sorry for possible confusion.
>
> Regards,
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
> http://www.dynamicpsp.com

Vladimir,
Thanks again. No, you didn't confuse me, I figured out the acronym :) I wanted to ask you a few things though.

1. For TDE, I assume that I won't be able to use the DBMS_CRYPTO package anymore? Is that right? Also, I'm looking not to encrypt the fields of the table itself, but to encrypt the contents of the materialized views without doing anything with the actual tables. Will TDE work for me or do I need to use something else?

2. Do you think code obfuscation could be of help? Should I have an obfuscated function that will return the key? But then the function output will still be readable, right? (I never used obfuscation before, that's why the questions are basic...)

3. If I wanted to store the key in a file, what should I use to encrypt it? Same DBMS_CRYPTO? And when you are saying derive the key from an immutable constant, that constant should also be stored somewhere or known by the users, right? I'm giving this to the third party, it's not an in-house product...

Thanks for your help.
I greatly appreciate your answers.
NK

Received on Thu Jun 29 2006 - 07:54:07 CDT
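
The option raised in the thread of keeping the key outside the database and reading it with UTL_FILE, sketched in PL/SQL as an added example that is not code from any poster. The directory object KEY_DIR, the file app_aes256.key, the schema app_owner and the package app_crypto are hypothetical names, and the key file is assumed to hold 32 raw bytes.

```sql
-- Added example. KEY_DIR, app_aes256.key, app_owner and app_crypto are hypothetical names.
-- One-time setup by a DBA (the OS path is a constructed sample):
--   CREATE DIRECTORY key_dir AS '/secure/keys';
--   GRANT READ ON DIRECTORY key_dir TO app_owner;
--   GRANT EXECUTE ON DBMS_CRYPTO TO app_owner;
CREATE OR REPLACE PACKAGE app_crypto AS
  FUNCTION encrypt_text(p_plain IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_text(p_cipher IN RAW) RETURN VARCHAR2;
END app_crypto;
/
CREATE OR REPLACE PACKAGE BODY app_crypto AS
  -- AES-256, CBC chaining, PKCS#5 padding
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;
  -- Read the 32-byte key from the OS file on each call; it is never in the source.
  FUNCTION load_key RETURN RAW IS
    l_file UTL_FILE.FILE_TYPE;
    l_key  RAW(32);
  BEGIN
    l_file := UTL_FILE.FOPEN('KEY_DIR', 'app_aes256.key', 'rb');
    UTL_FILE.GET_RAW(l_file, l_key, 32);
    UTL_FILE.FCLOSE(l_file);
    IF l_key IS NULL OR UTL_RAW.LENGTH(l_key) <> 32 THEN
      RAISE_APPLICATION_ERROR(-20001, 'key file holds fewer than 32 bytes');
    END IF;
    RETURN l_key;
  EXCEPTION
    WHEN OTHERS THEN
      IF UTL_FILE.IS_OPEN(l_file) THEN UTL_FILE.FCLOSE(l_file); END IF;
      RAISE;
  END load_key;

  -- Output layout: 16-byte random IV followed by the ciphertext.
  FUNCTION encrypt_text(p_plain IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
  BEGIN
    RETURN UTL_RAW.CONCAT(l_iv, DBMS_CRYPTO.ENCRYPT(
             UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'), c_alg, load_key, l_iv));
  END encrypt_text;

  FUNCTION decrypt_text(p_cipher IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(
             UTL_RAW.SUBSTR(p_cipher, 17), c_alg, load_key,
             UTL_RAW.SUBSTR(p_cipher, 1, 16)), 'AL32UTF8');
  END decrypt_text;
END app_crypto;
/
```

With this layout the key is protected by the OS permissions on the file and by who holds READ on the directory object, so a DBA or any account with that grant can still obtain it. Moving the key out of the source removes it from the data dictionary and from exports of the code, not from the reach of privileged users on the host.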
